feat(profiles): initial dbus rules for systemd profiles.
This commit is contained in:
parent
7a18cfed40
commit
f6b6e99cde
5 changed files with 80 additions and 62 deletions
@ -27,6 +27,10 @@ profile child-systemctl flags=(attach_disconnected) {
|
|||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd[0-9]
|
||||
interface=org.freedesktop.systemd[0-9].Manager
|
||||
member=GetUnitFileState,
|
||||
|
||||
/{usr/,}bin/systemctl mr,
|
||||
|
||||
/etc/systemd/user/{,**} rwl,
|
||||
|
|
|
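Review bot: The new `dbus send` rule for GetUnitFileState names no peer, so the message may be exchanged with any connection that exposes that object path rather than only the service manager; the logind rules this commit removes further down the page pinned such sends, and `peer=(name=org.freedesktop.systemd1),` should be added as the rule's last line. The path glob `systemd[0-9]` is also wider than the single real object `systemd1`; if the bracket is deliberate, a short comment saying why would help the next reader. The child-systemctl profile continues outside the hunk.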
@ -13,8 +13,15 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/dbus-strict>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
# To set a hostname
|
||||
capability sys_admin,
|
||||
capability sys_admin, # To set a hostname
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,GetAll},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -38,4 +45,5 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/udev/data/+dmi:id r,
|
||||
|
||||
include if exists <local/systemd-hostnamed>
|
||||
}
|
||||
|
|
|
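Review bot: The added `dbus receive` rule covers only `org.freedesktop.DBus.Properties` Get/GetAll on the hostname object, so calls to the `org.freedesktop.hostname[0-9]` Manager interface itself (presumably the methods used to change the hostname) are not allowed, and neither hunk adds a `dbus bind` for the name that RequestName is permitted to claim; unless `<abstractions/dbus-strict>` or a line outside the hunk already grants it, `dbus bind bus=system name=org.freedesktop.hostname[0-9],` is needed for the RequestName permission to be useful. The `dbus send` to `/org/freedesktop/DBus` should also be pinned with `peer=(name=org.freedesktop.DBus),` as the removed logind rule on this page was. The first hunk sits mid-profile; the second shows the closing brace.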
@ -1,6 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -15,20 +15,29 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/systemd-common>
|
||||
|
||||
# Needed?
|
||||
audit deny capability net_admin,
|
||||
audit capability net_admin,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=ReleaseName,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/locale[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/default/keyboard r,
|
||||
|
||||
/etc/default/locale rw,
|
||||
/etc/default/.#locale* rw,
|
||||
/etc/locale.conf r,
|
||||
/etc/vconsole.conf r,
|
||||
|
||||
/usr/share/systemd/language-fallback-map r,
|
||||
/usr/share/X11/xkb/rules/evdev r,
|
||||
|
||||
/etc/default/.#locale* rw,
|
||||
/etc/default/keyboard r,
|
||||
/etc/default/locale rw,
|
||||
/etc/locale.conf r,
|
||||
/etc/vconsole.conf r,
|
||||
/etc/X11/xorg.conf.d/*.conf r,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
|
||||
include if exists <local/systemd-localed>
|
||||
}
|
||||
|
|
|
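Review bot: `audit deny capability net_admin,` becomes `audit capability net_admin,` while the `# Needed?` comment above it is kept, so (assuming the print order is old-then-new) a capability the author is unsure about moves from audited-deny to audited-allow; net_admin is a broad capability and the safer course is to keep the deny until the audit log shows a real need, or replace the comment with the reason it is required. The new `dbus send` rule permits only `ReleaseName`, whereas the hostnamed and timedated hunks of this same commit also allow `RequestName`; if localed owns `org.freedesktop.locale1` it needs `member={ReleaseName,RequestName}` plus a matching `dbus bind` rule. As in hostnamed, the receive rule covers only Properties.GetAll, not the `org.freedesktop.locale[0-9]` Manager interface. The first hunk is only the copyright header.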
@ -24,6 +24,40 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
|
||||
interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/job/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Get,PropertiesChanged},
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/unit/**
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={PropertiesChanged,Get},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
|
||||
interface=org.freedesktop.PolicyKit[0-9].Authority
|
||||
member=CheckAuthorization,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
|
||||
interface=org.freedesktop.systemd[0-9]/.Scope
|
||||
member=Abandon,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/systemd[0-9]
|
||||
interface=org.freedesktop.systemd[0-9].Manager
|
||||
member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/systemd[0-9]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.login[0-9],
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
@ -50,6 +84,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
@{run}/udev/data/c10:[0-9]* r,
|
||||
@{run}/udev/data/c116:[0-9]* r, # for ALSA
|
||||
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
|
||||
@{run}/udev/data/c21:[0-9]* r,
|
||||
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
|
||||
@{run}/udev/data/c21:[0-9]* r,
|
||||
@{run}/udev/data/c23[0-9]:[0-9]* r,
|
||||
|
@ -99,57 +134,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
|||
/dev/dri/card[0-9]* rw,
|
||||
/dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
|
||||
/dev/mqueue/ r,
|
||||
/dev/nvme* r,
|
||||
/dev/shm/{,**/} rw,
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
# DBus
|
||||
# all members for login-related, specific for others
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"),
|
||||
|
||||
dbus (send, receive)
|
||||
bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
|
||||
|
||||
dbus (send, receive)
|
||||
bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
|
||||
|
||||
dbus (send, receive)
|
||||
bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"),
|
||||
|
||||
dbus receive
|
||||
bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"),
|
||||
|
||||
dbus receive
|
||||
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"),
|
||||
|
||||
dbus receive
|
||||
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
|
||||
|
||||
dbus receive
|
||||
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
|
||||
|
||||
dbus receive
|
||||
bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
|
||||
|
||||
dbus send
|
||||
bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"),
|
||||
|
||||
dbus (bind)
|
||||
bus="system"
|
||||
name="org.freedesktop.login1",
|
||||
|
||||
include if exists <local/systemd-logind>
|
||||
}
|
||||
|
|
|
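Review bot: The interface in the Abandon rule of the first hunk, `interface=org.freedesktop.systemd[0-9]/.Scope`, contains a stray `/` and cannot match `org.freedesktop.systemd1.Scope`, which the removed rule in the third hunk spelled correctly; it should read `interface=org.freedesktop.systemd[0-9].Scope`. The same hunk moves `StartUnit`, `StartTransientUnit` and `Subscribe` under `dbus receive` on the Manager interface, but the removed rules had them as `dbus send` (logind is the caller) and also allowed `StopUnit`, so once the profile leaves complain mode creating or stopping session scopes would be denied; the send and receive members should be split back into two rules. Every new rule also drops the `peer=(name=...)` qualifier the removed rules carried for `org.freedesktop.systemd1`, `org.freedesktop.PolicyKit1` and `org.freedesktop.DBus`, which widens who may exchange these messages with logind; restoring the peer names on the send rules keeps the policy least-privilege. The profile body extends beyond all three hunks.
```apparmor
  # … unchanged: login, job and unit Properties rules …
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={StartUnit,StartTransientUnit,StopUnit,Subscribe}
       peer=(name=org.freedesktop.systemd1),

  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={JobRemoved,UnitRemoved,Reloading},

  dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
       interface=org.freedesktop.systemd[0-9].Scope
       member=Abandon
       peer=(name=org.freedesktop.systemd1),
  # … unchanged: PolicyKit, bus-driver and bind rules …
```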
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2018-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2018-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
@ -14,6 +15,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability sys_time,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,ReleaseName,RequestName},
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/timedate[0-1]
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/dev/rtc[0-9] r,
|
||||
|
@ -27,5 +36,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/.#timezone* rw,
|
||||
/etc/timezone rw,
|
||||
|
||||
@{run}/systemd/notify rw,
|
||||
|
||||
include if exists <local/systemd-timedated>
|
||||
}
|
||||
|
|
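Review bot: The `dbus (send,receive)` rule on `/org/freedesktop/DBus` grants receive for `AddMatch`, `ReleaseName` and `RequestName`, which are methods timedated calls on the bus driver rather than ones it serves; `dbus send` alone is the accurate direction and, pinned with `peer=(name=org.freedesktop.DBus),`, it matches the removed logind rule on this page. The object path `timedate[0-1]` is spelled differently from the `[0-9]` used in every other profile of this commit; one convention should be used. As with hostnamed, the receive rule covers only `Properties.Get`, not the `org.freedesktop.timedate[0-1]` Manager interface, and no `dbus bind` for the name appears in the hunks, so either an unseen line or the abstraction must provide it. The first hunk is only the copyright header; the closing brace is in the third hunk.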