diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app
index bfe12e56..d0ddfaaa 100644
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@@ -11,7 +11,6 @@ include
 profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index d85d04e2..36c31e60 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 umount @{run}/systemd/unit-root/{,**},
 pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
- pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
+ pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
 change_profile,
@@ -129,29 +129,37 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 member=GetConnectionUnixUser peer=(name=org.freedesktop.DBus, label=dbus-system),
- @{bin}/systemctl rix,
- @{bin}/mount rix,
+ @{bin}/** Px,
+ @{lib}/** Px,
+ /etc/cron.*/* Px,
+ /etc/init.d/* Px,
+ /usr/share/*/** Px,
- @{lib}/systemd/systemd-executor rix,
- @{lib}/systemd/systemd rpx -> systemd-user,
+ # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+ @{lib}/systemd/systemd-executor ix,
- @{bin}/ldconfig rPx -> systemd-service,
- @{bin}/mandb rPx -> systemd-service,
- @{bin}/savelog rPx -> systemd-service,
- @{coreutils_path} rPx -> systemd-service,
- @{sh_path} rPx -> systemd-service,
+ # Systemd user: systemd --user
+ @{lib}/systemd/systemd px -> systemd-user,
- @{bin}/** Px,
- @{lib}/** Px,
- /etc/cron.*/* Px,
- /etc/init.d/* Px,
- /usr/share/*/** Px,
+ # Unit services using systemctl
+ @{bin}/systemctl Cx -> systemctl,
+ # Unit services
+ @{bin}/mount ix,
+
+ # Shell based systemd unit services
+ @{bin}/ldconfig Px -> systemd-service,
+ @{bin}/mandb Px -> systemd-service,
+ @{bin}/savelog Px -> systemd-service,
+ @{coreutils_path} Px -> systemd-service,
+ @{sh_path} Px -> systemd-service,
+
+ # Systemd profiles that need be stacked
 #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
- @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd,
- @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd,
- @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved,
- @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
+ @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd,
+ @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd,
+ @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved,
+ @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd,
 @{lib}/ r,
 / r,
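Review bot: The fallback block that now opens the exec section, `@{bin}/** Px,` through `/usr/share/*/** Px,`, is the only group left without a comment while every block after it received one, and a reader has to know the `Px` semantics to see that a unit binary with no attached profile is denied rather than run unconfined. Suggest `# Fallback: any other unit binary runs under its own attached profile (Px, denied if none)` above `@{bin}/** Px,`; the same uncommented block appears in the systemd-user hunk. `# Systemd user: systemd --user` sits on the one rule that keeps lowercase `px -> systemd-user` (no environment scrubbing) while every sibling uses `Px`; the systemd-user hunk documents that choice for dbus, so state the reason here too, e.g. `# Systemd user: systemd --user (px: environment passed through unscrubbed — confirm this is required)`. Also `# Systemd profiles that need be stacked` should read `# Systemd profiles that need to be stacked`. The enclosing `profile systemd` block continues outside the hunk.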
@@ -254,6 +262,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 owner /dev/shm/ rw,
 owner /dev/ttyS@{int} rwk,
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ include if exists
+ }
+
 include if exists
 include if exists
 }
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index f8860412..7b6ef77f 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
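Review bot: The new `profile systemctl {` child profile carries no comment saying what it is for or why systemctl now gets a child profile instead of the previous `ix` in the init profile; suggest `# Child profile for systemctl invoked by unit commands, kept separate from the init process` above it, adjusted to the actual reason (presumably the `# Unit services using systemctl` case in the exec section). As rendered, the child's body is includes only — the include targets are not visible here — with no explicit rule for the systemctl binary itself; if an abstraction supplies that, a one-line comment naming it would spare the next reader the lookup. The parent carries `flags=(attach_disconnected,mediate_deleted)` while the child declares no flags; if that difference is intentional it deserves a comment as well. The enclosing `profile systemd` block starts outside the hunk.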
@@ -25,40 +25,47 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
- signal (send) set=(term, cont, kill),
- signal (receive) set=(hup) peer=@{p_systemd},
+ signal send set=(term, cont, kill),
+ signal receive set=hup peer=@{p_systemd},
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
- unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system,
- unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+ unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
+ unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
 #aa:dbus own bus=session name=org.freedesktop.systemd1
 @{exec_path} mr,
- @{bin}/dbus-broker rpx -> dbus-session,
- @{bin}/dbus-broker-launch rpx -> dbus-session,
- @{bin}/dbus-daemon rpx -> dbus-session,
- @{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session,
+ @{bin}/** Px,
+ @{lib}/** Px,
+ /etc/cron.*/* Px,
+ /opt/*/** Px,
+ /usr/share/*/** Px,
- @{bin}/systemctl rCx -> systemctl,
- @{lib}/systemd/systemd-executor rix,
- @{sh_path} rix, # Should be handled by default profile?
- @{bin}/grep rix,
- @{bin}/sleep rix,
+ # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+ @{lib}/systemd/systemd-executor ix,
- @{bin}/** Px,
- @{lib}/** Px,
- /opt/*/** Px,
- /usr/share/*/** Px,
+ # Unit services using systemctl
+ @{bin}/systemctl Cx -> systemctl,
+ # Shell based ystemd unit services
+ @{coreutils_path} Px -> systemd-user-service,
+ @{sh_path} Px -> systemd-user-service,
+
+ # Dbus needs to be started without environment scrubbing
+ @{bin}/dbus-broker px -> dbus-session,
+ @{bin}/dbus-broker-launch px -> dbus-session,
+ @{bin}/dbus-daemon px -> dbus-session,
+ @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
+
+ # Audio profiles need to be stacked
 #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
- @{bin}/pipewire rPx -> systemd-user//&pipewire,
- @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
- @{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse,
- @{bin}/pulseaudio rPx -> systemd-user//&pulseaudio,
- @{bin}/wireplumber rPx -> systemd-user//&wireplumber,
+ @{bin}/pipewire Px -> systemd-user//&pipewire,
+ @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session,
+ @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse,
+ @{bin}/pulseaudio Px -> systemd-user//&pulseaudio,
+ @{bin}/wireplumber Px -> systemd-user//&wireplumber,
 /usr/ r,
 /usr/share/defaults/**.conf r,
diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service
new file mode 100644
index 00000000..0aaeba21
--- /dev/null
+++ b/apparmor.d/groups/_full/systemd-user-service
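Review bot: `@{coreutils_path} Px -> systemd-user-service,` and `@{sh_path} Px -> systemd-user-service,` hand shells and coreutils to a profile that the new systemd-user-service file declares with `flags=(complain)`, so for now these transitions log violations but enforce nothing, and the comment above them neither says so nor is spelled correctly. Suggest `# Shell based systemd unit services (systemd-user-service is complain-only for now)` in place of `# Shell based ystemd unit services`. The fallback block `@{bin}/** Px,` through `/usr/share/*/** Px,` has the same missing comment as the corresponding block in the systemd hunk, where the wording is proposed. The enclosing `profile systemd-user` block starts and ends outside the hunk.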
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for generic systemd unit services. Only used by tiny systemd services
+# that start a shell or use context specific programs.
+
+# It does not specify an attachment path because it is intended to be used only
+# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
+
+abi ,
+
+include
+
+profile systemd-user-service flags=(complain) {
+ include
+ include
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
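Review bot: `profile systemd-user-service flags=(complain) {` puts the whole profile in complain mode, yet the header comment explains only what the profile is for and not that it currently only logs, so a reader of the systemd-user profile will assume the `Px -> systemd-user-service` transitions actually confine the shell-based units. Suggest adding to the header `# Currently in complain mode: rules are logged, not enforced; record here what is still needed before switching to enforce`, or a short TODO carrying the same information. The body is includes only (the include targets are not visible in this rendering) with no rules of its own, which fits the stated intent for tiny shell services but is worth a one-line comment so the file is not mistaken for an unfinished stub.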