feat(profile): small improvment on systemd profiles.

2024-11-14 23:43:56 +01:00 · 2024-05-18 13:09:25 +01:00 · 2024-05-18 13:09:25 +01:00 · 5e6af16580
commit 5e6af16580
parent 17bfd0e869
5 changed files with 7 additions and 12 deletions
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -14,9 +14,6 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/common/systemd>

-  # Needed?
-  audit capability net_admin,
-
  unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,

  #aa:dbus own bus=system name=org.freedesktop.locale1
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@ -19,21 +19,21 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {

  ptrace (read),

-  mount flags=(rw rslave) -> /,
+  mount options=(rw rslave) -> /,
  umount /etc/machine-id,

  @{exec_path} mr,

  / r,
-  /etc/machine-id rw,
  /etc/ r,
+  /etc/machine-id rw,
  /var/ r,

        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
-  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/setgroups r,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/systemd-machine-id-setup>
 }
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@ -6,8 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/systemd-mount
-@{exec_path} += @{bin}/systemd-umount
+@{exec_path} = @{bin}/systemd-mount @{bin}/systemd-umount
 profile systemd-mount @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -24,8 +24,8 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/oomd.conf r,
  /etc/systemd/oomd.conf.d/{,**} r,

-          @{run}/systemd/io.system.ManagedOOM rw,
-          @{run}/systemd/io.systemd.ManagedOOM rw,
+        @{run}/systemd/io.system.ManagedOOM rw,
+        @{run}/systemd/io.systemd.ManagedOOM rw,
        @{run}/systemd/notify rw,
  owner @{run}/systemd/journal/socket w,

--- a/apparmor.d/groups/systemd/systemd-sleep-grub2
+++ b/apparmor.d/groups/systemd/systemd-sleep-grub2
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep
 profile systemd-sleep-grub @{exec_path} {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>

  @{exec_path} mr,

@ -18,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} {

  /etc/sysconfig/bootloader r,

-  /var/lib/nscd/passwd r,
-
  @{PROC}/@{pid}/maps r,

  /dev/tty rw,