feat(full): add new systemd variable.

2025-01-18 08:58:15 +01:00 · 2023-11-19 11:13:40 +00:00 · 2023-11-19 11:13:40 +00:00 · 2143fb03af
commit 2143fb03af
parent b79a1fcd31
7 changed files with 14 additions and 5 deletions
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -44,14 +44,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  # but will fall back to a non-privileged version if it fails.
  deny capability net_admin,

-  ptrace (read,trace) peer=unconfined,
-
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  network netlink raw,

+  signal (receive) set=(hup) peer=@{systemd},
+
+  ptrace (read,trace) peer=@{systemd},
+
  dbus send bus=system path=/org/freedesktop/login[0-9]
    interface=org.freedesktop.login[0-9].Manager
    member={CreateSession,ReleaseSession}
--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {

  capability net_admin,

-  ptrace (read) peer=unconfined,
+  ptrace (read) peer=@{systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@ -14,6 +14,8 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {

  capability sys_resource,

+  signal (send) peer=@{systemd},
+
  @{exec_path} mr,

  /etc/machine-id r,
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} {
  network inet6 stream,
  network netlink raw,

-  ptrace peer=unconfined,
+  ptrace (read) peer=@{systemd},

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -44,7 +44,7 @@ profile snapd @{exec_path} {
  umount /snap/*/*/,

  ptrace (read) peer=snap,
-  ptrace (read) peer=unconfined,
+  ptrace (read) peer=@{systemd},

  dbus (send) bus=system path=/org/freedesktop/
         interface=org.freedesktop.login1.Manager
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -54,6 +54,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  umount @{run}/udisks2/temp-mount-*/,
  umount /media/cdrom[0-9]/,

+  signal (receive) set=(int) peer=@{systemd},
+
  dbus (send,receive) bus=system path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect,
--- a/apparmor.d/tunables/multiarch.d/apparmor.d
+++ b/apparmor.d/tunables/multiarch.d/apparmor.d
@ -53,3 +53,6 @@
 # Common places for binaries and libraries across distributions
@{bin}=/{,usr/}{,s}bin
@{lib}=/{,usr/}lib{,exec,32,64}
+
+# Name of the systemd profile: unconfined || systemd
+@{systemd}=unconfined