diff --git a/apparmor.d/groups/_full/init b/apparmor.d/groups/_full/init deleted file mode 100644 index d6248b2c..00000000 --- a/apparmor.d/groups/_full/init +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Full system policy profile. - -# /sbin/init (PID 1) is a link to /usr/lib/systemd/systemd - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. -# See https://apparmor.pujol.io/development/structure/#full-system-policy -# for more information. - -# Distributions and other programs can add rules in the usr/init.d directory - diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eeb1181f..ddf859ad 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -2,137 +2,13 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This is not /sbin/init (PID 1) but systemd --user +# Main profile for full system policy. + +# Profile for systemd (PID 1), it does not specify an attachment path because +# it is direclty used by systemd. # Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. -# See https://apparmor.pujol.io/development/structure/#full-system-policy -# for more information. +# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy. # Distributions and other programs can add rules in the usr/systemd.d directory -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd -profile systemd @{lib}/systemd/systemd flags=(complain) { - include - include - include - include - - network netlink raw, - - ptrace (read), - - signal (send) set=(term, cont, kill), - - @{exec_path} mr, - - @{bin}/{,ba,da}sh rix, - @{bin}/systemctl rCx -> systemctl, - - @{lib}/systemd/user-environment-generators/* rPx, - @{lib}/systemd/user-environment-generators/* rPx, - @{lib}/systemd/user-generators/* rPx, - - # Server - @{lib}/openssh/agent-launch rPx, - - # Dbus - @{bin}/dbus-daemon rPx, - @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, - - # Desktop - @{bin}/xdg-user-dirs-update rPx, - @{lib}/xdg-desktop-portal* rPx, - @{lib}/xdg-document-portal rPx, - @{lib}/xdg-permission-store rPx, - - # Audio - @{bin}/pipewire rux, # FIXME: no new privs - @{bin}/pipewire-pulse rux, # FIXME: no new privs - @{bin}/pulseaudio rux, # FIXME: no new privs - @{bin}/wireplumber rux, # FIXME: no new privs - - # Gnome - @{bin}/gjs rPx, - @{bin}/gnome-keyring-daemon rPx, - @{bin}/gnome-shell rPx, - @{bin}/gsettings rPx, - @{lib}/{,dconf/}dconf-service rPx, - @{lib}/dconf/dconf-service rPx, - @{lib}/evolution-addressbook-factory rPx, - @{lib}/evolution-calendar-factory rPx, - @{lib}/evolution-source-registry rPx, - @{lib}/gnome-session-binary rPx, - 
@{lib}/gnome-session-ctl rPx, - @{lib}/gnome-terminal-server rPx, - @{lib}/goa-* rPx, - @{lib}/gsd-* rPx, - @{lib}/gvfs-* rPx, - @{lib}/gvfs/gvfs-* rPx, - @{lib}/gvfs/gvfsd* rPx, - @{lib}/gvfsd* rPx, - @{lib}/tracker-extract-* rPx, - @{lib}/tracker-miner-* rPx, - - # Ubuntu - @{bin}/snap rPx, - - /etc/systemd/user.conf r, - /etc/systemd/user.conf.d/{,**} r, - /etc/systemd/user/{,**} r, - - /usr/ r, - - owner @{user_config_dirs}/systemd/user/{,**} r, - - owner @{run}/user/@{uid}/{,*/,*} rw, - owner @{run}/user/@{uid}/*/* rw, - owner @{run}/user/@{uid}/systemd/{,**} rw, - - @{run}/mount/utab r, - @{run}/systemd/notify w, - @{run}/udev/data/* r, - @{run}/udev/tags/systemd/ r, - - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/cgroup r, - @{PROC}/cmdline r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pids}/attr/apparmor/exec w, - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - profile systemctl { - include - - @{bin}/systemctl mr, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pids}/status r, - - include if exists - include if exists - } - - include if exists - include if exists -} diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user new file mode 100644 index 00000000..1accc54d --- /dev/null +++ b/apparmor.d/groups/_full/systemd-user 
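Review bot: After this hunk the `systemd` file keeps only header comments — every `abi`, `include` and the entire `profile systemd ... { }` body is removed with nothing added in its place — so the PID 1 profile the new header describes, and the `Px -> systemd-user` transition the new systemd-user file says it relies on, are not defined anywhere in this commit. Presumably the rules now live in a `usr/systemd.d` drop-in or a follow-up commit; that should be confirmed, otherwise `systemd --user` is never switched into the new profile and the exec rule `@{lib}/systemd/systemd rPx -> systemd-user,` is missing. The new header line also has a typo, `# it is direclty used by systemd.` should read `# it is directly used by systemd.`, and it would help to state (hedged if unsure) how systemd selects the profile by name, since that is the reason given for omitting the attachment path. The removed profile body is history and is not re-reviewed here.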
@@ -0,0 +1,138 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for 'systemd --user' (not PID 1), it does not specify an attachment
+# path because it is intended to be used only via "Px -> systemd-user" exec
+# transitions from the systemd profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
+
+# Distributions and other programs can add rules in the usr/systemd-user.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd
+profile systemd-user flags=(complain) {
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ ptrace (read),
+
+ signal (send) set=(term, cont, kill),
+
+ @{exec_path} mr,
+
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/systemctl rCx -> systemctl,
+
+ @{lib}/systemd/user-environment-generators/* rPx,
+ @{lib}/systemd/user-environment-generators/* rPx,
+ @{lib}/systemd/user-generators/* rPx,
+
+ # Server
+ @{lib}/openssh/agent-launch rPx,
+
+ # Dbus
+ @{bin}/dbus-daemon rPx,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
+
+ # Desktop
+ @{bin}/xdg-user-dirs-update rPx,
+ @{lib}/xdg-desktop-portal* rPx,
+ @{lib}/xdg-document-portal rPx,
+ @{lib}/xdg-permission-store rPx,
+
+ # Audio
+ @{bin}/pipewire rux, # FIXME: no new privs
+ @{bin}/pipewire-pulse rux, # FIXME: no new privs
+ @{bin}/pulseaudio rux, # FIXME: no new privs
+ @{bin}/wireplumber rux, # FIXME: no new privs
+
+ # Gnome
+ @{bin}/gjs rPx,
+ @{bin}/gnome-keyring-daemon rPx,
+ @{bin}/gnome-shell rPx,
+ @{bin}/gsettings rPx,
+ @{lib}/{,dconf/}dconf-service rPx,
+ @{lib}/dconf/dconf-service rPx,
+ @{lib}/evolution-addressbook-factory rPx,
+ @{lib}/evolution-calendar-factory rPx,
+ @{lib}/evolution-source-registry rPx,
+ @{lib}/gnome-session-binary rPx,
+ @{lib}/gnome-session-ctl rPx,
+ @{lib}/gnome-terminal-server rPx,
+ @{lib}/goa-* rPx,
+ @{lib}/gsd-* rPx,
+ @{lib}/gvfs-* rPx,
+ @{lib}/gvfs/gvfs-* rPx,
+ @{lib}/gvfs/gvfsd* rPx,
+ @{lib}/gvfsd* rPx,
+ @{lib}/tracker-extract-* rPx,
+ @{lib}/tracker-miner-* rPx,
+
+ # Ubuntu
+ @{bin}/snap rPx,
+
+ /etc/systemd/user.conf r,
+ /etc/systemd/user.conf.d/{,**} r,
+ /etc/systemd/user/{,**} r,
+
+ /usr/ r,
+
+ owner @{user_config_dirs}/systemd/user/{,**} r,
+
+ owner @{run}/user/@{uid}/{,*/,*} rw,
+ owner @{run}/user/@{uid}/*/* rw,
+ owner @{run}/user/@{uid}/systemd/{,**} rw,
+
+ @{run}/mount/utab r,
+ @{run}/systemd/notify w,
+ @{run}/udev/data/* r,
+ @{run}/udev/tags/systemd/ r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
+ @{sys}/module/apparmor/parameters/enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
+
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/cmdline r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/fs/nr_open r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/threads-max r,
+ owner @{PROC}/@{pids}/attr/apparmor/exec w,
+ owner @{PROC}/@{pids}/fd/ r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ owner @{PROC}/@{pids}/oom_score_adj rw,
+
+ profile systemctl {
+ include
+
+ @{bin}/systemctl mr,
+
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ owner @{PROC}/@{pids}/status r,
+
+ include if exists
+ include if exists
+ }
+
+ include if exists
+ include if exists
+}
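Review bot: Two rules in the new systemd-user profile are redundant: `@{lib}/systemd/user-environment-generators/* rPx,` is listed twice back to back, and `@{lib}/dconf/dconf-service rPx,` is already matched by the preceding `@{lib}/{,dconf/}dconf-service rPx,`; drop the second copy of each so every exec transition appears once and a later reader does not wonder whether the two copies were meant to differ. The four audio lines keep `rux`, which leaves pipewire, pipewire-pulse, pulseaudio and wireplumber unconfined (and, with lowercase `u`, with an unscrubbed environment) once spawned by the user manager; the inline FIXME acknowledges this, but since the profile is also `flags=(complain)`, it is worth stating in the header that the user session is effectively not enforced until those transitions are revisited. Since this file is a carry-over of the old systemd profile body, the remaining rules are not re-reviewed here.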