diff --git a/apparmor.d/groups/service/man-db.service b/apparmor.d/groups/service/man-db.service
deleted file mode 100644
index 5660bb66..00000000
--- a/apparmor.d/groups/service/man-db.service
+++ /dev/null
@@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
-
-abi ,
-
-include
-
-profile man-db.service @{exec_path} {
- include
-
- @{bin}/install mr,
- @{bin}/find mr,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/service/snapd.system-shutdown.service b/apparmor.d/groups/service/snapd.system-shutdown.service
deleted file mode 100644
index 01830b89..00000000
--- a/apparmor.d/groups/service/snapd.system-shutdown.service
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
-
-abi ,
-
-include
-
-profile snapd.system-shutdown.service @{exec_path} {
- include
-
- @{bin}/cp mr,
- @{bin}/mkdir mr,
-
- @{run}/initramfs/shutdown rw,
- @{run}/initramfs/ rw,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/service/systemd.service b/apparmor.d/groups/service/systemd.service
index fcfed4f9..657e68fe 100644
--- a/apparmor.d/groups/service/systemd.service
+++ b/apparmor.d/groups/service/systemd.service
@@ -17,27 +17,24 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,ba,da}sh rm,
+ @{bin}/cp rix,
+ @{bin}/find rix,
  @{bin}/grep rix,
- @{bin}/grub-editenv rPx,
- @{bin}/ibus-daemon rPx,
+ @{bin}/install rix,
  @{bin}/mkdir rix,
  @{bin}/mount rix,
  @{bin}/rm rix,
  @{bin}/systemctl rix,
+ @{bin}/grub-editenv rPx,
+ @{bin}/ibus-daemon rPx,
+
  @{bin}/chgrp rPx -> dmesg.service,
  @{bin}/chmod rPx -> dmesg.service,
  @{bin}/savelog rPx -> dmesg.service,
  @{bin}/ldconfig rPx -> ldconfig.service,
- @{bin}/find rPx -> man-db.service,
- @{bin}/mandb rPx -> man-db.service,
- @{bin}/install rPx -> man-db.service,
-
- @{bin}/cp rPx -> snapd.system-shutdown.service,
- @{bin}/mkdir rPx -> snapd.system-shutdown.service,
-
  @{lib}/ r,
  /var/cache/ldconfig/aux-cache* rw,
@@ -46,6 +43,10 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
  /boot/grub/grubenv rw,
  /boot/grub/ w,
+ # snapd.system-shutdown.service
+ @{run}/initramfs/shutdown rw,
+ @{run}/initramfs/ rw,
+
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
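Review bot: The removed `@{bin}/mandb rPx -> man-db.service,` line in the first hunk has no counterpart on the new side, so once man-db.service is deleted systemd.service can no longer exec mandb at all unless a rule elsewhere in the file covers it; if the man-db job is still launched from this profile, add `@{bin}/mandb rix,` next to the new `@{bin}/install rix,` line. Switching `cp`, `find` and `install` from `rPx -> <child>.service` to `rix` also means those helpers now run with the whole systemd.service rule set, including the `/boot/grub/` write rules and the `@{run}/initramfs/` rules added in the second hunk, instead of the few-line child profiles this commit deletes; that is a deliberate widening of the profile and deserves a comment such as `# cp/find/install run inherited: former man-db.service and snapd.system-shutdown.service rules merged here`. The `# snapd.system-shutdown.service` label in the second hunk covers only the initramfs paths, while the `@{bin}/cp rix,` line that came from the same profile carries no label, so the origin of the rule is lost. The profile block starts and ends outside both hunks.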