feat(fps): improve systemd profiles.

This commit is contained in:
Alexandre Pujol 2024-09-23 14:59:44 +01:00
parent c085c8038b
commit 62cb546afa
4 changed files with 88 additions and 43 deletions


@ -11,7 +11,6 @@ include <tunables/global>
profile bwrap-app flags=(attach_disconnected,mediate_deleted) { profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/app> include <abstractions/common/app>
include <abstractions/fontconfig-cache-write>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,


@ -129,29 +129,37 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
member=GetConnectionUnixUser member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-system), peer=(name=org.freedesktop.DBus, label=dbus-system),
@{bin}/systemctl rix,
@{bin}/mount rix,
@{lib}/systemd/systemd-executor rix,
@{lib}/systemd/systemd rpx -> systemd-user,
@{bin}/ldconfig rPx -> systemd-service,
@{bin}/mandb rPx -> systemd-service,
@{bin}/savelog rPx -> systemd-service,
@{coreutils_path} rPx -> systemd-service,
@{sh_path} rPx -> systemd-service,
@{bin}/** Px, @{bin}/** Px,
@{lib}/** Px, @{lib}/** Px,
/etc/cron.*/* Px, /etc/cron.*/* Px,
/etc/init.d/* Px, /etc/init.d/* Px,
/usr/share/*/** Px, /usr/share/*/** Px,
# Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor ix,
# Systemd user: systemd --user
@{lib}/systemd/systemd px -> systemd-user,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Unit services
@{bin}/mount ix,
# Shell based systemd unit services
@{bin}/ldconfig Px -> systemd-service,
@{bin}/mandb Px -> systemd-service,
@{bin}/savelog Px -> systemd-service,
@{coreutils_path} Px -> systemd-service,
@{sh_path} Px -> systemd-service,
# Systemd profiles that need be stacked
#aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
@{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd, @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd,
@{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd, @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd,
@{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved, @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved,
@{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd, @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd,
@{lib}/ r, @{lib}/ r,
/ r, / r,
@ -254,6 +262,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
owner /dev/shm/ rw, owner /dev/shm/ rw,
owner /dev/ttyS@{int} rwk, owner /dev/ttyS@{int} rwk,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <usr/systemd_systemctl.d>
include if exists <local/systemd_systemctl>
}
include if exists <usr/systemd.d> include if exists <usr/systemd.d>
include if exists <local/systemd> include if exists <local/systemd>
} }
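Review bot: The comment `# Systemd profiles that need be stacked` above the `#aa:stack` directive drops a word; it should read `# Systemd profiles that need to be stacked`. The `# Unit services` label over `@{bin}/mount ix,` does not say why mount keeps running inherited under the systemd profile (which carries `attach_disconnected,mediate_deleted` and, presumably, the mount privileges of the init process) instead of taking a transition like every other unit binary in the same hunk; a one-line why-comment naming which units invoke it would make that choice reviewable later. Both hunks sit inside `profile systemd`, whose opening line is outside this section.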


@ -25,40 +25,47 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
network netlink raw, network netlink raw,
signal (send) set=(term, cont, kill), signal send set=(term, cont, kill),
signal (receive) set=(hup) peer=@{p_systemd}, signal receive set=hup peer=@{p_systemd},
ptrace (read) peer=@{p_systemd}, ptrace read peer=@{p_systemd},
unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
#aa:dbus own bus=session name=org.freedesktop.systemd1 #aa:dbus own bus=session name=org.freedesktop.systemd1
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-broker rpx -> dbus-session,
@{bin}/dbus-broker-launch rpx -> dbus-session,
@{bin}/dbus-daemon rpx -> dbus-session,
@{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session,
@{bin}/systemctl rCx -> systemctl,
@{lib}/systemd/systemd-executor rix,
@{sh_path} rix, # Should be handled by default profile?
@{bin}/grep rix,
@{bin}/sleep rix,
@{bin}/** Px, @{bin}/** Px,
@{lib}/** Px, @{lib}/** Px,
/etc/cron.*/* Px,
/opt/*/** Px, /opt/*/** Px,
/usr/share/*/** Px, /usr/share/*/** Px,
# Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor ix,
# Unit services using systemctl
@{bin}/systemctl Cx -> systemctl,
# Shell based ystemd unit services
@{coreutils_path} Px -> systemd-user-service,
@{sh_path} Px -> systemd-user-service,
# Dbus needs to be started without environment scrubbing
@{bin}/dbus-broker px -> dbus-session,
@{bin}/dbus-broker-launch px -> dbus-session,
@{bin}/dbus-daemon px -> dbus-session,
@{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
# Audio profiles need to be stacked
#aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
@{bin}/pipewire rPx -> systemd-user//&pipewire, @{bin}/pipewire Px -> systemd-user//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session,
@{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse, @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd-user//&pulseaudio, @{bin}/pulseaudio Px -> systemd-user//&pulseaudio,
@{bin}/wireplumber rPx -> systemd-user//&wireplumber, @{bin}/wireplumber Px -> systemd-user//&wireplumber,
/usr/ r, /usr/ r,
/usr/share/defaults/**.conf r, /usr/share/defaults/**.conf r,
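Review bot: The new comment `# Shell based ystemd unit services` misspells the project name; it should read `# Shell based systemd unit services`. The two rules under it send `@{coreutils_path}` and `@{sh_path}` to `systemd-user-service`, a profile this same commit creates with `flags=(complain)`, so shell-based user units appear to move from inherited confinement (the `rix` rules on `@{sh_path}`, `grep` and `sleep` that seem to be dropped here) to a logging-only profile; stating that in the comment, e.g. `# Shell based systemd unit services (systemd-user-service is complain-only for now)`, keeps the relaxation from being mistaken for enforcement. The hunk lies inside `profile systemd-user`, whose boundaries are outside the section.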


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for generic systemd unit services. Only used by tiny systemd services
# that start a shell or use context specific programs.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
abi <abi/3.0>,
include <tunables/global>
profile systemd-user-service flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include if exists <usr/systemd-user-service.d>
include if exists <local/systemd-user-service>
}
# vim:syntax=apparmor
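Review bot: `profile systemd-user-service flags=(complain) {` makes the new profile log-only, but the header comment only describes it as the target of `Px -> systemd-user-service` transitions from systemd-user and never records that denials here are not enforced. Add a header line such as `# NOTE: complain mode: denials are logged, not enforced` and, if the mode is transitional, what needs to be learned from the logs before it can be switched to enforce. Without that note a reader of systemd-user sees a `Px` transition and reasonably assumes the target confines the shell it receives.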