From 8ea09647241a49f0d4a2a8e9b2ddc2a8d6f004a5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 4 Mar 2024 22:02:43 +0000
Subject: [PATCH] feat(fsp): restrict @{run} for systemd.
---
 apparmor.d/groups/_full/systemd | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index fcd1ab43..bd66a845 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -19,6 +19,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 include
@@ -145,18 +146,24 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 /tmp/namespace-dev-@{rand6}/{,**} rw,
 /tmp/systemd-private-*/{,**} rw,
- @{run}/ r,
- @{run}/credentials/{,**} rw,
- @{run}/dbus/system_bus_socket rw,
- @{run}/spice-vdagentd/spice-vdagent-sock rw,
- @{run}/systemd/{,**} rw,
- @{run}/udev/control rw,
- @{run}/udev/data/* r,
- @{run}/udev/tags/systemd/ r,
- @{run}/user/@{uid}/{,**} rwlk,
- owner @{run}/* rw,
- owner @{run}/*/ rw,
- owner @{run}/*/* rw,
+ @{run}/ rw,
+ @{run}/auditd.pid r,
+ @{run}/credentials/{,**} rw,
+ @{run}/initctl rw,
+ @{run}/spice-vdagentd/* rw,
+ @{run}/systemd/{,**} rw,
+ @{run}/udev/control rw,
+ @{run}/mount/ rw,
+ @{run}/mount/utab r,
+
+ @{run}/udev/data/+module:configfs r,
+ @{run}/udev/data/+module:fuse r,
+ @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{run}/udev/data/n@{int} r,
+ @{run}/udev/tags/systemd/ r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
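Review bot: Two of the replacement rules in the second hunk are broader than what they replace, which cuts against the commit's stated aim of restricting @{run}: `@{run}/ rw,` (was `r`) grants write on the /run directory entry itself, and `@{run}/spice-vdagentd/* rw,` widens the single `spice-vdagent-sock` path to every entry in that directory. If listing /run is all that is needed, `@{run}/ r,` suffices; if not, a trailing comment on each line naming the operation that requires it (as the udev/data rules already do) would keep the widening deliberate. Separately, `@{run}/dbus/system_bus_socket rw,` is dropped with no visible replacement; the include added in the first hunk (its target is not readable on this page) presumably covers it, but that is worth confirming before merging. As a point of style, `@{run}/mount/ rw,` and `@{run}/mount/utab r,` sit after `@{run}/udev/control rw,` and break the alphabetical order the rest of the list follows; they belong directly after `@{run}/initctl rw,`. The enclosing `profile systemd` block begins and ends outside this hunk.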