diff --git a/apparmor.d/groups/systemd/systemd-user-generators-autostart b/apparmor.d/groups/systemd/systemd-user-generators-autostart
new file mode 100644
index 00000000..c16806a4
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-user-generators-autostart
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator
+profile systemd-user-generators-autostart @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/xdg/autostart/*.desktop r,
+
+ owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
+
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-environment b/apparmor.d/groups/systemd/systemd-user-generators-environment
new file mode 100644
index 00000000..4a7a17b9
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-user-generators-environment
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator
+profile systemd-user-generators-environment @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/environment.d/{,**} r,
+
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-flatpak b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
new file mode 100644
index 00000000..4f1fe7da
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
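Review bot: The only data path granted is `/etc/xdg/autostart/*.desktop r,`, yet a user-instance autostart generator presumably also scans the per-user `~/.config/autostart/` directory and any extra `$XDG_CONFIG_DIRS`, so the profile would start logging denials there as soon as it leaves complain mode. Worth checking the generator's source and either adding `owner @{HOME}/.config/autostart/*.desktop r,` or stating in a comment that only the system directory is covered on purpose. The `rw` grant on `generator.late/` is the generator's output directory and is already limited with `owner`, which is the right shape for a per-user runtime path. The hunk is a complete new file.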
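Review bot: `/etc/environment.d/{,**} r,` is the only configuration path this profile grants, while environment.d(5) drop-ins are, to my recollection, also loaded from `/usr/lib/environment.d/`, `/usr/local/lib/environment.d/`, `/run/environment.d/`, the per-user `~/.config/environment.d/` and the legacy `/etc/environment` file. Any of those present on a host will show up as denials in complain mode and as silently missing environment once enforced, which is a hard-to-debug failure for a generator. Suggest confirming the search list against the generator and adding the matching `r` rules, with `owner` on the per-user directory. The hunk is a complete new file.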
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak
+profile systemd-user-generators-flatpak @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index faeb2a48..337b28a2 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -18,7 +18,7 @@ cc-remote-login-helper complain
 cfdisk complain
 cgdisk complain
 child-open complain
-chronyd complain
+chronyd attach_disconnected,complain
 cockpit-askpass complain
 cockpit-bridge complain
 cockpit-certificate-ensure complain
@@ -238,6 +238,9 @@ systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
 systemd-update-done complain
 systemd-update-utmp complain
+systemd-user-generators-autostart complain
+systemd-user-generators-environment complain
+systemd-user-generators-flatpak complain
 systemd-user-runtime-dir complain
 systemd-user-sessions complain
 systemd-userdbd attach_disconnected,complain
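Review bot: The flatpak profile grants nothing beyond `@{exec_path} mr,`, which is only sufficient if `60-flatpak` is a native binary; the generator flatpak ships under this name appears to be a POSIX shell script, in which case execution goes through the interpreter and the profile will also need `/{usr/,}bin/{,ba,da}sh rix,` plus read access to whatever the script probes (it appears to test the flatpak `exports/` directories before adding them to `XDG_DATA_DIRS`). Worth verifying the file type before dropping the complain flag, and recording the answer in a comment either way so the minimal rule set is not mistaken for an oversight later. The hunk is a complete new file.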
@@ -266,3 +269,129 @@ xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xorg attach_disconnected,complain
+
+# Profiles not commited yet
+glib-genmarshal complain
+glib-gettextize complain
+glib-mkenums complain
+gnome-session-custom-session complain
+gnome-session-inhibit complain
+gnome-session-quit complain
+gnome-shell-extension-prefs complain
+gnome-shell-extension-tool complain
+gnome-shell-hotplug-sniffer complain
+gnome-shell-perf-helper complain
+gnome-shell-perf-tool complain
+gnome-shell-portal-helper complain
+gnome-tweak-tool-lid-inhibitor complain
+homectl complain
+loginctl complain
+machinectl complain
+nfsdcld complain
+oomctl complain
+podman attach_disconnected,complain
+prime-switch complain
+qrencode complain
+splunkforwarder complain
+systemd-bless-boot complain
+systemd-boot-check-no-failures complain
+systemd-cgroups-agent
+systemd-export complain
+systemd-growfs complain
+systemd-hibernate-resume complain
+systemd-import complain
+systemd-import-fs complain
+systemd-importd complain
+systemd-journal-gatewayd complain
+systemd-journal-remote complain
+systemd-journal-upload complain
+systemd-network-generator complain
+systemd-notify complain
+systemd-pstore complain
+systemd-pull complain
+systemd-quotacheck complain
+systemd-repart complain
+systemd-reply-password complain
+systemd-run complain
+systemd-socket-activate complain
+systemd-socket-proxyd complain
+systemd-stdio-bridge complain
+systemd-sulogin-shell complain
+systemd-sysext complain
+systemd-time-wait-sync complain
+systemd-xdg-autostart-condition complain
+timedatectl complain
+virtiofsd complain
+virtlockd complain
+hwsim complain
+iwdmon complain
+nvidia-settings complain
+gkbd-keyboard-display complain
+mullvad-setup complain
+
+# Work in Progress
+bwrap attach_disconnected,complain
+bwrap-default attach_disconnected,mediate_deleted,complain
+cni-bridge complain
+cni-firewall complain
+cni-portmap complain
+cni-tuning complain
+ctop complain
+dbus-broker complain
+dbus-broker-launch complain
+fprintd-delete complain
+fprintd-enroll complain
+fprintd-list complain
+fprintd-verify complain
+install-catalog complain
+lazydocker complain
+losetup complain
+modprobed-db complain
+mount-ntfs-3g complain
+multipathd complain
+rpc.idmapd complain
+rpc.mountd complain
+rpc.statd complain
+rpcbind complain
+smbspool complain
+tomb complain
+tomb-kdb-pbkdf2 complain
+virt-aa-helper complain
+virtlogd complain
+virtnetworkd complain
+virtnodedevd complain
+virtqemud attach_disconnected,complain
+virtstoraged attach_disconnected,complain
+virtxend attach_disconnected,complain
+
+# Debian server dev
+cracklib-packer complain
+cron-cracklib complain
+cron-etckeeper complain
+cron-sysstat complain
+sysstat complain
+update-cracklib complain
+
+# Ubuntu
+
+# Whonix
+mate-notification-daemon complain
+
+# Flatpak slow dev
+flatpak-oci-authenticator complain
+flatpak-portal attach_disconnected,complain
+flatpak-system-helper complain
+flatpak-validate-icon complain
+
+# GDM
+gdm-host-chooser complain
+gdm-simple-chooser complain
+
+# Simple when used for extension, more complex for javascript based gnome app.
+gjs-console attach_disconnected,complain
+
+# Not easy
+portmaster-start complain
+
+# Require firewall rules for firewalld first
+firewall-applet complain
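Review bot: `systemd-cgroups-agent` is the only entry in the new block with no flag column, while every neighbour carries `complain` or `attach_disconnected,complain`. Depending on how the flag-applying tooling parses this file, a bare name is either a parse error or means the profile is enforced, and a profile listed under "not commited yet" is presumably not ready for enforcement. Either make it `systemd-cgroups-agent complain` to match the rest of the list or drop the line until the profile actually lands. The section header also misspells "committed" (`# Profiles not committed yet`).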