From 23be43ebd011aa895cb6c98a6509c173bb098e03 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 22 Nov 2023 18:42:23 +0000
Subject: [PATCH] feat(full): improve how systemd handle services
---
 apparmor.d/groups/_full/systemd | 46 ++++++++++------
 apparmor.d/groups/service/dmesg.service | 2 +-
 apparmor.d/groups/service/init-exim4 | 37 +++++++++++++
 apparmor.d/groups/service/ldconfig.service | 2 +-
 apparmor.d/groups/service/man-db.service | 19 +++++++
 .../service/snapd.system-shutdown.service | 22 ++++++++
 apparmor.d/groups/service/systemd.service | 53 +++++++++++++++++++
 dists/flags/main.flags | 2 +-
 8 files changed, 163 insertions(+), 20 deletions(-)
 create mode 100644 apparmor.d/groups/service/init-exim4
 create mode 100644 apparmor.d/groups/service/man-db.service
 create mode 100644 apparmor.d/groups/service/snapd.system-shutdown.service
 create mode 100644 apparmor.d/groups/service/systemd.service
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 97c72db9..adf9cf01 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -17,7 +17,7 @@ abi ,
 include
-profile systemd flags=(attach_disconnected) {
+profile systemd flags=(attach_disconnected,mediate_deleted) {
   include
   include
   include
@@ -35,6 +35,7 @@ profile systemd flags=(attach_disconnected) {
   include
   # Needed by systemd
+  capability audit_control,
   capability audit_read,
   capability audit_write,
   capability bpf,
@@ -46,9 +47,9 @@ profile systemd flags=(attach_disconnected) {
   capability mknod,
   capability perfmon,
   capability sys_admin,
-  capability sys_tty_config,
-  capability sys_resource,
   capability sys_chroot,
+  capability sys_resource,
+  capability sys_tty_config,
   # Required by stacked profiles
   capability net_admin,
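Review bot: `capability audit_control,` is added in the second hunk with no note on which systemd operation needs it; unlike the neighbouring audit_read/audit_write it allows changing the kernel audit configuration itself (enabling, disabling, filter rules), and because main.flags still keeps the profile in `complain`, a denial that was only logged is easy to over-grant. Add a comment beside the rule, e.g. `# audit_control: needed by <TODO: which systemd operation> — confirm against the denial log`, or hold the capability back until the need is established. The profile body continues outside these hunks.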
@@ -90,15 +91,27 @@ profile systemd flags=(attach_disconnected) {
   dbus, # TODO: WIP
   dbus bind bus=system name=org.freedesktop.systemd1,
-  @{bin}/{,u}mount rix,
-  @{bin}/ldconfig rPx -> ldconfig.service,
-  @{bin}/chgrp rPx -> dmesg.service,
-  @{bin}/chmod rPx -> dmesg.service,
-  @{bin}/savelog rPx -> dmesg.service,
+  @{bin}/systemctl rix,
+  @{bin}/true rix,
+  @{lib}/systemd/systemd rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
-  audit @{lib}/** Pix,
-  audit @{bin}/** Pix,
-  audit /etc/init.d/* PUx,
+  @{bin}/{,ba,da}sh rPx -> systemd.service,
+  @{bin}/chgrp rPx -> systemd.service,
+  @{bin}/chmod rPx -> systemd.service,
+  @{bin}/cp rPx -> systemd.service,
+  @{bin}/find rPx -> systemd.service,
+  @{bin}/install rPx -> systemd.service,
+  @{bin}/ldconfig rPx -> systemd.service,
+  @{bin}/mandb rPx -> systemd.service,
+  @{bin}/mkdir rPx -> systemd.service,
+  @{bin}/mount rPx -> systemd.service,
+  @{bin}/savelog rPx -> systemd.service,
+
+  audit @{bin}/** Pix,
+  audit @{lib}/** Pix,
+  audit /etc/cron.*/* PUx,
+  audit /etc/init.d/* PUx,
+  audit /usr/share/*/* Pix,
   @{bin}/pipewire rPx -> systemd//&pipewire,
   @{bin}/pipewire-media-session rPx -> systemd//&pipewire-media-session,
@@ -107,16 +120,11 @@ profile systemd flags=(attach_disconnected) {
   @{bin}/wireplumber rPx -> systemd//&wireplumber,
   @{lib}/{,polkit-1/}polkitd rPx -> systemd//&polkitd,
-  @{lib}/snapd/snapd-apparmor rPx,
-  # @{lib}/systemd/systemd rPx -> systemd-user, # FIXME: only works on server
+  @{lib}/pulse/gsettings-helper rPx -> systemd//&pulseaudio,
   @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd,
   @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved,
   @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
-  /usr/share/apport/apport rPx,
-  /usr/share/gdm/generate-config rPx,
-  /usr/share/unattended-upgrades/unattended-upgrade-shutdown rPx,
-
   / r,
   /boot/ r,
   /boot/efi/ r,
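Review bot: The audited catch-alls `audit @{bin}/** Pix,`, `audit @{lib}/** Pix,` and the new `audit /usr/share/*/* Pix,` fall back to `ix` when no profile exists for the target, so any unprofiled binary under those globs keeps running under this profile with its full capability set (sys_admin, net_admin and the rest listed in the earlier hunks), while `audit /etc/cron.*/* PUx,` and `audit /etc/init.d/* PUx,` fall back to unconfined. The next hunk removes the explicit `rPx` rules for snapd-apparmor, apport, gdm generate-config and unattended-upgrade-shutdown, so those binaries now rely on that fallback instead of being denied when their profile is missing. This is presumably a WIP sweep that only matters while the profile stays in complain mode, but the fallback semantics should be stated where the rules live, e.g. `# Catch-all (WIP): unprofiled targets inherit this profile (ix fallback); cron and init.d scripts may run unconfined (PUx)`. The profile body continues on both sides of these hunks.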
@@ -136,6 +144,7 @@ profile systemd flags=(attach_disconnected) {
   /etc/default/** r,
   /etc/environment r,
   /etc/environment.d/{,**} r,
+  /etc/locale.conf r,
   /etc/machine-id r,
   /etc/modules-load.d/ r,
   /etc/networkd-dispatcher/{,**} r,
@@ -171,6 +180,7 @@ profile systemd flags=(attach_disconnected) {
   @{sys}/bus/ r,
   @{sys}/class/ r,
+  @{sys}/class/power_supply r,
   @{sys}/class/sound/ r,
   @{sys}/devices/@{pci}/** r,
   @{sys}/devices/**/net/** r,
@@ -219,6 +229,8 @@ profile systemd flags=(attach_disconnected) {
   /dev/tty@{int} rwk,
   owner /dev/console rwk,
   owner /dev/hugepages/ rw,
+  owner /dev/initctl rw,
+  owner /dev/input/event@{int} rw,
   owner /dev/mqueue/ rw,
   owner /dev/ttyS@{int} rwk,
diff --git a/apparmor.d/groups/service/dmesg.service b/apparmor.d/groups/service/dmesg.service
index cc12313d..ce825ce7 100644
--- a/apparmor.d/groups/service/dmesg.service
+++ b/apparmor.d/groups/service/dmesg.service
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
 abi ,
diff --git a/apparmor.d/groups/service/init-exim4 b/apparmor.d/groups/service/init-exim4
new file mode 100644
index 00000000..d93dafca
--- /dev/null
+++ b/apparmor.d/groups/service/init-exim4
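Review bot: `@{sys}/class/power_supply r,` has no trailing slash, unlike the neighbouring `@{sys}/class/ r,` and `@{sys}/class/sound/ r,`; /sys/class/power_supply is a directory, and an AppArmor path rule without the trailing `/` does not permit listing it, so the rule probably does not cover the access that prompted it. If directory enumeration is what was denied, change it to `@{sys}/class/power_supply/ r,`. The profile body continues outside the hunk.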
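Review bot: `owner /dev/input/event@{int} rw,` gives the systemd profile read/write on raw input event devices, i.e. access to every key and pointer event on the machine; evdev handling is normally done by a service rather than by systemd itself, though I cannot tell from the diff which process produced the denial. If it came from a stacked or child process, the rule belongs in that profile; if systemd really needs it, a comment naming the component would keep the grant reviewable, e.g. `# input/event: opened by <TODO: which systemd component> — confirm`. The profile body continues outside the hunk.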
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/init.d/exim4
+profile init-exim4 @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  @{bin}/cat rix,
+  @{bin}/chmod rix,
+  @{bin}/chown rix,
+  @{bin}/dirname rix,
+  @{bin}/exim4 rPx,
+  @{bin}/getopt rix,
+  @{bin}/grep rix,
+  @{bin}/id rix,
+  @{bin}/install rix,
+  @{bin}/mv rix,
+  @{bin}/plymouth rPx,
+  @{bin}/run-parts rix,
+  @{bin}/sed rix,
+  @{bin}/start-stop-daemon rix,
+  @{bin}/systemctl rix,
+  @{bin}/touch rix,
+  @{bin}/tr rix,
+  @{bin}/update-exim4.conf rix,
+
+  /var/lib/exim4/config.autogenerated.tmp rw,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/service/ldconfig.service b/apparmor.d/groups/service/ldconfig.service
index 736b7ae7..8b97d595 100644
--- a/apparmor.d/groups/service/ldconfig.service
+++ b/apparmor.d/groups/service/ldconfig.service
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
 abi ,
diff --git a/apparmor.d/groups/service/man-db.service b/apparmor.d/groups/service/man-db.service
new file mode 100644
index 00000000..5660bb66
--- /dev/null
+++ b/apparmor.d/groups/service/man-db.service
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
+
+abi ,
+
+include
+
+profile man-db.service @{exec_path} {
+  include
+
+  @{bin}/install mr,
+  @{bin}/find mr,
+
+  include if exists
+}
\ No newline at end of file
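Review bot: The only file rule in init-exim4 is `/var/lib/exim4/config.autogenerated.tmp rw,`, while `@{bin}/mv rix,` and `@{bin}/update-exim4.conf rix,` run inherited; update-exim4.conf presumably finishes by renaming the `.tmp` file over the final config (I cannot confirm that from the diff), and if so the rename target needs write access as well, e.g. `/var/lib/exim4/config.autogenerated{,.tmp} rw,`. Likewise `@{bin}/run-parts rix,` runs inherited but no rule covers the scripts it executes, so in enforce mode those execs are denied; a comment naming the hook directory it is expected to iterate would make the intended scope reviewable.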
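Review bot: man-db.service allows `@{bin}/install mr,` and `@{bin}/find mr,` but not mandb, even though the systemd.service profile in this patch also transitions `@{bin}/mandb rPx -> man-db.service,`; because the profile has no attachment path, the executed binary has to be mapped explicitly (the same reason install and find get `mr`), so mandb would be denied on entry in enforce mode. Add `@{bin}/mandb mr,` beside the two existing rules.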
diff --git a/apparmor.d/groups/service/snapd.system-shutdown.service b/apparmor.d/groups/service/snapd.system-shutdown.service
new file mode 100644
index 00000000..01830b89
--- /dev/null
+++ b/apparmor.d/groups/service/snapd.system-shutdown.service
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
+
+abi ,
+
+include
+
+profile snapd.system-shutdown.service @{exec_path} {
+  include
+
+  @{bin}/cp mr,
+  @{bin}/mkdir mr,
+
+  @{run}/initramfs/shutdown rw,
+  @{run}/initramfs/ rw,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/service/systemd.service b/apparmor.d/groups/service/systemd.service
new file mode 100644
index 00000000..fcfed4f9
--- /dev/null
+++ b/apparmor.d/groups/service/systemd.service
@@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for a systemd service, it does not specify an attachment path because
+# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+
+abi ,
+
+include
+
+profile systemd.service @{exec_path} flags=(attach_disconnected) {
+  include
+  include
+
+  capability sys_admin,
+
+  @{bin}/{,ba,da}sh rm,
+
+  @{bin}/grep rix,
+  @{bin}/grub-editenv rPx,
+  @{bin}/ibus-daemon rPx,
+  @{bin}/mkdir rix,
+  @{bin}/mount rix,
+  @{bin}/rm rix,
+  @{bin}/systemctl rix,
+
+  @{bin}/chgrp rPx -> dmesg.service,
+  @{bin}/chmod rPx -> dmesg.service,
+  @{bin}/savelog rPx -> dmesg.service,
+
+  @{bin}/ldconfig rPx -> ldconfig.service,
+
+  @{bin}/find rPx -> man-db.service,
+  @{bin}/mandb rPx -> man-db.service,
+  @{bin}/install rPx -> man-db.service,
+
+  @{bin}/cp rPx -> snapd.system-shutdown.service,
+  @{bin}/mkdir rPx -> snapd.system-shutdown.service,
+
+  @{lib}/ r,
+
+  /var/cache/ldconfig/aux-cache* rw,
+
+  # grub-common.service
+  /boot/grub/grubenv rw,
+  /boot/grub/ w,
+
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index cf97f94e..5e64a76d 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -1,7 +1,7 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: ' '
-systemd attach_disconnected,complain
+systemd attach_disconnected,mediate_deleted,complain
 systemd-user attach_disconnected,complain
 aa-load complain
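Review bot: `@{bin}/mkdir` gets two conflicting exec rules in the same profile, `@{bin}/mkdir rix,` and `@{bin}/mkdir rPx -> snapd.system-shutdown.service,`; whether the parser rejects the conflicting x modifiers or one rule silently wins (I cannot tell from the diff), the intended transition is unclear, so drop the `rix` one if mkdir only runs on behalf of snapd's shutdown hook. More broadly, this shared profile carries `capability sys_admin,` and runs `mount`, `rm` and `systemctl` inherited, so every caller that transitions here (the `{,ba,da}sh` entry included) receives the union of rights needed by all the units it stands in for; a header comment listing those units, as the `# grub-common.service` marker already does for one of them, would keep that surface reviewable as more transitions are added.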