feat: prefix variables that refer to a profile

2024-11-14 15:33:47 +01:00 · 2024-04-02 13:41:08 +01:00 · 2024-04-02 13:41:08 +01:00 · 6dd0c36e9a
commit 6dd0c36e9a
parent 751bc683d9
39 changed files with 57 additions and 49 deletions
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -5,7 +5,7 @@
  include <abstractions/bus-system>
  include <abstractions/consoles>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,

--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -8,8 +8,8 @@
  signal (receive)                           peer=sudo,
  signal (receive)                           peer=top,
  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(cont,term)           peer=@{systemd_user},
-  signal (receive) set=(cont,term)           peer=@{systemd},
+  signal (receive) set=(cont,term)           peer=@{p_systemd_user},
+  signal (receive) set=(cont,term)           peer=@{p_systemd},
  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,kill)           peer=gnome-shell,
  signal (receive) set=(term,kill)           peer=gnome-system-monitor,
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@ -5,12 +5,12 @@
  dbus send bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member={GetUnit,StartUnit,StartTransientUnit}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@ -10,11 +10,11 @@
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
-       peer=(name="{:*,org.freedesktop.systemd1}", label="@{systemd_user}"),
+       peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=GetUnit
-       peer=(name="{:*,org.freedesktop.systemd1}", label="@{systemd_user}"),
+       peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),

  include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -28,7 +28,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  signal (send) set=(term, cont, kill),
  signal (receive) set=(hup) peer=@{systemd},

-  ptrace (read),
+  ptrace (read),@{p_systemd}

  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -30,7 +30,7 @@ profile dbus-system flags=(attach_disconnected) {
  network bluetooth stream,
  network bluetooth seqpacket,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  dbus bus=system,

--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -22,7 +22,7 @@ profile plymouthd @{exec_path} {
  network netlink raw,

  signal (send) peer=unconfined,
-  signal (send) set=(rtmin+23) peer=@{systemd},
+  signal (send) set=(rtmin+23) peer=@{p_systemd},
  signal (send) set=(rtmin+23) peer=systemd-shutdown,

  ptrace (read) peer=plymouth,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -46,7 +46,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@ -11,14 +11,14 @@ profile gnome-session-ctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>

-  signal (receive) set=(kill) peer=@{systemd},
+  signal (receive) set=(kill) peer=@{p_systemd},

  unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member={StartUnit,StopUnit}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  dbus send bus=session path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -165,7 +165,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd_user}"),
+       peer=(name=:*, label="@{p_systemd_user}"),

  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -39,7 +39,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  ptrace (read),
  ptrace (trace) peer=@{profile_name},

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
  signal (send) set=(kill, term) peer=startplasma,
  signal (send) set=(kill, term) peer=xorg,
  signal (send) set=(term) peer=kwin_wayland,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -11,7 +11,7 @@ profile startplasma @{exec_path} {
  include <abstractions/base>
  include <abstractions/kde-strict>

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
  signal (receive) set=(term) peer=sddm,

  @{exec_path} mr,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  capability sys_nice,
  capability sys_ptrace,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -49,9 +49,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},

-  ptrace (read,trace) peer=@{systemd},
+  ptrace (read,trace) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/sshd/system,

--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -22,7 +22,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  signal send peer=child-pager,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,7 +22,7 @@ profile systemd-analyze @{exec_path} {

  signal (send) peer=child-pager,

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -12,7 +12,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-run
+++ b/apparmor.d/groups/systemd/systemd-generator-run
@ -11,7 +11,7 @@ profile systemd-generator-run @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-veritysetup
+++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup
@ -11,7 +11,7 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -33,7 +33,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=org.freedesktop.login1

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  dbus receive bus=system path=/org/freedesktop/login@{int}{,/seat/auto,session/_@{int}}
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -33,7 +33,7 @@ profile systemd-machined @{exec_path} {

  #aa:dbus own bus=system name=org.freedesktop.machine1

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@ -14,7 +14,7 @@ profile systemd-sulogin-shell @{exec_path} {
  capability net_admin,
  capability sys_resource,

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -22,7 +22,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,

  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
-  unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),
+  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),

  #aa:dbus own bus=system name=org.freedesktop.timesync1

--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {

  capability net_admin,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@ -14,7 +14,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {

  capability sys_resource,

-  signal (send) peer=@{systemd},
+  signal (send) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -94,7 +94,7 @@ profile update-notifier @{exec_path} {
    dbus send bus=system path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
         member=GetUnitFileState
-         peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+         peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

    include if exists <local/update-notifier_systemctl>
  }
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@ -11,7 +11,7 @@ profile anacron @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  signal (receive) set=(usr1) peer=@{systemd},
+  signal (receive) set=(usr1) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@ -14,7 +14,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

-  signal (send) set=(int) peer=@{systemd},
+  signal (send) set=(int) peer=@{p_systemd},

  #aa:dbus own bus=session name=org.freedesktop.Flatpak

--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} {
  network inet6 stream,
  network netlink raw,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -34,16 +34,16 @@ profile snap @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  dbus receive bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd}"),
+       peer=(name=:*, label="@{p_systemd}"),
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd_user}"),
+       peer=(name=:*, label="@{p_systemd_user}"),

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -46,7 +46,7 @@ profile snapd @{exec_path} {
  umount /snap/*/*/,

  ptrace (read) peer=snap,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,

--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -23,7 +23,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
  ptrace (read),

  signal (send,receive) peer=cockpit-bridge,
-  signal (send) peer=@{systemd},
+  signal (send) peer=@{p_systemd},
  signal (send) set=(cont,hup) peer=su,
  # signal (send) set=(winch),
  signal (send) set=(winch) peer=child-pager,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -57,7 +57,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  umount @{run}/udisks2/temp-mount-*/,
  umount /media/cdrom@{int}/,

-  signal (receive) set=(int) peer=@{systemd},
+  signal (receive) set=(int) peer=@{p_systemd},

  #aa:dbus own bus=system name=org.freedesktop.UDisks2

--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Define some variables for some commonly used profile. They may be used in 
+# other profiles peer label.
+
+# All variables that refer to a profile should be prefixed with `p_`
+
+# Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
+@{p_systemd}=unconfined
+@{p_systemd_user}=unconfined
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@ -56,10 +56,6 @@
@{bin}=/{,usr/}{,s}bin
@{lib}=/{,usr/}lib{,exec,32,64}

-# Name of the systemd profiles: unconfined || systemd
-@{systemd}=unconfined
-@{systemd_user}=unconfined
-
 # Udev data dynamic assignment ranges
@{dynamic}=23[4-9] 24[0-9] 25[0-4]                       # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]  # range 384 to 511
--- a/pkg/prebuild/prepare/fsp.go
+++ b/pkg/prebuild/prepare/fsp.go
@ -39,8 +39,8 @@ func (p FullSystemPolicy) Apply() ([]string, error) {
 	if err != nil {
 		return res, err
 	}
-	out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
-	out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1)
+	out := strings.Replace(string(content), "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1)
+	out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1)
 	if err := path.WriteFile([]byte(out)); err != nil {
 		return res, err
 	}