From a334b461d04187db3d4e79d2587b3c790a882ca2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 15 Feb 2024 00:16:53 +0000
Subject: [PATCH] feat(fsp): update systemd related profiles.

---
 apparmor.d/groups/_full/systemd | 14 +++++---------
 apparmor.d/groups/_full/systemd-service | 5 +++++
 apparmor.d/groups/_full/systemd-user | 11 +++++++++++
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index b2a7cf34..45372b49 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -18,6 +18,7 @@ include
 profile systemd flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ include
 include
 include

@@ -46,15 +47,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 capability sys_tty_config,

 network inet dgram,
- network inet raw,
 network inet stream,
 network inet6 dgram,
- network inet6 raw,
 network inet6 stream,
 network netlink raw,

 mount -> @{run}/systemd/incoming/,
 mount -> @{run}/systemd/mount-rootfs/{,**},
+ mount -> @{run}/systemd/unit-root/{,**},
 mount -> @{sys}/fs/fuse/connections/,
 mount -> @{sys}/kernel/config/,
 mount -> @{sys}/kernel/debug/,
@@ -75,6 +75,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 mount fstype=sysfs sysfs -> @{run}/systemd/namespace-@{rand6}/,
 mount fstype=tmpfs tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
 mount fstype=tmpfs tmpfs -> /dev/shm/,
+ mount fstype=ramfs ramfs -> /dev/shm/,

 umount /,
 umount /dev/shm/,
@@ -93,8 +94,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 ptrace (read, readby),

 unix (send) type=dgram,
-
- dbus, # TODO: WIP
+ # dbus: own bus=system name=org.freedesktop.systemd1

 @{bin}/systemctl rix,
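Review bot: In the `@@ -93,8 +94,7 @@` hunk the catch-all `dbus,` rule is replaced by `# dbus: own bus=system name=org.freedesktop.systemd1`, which apparmor_parser treats as a comment, so unless the project's build step expands `# dbus:` lines into real rules, PID 1 is left with no explicit dbus permission beyond whatever the include added in the first hunk provides (its target is stripped in this rendering). Worth confirming that the generated profile contains the expected `dbus ... bus=system` rules for org.freedesktop.systemd1 after the build, and that no bare `dbus` denial shows up in the audit log on a booted system. The same construction appears in systemd-user (`# dbus: own bus=session name=org.freedesktop.systemd1`), where the explicit `dbus receive ... peer=(name=:*, label=gnome-shell)` rule added next to it suggests the directive alone does not cover every peer; a one-line comment naming the tool that expands these directives would save the next reader the same question. The enclosing profile block starts and ends outside the hunk.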
@@ -134,15 +134,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 /etc/conf.d/{,**} r,
 /etc/credstore.encrypted/{,**} r,
 /etc/credstore/{,**} r,
- /etc/default/** r,
 /etc/environment r,
 /etc/environment.d/{,**} r,
- /etc/locale.conf r,
 /etc/machine-id r,
- /etc/modules-load.d/ r,
- /etc/networkd-dispatcher/{,**} r,
+ /etc/modules-load.d/{,**} r,
 /etc/systemd/{,**} r,
- /etc/udev/hwdb.d/{,*} r,

 /var/lib/systemd/{,**} rw,
 owner /var/tmp/systemd-private-*/{,**} rw,
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index 1b660489..459bd196 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -13,10 +13,15 @@ include
 profile systemd-service @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+
+ capability chown,
+ capability fsetid,

 @{bin}/ldconfig rix,
 @{bin}/savelog rix,
 @{bin}/systemctl rix,
+ @{bin}/gzip rix,
 @{coreutils_path} rix,
 @{shells_path} rmix,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 252d05ff..beb89315 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -19,6 +19,8 @@ include
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ include
+ include
 include
 include

@@ -29,6 +31,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 ptrace (read),

+ # dbus: own bus=session name=org.freedesktop.systemd1
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=gnome-shell),
+
 @{exec_path} mr,
 @{bin}/dbus-broker-launch rix,
 # To avoid issue as in #74, #80 & #235
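Review bot: In the `@@ -134,15 +134,11 @@` hunk the systemd (PID 1) profile loses `/etc/locale.conf r` and `/etc/default/** r` without a pointer to where those reads now live; systemd itself reads `/etc/locale.conf` during early boot to build the default environment, so if the abstraction added in the first hunk of this file (target not visible here) does not cover it, the result is a boot-time audit denial rather than a visible failure. The removal of `/etc/udev/hwdb.d/{,*} r` and `/etc/networkd-dispatcher/{,**} r` looks like deliberate tightening, but a short comment such as `# locale/default reads moved to <abstraction name>` on the hunk would let the next reader tell intentional cuts from accidental ones. The `/etc/modules-load.d/ r` to `/etc/modules-load.d/{,**} r` change only widens a read rule and is fine. The enclosing profile block starts and ends outside the hunk.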
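Review bot: In the systemd-service `@@ -13,10 +13,15 @@` hunk, `capability chown,` and `capability fsetid,` are added to the shared `systemd-service @{exec_path}` profile with no comment saying which service needs them; because this profile attaches to every path in `@{exec_path}`, every such service gains the ability to change file ownership, which is the kind of grant that should be justified in place. Given the neighbouring `@{bin}/savelog rix` and the new `@{bin}/gzip rix`, the likely reason is log rotation, but that is a guess from this hunk alone; a line such as `# chown/fsetid: presumably needed by savelog when rotating logs — confirm` above the two capabilities would record it. Minor style point: `@{bin}/gzip rix,` is appended after `systemctl` while the surrounding list is alphabetical, so it belongs before `@{bin}/ldconfig rix,`. The profile block continues outside the hunk.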
@@ -62,10 +71,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 / r,
+ /var/lib/gdm{3,}/.config/pulse/{,**} rw,
 /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
 owner @{HOME}/.local/ w,
+ owner @{user_config_dirs}/pulse/{,**} rw,
 owner @{user_config_dirs}/systemd/user/{,**} r,
 owner @{user_state_dirs}/ w,