feat(fps): improve systemd profiles.

2025-01-18 08:58:15 +01:00 · 2024-09-23 14:59:44 +01:00 · 2024-09-23 14:59:44 +01:00 · 62cb546afa
commit 62cb546afa
parent c085c8038b
4 changed files with 88 additions and 43 deletions
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@ -11,7 +11,6 @@ include <tunables/global>
 profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/app>
-  include <abstractions/fontconfig-cache-write>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  umount @{run}/systemd/unit-root/{,**},

  pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
-  pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
+  pivot_root oldroot=@{run}/systemd/unit-root/    @{run}/systemd/unit-root/,

  change_profile,

@ -129,29 +129,37 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
       member=GetConnectionUnixUser
       peer=(name=org.freedesktop.DBus, label=dbus-system),

-  @{bin}/systemctl                  rix,
-  @{bin}/mount                      rix,
+  @{bin}/**                         Px,
+  @{lib}/**                         Px,
+  /etc/cron.*/*                     Px,
+  /etc/init.d/*                     Px,
+  /usr/share/*/**                   Px,

-  @{lib}/systemd/systemd-executor   rix,
-  @{lib}/systemd/systemd            rpx -> systemd-user,
+  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  @{lib}/systemd/systemd-executor   ix,

-  @{bin}/ldconfig                   rPx -> systemd-service,
-  @{bin}/mandb                      rPx -> systemd-service,
-  @{bin}/savelog                    rPx -> systemd-service,
-  @{coreutils_path}                 rPx -> systemd-service,
-  @{sh_path}                        rPx -> systemd-service,
+  # Systemd user: systemd --user
+  @{lib}/systemd/systemd            px -> systemd-user,

-  @{bin}/**                          Px,
-  @{lib}/**                          Px,
-  /etc/cron.*/*                      Px,
-  /etc/init.d/*                      Px,
-  /usr/share/*/**                    Px,
+  # Unit services using systemctl
+  @{bin}/systemctl                  Cx -> systemctl,

+  # Unit services
+  @{bin}/mount                      ix,
+
+  # Shell based systemd unit services
+  @{bin}/ldconfig                   Px -> systemd-service,
+  @{bin}/mandb                      Px -> systemd-service,
+  @{bin}/savelog                    Px -> systemd-service,
+  @{coreutils_path}                 Px -> systemd-service,
+  @{sh_path}                        Px -> systemd-service,
+
+  # Systemd profiles that need be stacked
  #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
-  @{lib}/systemd/systemd-networkd   rPx -> systemd//&systemd-networkd,
-  @{lib}/systemd/systemd-oomd       rPx -> systemd//&systemd-oomd,
-  @{lib}/systemd/systemd-resolved   rPx -> systemd//&systemd-resolved,
-  @{lib}/systemd/systemd-timesyncd  rPx -> systemd//&systemd-timesyncd,
+  @{lib}/systemd/systemd-networkd   Px -> systemd//&systemd-networkd,
+  @{lib}/systemd/systemd-oomd       Px -> systemd//&systemd-oomd,
+  @{lib}/systemd/systemd-resolved   Px -> systemd//&systemd-resolved,
+  @{lib}/systemd/systemd-timesyncd  Px -> systemd//&systemd-timesyncd,

  @{lib}/ r,
  / r,
@ -254,6 +262,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  owner /dev/shm/ rw,
  owner /dev/ttyS@{int} rwk,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <usr/systemd_systemctl.d>
+    include if exists <local/systemd_systemctl>
+  }
+
  include if exists <usr/systemd.d>
  include if exists <local/systemd>
 }
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -25,40 +25,47 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {

  network netlink raw,

-  signal (send) set=(term, cont, kill),
-  signal (receive) set=(hup) peer=@{p_systemd},
+  signal send set=(term, cont, kill),
+  signal receive set=hup peer=@{p_systemd},

-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
+  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,

  #aa:dbus own bus=session name=org.freedesktop.systemd1

  @{exec_path} mr,

-  @{bin}/dbus-broker                         rpx -> dbus-session,
-  @{bin}/dbus-broker-launch                  rpx -> dbus-session,
-  @{bin}/dbus-daemon                         rpx -> dbus-session,
-  @{lib}/dbus-1.0/dbus-daemon-launch-helper  rpx -> dbus-session,
+  @{bin}/**                         Px,
+  @{lib}/**                         Px,
+  /etc/cron.*/*                     Px,
+  /opt/*/**                         Px,
+  /usr/share/*/**                   Px,

-  @{bin}/systemctl                  rCx -> systemctl,
-  @{lib}/systemd/systemd-executor   rix,
-  @{sh_path}                        rix, # Should be handled by default profile?
-  @{bin}/grep                       rix,
-  @{bin}/sleep                      rix,
+  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  @{lib}/systemd/systemd-executor   ix,

-  @{bin}/**                          Px,
-  @{lib}/**                          Px,
-  /opt/*/**                          Px,
-  /usr/share/*/**                    Px,
+  # Unit services using systemctl
+  @{bin}/systemctl                  Cx -> systemctl,

+  # Shell based ystemd unit services
+  @{coreutils_path}                 Px -> systemd-user-service,
+  @{sh_path}                        Px -> systemd-user-service,
+
+  # Dbus needs to be started without environment scrubbing
+  @{bin}/dbus-broker                         px -> dbus-session,
+  @{bin}/dbus-broker-launch                  px -> dbus-session,
+  @{bin}/dbus-daemon                         px -> dbus-session,
+  @{lib}/dbus-1.0/dbus-daemon-launch-helper  px -> dbus-session,
+
+  # Audio profiles need to be stacked
  #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
-  @{bin}/pipewire                   rPx -> systemd-user//&pipewire,
-  @{bin}/pipewire-media-session     rPx -> systemd-user//&pipewire-media-session,
-  @{bin}/pipewire-pulse             rPx -> systemd-user//&pipewire-pulse,
-  @{bin}/pulseaudio                 rPx -> systemd-user//&pulseaudio,
-  @{bin}/wireplumber                rPx -> systemd-user//&wireplumber,
+  @{bin}/pipewire                   Px -> systemd-user//&pipewire,
+  @{bin}/pipewire-media-session     Px -> systemd-user//&pipewire-media-session,
+  @{bin}/pipewire-pulse             Px -> systemd-user//&pipewire-pulse,
+  @{bin}/pulseaudio                 Px -> systemd-user//&pulseaudio,
+  @{bin}/wireplumber                Px -> systemd-user//&wireplumber,

  /usr/ r,
  /usr/share/defaults/**.conf r,
--- a/apparmor.d/groups/_full/systemd-user-service
+++ b/apparmor.d/groups/_full/systemd-user-service
@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for generic systemd unit services. Only used by tiny systemd services
+# that start a shell or use context specific programs.
+
+# It does not specify an attachment path because it is intended to be used only
+# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile systemd-user-service flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  include if exists <usr/systemd-user-service.d>
+  include if exists <local/systemd-user-service>
+}
+
+# vim:syntax=apparmor