diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 3b9cb394..390f397d 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -57,9 +57,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   mount fstype=autofs systemd-1 -> /efi/,
   mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
   mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=tmpfs tmpfs -> /dev/shm/,
   mount fstype=tmpfs tmpfs -> /tmp/,
   mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
-  mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
   mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
   mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
@@ -184,6 +184,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{run}/initctl rw,
   @{run}/systemd/{,**} rw,
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+backlight:* r,
+  @{run}/udev/data/+leds:*backlight* r,
+  @{run}/udev/data/+module:configfs r,
   @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/c4:@{int} r, # For TTY devices
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index 8b8203f4..29094f65 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
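Review bot: The new `/dev/shm/` rule in the first hunk drops the `options=(rw nosuid nodev noexec)` constraint that the removed rule carried, so the profile now allows systemd to mount tmpfs on `/dev/shm/` with any flag set, including one that leaves executables, setuid binaries and device nodes usable there. If the motivation was only a flag set observed in the logs that the old rule did not match, it would be tighter to list that set explicitly rather than omit options altogether, e.g. `mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /dev/shm/,` next to the existing `noexec` variant, the way the `/dev/` and `credentials/` rules a few lines below keep their flags. If the unconstrained form is genuinely required, a comment saying so would help the next reviewer, e.g. `# /dev/shm mount flags vary by distro; options intentionally left unconstrained`. The enclosing `profile systemd` block starts and ends outside this hunk.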
@@ -2,7 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Profile for generic systemd unit services. Only used by service without profile.
+# Profile for generic systemd unit services. Only used by tiny systemd services
+# that start a shell or use context specific programs.
+
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-service" exec transitions from the systemd profile.