diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index bd66a845..e2e1b2e9 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -53,33 +53,45 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  network inet6 stream,
  network netlink raw,
 
- mount -> @{run}/systemd/incoming/,
- mount -> @{run}/systemd/mount-rootfs/{,**},
- mount -> @{run}/systemd/unit-root/{,**},
- mount -> @{sys}/fs/fuse/connections/,
- mount -> @{sys}/kernel/config/,
- mount -> @{sys}/kernel/debug/,
- mount -> @{sys}/kernel/tracing/,
- mount -> /,
- mount -> /dev/,
- mount -> /dev/hugepages/,
- mount -> /dev/mqueue/,
- mount -> /efi/,
- mount -> /tmp/,
- mount @{run}/systemd/namespace-@{rand6}/ -> @{run}/systemd/mount-rootfs/proc/,
- mount @{run}/systemd/namespace-@{rand6}/dev/ -> @{run}/systemd/mount-rootfs/dev/,
- mount /dev/*/ -> @{run}/systemd/namespace-@{rand6}/dev/*/,
- mount /dev/ptmx -> @{run}/systemd/namespace-@{rand6}/dev/ptmx,
- mount /dev/tty -> @{run}/systemd/namespace-@{rand6}/dev/tty,
- mount /tmp/systemd-private-*/tmp/ -> @{run}/systemd/mount-rootfs/tmp/,
- mount fstype=proc proc -> @{run}/systemd/namespace-@{rand6}/,
- mount fstype=sysfs sysfs -> @{run}/systemd/namespace-@{rand6}/,
- mount fstype=tmpfs tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
- mount fstype=tmpfs tmpfs -> /dev/shm/,
- mount fstype=ramfs ramfs -> /dev/shm/,
+ mount fstype=autofs systemd-1 -> /efi/,
+ mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
+ mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
+ mount fstype=tmpfs tmpfs -> /tmp/,
+ mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
+ mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
+ mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+
+ mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
+ mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
+ mount options=(rw move) -> @{sys}/fs/fuse/connections/,
+ mount options=(rw move) -> @{sys}/kernel/config/,
+ mount options=(rw move) -> @{sys}/kernel/debug/,
+ mount options=(rw move) -> @{sys}/kernel/tracing/,
+ mount options=(rw move) -> /dev/hugepages/,
+ mount options=(rw move) -> /dev/mqueue/,
+ mount options=(rw move) -> /efi/,
+ mount options=(rw move) -> /tmp/,
+ mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
+ mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
+ mount options=(rw rshared) -> /,
+ mount options=(rw rslave) -> /,
+ mount options=(rw rslave) -> /dev/,
+ mount options=(rw slave) -> @{run}/systemd/incoming/,
+
+ remount @{HOME}/{,**},
+ remount @{MOUNTS}/{,**},
+ remount @{run}/systemd/mount-rootfs/{,**},
+ remount /,
+ remount options=(ro nosuid bind) /dev/,
+ remount options=(ro nosuid nodev bind) /dev/hugepages/,
+ remount options=(ro nosuid nodev bind) /var/,
+ remount options=(ro nosuid nodev noexec bind) /boot/,
+ remount options=(ro nosuid nodev noexec bind) /dev/mqueue/,
+ remount options=(ro nosuid noexec bind) /dev/pts/,
 
  umount /,
  umount /dev/shm/,
+ umount @{PROC}/sys/fs/binfmt_misc/,
  umount @{run}/systemd/mount-rootfs/{,**},
  umount @{run}/systemd/namespace-@{rand6}/{,**},
  umount @{run}/systemd/unit-root/{,**},
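Review bot: `mount fstype=tmpfs tmpfs -> /tmp/,` in the first added group is the only tmpfs rule in this hunk without an `options=(...)` constraint, so it permits a /tmp tmpfs mounted with any flag set (exec, suid, dev) while the sibling rules for /dev/shm/, the credentials directory and the namespace dev/ pin nosuid/nodev/noexec. The same pattern appears further down in the option-less `remount @{HOME}/{,**},`, `remount @{MOUNTS}/{,**},` and `remount /,`, which allow any remount flags on those trees next to remounts that are pinned to `ro nosuid nodev bind`. If the tmp.mount unit on the targeted distributions uses the common `mode=1777,strictatime,nosuid,nodev` set, `mount fstype=tmpfs options=(rw nosuid nodev strictatime) tmpfs -> /tmp/,` would cover it; this is worth confirming against the audit denials that motivated the rule rather than assumed, and the home and @{MOUNTS} remounts could likewise carry the flags seen in those denials. The enclosing `profile systemd` block starts and ends outside this hunk.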