diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index b9880d4f..b5837502 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -79,6 +79,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 umount,
 pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
+ pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
 change_profile,
@@ -93,6 +94,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 # dbus: own bus=system name=org.freedesktop.systemd1
 @{bin}/systemctl rix,
+ @{bin}/mount rix,
 @{lib}/systemd/systemd-executor rix,
 @{lib}/systemd/systemd rix,
 # FIXME: AppArmorProfile=systemd-user, does not work with DE
@@ -100,7 +102,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{bin}/ldconfig rPx -> systemd.service,
 @{bin}/mandb rPx -> systemd.service,
- @{bin}/mount rPx -> systemd.service,
 @{bin}/savelog rPx -> systemd.service,
 @{coreutils_path} rPx -> systemd.service,
 @{shells_path} rPx -> systemd.service,
diff --git a/apparmor.d/groups/service/systemd.service b/apparmor.d/groups/_full/systemd-service
similarity index 52%
rename from apparmor.d/groups/service/systemd.service
rename to apparmor.d/groups/_full/systemd-service
index af1c4ca6..e099f75c 100644
--- a/apparmor.d/groups/service/systemd.service
+++ b/apparmor.d/groups/_full/systemd-service
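Review bot: `@{bin}/mount rix,` in the second hunk makes mount inherit the whole systemd profile, whereas the line dropped in the third hunk ran it under the separate `systemd.service` profile; together with the `mount ->` rules removed from that service profile in this commit, every mount helper systemd spawns now carries this profile's complete rule set, including the pivot_root rules of the first hunk. If the intent is only that mount helpers need mount permissions systemd already holds, a child profile (`rCx`) carrying just those rules would keep the rest of the systemd profile away from the helper. At minimum the decision deserves a comment, e.g. `@{bin}/mount rix, # mount helpers of mount units stay confined as systemd itself`. The profile body starts and ends outside the hunk.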
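Review bot: The unchanged `rPx -> systemd.service` transitions around the removed mount line in the third hunk (ldconfig, mandb, savelog, `@{coreutils_path}`, `@{shells_path}`) still name `systemd.service`, while the second file in this commit renames that profile to `systemd-service`. Unless a hunk outside this excerpt updates them, a `Px` transition to a profile name that is not loaded has no fallback and those execs will fail once the renamed profile replaces the old one. They should read, for example, `@{bin}/ldconfig rPx -> systemd-service,`, one per line, matching the new `via "Px -> systemd-service"` header comment. The profile body starts and ends outside the hunk.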
@@ -2,40 +2,32 @@
 # Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd
+# Profile for generic systemd unit services. Only used by service without profile.
+# It does not specify an attachment path because it is intended to be used only
+# via "Px -> systemd-service" exec transitions from the systemd profile.
 abi ,
 include
-profile systemd.service @{exec_path} flags=(attach_disconnected) {
+profile systemd-service @{exec_path} flags=(attach_disconnected) {
 include
 include
 capability sys_admin,
- # TODO:
- mount -> @{sys}/fs/fuse/connections/,
- mount -> @{sys}/kernel/*/,
- mount -> /dev/*/,
- mount -> /efi/,
- mount -> /tmp/,
-
- @{bin}/mount rix, # TODO: maybe, keep it in systemed
 @{bin}/systemctl rix,
 @{coreutils_path} rix,
 @{shells_path} rmix,
+ @{bin}/ldconfig rix,
 @{bin}/grub-editenv rPx,
 @{bin}/ibus-daemon rPx,
- @{bin}/ldconfig rPx -> ldconfig.service,
 @{lib}/ r,
- /var/cache/ldconfig/aux-cache* rw,
+ /var/cache/ldconfig/{,**} rw,
- # grub-common.service
 /boot/grub/grubenv rw,
 /boot/grub/ w,
@@ -50,6 +42,6 @@ profile systemd.service @{exec_path} flags=(attach_disconnected) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
- include if exists
- include if exists
+ include if exists
+ include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/service/init-exim4 b/apparmor.d/groups/service/init-exim4
deleted file mode 100644
index 99e8b8be..00000000
--- a/apparmor.d/groups/service/init-exim4
+++ /dev/null
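Review bot: `+ @{bin}/ldconfig rix,` replaces the `rPx -> ldconfig.service` transition and this commit deletes that dedicated profile, so ldconfig now inherits the generic service profile, including the context-line `capability sys_admin,` and `@{shells_path} rmix,`, instead of the few rules the old `ldconfig.service` profile granted. Keeping a tightly scoped profile for it, or at least stating why inheritance is acceptable in a comment such as `@{bin}/ldconfig rix, # was ldconfig.service; inherits the generic rules on purpose`, would make the widening deliberate rather than incidental. Separately, the new header line `# Profile for generic systemd unit services. Only used by service without profile.` reads better as `# Profile for generic systemd unit services. Only used by services without a dedicated profile.`. The profile body continues past the hunk.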
@@ -1,57 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /etc/init.d/exim4
-profile init-exim4 @{exec_path} {
- include
- include
-
- capability chown,
- capability dac_read_search,
- capability fowner,
- capability fsetid,
- capability kill,
- capability net_admin,
- capability sys_ptrace,
-
- signal (send) peer=exim4,
-
- ptrace (read) peer=@{systemd},
-
- @{exec_path} mr,
-
- @{bin}/cat rix,
- @{bin}/chmod rix,
- @{bin}/chown rix,
- @{bin}/dirname rix,
- @{bin}/exim4 rPx,
- @{bin}/getopt rix,
- @{bin}/grep rix,
- @{bin}/id rix,
- @{bin}/install rix,
- @{bin}/mv rix,
- @{bin}/plymouth rPx,
- @{bin}/rm rix,
- @{bin}/run-parts rix,
- @{bin}/sed rix,
- @{bin}/start-stop-daemon rix,
- @{bin}/systemctl rix,
- @{bin}/touch rix,
- @{bin}/tr rix,
- @{bin}/update-exim4.conf rix,
-
- /etc/default/exim4 r,
- /etc/exim4/* r,
- /etc/mailname r,
-
- /var/lib/exim4/* rw,
-
- @{run}/exim4/{,**} rw,
-
- include if exists
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/service/ldconfig.service b/apparmor.d/groups/service/ldconfig.service
deleted file mode 100644
index 8b97d595..00000000
--- a/apparmor.d/groups/service/ldconfig.service
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
-
-abi ,
-
-include
-
-profile ldconfig.service {
- include
-
- @{bin}/ldconfig mr,
- @{lib}/ r,
-
- /var/cache/ldconfig/{,**} rw,
-
- include if exists
- include if exists
-}
\ No newline at end of file