diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
new file mode 100644
index 00000000..975478c6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-binfmt
+profile systemd-binfmt @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ # Config file locations
+ /etc/binfmt.d/*.conf r,
+ @{run}/binfmt.d/*.conf r,
+ /usr/lib/binfmt.d/*.conf r,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
new file mode 100644
index 00000000..e5a2833b
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/systemd-hwdb
+profile systemd-hwdb @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
new file mode 100644
index 00000000..f8f03925
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-logind
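Review bot: The three config rules under `# Config file locations` grant only the `*.conf` files and never the directories themselves (`/etc/binfmt.d/*.conf r,` does not match `/etc/binfmt.d/`), so enumerating the drop-in directories will be denied once the profile is enforced; the systemd-tmpfiles profile in this same commit uses the `{,*.conf}` form, so I'd change these to `/etc/binfmt.d/{,*.conf} r,` and likewise for the `@{run}` and `/usr/lib` rules. The program's actual job is writing format entries to the binfmt_misc interface, and nothing under `@{PROC}/sys/fs/binfmt_misc/` is granted; as far as I can tell from systemd's binfmt.c it needs `@{PROC}/sys/fs/binfmt_misc/register w,` (and `status w,` for `--unregister`) — confirm with an audit run before enforcing.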
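Review bot: Beyond its own binary and `owner @{PROC}/@{pid}/stat r,`, the systemd-hwdb profile grants nothing, so both `systemd-hwdb update` and `systemd-hwdb query` would fail in enforce mode. To my knowledge `update` reads `/etc/udev/hwdb.d/*.hwdb` and `/usr/lib/udev/hwdb.d/*.hwdb` and writes `/etc/udev/hwdb.bin` through a temporary file it then renames, while `query` reads the compiled `.bin`. I'd add `/etc/udev/hwdb.d/{,*.hwdb} r,`, `/usr/lib/udev/hwdb.d/{,*.hwdb} r,` and `/etc/udev/{,.#}hwdb.bin* rw,`, then verify the temporary-file name and the `--usr` variant (`/usr/lib/udev/hwdb.bin`) against the audit log before enforcing.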
@@ -0,0 +1,91 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-logind
+profile systemd-logind @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+
+ capability sys_tty_config,
+ capability chown,
+ capability dac_override,
+ capability sys_admin,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/systemd/sleep.conf r,
+ /etc/systemd/logind.conf r,
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+
+ /boot/{,**} r,
+
+ /var/lib/systemd/linger/ r,
+
+ @{run}/utmp rk,
+
+ @{run}/udev/tags/master-of-seat/ r,
+ @{run}/udev/tags/power-switch/ r,
+ @{run}/udev/tags/uaccess/ r,
+ @{run}/udev/static_node-tags/uaccess/ r,
+
+ @{run}/udev/data/c10:[0-9]* r,
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c116:[0-9]* r, # for ALSA
+ @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+ @{run}/udev/data/c238:[0-9]* r,
+
+ @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
+ @{run}/udev/data/+backlight:intel_backlight r,
+
+ @{run}/systemd/seats/ r,
+ @{run}/systemd/seats/.#seat* rw,
+ @{run}/systemd/seats/seat0 rw,
+ @{run}/systemd/inhibit/ r,
+ @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
+ @{run}/systemd/inhibit/.#* rw,
+ @{run}/systemd/sessions/ r,
+ @{run}/systemd/sessions/[0-9]*{,.ref} rw,
+ @{run}/systemd/sessions/.#* rw,
+ @{run}/systemd/users/ r,
+ @{run}/systemd/users/[0-9]* rw,
+ @{run}/systemd/users/.#* rw,
+ @{run}/systemd/userdb/ r,
+
+ /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
+ /dev/dri/card[0-9]* rw,
+ /dev/tty[0-9]* rw,
+ /dev/nvme* r,
+
+ @{sys}/module/vt/parameters/default_utf8 r,
+ @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+ @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+ @{sys}/devices/**/{uevent,enabled,status} r,
+ @{sys}/devices/**/brightness rw,
+
+ @{sys}/class/drm/ r,
+ @{sys}/power/{state,resume_offset,resume,disk} r,
+
+ @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+ @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+ @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+ @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+ @{PROC}/swaps r,
+ @{PROC}/[0-9]*/cgroup r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/sessionid r,
+ @{PROC}/[0-9]*/fd/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
new file mode 100644
index 00000000..113db353
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-machined
+profile systemd-machined @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability sys_ptrace,
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ @{run}/systemd/userdb/io.systemd.Machine rw,
+ @{run}/systemd/machines/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
new file mode 100644
index 00000000..1332d943
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-resolved
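Review bot: `/var/lib/systemd/linger/ r,` only lets logind list lingering users, but `SetUserLinger` creates and unlinks `/var/lib/systemd/linger/<user>`, so enabling or disabling linger will be denied as soon as `flags=(complain)` is dropped; that rule should be `/var/lib/systemd/linger/{,*} rw,`. Two other rules are tied to one machine rather than to logind: `@{run}/systemd/seats/seat0 rw,` (additional seats are named `seat-<name>`, so `@{run}/systemd/seats/seat* rw,`) and `@{run}/udev/data/+backlight:intel_backlight r,` (AMD and ACPI backlights have other names, so `@{run}/udev/data/+backlight:* r,`). The `OsIndications-*` efivar is granted `r` only, while `SetRebootToFirmwareSetup` writes it; if that method is meant to work, the rule needs `rw` and, since systemd clears the immutable flag efivarfs sets before writing, probably `capability linux_immutable` as well — confirm from an audit run. Given the profile already carries `capability sys_admin` and `dac_override`, the complain flag is the only thing bounding it right now, so these gaps are worth closing before it is switched to enforce.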
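Review bot: `@{run}/systemd/machines/ r,` only allows listing the state directory, but registering a machine writes `@{run}/systemd/machines/<name>` (through a `.#` temporary it renames) and a `unit:<unit>` symlink next to it, so `RegisterMachine`/`CreateMachine` will be denied once `flags=(complain)` is removed; I'd add `@{run}/systemd/machines/* rw,`. Image operations (`ListImages`, `CloneImage`, ...) walk `/var/lib/machines/`, which is not granted either — at least `/var/lib/machines/{,**} r,`, more if image writes are wanted. `capability sys_ptrace` is listed, but under AppArmor reading another confined process's `/proc/<pid>/ns/*` to enter a machine leader also needs a `ptrace (read)` rule; expect that in the audit log and confirm before enforcing.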
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
+# 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Version of program profiled: 247.3
+
+abi ,
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-resolved
+profile systemd-resolved @{exec_path} {
+ include
+ include
+ include
+ include
+ # include
+
+ capability net_bind_service,
+ capability net_raw,
+ capability setpcap,
+
+ network unix stream,
+ network unix dgram,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ # Runtime directories
+ /{,var/}run/systemd/netif/links/* r,
+ /{,var/}run/systemd/resolve/{,**} rw,
+
+ # Config
+ /etc/systemd/resolved.conf r,
+ /etc/systemd/resolved.conf.d/{,*} r,
+
+ # Proc
+ owner @{PROC}/*/stat r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/hostname r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # System access
+ @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+}
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
new file mode 100644
index 00000000..fc31d6fb
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sysusers
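Review bot: The `# Config` section has no read rule for `/etc/hosts`, and resolved loads that file for local name lookups at start and whenever it changes, so those entries will silently stop resolving once the profile is enforced. In the same way, `/etc/resolv.conf` is read when it is not resolved's own stub file (to pick up upstream servers), and DNSSEC trust anchors are loaded from `/etc/dnssec-trust-anchors.d/` and `/usr/lib/dnssec-trust-anchors.d/`; none of these are granted, so I'd expect all of them in the audit log. Separately, this file's SPDX tag is `GPL-3.0-only` while every other profile in the commit is `GPL-2.0-only`; the two licences are not compatible, so that is worth confirming as intended. The additions I'd make to the config section:

```apparmor
  # Config
  /etc/systemd/resolved.conf.d/{,*} r,
  /etc/hosts r,
  /etc/resolv.conf r,
  /etc/dnssec-trust-anchors.d/{,*} r,
  /usr/lib/dnssec-trust-anchors.d/{,*} r,
  # … unchanged: proc and sysfs rules …
```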
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/systemd-sysusers
+profile systemd-sysusers @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ # Config file locations
+ /etc/sysusers.d/*.conf r,
+ @{run}/sysusers.d/*.conf r,
+ /usr/lib/sysusers.d/*.conf r,
+
+ # Where the users can be created,
+ /home/{,*} rw,
+ /var/{,**} rw,
+ /run/{,**} rw,
+
+ /etc/ r,
+ /etc/passwd r,
+ /etc/group r,
+ /etc/gshadow r,
+ /etc/.#group* rw,
+ /etc/.#gshadow* rw,
+ /etc/.pwd.lock rwk,
+
+ owner @{PROC}/@{pid}/stat r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
new file mode 100644
index 00000000..c8a382c8
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/systemd-tmpfiles
+profile systemd-tmpfiles @{exec_path} {
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability fsetid,
+ capability mknod,
+ capability fowner,
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+ /usr/share/factory/{,**} r,
+
+ # Config file locations
+ /etc/tmpfiles.d/
+ /etc/tmpfiles.d/{,*.conf} r,
+ @{run}/tmpfiles.d/{,*.conf} r,
+ /usr/lib/tmpfiles.d/{,*.conf} r,
+ @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r,
+ @{run}/user/@{pid}/user-tmpfiles.d/{,*.conf} r,
+ @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r,
+ /usr/share/user-tmpfiles.d/{,*.conf} r,
+
+ # Where the tmpfiles can be created,
+ /{,*} rw,
+ /dev/{,**} rw,
+ /var/{,**} rwk,
+ /run/{,**} rw,
+ /tmp/{,**} rwk,
+ /srv/{,**} rw,
+
+ @{run}/systemd/userdb/ r,
+ @{sys}/devices/system/cpu/microcode/reload w,
+
+ @{PROC}/@{pid}/net/unix r,
+
+ include if exists
+}
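Review bot: The account-database writes in the systemd-sysusers profile are only half granted: the `.#group*`/`.#gshadow*` temporaries can be created, but `/etc/group` and `/etc/gshadow` are `r` only, so the final rename onto them is denied, and `/etc/passwd`/`/etc/shadow` have no write path at all (no `.#passwd*`, no `.#shadow*`, and `/etc/shadow` is not even readable) — in enforce mode the tool could create neither users nor groups. I'd replace the `/etc/passwd r,` … `/etc/.#gshadow* rw,` run with `/etc/{passwd,group,shadow,gshadow} rw,` and `/etc/.#{passwd,group,shadow,gshadow}* rw,`, keeping the `.pwd.lock` rule as is. Conversely the `# Where the users can be created` block (`/home/{,*} rw,`, `/var/{,**} rw,`, `/run/{,**} rw,`) is very broad for a tool that, as far as I know, only edits the account files and leaves home-directory creation to tmpfiles.d; unless an audit run shows sysusers touching those trees, I'd drop the three rules rather than hand it root-writable `/var` and `/run`.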
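Review bot: In the systemd-tmpfiles profile, `/etc/tmpfiles.d/` on its own line under `# Config file locations` has neither a permission nor a terminating comma, so the parser will reject the profile (or at best fold the path into the following rule); the next line `/etc/tmpfiles.d/{,*.conf} r,` already covers the directory, so the bare line should simply be deleted. `@{run}/user/@{pid}/user-tmpfiles.d/{,*.conf} r,` keys `/run/user/` by pid, but that directory is named after the uid, so it should be `@{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r,` (confirm `@{uid}` is defined in the tunables this set ships). `/{,*} rw,` grants write and create on every top-level path, which is far broader than what tmpfiles.d entries actually target and deserves narrowing from the audit log. Finally, `dac_read_search`/`fowner`/`fsetid`/`mknod` are listed but `capability chown` is not, and entries that set a non-root user or group (the journal directories, for example) will need it, so expect that denial as well.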