feat(fsp): reorganise systemd.service.

2024-11-14 23:43:56 +01:00 · 2024-02-01 18:33:19 +00:00 · 2024-02-01 18:33:19 +00:00 · dbbb2150e2
commit dbbb2150e2
parent 0a74d5c6fe
4 changed files with 10 additions and 96 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -79,6 +79,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  umount,

  pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
+  pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,

  change_profile,

@ -93,6 +94,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  # dbus: own bus=system name=org.freedesktop.systemd1

  @{bin}/systemctl                  rix,
+  @{bin}/mount                      rix,

  @{lib}/systemd/systemd-executor   rix,
  @{lib}/systemd/systemd            rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
@ -100,7 +102,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {

  @{bin}/ldconfig                   rPx -> systemd.service,
  @{bin}/mandb                      rPx -> systemd.service,
-  @{bin}/mount                      rPx -> systemd.service,
  @{bin}/savelog                    rPx -> systemd.service,
  @{coreutils_path}                 rPx -> systemd.service,
  @{shells_path}                    rPx -> systemd.service,
--- a/apparmor.d/groups/service/systemd.service
+++ b/apparmor.d/groups/service/systemd.service
@ -2,40 +2,32 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# Profile for generic systemd unit services. Only used by service without profile.
+# It does not specify an attachment path because it is intended to be used only
+# via "Px -> systemd-service" exec transitions from the systemd profile.

 abi <abi/3.0>,

 include <tunables/global>

-profile systemd.service @{exec_path} flags=(attach_disconnected)  {
+profile systemd-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

  capability sys_admin,

-  # TODO:
-  mount -> @{sys}/fs/fuse/connections/, 
-  mount -> @{sys}/kernel/*/,
-  mount -> /dev/*/,
-  mount -> /efi/, 
-  mount -> /tmp/, 
-
-  @{bin}/mount         rix, # TODO: maybe, keep it in systemed
  @{bin}/systemctl     rix,
  @{coreutils_path}    rix,
  @{shells_path}      rmix,
+  @{bin}/ldconfig      rix,

  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,
-  @{bin}/ldconfig      rPx -> ldconfig.service,

  @{lib}/ r,

-  /var/cache/ldconfig/aux-cache* rw,
+  /var/cache/ldconfig/{,**} rw,

-  # grub-common.service
  /boot/grub/grubenv rw,
  /boot/grub/ w,

@ -50,6 +42,6 @@ profile systemd.service @{exec_path} flags=(attach_disconnected)  {
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,

-  include if exists <usr/systemd.service.d>
-  include if exists <local/systemd.service>
+  include if exists <usr/systemd-service.d>
+  include if exists <local/systemd-service>
 }
--- a/apparmor.d/groups/service/init-exim4
+++ b/apparmor.d/groups/service/init-exim4
@ -1,57 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = /etc/init.d/exim4
-profile init-exim4 @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/nameservice-strict>
-
-  capability chown,
-  capability dac_read_search,
-  capability fowner,
-  capability fsetid,
-  capability kill,
-  capability net_admin,
-  capability sys_ptrace,
-
-  signal (send) peer=exim4,
-
-  ptrace (read) peer=@{systemd},
-
-  @{exec_path} mr,
-
-  @{bin}/cat                rix,
-  @{bin}/chmod              rix,
-  @{bin}/chown              rix,
-  @{bin}/dirname            rix,
-  @{bin}/exim4              rPx,
-  @{bin}/getopt             rix,
-  @{bin}/grep               rix,
-  @{bin}/id                 rix,
-  @{bin}/install            rix,
-  @{bin}/mv                 rix,
-  @{bin}/plymouth           rPx,
-  @{bin}/rm                 rix,
-  @{bin}/run-parts          rix,
-  @{bin}/sed                rix,
-  @{bin}/start-stop-daemon  rix,
-  @{bin}/systemctl          rix,
-  @{bin}/touch              rix,
-  @{bin}/tr                 rix,
-  @{bin}/update-exim4.conf  rix,
-
-  /etc/default/exim4 r,
-  /etc/exim4/* r,
-  /etc/mailname r,
-
-  /var/lib/exim4/* rw,
-
-  @{run}/exim4/{,**} rw,
-
-  include if exists <local/init-exim4>
-}
--- a/apparmor.d/groups/service/ldconfig.service
+++ b/apparmor.d/groups/service/ldconfig.service
@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile ldconfig.service {
-  include <abstractions/base>
-
-  @{bin}/ldconfig  mr,
-  @{lib}/ r,
-
-  /var/cache/ldconfig/{,**} rw,
-
-  include if exists <usr/ldconfig.service.d>
-  include if exists <local/ldconfig.service>
-}