From 3c0b83d1b0238765af951860b1713cb5dfdc7b46 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Nov 2024 19:02:07 +0000
Subject: [PATCH] feat(profile): improve some systemd profiles.
---
 apparmor.d/groups/systemd/systemd-cat | 5 ++---
 apparmor.d/groups/systemd/systemd-cgls | 6 +++++-
 apparmor.d/groups/systemd/systemd-escape | 1 -
 apparmor.d/groups/systemd/systemd-sysusers | 6 ++++++
 apparmor.d/groups/systemd/systemd-userdbd | 2 ++
 apparmor.d/groups/systemd/userdbctl | 5 ++++-
 6 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat
index 967d776d..fd202c18 100644
--- a/apparmor.d/groups/systemd/systemd-cat
+++ b/apparmor.d/groups/systemd/systemd-cat
@@ -9,14 +9,13 @@ include
 @{exec_path} = @{bin}/systemd-cat
 profile systemd-cat @{exec_path} {
 include
+ include
+ include
 capability net_admin,
 @{exec_path} mr,
- @{bin}/cat rix,
- @{bin}/echo rix,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls
index d0ded5ee..e74280f6 100644
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@@ -10,7 +10,11 @@ include
 profile systemd-cgls @{exec_path} {
 include
- ptrace (read),
+ capability sys_ptrace,
+
+ ptrace read,
+
+ signal send set=cont peer=child-pager,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
index 4a542497..469ccc94 100644
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@@ -10,7 +10,6 @@ include
 profile systemd-escape @{exec_path} {
 include
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index e1ca76d5..254faeca 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
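Review bot: In the systemd-cgls hunk, `capability sys_ptrace,` is a broad new grant and nothing in the profile records why it is needed; a comment above it such as `# presumably to read @{PROC}/@{pid}/ of processes owned by other users while walking the cgroup tree — confirm` would keep the grant reviewable. The `ptrace read,` rule beside it carries no `peer=` qualifier, so it applies to every peer label — that scope is inherited from the replaced `ptrace (read),` line, but if it is intentional it deserves a one-line comment as well. The new `signal send set=cont peer=child-pager,` rule only has effect if the profile also transitions to that label (normally `@{pager_path} rPx -> child-pager,`); that rule is not in this hunk, and the profile body continues outside it, so confirm the transition exists rather than leaving the signal rule inert.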
@@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 capability fsetid,
 capability net_admin,
+ signal send set=cont peer=child-pager,
+
 @{exec_path} mr,
+ @{pager_path} rPx -> child-pager,
+
 # Config file locations
 /etc/sysusers.d/{,*.conf} r,
 @{run}/sysusers.d/{,*.conf} r,
@@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 /etc/.#{group,gshadow}@{hex} rw,
 /etc/.pwd.lock rwk,
+ owner @{PROC}/@{pid}/cgroup r,
+
 /dev/tty@{int} rw,
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index a38e455f..ce698dc9 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -25,7 +25,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 @{lib}/systemd/systemd-userwork rix,
+ /etc/gshadow r,
 /etc/shadow r,
+ /etc/machine-id r,
 @{run}/systemd/userdb/{,**} rw,
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index b4081eac..97625db3 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -21,11 +21,14 @@ profile userdbctl @{exec_path} {
 @{pager_path} rPx -> child-pager,
- /etc/shadow r,
 /etc/gshadow r,
+ /etc/shadow r,
+
+ /etc/machine-id r,
 @{PROC}/1/cgroup r,
 owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/gid_map r,
 owner @{PROC}/@{pid}/uid_map r,
 include if exists
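Review bot: In the systemd-userdbd hunk, `/etc/gshadow r,` joins the existing `/etc/shadow r,` with no comment, and the `@{lib}/systemd/systemd-userwork rix,` context line above means the worker processes inherit this profile and therefore the same read access to both secret files. A short comment above the pair, e.g. `# shadow/gshadow records are served to privileged userdb clients — confirm this is the only reason`, would document why a lookup daemon and its workers hold these reads. `/etc/machine-id r,` is added both here and in the userdbctl hunk; if the base abstraction each profile includes already grants it, both lines are redundant, so check that before keeping the duplicates. The enclosing profile blocks start and end outside these hunks.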