diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl
index 8440fae5..977a7be8 100644
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@@ -5,7 +5,7 @@
   include
   include
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 65f50595..72ccd3d7 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -8,8 +8,8 @@
   signal (receive) peer=sudo,
   signal (receive) peer=top,
   signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(cont,term) peer=@{systemd_user},
-  signal (receive) set=(cont,term) peer=@{systemd},
+  signal (receive) set=(cont,term) peer=@{p_systemd_user},
+  signal (receive) set=(cont,term) peer=@{p_systemd},
   signal (receive) set=(hup) peer=xinit,
   signal (receive) set=(term,kill) peer=gnome-shell,
   signal (receive) set=(term,kill) peer=gnome-system-monitor,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
index b8e75946..46d5fdc8 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@@ -5,12 +5,12 @@
   dbus send bus=system path=/org/freedesktop/systemd1
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member={GetUnit,StartUnit,StartTransientUnit}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
index fda67e03..2f6bb992 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@@ -10,11 +10,11 @@
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
-       peer=(name="{:*,org.freedesktop.systemd1}", label="@{systemd_user}"),
+       peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=GetUnit
-       peer=(name="{:*,org.freedesktop.systemd1}", label="@{systemd_user}"),
+       peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
   include if exists
diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd
index a1763342..b98291bf 100644
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 05f47139..3a449bd2 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -28,7 +28,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   signal (send) set=(term, cont, kill),
   signal (receive) set=(hup) peer=@{systemd},
-  ptrace (read),
+  ptrace (read),@{p_systemd}
   unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
   unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
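Review bot: The added line in the systemd-user hunk, `ptrace (read),@{p_systemd}`, is malformed: the comma already terminates the ptrace rule, so `@{p_systemd}` dangles in front of the following `unix (bind) …` rule and apparmor_parser should reject the profile rather than load it (at best it would be read as a nonsense path rule). If the intent was to narrow the rule it should read `ptrace (read) peer=@{p_systemd},`; if the intent was to keep the unrestricted read, the suffix should simply be dropped. The unchanged context line just above, `signal (receive) set=(hup) peer=@{systemd},`, still references `@{systemd}`, whose definition this same commit deletes from `tunables/multiarch.d/system`, so it presumably also needs to become `signal (receive) set=(hup) peer=@{p_systemd},` or the profile will fail on an undeclared variable. The enclosing `profile systemd-user` block starts and ends outside the hunk.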
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index e04b9471..c941e29a 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -30,7 +30,7 @@ profile dbus-system flags=(attach_disconnected) {
   network bluetooth stream,
   network bluetooth seqpacket,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   dbus bus=system,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index d24b2cd1..34352654 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -22,7 +22,7 @@ profile plymouthd @{exec_path} {
   network netlink raw,
   signal (send) peer=unconfined,
-  signal (send) set=(rtmin+23) peer=@{systemd},
+  signal (send) set=(rtmin+23) peer=@{p_systemd},
   signal (send) set=(rtmin+23) peer=systemd-shutdown,
   ptrace (read) peer=plymouth,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 89c2238b..98d09551 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -46,7 +46,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index 004a8681..cc0b29db 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -11,14 +11,14 @@ profile gnome-session-ctl @{exec_path} {
   include
   include
-  signal (receive) set=(kill) peer=@{systemd},
+  signal (receive) set=(kill) peer=@{p_systemd},
   unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member={StartUnit,StopUnit}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 6b87cf44..616bb442 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -165,7 +165,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus receive bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=JobRemoved
-       peer=(name=:*, label="@{systemd_user}"),
+       peer=(name=:*, label="@{p_systemd_user}"),
   dbus send bus=session path=/MenuBar
        interface=com.canonical.dbusmenu
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 94fafbcf..cc93faea 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
   @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 4d4d90a7..adc56bae 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -39,7 +39,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   ptrace (read),
   ptrace (trace) peer=@{profile_name},
-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
   signal (send) set=(kill, term) peer=startplasma,
   signal (send) set=(kill, term) peer=xorg,
   signal (send) set=(term) peer=kwin_wayland,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 10036438..a48227ff 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -11,7 +11,7 @@ profile startplasma @{exec_path} {
   include
   include
-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
   signal (receive) set=(term) peer=sddm,
   @{exec_path} mr,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index e32ba1b6..d1d068ae 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
   capability sys_ptrace,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 9367208d..21f1fea2 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -49,9 +49,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
-  ptrace (read,trace) peer=@{systemd},
+  ptrace (read,trace) peer=@{p_systemd},
   unix (bind) type=stream addr=@@{hex}/bus/sshd/system,
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 06305318..a3855751 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -22,7 +22,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
   signal send peer=child-pager,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 91fd63c9..9c06aa64 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -22,7 +22,7 @@ profile systemd-analyze @{exec_path} {
   signal (send) peer=child-pager,
-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index 299f29e3..d600860b 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -12,7 +12,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
   include
   include
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd/systemd-generator-run
index 928e6b35..99fcd4c6 100644
--- a/apparmor.d/groups/systemd/systemd-generator-run
+++ b/apparmor.d/groups/systemd/systemd-generator-run
@@ -11,7 +11,7 @@ profile systemd-generator-run @{exec_path} flags=(attach_disconnected) {
   include
   include
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd/systemd-generator-veritysetup
index 035cc01d..d1ba5eff 100644
--- a/apparmor.d/groups/systemd/systemd-generator-veritysetup
+++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup
@@ -11,7 +11,7 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) {
   include
   include
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 03788680..c2e45293 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -33,7 +33,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=system name=org.freedesktop.login1
-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
   dbus receive bus=system path=/org/freedesktop/login@{int}{,/seat/auto,session/_@{int}}
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index c68295a6..370763f2 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -33,7 +33,7 @@ profile systemd-machined @{exec_path} {
   #aa:dbus own bus=system name=org.freedesktop.machine1
-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell
index a04cf876..60e10876 100644
--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@@ -14,7 +14,7 @@ profile systemd-sulogin-shell @{exec_path} {
   capability net_admin,
   capability sys_resource,
-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 8449a37c..9495cad1 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -22,7 +22,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/systemd1/unit/*
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 53c0885b..f054748d 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
-  unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),
+  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),
   #aa:dbus own bus=system name=org.freedesktop.timesync1
diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done
index 1acb6aea..435f0693 100644
--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {
   capability net_admin,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork
index 8be6f311..850bf9b9 100644
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@@ -14,7 +14,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
   capability sys_resource,
-  signal (send) peer=@{systemd},
+  signal (send) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 6eca9a84..229fc6e0 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -94,7 +94,7 @@ profile update-notifier @{exec_path} {
   dbus send bus=system path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=GetUnitFileState
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 68a121bd..22854ae2 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -11,7 +11,7 @@ profile anacron @{exec_path} {
   include
   include
-  signal (receive) set=(usr1) peer=@{systemd},
+  signal (receive) set=(usr1) peer=@{p_systemd},
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index ddfe2c68..18db61d3 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@@ -14,7 +14,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
   include
   include
-  signal (send) set=(int) peer=@{systemd},
+  signal (send) set=(int) peer=@{p_systemd},
   #aa:dbus own bus=session name=org.freedesktop.Flatpak
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index 7e80ed01..c531089c 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} {
   network inet6 stream,
   network netlink raw,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 2f976bc0..c16d75d3 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -34,16 +34,16 @@ profile snap @{exec_path} {
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
   dbus receive bus=system path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=JobRemoved
-       peer=(name=:*, label="@{systemd}"),
+       peer=(name=:*, label="@{p_systemd}"),
   dbus receive bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=JobRemoved
-       peer=(name=:*, label="@{systemd_user}"),
+       peer=(name=:*, label="@{p_systemd_user}"),
   dbus send bus=session path=/org/freedesktop/portal/documents
        interface=org.freedesktop.portal.Documents
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 4d30cccd..f2fbf118 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -46,7 +46,7 @@ profile snapd @{exec_path} {
   umount /snap/*/*/,
   ptrace (read) peer=snap,
-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},
   unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 3d7e8ed7..0137ead6 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -23,7 +23,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
   ptrace (read),
   signal (send,receive) peer=cockpit-bridge,
-  signal (send) peer=@{systemd},
+  signal (send) peer=@{p_systemd},
   signal (send) set=(cont,hup) peer=su,
   # signal (send) set=(winch),
   signal (send) set=(winch) peer=child-pager,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index dcb786f1..f6bd81aa 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -57,7 +57,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/udisks2/temp-mount-*/,
   umount /media/cdrom@{int}/,
-  signal (receive) set=(int) peer=@{systemd},
+  signal (receive) set=(int) peer=@{p_systemd},
   #aa:dbus own bus=system name=org.freedesktop.UDisks2
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
new file mode 100644
index 00000000..f15af0d8
--- /dev/null
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Define some variables for some commonly used profile. They may be used in
+# other profiles peer label.
+
+# All variables that refer to a profile should be prefixed with `p_`
+
+# Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
+@{p_systemd}=unconfined
+@{p_systemd_user}=unconfined
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index fe4b1edf..68efe0b7 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -56,10 +56,6 @@
 @{bin}=/{,usr/}{,s}bin
 @{lib}=/{,usr/}lib{,exec,32,64}
-# Name of the systemd profiles: unconfined || systemd
-@{systemd}=unconfined
-@{systemd_user}=unconfined
-
 # Udev data dynamic assignment ranges
 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go
index b9f27460..e893560b 100644
--- a/pkg/prebuild/prepare/fsp.go
+++ b/pkg/prebuild/prepare/fsp.go
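Review bot: The new tunables file does not say that its two assignments are rewritten by tooling: `pkg/prebuild/prepare/fsp.go` in this same commit searches for the exact strings `@{p_systemd}=unconfined` and `@{p_systemd_user}=unconfined` and substitutes `systemd` / `systemd-user` for full-system-policy builds, so any spacing, reordering or renaming of these lines silently disables that rewrite. The last comment line is also ambiguous about which value belongs to which variable; I would replace it with `# Name of the systemd profiles: unconfined by default. The full-system-policy prebuild (pkg/prebuild/prepare/fsp.go) rewrites these exact lines to systemd and systemd-user respectively, so keep them byte-exact.` It is worth adding that, with the default, every `peer=@{p_systemd}` rule in the tree matches any unconfined process rather than systemd specifically — the same as before this change, but it belongs next to the definition so readers of the peer rules are not misled.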
@@ -39,8 +39,8 @@ func (p FullSystemPolicy) Apply() ([]string, error) {
 	if err != nil {
 		return res, err
 	}
-	out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
-	out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1)
+	out := strings.Replace(string(content), "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1)
+	out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1)
 	if err := path.WriteFile([]byte(out)); err != nil {
 		return res, err
 	}
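Review bot: The two `strings.Replace` calls on the new side are silent no-ops when the expected literal is absent from `content`, and this commit moves the definitions from `tunables/multiarch.d/system` to the new `tunables/multiarch.d/profiles` without the hunk showing that `path`, read before the hunk, now points at the new file. If it still names the old file, a full-system-policy build would leave `@{p_systemd}=unconfined` in place, every `peer=@{p_systemd}` rule would keep matching unconfined peers instead of the confined `systemd` profile, and the only symptom would be runtime denials rather than a build error. I would fail loudly instead: `if !strings.Contains(string(content), "@{p_systemd}=unconfined") || !strings.Contains(string(content), "@{p_systemd_user}=unconfined") { return res, fmt.Errorf("%v: systemd profile tunables not found, cannot apply full system policy", path) }` before the replacements (adding `fmt` to the imports if the file does not already have it), or equivalently compare `out` against the input and error when nothing changed. `Apply` begins before this hunk, so the derivation of `path` and `content` is not visible here.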