feat(fsp): rewrite systemd-user profile.

Works fine when fsp is not enabled, but still has an issue in fsp mode.
Alexandre Pujol 2024-02-06 22:41:12 +01:00
parent d0a052b7ae
commit c006371e5b
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
2 changed files with 51 additions and 15 deletions


@ -4,7 +4,7 @@
# Profile for 'systemd --user', not PID 1 but the user manager for any UID. # Profile for 'systemd --user', not PID 1 but the user manager for any UID.
# It does not specify an attachment path because it is intended to be used only # It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-user" exec transitions from the systemd profile. # via "AppArmorProfile=systemd-user" from a systemd unit file.
# Only use this profile with a fully configured system. Otherwise it **WILL** # Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/. # break your computer. See https://apparmor.pujol.io/full-system-policy/.
@ -18,26 +18,25 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd @{exec_path} = @{lib}/systemd/systemd
profile systemd-user flags=(attach_disconnected,mediate_deleted) { profile systemd-user flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility> include <abstractions/audio>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
network netlink raw, network netlink raw,
ptrace (read),
signal (send) set=(term, cont, kill), signal (send) set=(term, cont, kill),
signal (receive) set=(hup) peer=@{systemd}, signal (receive) set=(hup) peer=@{systemd},
ptrace (read),
@{exec_path} mr, @{exec_path} mr,
@{bin}/dbus-broker-launch rix, # To avoid issue as in #74, #80 & #235
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{lib}/systemd/systemd-executor rix, @{lib}/systemd/systemd-executor rix,
audit @{lib}/** Pix, @{bin}/** Pix,
audit @{bin}/** Pix, @{lib}/** Pix,
@{bin}/pipewire rPx -> systemd-user//&pipewire, @{bin}/pipewire rPx -> systemd-user//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
@ -46,22 +45,51 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{bin}/wireplumber rPx -> systemd-user//&wireplumber, @{bin}/wireplumber rPx -> systemd-user//&wireplumber,
/usr/ r, /usr/ r,
/usr/share/alsa-card-profile/{,**} r,
/usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r,
/usr/share/pipewire/{,**} r,
/usr/share/pulseaudio/{,**} r,
/usr/share/spa-*/bluez@{int}/{,*} r,
/usr/share/wireplumber/{,**} r,
/etc/pipewire/{,**} r,
/etc/machine-id r,
/etc/systemd/user.conf r, /etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r, /etc/systemd/user.conf.d/{,**} r,
/etc/systemd/user/{,**} r, /etc/systemd/user/{,**} r,
/ r,
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
owner @{HOME}/.local/ w,
owner @{user_config_dirs}/systemd/user/{,**} r, owner @{user_config_dirs}/systemd/user/{,**} r,
owner @{run}/user/@{uid}/{,*/,*} rw, owner @{user_state_dirs}/ w,
owner @{run}/user/@{uid}/*/* rw, owner @{user_state_dirs}/wireplumber/{,**} rw,
owner @{run}/user/@{uid}/systemd/{,**} rwl,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/ rw,
owner @{run}/user/@{uid}/** rwkl,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/notify w, @{run}/systemd/notify w,
@{run}/udev/data/* r, @{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/tags/systemd/ r, @{run}/udev/tags/systemd/ r,
@{sys}/bus/ r,
@{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@ -78,14 +106,23 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{PROC}/swaps r, @{PROC}/swaps r,
@{PROC}/sys/fs/nr_open r, @{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/threads-max r, @{PROC}/sys/kernel/threads-max r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/gid_map r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pids}/attr/apparmor/exec w, owner @{PROC}/@{pids}/attr/apparmor/exec w,
owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pids}/oom_score_adj rw, owner @{PROC}/@{pids}/oom_score_adj rw,
/dev/media@{int} rw,
/dev/snd/ r,
/dev/tty rw,
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
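Review bot: The catch-all exec rules `@{bin}/** Pix,` and `@{lib}/** Pix,` in the second hunk appear to drop the `audit` qualifier the old side carried on both lines, so any binary without a dedicated profile now falls back to `ix` inheritance under systemd-user without leaving a log line; that audit record is the only signal that shows which program fell through, which is exactly what the "#74, #80 & #235" class of issue and the fsp-mode problem noted in the commit message need for diagnosis. I would keep `audit @{bin}/** Pix,` and `audit @{lib}/** Pix,` until the fsp transitions are settled. In the third hunk, `/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,` has no `owner` qualifier while the sibling `owner @{user_state_dirs}/wireplumber/{,**} rw,` does; if the gdm state directory is deliberately accessed across users this deserves a short comment, otherwise `owner` should be added for consistency. The enclosing `profile systemd-user` block continues past the last hunk, so the nested `profile systemctl` is only partly visible here.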


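--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,3 +1,2 @@
-# TODO: works as intended on server, does not work on desktop
-# [Service]
-# AppArmorProfile=systemd-user
+[Service]
+AppArmorProfile=systemd-user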
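Review bot: The drop-in now sets `AppArmorProfile=systemd-user` unconditionally, yet the removed `# TODO` line was the only caveat visible from this file, and the profile's own header (first hunk of the other file) states it must only be used on a fully configured system or it will break the machine, while the commit message records an open issue in fsp mode. I would carry that caveat into the drop-in as a comment above `[Service]`, for example `# Only enable on a fully configured full-system-policy setup; see the systemd-user profile header.`, so that anyone installing this unit fragment makes an informed choice. A user manager that fails to start under the wrong policy takes the whole session with it, so the one-line note is cheap insurance.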