feat(fsp): rewrite systemd-user profile.
Works fine when fsp is not enabled; there is still an issue in fsp mode.
parent
d0a052b7ae
commit
c006371e5b
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
|
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
|
||||||
# It does not specify an attachment path because it is intended to be used only
|
# It does not specify an attachment path because it is intended to be used only
|
||||||
# via "Px -> systemd-user" exec transitions from the systemd profile.
|
# via "AppArmorProfile=systemd-user" from a systemd unit file.
|
||||||
|
|
||||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||||
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
|
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
|
||||||
@ -18,26 +18,25 @@ include <tunables/global>
|
|||||||
@{exec_path} = @{lib}/systemd/systemd
|
@{exec_path} = @{lib}/systemd/systemd
|
||||||
profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-accessibility>
|
include <abstractions/audio>
|
||||||
include <abstractions/bus-session>
|
|
||||||
include <abstractions/bus-system>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/video>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
ptrace (read),
|
|
||||||
|
|
||||||
signal (send) set=(term, cont, kill),
|
signal (send) set=(term, cont, kill),
|
||||||
signal (receive) set=(hup) peer=@{systemd},
|
signal (receive) set=(hup) peer=@{systemd},
|
||||||
|
|
||||||
|
ptrace (read),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{bin}/dbus-broker-launch rix, # To avoid issue as in #74, #80 & #235
|
||||||
@{bin}/systemctl rCx -> systemctl,
|
@{bin}/systemctl rCx -> systemctl,
|
||||||
@{lib}/systemd/systemd-executor rix,
|
@{lib}/systemd/systemd-executor rix,
|
||||||
|
|
||||||
audit @{lib}/** Pix,
|
@{bin}/** Pix,
|
||||||
audit @{bin}/** Pix,
|
@{lib}/** Pix,
|
||||||
|
|
||||||
@{bin}/pipewire rPx -> systemd-user//&pipewire,
|
@{bin}/pipewire rPx -> systemd-user//&pipewire,
|
||||||
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
|
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
|
||||||
@ -46,22 +45,51 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
|||||||
@{bin}/wireplumber rPx -> systemd-user//&wireplumber,
|
@{bin}/wireplumber rPx -> systemd-user//&wireplumber,
|
||||||
|
|
||||||
/usr/ r,
|
/usr/ r,
|
||||||
|
/usr/share/alsa-card-profile/{,**} r,
|
||||||
|
/usr/share/dbus-1/{,**} r,
|
||||||
|
/usr/share/defaults/**.conf r,
|
||||||
|
/usr/share/pipewire/{,**} r,
|
||||||
|
/usr/share/pulseaudio/{,**} r,
|
||||||
|
/usr/share/spa-*/bluez@{int}/{,*} r,
|
||||||
|
/usr/share/wireplumber/{,**} r,
|
||||||
|
|
||||||
|
/etc/pipewire/{,**} r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
|
||||||
/etc/systemd/user.conf r,
|
/etc/systemd/user.conf r,
|
||||||
/etc/systemd/user.conf.d/{,**} r,
|
/etc/systemd/user.conf.d/{,**} r,
|
||||||
/etc/systemd/user/{,**} r,
|
/etc/systemd/user/{,**} r,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
|
/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
|
||||||
|
|
||||||
|
owner @{HOME}/.local/ w,
|
||||||
|
|
||||||
owner @{user_config_dirs}/systemd/user/{,**} r,
|
owner @{user_config_dirs}/systemd/user/{,**} r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/{,*/,*} rw,
|
owner @{user_state_dirs}/ w,
|
||||||
owner @{run}/user/@{uid}/*/* rw,
|
owner @{user_state_dirs}/wireplumber/{,**} rw,
|
||||||
owner @{run}/user/@{uid}/systemd/{,**} rwl,
|
|
||||||
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
owner @{run}/user/@{uid}/ rw,
|
||||||
|
owner @{run}/user/@{uid}/** rwkl,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
@{run}/systemd/notify w,
|
@{run}/systemd/notify w,
|
||||||
@{run}/udev/data/* r,
|
@{run}/udev/data/+module:configfs r,
|
||||||
|
@{run}/udev/data/+module:fuse r,
|
||||||
|
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
|
||||||
|
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||||
|
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||||
|
@{run}/udev/data/c116:@{int} r, # For ALSA
|
||||||
|
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
|
||||||
|
@{run}/udev/data/n@{int} r,
|
||||||
@{run}/udev/tags/systemd/ r,
|
@{run}/udev/tags/systemd/ r,
|
||||||
|
|
||||||
|
@{sys}/bus/ r,
|
||||||
|
@{sys}/devices/**/sound/**/pcm_class r,
|
||||||
|
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
@ -78,14 +106,23 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
|||||||
@{PROC}/swaps r,
|
@{PROC}/swaps r,
|
||||||
@{PROC}/sys/fs/nr_open r,
|
@{PROC}/sys/fs/nr_open r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
|
@{PROC}/sys/kernel/overflowgid r,
|
||||||
|
@{PROC}/sys/kernel/overflowuid r,
|
||||||
@{PROC}/sys/kernel/pid_max r,
|
@{PROC}/sys/kernel/pid_max r,
|
||||||
@{PROC}/sys/kernel/threads-max r,
|
@{PROC}/sys/kernel/threads-max r,
|
||||||
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
|
owner @{PROC}/@{pid}/gid_map r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
owner @{PROC}/@{pid}/uid_map r,
|
||||||
owner @{PROC}/@{pids}/attr/apparmor/exec w,
|
owner @{PROC}/@{pids}/attr/apparmor/exec w,
|
||||||
owner @{PROC}/@{pids}/fd/ r,
|
owner @{PROC}/@{pids}/fd/ r,
|
||||||
owner @{PROC}/@{pids}/mountinfo r,
|
owner @{PROC}/@{pids}/mountinfo r,
|
||||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||||
|
|
||||||
|
/dev/media@{int} rw,
|
||||||
|
/dev/snd/ r,
|
||||||
|
/dev/tty rw,
|
||||||
|
|
||||||
profile systemctl {
|
profile systemctl {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
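Review bot: Dropping the `audit` qualifier from `@{bin}/** Pix,` and `@{lib}/** Pix,` (second hunk) removes the only log signal for executables that have no dedicated profile and therefore fall back to inheriting systemd-user; a new unprofiled unit now runs under the user manager's broad policy with no trace in the audit log, which matters most while the commit message still reports an open issue in fsp mode. Consider keeping `audit @{bin}/** Pix,` and `audit @{lib}/** Pix,` until the fallback cases are enumerated, or add a comment explaining why the noise is acceptable. In the third hunk, `owner @{run}/user/@{uid}/** rwkl,` replaces the former `systemd/{,**}` and `*/*` rules and now covers every runtime object of the user, sockets included; presumably the stacked `systemd-user//&pipewire` and `//&wireplumber` profiles need it, but a one-line comment to that effect would save the next reviewer the same inference. The same hunk's `/var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,` is the only state-directory rule without `owner`, unlike `owner @{user_state_dirs}/wireplumber/{,**} rw,` next to it; if the gdm manager instance runs as the gdm uid, prefixing it with `owner` keeps the two consistent.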
@ -1,3 +1,2 @@
|
|||||||
# TODO: works as intended on server, does not work on desktop
|
[Service]
|
||||||
# [Service]
|
AppArmorProfile=systemd-user
|
||||||
# AppArmorProfile=systemd-user
|
|
||||||
|
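Review bot: The removed TODO line recorded a known limitation ("does not work on desktop") and the commit message still reports an issue in fsp mode, yet the new side enables `AppArmorProfile=systemd-user` with no comment left about the caveat; a short comment such as `# Known issue: fsp mode on desktop, see commit message` keeps that state visible to whoever ships the drop-in. Note also that without a leading `-` the directive is fatal when the profile is not loaded, so the unit (presumably user@.service, the path is not visible here) will fail to start on hosts where apparmor.d is only partially installed; that is the safer default for a full-system policy, but it is worth stating in the same comment.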