mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-24 14:06:47 +01:00
feat(full): update full system structure.
- Aims to be compatible with full-policy profile - Required by systemd
This commit is contained in:
parent
4df3f2e52f
commit
499b9e785d
3 changed files with 143 additions and 144 deletions
|
@ -1,15 +0,0 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Full system policy profile.
|
||||
|
||||
# /sbin/init (PID 1) is a link to /usr/lib/systemd/systemd
|
||||
|
||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||
# break your computer.
|
||||
# See https://apparmor.pujol.io/development/structure/#full-system-policy
|
||||
# for more information.
|
||||
|
||||
# Distributions and other programs can add rules in the usr/init.d directory
|
||||
|
|
@ -2,137 +2,13 @@
|
|||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# This is not /sbin/init (PID 1) but systemd --user
|
||||
# Main profile for full system policy.
|
||||
|
||||
# Profile for systemd (PID 1), it does not specify an attachment path because
|
||||
# it is direclty used by systemd.
|
||||
|
||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||
# break your computer.
|
||||
# See https://apparmor.pujol.io/development/structure/#full-system-policy
|
||||
# for more information.
|
||||
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
|
||||
|
||||
# Distributions and other programs can add rules in the usr/systemd.d directory
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd
|
||||
profile systemd @{lib}/systemd/systemd flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
signal (send) set=(term, cont, kill),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
||||
@{lib}/systemd/user-environment-generators/* rPx,
|
||||
@{lib}/systemd/user-environment-generators/* rPx,
|
||||
@{lib}/systemd/user-generators/* rPx,
|
||||
|
||||
# Server
|
||||
@{lib}/openssh/agent-launch rPx,
|
||||
|
||||
# Dbus
|
||||
@{bin}/dbus-daemon rPx,
|
||||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
|
||||
|
||||
# Desktop
|
||||
@{bin}/xdg-user-dirs-update rPx,
|
||||
@{lib}/xdg-desktop-portal* rPx,
|
||||
@{lib}/xdg-document-portal rPx,
|
||||
@{lib}/xdg-permission-store rPx,
|
||||
|
||||
# Audio
|
||||
@{bin}/pipewire rux, # FIXME: no new privs
|
||||
@{bin}/pipewire-pulse rux, # FIXME: no new privs
|
||||
@{bin}/pulseaudio rux, # FIXME: no new privs
|
||||
@{bin}/wireplumber rux, # FIXME: no new privs
|
||||
|
||||
# Gnome
|
||||
@{bin}/gjs rPx,
|
||||
@{bin}/gnome-keyring-daemon rPx,
|
||||
@{bin}/gnome-shell rPx,
|
||||
@{bin}/gsettings rPx,
|
||||
@{lib}/{,dconf/}dconf-service rPx,
|
||||
@{lib}/dconf/dconf-service rPx,
|
||||
@{lib}/evolution-addressbook-factory rPx,
|
||||
@{lib}/evolution-calendar-factory rPx,
|
||||
@{lib}/evolution-source-registry rPx,
|
||||
@{lib}/gnome-session-binary rPx,
|
||||
@{lib}/gnome-session-ctl rPx,
|
||||
@{lib}/gnome-terminal-server rPx,
|
||||
@{lib}/goa-* rPx,
|
||||
@{lib}/gsd-* rPx,
|
||||
@{lib}/gvfs-* rPx,
|
||||
@{lib}/gvfs/gvfs-* rPx,
|
||||
@{lib}/gvfs/gvfsd* rPx,
|
||||
@{lib}/gvfsd* rPx,
|
||||
@{lib}/tracker-extract-* rPx,
|
||||
@{lib}/tracker-miner-* rPx,
|
||||
|
||||
# Ubuntu
|
||||
@{bin}/snap rPx,
|
||||
|
||||
/etc/systemd/user.conf r,
|
||||
/etc/systemd/user.conf.d/{,**} r,
|
||||
/etc/systemd/user/{,**} r,
|
||||
|
||||
/usr/ r,
|
||||
|
||||
owner @{user_config_dirs}/systemd/user/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/{,*/,*} rw,
|
||||
owner @{run}/user/@{uid}/*/* rw,
|
||||
owner @{run}/user/@{uid}/systemd/{,**} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/systemd/notify w,
|
||||
@{run}/udev/data/* r,
|
||||
@{run}/udev/tags/systemd/ r,
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/swaps r,
|
||||
@{PROC}/sys/fs/nr_open r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/threads-max r,
|
||||
owner @{PROC}/@{pids}/attr/apparmor/exec w,
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pids}/status r,
|
||||
|
||||
include if exists <usr/systemd_systemctl.d>
|
||||
include if exists <local/systemd_systemctl>
|
||||
}
|
||||
|
||||
include if exists <usr/systemd.d>
|
||||
include if exists <local/systemd>
|
||||
}
|
||||
|
|
138
apparmor.d/groups/_full/systemd-user
Normal file
138
apparmor.d/groups/_full/systemd-user
Normal file
|
@ -0,0 +1,138 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Profile for 'systemd --user' (not PID 1), it does not specify an attachment
|
||||
# path because it is intended to be used only via "Px -> systemd-user" exec
|
||||
# transitions from the systemd profile.
|
||||
|
||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
|
||||
|
||||
# Distributions and other programs can add rules in the usr/systemd-user.d directory
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd
|
||||
profile systemd-user flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
signal (send) set=(term, cont, kill),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/systemctl rCx -> systemctl,
|
||||
|
||||
@{lib}/systemd/user-environment-generators/* rPx,
|
||||
@{lib}/systemd/user-environment-generators/* rPx,
|
||||
@{lib}/systemd/user-generators/* rPx,
|
||||
|
||||
# Server
|
||||
@{lib}/openssh/agent-launch rPx,
|
||||
|
||||
# Dbus
|
||||
@{bin}/dbus-daemon rPx,
|
||||
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
|
||||
|
||||
# Desktop
|
||||
@{bin}/xdg-user-dirs-update rPx,
|
||||
@{lib}/xdg-desktop-portal* rPx,
|
||||
@{lib}/xdg-document-portal rPx,
|
||||
@{lib}/xdg-permission-store rPx,
|
||||
|
||||
# Audio
|
||||
@{bin}/pipewire rux, # FIXME: no new privs
|
||||
@{bin}/pipewire-pulse rux, # FIXME: no new privs
|
||||
@{bin}/pulseaudio rux, # FIXME: no new privs
|
||||
@{bin}/wireplumber rux, # FIXME: no new privs
|
||||
|
||||
# Gnome
|
||||
@{bin}/gjs rPx,
|
||||
@{bin}/gnome-keyring-daemon rPx,
|
||||
@{bin}/gnome-shell rPx,
|
||||
@{bin}/gsettings rPx,
|
||||
@{lib}/{,dconf/}dconf-service rPx,
|
||||
@{lib}/dconf/dconf-service rPx,
|
||||
@{lib}/evolution-addressbook-factory rPx,
|
||||
@{lib}/evolution-calendar-factory rPx,
|
||||
@{lib}/evolution-source-registry rPx,
|
||||
@{lib}/gnome-session-binary rPx,
|
||||
@{lib}/gnome-session-ctl rPx,
|
||||
@{lib}/gnome-terminal-server rPx,
|
||||
@{lib}/goa-* rPx,
|
||||
@{lib}/gsd-* rPx,
|
||||
@{lib}/gvfs-* rPx,
|
||||
@{lib}/gvfs/gvfs-* rPx,
|
||||
@{lib}/gvfs/gvfsd* rPx,
|
||||
@{lib}/gvfsd* rPx,
|
||||
@{lib}/tracker-extract-* rPx,
|
||||
@{lib}/tracker-miner-* rPx,
|
||||
|
||||
# Ubuntu
|
||||
@{bin}/snap rPx,
|
||||
|
||||
/etc/systemd/user.conf r,
|
||||
/etc/systemd/user.conf.d/{,**} r,
|
||||
/etc/systemd/user/{,**} r,
|
||||
|
||||
/usr/ r,
|
||||
|
||||
owner @{user_config_dirs}/systemd/user/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/{,*/,*} rw,
|
||||
owner @{run}/user/@{uid}/*/* rw,
|
||||
owner @{run}/user/@{uid}/systemd/{,**} rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/systemd/notify w,
|
||||
@{run}/udev/data/* r,
|
||||
@{run}/udev/tags/systemd/ r,
|
||||
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
|
||||
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/swaps r,
|
||||
@{PROC}/sys/fs/nr_open r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/threads-max r,
|
||||
owner @{PROC}/@{pids}/attr/apparmor/exec w,
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
|
||||
profile systemctl {
|
||||
include <abstractions/base>
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pids}/status r,
|
||||
|
||||
include if exists <usr/systemd_systemctl.d>
|
||||
include if exists <local/systemd_systemctl>
|
||||
}
|
||||
|
||||
include if exists <usr/systemd-user.d>
|
||||
include if exists <local/systemd-user>
|
||||
}
|
Loading…
Reference in a new issue