feat(fsp): update mounting rules.

2025-01-18 17:08:09 +01:00 · 2024-03-15 23:45:18 +00:00 · 2024-03-15 23:45:18 +00:00 · 1b8b52962b
commit 1b8b52962b
parent e3f9013c3a
2 changed files with 15 additions and 7 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -52,14 +52,18 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  network inet6 stream,
  network netlink raw,

-  mount fstype=autofs                                             systemd-1 -> /efi/,
-  mount fstype=proc  options=(rw nosuid nodev noexec)                  proc -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=sysfs options=(rw nosuid nodev noexec)                 sysfs -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=tmpfs                                                  tmpfs -> /dev/shm/,
-  mount fstype=tmpfs                                                  tmpfs -> /tmp/,
-  mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime)     tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
-  mount fstype=tmpfs options=(rw nosuid noexec strictatime)           tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+  mount fstype=autofs                                                 systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
+  mount fstype=autofs                                                 systemd-1 -> /efi/,
+  mount fstype=hugetlbfs options=(rw nosuid nodev)                    hugetlbfs -> /dev/hugepages/,
+  mount fstype=proc      options=(rw nosuid nodev noexec)                  proc -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=sysfs     options=(rw nosuid nodev noexec)                 sysfs -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=tmpfs                                                      tmpfs -> /dev/shm/,
+  mount fstype=tmpfs                                                      tmpfs -> /tmp/,
+  mount fstype=tmpfs     options=(rw nosuid nodev noexec strictatime)     tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
+  mount fstype=tmpfs     options=(rw nosuid nodev noexec)                 tmpfs -> /dev/shm/,
+  mount fstype=tmpfs     options=(rw nosuid noexec strictatime)           tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,

+  mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
  mount options=(rw bind)                                           /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
  mount options=(rw bind)                       @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
  mount options=(rw move)                                                   -> @{sys}/fs/fuse/connections/,
@ -90,6 +94,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  remount options=(ro nosuid nodev bind)         /var/,
  remount options=(ro nosuid nodev noexec bind)  /boot/,
  remount options=(ro nosuid nodev noexec bind)  /dev/mqueue/,
+  remount options=(ro nosuid nodev noexec bind)  /efi/,
  remount options=(ro nosuid noexec bind)        /dev/pts/,

  umount /,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -30,6 +30,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {

  ptrace (read),

+  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
+  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
+
  # dbus: own bus=session name=org.freedesktop.systemd1

  @{exec_path} mr,