mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(full): improve systemd-user profile.

Browse source
This commit is contained in:
Alexandre Pujol 2023-11-19 21:35:53 +00:00
parent 59140f5411
commit f43f950c90
Failed to generate hash of commit
1 changed files with 16 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
apparmor.d/groups/_full/systemd-user
View file

@ -2,9 +2,9 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for 'systemd --user' (not PID 1), it does not specify an attachment
# path because it is intended to be used only via "Px -> systemd-user" exec
# transitions from the systemd profile.
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-user" exec transitions from the systemd profile.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
@ -16,7 +16,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
profile systemd-user flags=(complain) {
profile systemd-user flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
@ -30,68 +30,28 @@ profile systemd-user flags=(complain) {
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,
@{bin}/systemctl rCx -> systemctl,
@{lib}/systemd/user-environment-generators/* rPx,
@{lib}/systemd/user-environment-generators/* rPx,
@{lib}/systemd/user-generators/* rPx,
audit @{lib}/** Pix,
audit @{bin}/** Pix,
# Server
@{lib}/openssh/agent-launch rPx,
@{bin}/pipewire rPx -> systemd-user//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
@{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd-user//&pulseaudio,
@{bin}/wireplumber rPx -> systemd-user//&wireplumber,
# Dbus
@{bin}/dbus-daemon rPx,
@{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
# Desktop
@{bin}/xdg-user-dirs-update rPx,
@{lib}/xdg-desktop-portal* rPx,
@{lib}/xdg-document-portal rPx,
@{lib}/xdg-permission-store rPx,
# Audio
@{bin}/pipewire rux, # FIXME: no new privs
@{bin}/pipewire-pulse rux, # FIXME: no new privs
@{bin}/pulseaudio rux, # FIXME: no new privs
@{bin}/wireplumber rux, # FIXME: no new privs
# Gnome
@{bin}/gjs rPx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/gnome-shell rPx,
@{bin}/gsettings rPx,
@{lib}/{,dconf/}dconf-service rPx,
@{lib}/dconf/dconf-service rPx,
@{lib}/evolution-addressbook-factory rPx,
@{lib}/evolution-calendar-factory rPx,
@{lib}/evolution-source-registry rPx,
@{lib}/gnome-session-binary rPx,
@{lib}/gnome-session-ctl rPx,
@{lib}/gnome-terminal-server rPx,
@{lib}/goa-* rPx,
@{lib}/gsd-* rPx,
@{lib}/gvfs-* rPx,
@{lib}/gvfs/gvfs-* rPx,
@{lib}/gvfs/gvfsd* rPx,
@{lib}/gvfsd* rPx,
@{lib}/tracker-extract-* rPx,
@{lib}/tracker-miner-* rPx,
# Ubuntu
@{bin}/snap rPx,
/usr/ r,
/etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r,
/etc/systemd/user/{,**} r,
/usr/ r,
owner @{user_config_dirs}/systemd/user/{,**} r,
owner @{run}/user/@{uid}/{,*/,*} rw,
owner @{run}/user/@{uid}/*/* rw,
owner @{run}/user/@{uid}/systemd/{,**} rw,
owner @{run}/user/@{uid}/systemd/{,**} rwl,
@{run}/mount/utab r,
@{run}/systemd/notify w,
@ -110,6 +70,7 @@ profile systemd-user flags=(complain) {
@{PROC}/@{pids}/stat r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/osrelease r,