From 491d2176a80d5ae8419d9d84dcdf348292bdd843 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 24 Feb 2023 20:40:04 +0000
Subject: [PATCH] feat(profiles): add systemd as user.
---
apparmor.d/groups/_full/systemd | 136 ++++++++++++++++++++++++++++++++
1 file changed, 136 insertions(+)
create mode 100644 apparmor.d/groups/_full/systemd
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
new file mode 100644
index 00000000..87e9d163
--- /dev/null
+++ b/apparmor.d/groups/_full/systemd
@@ -0,0 +1,136 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This is not /sbin/init (PID 1) but systemd --user
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer.
+# See https://apparmor.pujol.io/development/structure/#full-system-policy
+# for more information.
+
+# Distributions and other programs can add rules in the usr/systemd.d directory
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd
+profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ ptrace (read),
+
+ signal (send) set=(term, cont, kill),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/systemctl rCx -> systemctl,
+
+ /{usr/,}lib/systemd/user-environment-generators/* rPx,
+ /{usr/,}lib/systemd/user-environment-generators/* rPx,
+ /{usr/,}lib/systemd/user-generators/* rPx,
+
+ # Server
+ /{usr/,}lib/openssh/agent-launch rPx,
+
+ # Dbus
+ @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
+ /{usr/,}bin/dbus-daemon rPx,
+
+ # Desktop
+ @{libexec}/xdg-desktop-portal* rPx,
+ @{libexec}/xdg-document-portal rPx,
+ @{libexec}/xdg-permission-store rPx,
+ /{usr/,}bin/xdg-user-dirs-update rPx,
+
+ # Audio
+ /{usr/,}bin/pipewire rux, # FIXME: no new privs
+ /{usr/,}bin/wireplumber rux, # FIXME: no new privs
+ /{usr/,}bin/pipewire-pulse rux, # FIXME: no new privs
+
+ # Gnome
+ @{libexec}/{,dconf/}dconf-service rPx,
+ @{libexec}/evolution-addressbook-factory rPx,
+ @{libexec}/evolution-calendar-factory rPx,
+ @{libexec}/evolution-source-registry rPx,
+ @{libexec}/gnome-session-binary rPx,
+ @{libexec}/gnome-session-ctl rPx,
+ @{libexec}/gnome-terminal-server rPx,
+ @{libexec}/goa-* rPx,
+ @{libexec}/gsd-* rPx,
+ @{libexec}/gvfs-* rPx,
+ @{libexec}/gvfsd* rPx,
+ @{libexec}/tracker-extract-* rPx,
+ @{libexec}/tracker-miner-* rPx,
+ /{usr/,}bin/gjs rPx,
+ /{usr/,}bin/gnome-keyring-daemon rPx,
+ /{usr/,}bin/gnome-shell rPx,
+ /{usr/,}lib/dconf/dconf-service rPx,
+ /{usr/,}lib/gvfs/gvfs-* rPx,
+ /{usr/,}lib/gvfs/gvfsd* rPx,
+
+ # Ubuntu
+ /{usr/,}bin/snap rPx,
+
+ /etc/systemd/user.conf r,
+ /etc/systemd/user.conf.d/{,**} r,
+ /etc/systemd/user/{,**} r,
+
+ /usr/ r,
+
+ owner @{user_config_dirs}/systemd/user/{,**} r,
+
+ owner @{run}/user/@{uid}/{,*/,*} rw,
+ owner @{run}/user/@{uid}/*/* rw,
+ owner @{run}/user/@{uid}/systemd/{,**} rw,
+
+ @{run}/mount/utab r,
+ @{run}/systemd/notify w,
+ @{run}/udev/data/* r,
+ @{run}/udev/tags/systemd/ r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
+ @{sys}/module/apparmor/parameters/enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
+
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/fs/nr_open r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/threads-max r,
+ owner @{PROC}/@{pids}/attr/apparmor/exec w,
+ owner @{PROC}/@{pids}/fd/ r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ owner @{PROC}/@{pids}/oom_score_adj rw,
+
+ profile systemctl {
+ include
+
+ /{usr/,}bin/systemctl mr,
+
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pids}/status r,
+
+ include if exists
+ include if exists
+ }
+
+ include if exists
+ include if exists
+}
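Review bot: The exec rule `/{usr/,}lib/systemd/user-environment-generators/* rPx,` is written twice in a row just below the `systemctl rCx` transition; the second copy is redundant and should be dropped. The `ptrace (read),` and `signal (send) set=(term, cont, kill),` rules carry no `peer=` qualifier, so they grant read-ptrace and signalling towards any process this user can reach rather than only the units this manager spawned; if that breadth is not needed, scoping them with `peer=` keeps the user manager from serving as a generic probe of the session, though which target profiles to name can only be inferred from the rPx list here. The `abi ,`, `include` and `include if exists` lines show no target in this rendering; if that reflects the file rather than the page, the profile will not parse and the abstraction/tunable targets need restoring.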