feat(full): improve how systemd handle services

2025-01-18 00:48:10 +01:00 · 2023-11-22 18:42:23 +00:00 · 2023-11-22 18:42:23 +00:00 · 23be43ebd0
commit 23be43ebd0
parent f2ef493ca7
8 changed files with 163 additions and 20 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -17,7 +17,7 @@ abi <abi/3.0>,

 include <tunables/global>

-profile systemd flags=(attach_disconnected) {
+profile systemd flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/authentication>
@ -35,6 +35,7 @@ profile systemd flags=(attach_disconnected) {
  include <abstractions/wutmp>

  # Needed by systemd
+  capability audit_control,
  capability audit_read,
  capability audit_write,
  capability bpf,
@ -46,9 +47,9 @@ profile systemd flags=(attach_disconnected) {
  capability mknod,
  capability perfmon,
  capability sys_admin,
-  capability sys_tty_config,
-  capability sys_resource,
  capability sys_chroot,
+  capability sys_resource,
+  capability sys_tty_config,

  # Required by stacked profiles
  capability net_admin,
@ -90,15 +91,27 @@ profile systemd flags=(attach_disconnected) {
  dbus, # TODO: WIP
  dbus bind bus=system name=org.freedesktop.systemd1,

-  @{bin}/{,u}mount                  rix,
-  @{bin}/ldconfig                   rPx -> ldconfig.service,
-  @{bin}/chgrp                      rPx -> dmesg.service,
-  @{bin}/chmod                      rPx -> dmesg.service,
-  @{bin}/savelog                    rPx -> dmesg.service,
+  @{bin}/systemctl                  rix,
+  @{bin}/true                       rix,
+  @{lib}/systemd/systemd            rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE

-  audit @{lib}/** Pix,
-  audit @{bin}/** Pix,
-  audit /etc/init.d/* PUx,
+  @{bin}/{,ba,da}sh                 rPx -> systemd.service,
+  @{bin}/chgrp                      rPx -> systemd.service,
+  @{bin}/chmod                      rPx -> systemd.service,
+  @{bin}/cp                         rPx -> systemd.service,
+  @{bin}/find                       rPx -> systemd.service,
+  @{bin}/install                    rPx -> systemd.service,
+  @{bin}/ldconfig                   rPx -> systemd.service,
+  @{bin}/mandb                      rPx -> systemd.service,
+  @{bin}/mkdir                      rPx -> systemd.service,
+  @{bin}/mount                      rPx -> systemd.service,
+  @{bin}/savelog                    rPx -> systemd.service,
+
+  audit @{bin}/**                   Pix,
+  audit @{lib}/**                   Pix,
+  audit /etc/cron.*/*               PUx,
+  audit /etc/init.d/*               PUx,
+  audit /usr/share/*/*              Pix,

  @{bin}/pipewire                   rPx -> systemd//&pipewire,
  @{bin}/pipewire-media-session     rPx -> systemd//&pipewire-media-session,
@ -107,16 +120,11 @@ profile systemd flags=(attach_disconnected) {
  @{bin}/wireplumber                rPx -> systemd//&wireplumber,

  @{lib}/{,polkit-1/}polkitd        rPx -> systemd//&polkitd,
-  @{lib}/snapd/snapd-apparmor       rPx,
-  # @{lib}/systemd/systemd            rPx -> systemd-user, # FIXME: only works on server
+  @{lib}/pulse/gsettings-helper     rPx -> systemd//&pulseaudio,
  @{lib}/systemd/systemd-networkd   rPx -> systemd//&systemd-networkd,
  @{lib}/systemd/systemd-resolved   rPx -> systemd//&systemd-resolved,
  @{lib}/systemd/systemd-timesyncd  rPx -> systemd//&systemd-timesyncd,

-  /usr/share/apport/apport                                    rPx,
-  /usr/share/gdm/generate-config                              rPx,
-  /usr/share/unattended-upgrades/unattended-upgrade-shutdown  rPx,
-
  / r,
  /boot/ r,
  /boot/efi/ r,
@ -136,6 +144,7 @@ profile systemd flags=(attach_disconnected) {
  /etc/default/** r,
  /etc/environment r,
  /etc/environment.d/{,**} r,
+  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/modules-load.d/ r,
  /etc/networkd-dispatcher/{,**} r,
@ -171,6 +180,7 @@ profile systemd flags=(attach_disconnected) {

  @{sys}/bus/ r,
  @{sys}/class/ r,
+  @{sys}/class/power_supply r,
  @{sys}/class/sound/ r,
  @{sys}/devices/@{pci}/** r,
  @{sys}/devices/**/net/** r,
@ -219,6 +229,8 @@ profile systemd flags=(attach_disconnected) {
        /dev/tty@{int} rwk,
  owner /dev/console rwk,
  owner /dev/hugepages/ rw,
+  owner /dev/initctl rw,
+  owner /dev/input/event@{int} rw,
  owner /dev/mqueue/ rw,
  owner /dev/ttyS@{int} rwk,

--- a/apparmor.d/groups/service/dmesg.service
+++ b/apparmor.d/groups/service/dmesg.service
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

 # Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service

 abi <abi/3.0>,

--- a/apparmor.d/groups/service/init-exim4
+++ b/apparmor.d/groups/service/init-exim4
@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /etc/init.d/exim4
+profile init-exim4 @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{bin}/cat                rix,
+  @{bin}/chmod              rix,
+  @{bin}/chown              rix,
+  @{bin}/dirname            rix,
+  @{bin}/exim4              rPx,
+  @{bin}/getopt             rix,
+  @{bin}/grep               rix,
+  @{bin}/id                 rix,
+  @{bin}/install            rix,
+  @{bin}/mv                 rix,
+  @{bin}/plymouth           rPx,
+  @{bin}/run-parts          rix,
+  @{bin}/sed                rix,
+  @{bin}/start-stop-daemon  rix,
+  @{bin}/systemctl          rix,
+  @{bin}/touch              rix,
+  @{bin}/tr                 rix,
+  @{bin}/update-exim4.conf  rix,
+
+  /var/lib/exim4/config.autogenerated.tmp rw,
+
+  include if exists <local/init-exim4>
+}
--- a/apparmor.d/groups/service/ldconfig.service
+++ b/apparmor.d/groups/service/ldconfig.service
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

 # Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service

 abi <abi/3.0>,

--- a/apparmor.d/groups/service/man-db.service
+++ b/apparmor.d/groups/service/man-db.service
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile man-db.service @{exec_path} {
+  include <abstractions/base>
+
+  @{bin}/install  mr,
+  @{bin}/find     mr,
+
+  include if exists <local/man-db.service>
+}
--- a/apparmor.d/groups/service/snapd.system-shutdown.service
+++ b/apparmor.d/groups/service/snapd.system-shutdown.service
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile snapd.system-shutdown.service @{exec_path} {
+  include <abstractions/base>
+
+  @{bin}/cp     mr,
+  @{bin}/mkdir  mr,
+
+  @{run}/initramfs/shutdown rw,
+  @{run}/initramfs/ rw,
+
+  include if exists <local/snapd.system-shutdown.service>
+}
--- a/apparmor.d/groups/service/systemd.service
+++ b/apparmor.d/groups/service/systemd.service
@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile systemd.service @{exec_path} flags=(attach_disconnected)  {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability sys_admin,
+
+  @{bin}/{,ba,da}sh     rm,
+
+  @{bin}/grep          rix,
+  @{bin}/grub-editenv  rPx,
+  @{bin}/ibus-daemon   rPx,
+  @{bin}/mkdir         rix,
+  @{bin}/mount         rix,
+  @{bin}/rm            rix,
+  @{bin}/systemctl     rix,
+
+  @{bin}/chgrp         rPx -> dmesg.service,
+  @{bin}/chmod         rPx -> dmesg.service,
+  @{bin}/savelog       rPx -> dmesg.service,
+
+  @{bin}/ldconfig      rPx -> ldconfig.service,
+
+  @{bin}/find          rPx -> man-db.service,
+  @{bin}/mandb         rPx -> man-db.service,
+  @{bin}/install       rPx -> man-db.service,
+
+  @{bin}/cp            rPx -> snapd.system-shutdown.service,
+  @{bin}/mkdir         rPx -> snapd.system-shutdown.service,
+
+  @{lib}/ r,
+
+  /var/cache/ldconfig/aux-cache* rw,
+
+  # grub-common.service
+  /boot/grub/grubenv rw,
+  /boot/grub/ w,
+
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  include if exists <local/systemd.service>
+}
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -1,7 +1,7 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'

-systemd attach_disconnected,complain
+systemd attach_disconnected,mediate_deleted,complain
 systemd-user attach_disconnected,complain

 aa-load complain