feat(profile): improve some systemd profiles.

2025-02-03 08:45:06 +01:00 · 2024-11-10 19:02:07 +00:00 · 2024-11-10 19:02:07 +00:00 · 3c0b83d1b0
commit 3c0b83d1b0
parent 7b9d412f02
6 changed files with 19 additions and 6 deletions
--- a/apparmor.d/groups/systemd/systemd-cat
+++ b/apparmor.d/groups/systemd/systemd-cat
@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cat
 profile systemd-cat @{exec_path} {
  include <abstractions/base>
+  include <abstractions/app-launcher-root>
+  include <abstractions/consoles>

  capability net_admin,

  @{exec_path} mr,

-  @{bin}/cat rix,
-  @{bin}/echo rix,
-
  include if exists <local/systemd-cat>
 }

--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@ -10,7 +10,11 @@ include <tunables/global>
 profile systemd-cgls @{exec_path} {
  include <abstractions/base>

-  ptrace (read),
+  capability sys_ptrace,
+
+  ptrace read,
+
+  signal send set=cont peer=child-pager,

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@ -10,7 +10,6 @@ include <tunables/global>
 profile systemd-escape @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/common/systemd>

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  capability fsetid,
  capability net_admin,

+  signal send set=cont peer=child-pager,
+
  @{exec_path} mr,

+  @{pager_path} rPx -> child-pager,
+
  # Config file locations
  /etc/sysusers.d/{,*.conf} r,
  @{run}/sysusers.d/{,*.conf} r,
@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  /etc/.#{group,gshadow}@{hex} rw,
  /etc/.pwd.lock rwk,

+  owner @{PROC}/@{pid}/cgroup r,
+
        /dev/tty@{int} rw,
  owner /dev/pts/@{int} rw,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -25,7 +25,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)

  @{lib}/systemd/systemd-userwork rix,

+  /etc/gshadow r,
  /etc/shadow r,
+
  /etc/machine-id r,

  @{run}/systemd/userdb/{,**} rw,
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@ -21,11 +21,14 @@ profile userdbctl @{exec_path} {

  @{pager_path} rPx -> child-pager,

-  /etc/shadow r,
  /etc/gshadow r,
+  /etc/shadow r,
+
+  /etc/machine-id r,

        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/gid_map r,
  owner @{PROC}/@{pid}/uid_map r,

  include if exists <local/userdbctl>