From f6b6e99cde943a82bfaa52d97b466914f1bfcda8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 5 Jun 2022 14:53:10 +0100
Subject: [PATCH] feat(profiles): initial dbus rules for systemd profiles.
---
 apparmor.d/groups/systemd/child-systemctl | 4 +
 apparmor.d/groups/systemd/systemd-hostnamed | 12 ++-
 apparmor.d/groups/systemd/systemd-localed | 29 ++++---
 apparmor.d/groups/systemd/systemd-logind | 84 +++++++++------------
 apparmor.d/groups/systemd/systemd-timedated | 13 +++-
 5 files changed, 80 insertions(+), 62 deletions(-)
diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl
index 507df21b..338f4f98 100644
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@@ -27,6 +27,10 @@ profile child-systemctl flags=(attach_disconnected) {
 network inet stream,
 network inet6 stream,
+ dbus send bus=system path=/org/freedesktop/systemd[0-9]
+ interface=org.freedesktop.systemd[0-9].Manager
+ member=GetUnitFileState,
+
 /{usr/,}bin/systemctl mr,
 /etc/systemd/user/{,**} rwl,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 6b951974..4a830450 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -13,8 +13,15 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 include
 include
- # To set a hostname
- capability sys_admin,
+ capability sys_admin, # To set a hostname
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName},
+
+ dbus receive bus=system path=/org/freedesktop/hostname[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll},
 @{exec_path} mr,
@@ -38,4 +45,5 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+dmi:id r,
+ include if exists
 }
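Review bot: The new `dbus send` rule for GetUnitFileState carries no `peer=` constraint, so the call is allowed to any connection exposing that interface at that path rather than only to the systemd manager; the D-Bus rules this same commit removes from systemd-logind all pinned the destination with a `peer=(name=...)` clause. Consider appending `peer=(name=org.freedesktop.systemd1),` after the `member=GetUnitFileState` line (and dropping the trailing comma from that line) so the send is limited to the well-known manager name. The enclosing `profile child-systemctl` block starts and ends outside the hunk.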
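Review bot: The systemd-hostnamed hunk allows sending `RequestName` to the bus driver but adds no `dbus bind` rule, whereas the systemd-logind hunk in this commit pairs its RequestName send with `dbus bind bus=system name=org.freedesktop.login[0-9],`. Under AppArmor D-Bus mediation, acquiring a well-known name is checked as a bind, so hostnamed presumably still cannot own its name with only the send rule — confirm against the audit log before merging. Suggested addition next to the other dbus rules: `dbus bind bus=system name=org.freedesktop.hostname[0-9],`. The enclosing `profile systemd-hostnamed` block starts and ends outside the hunk.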
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index c3a3e304..efb53cf1 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,20 +15,29 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 include
 # Needed?
- audit deny capability net_admin,
+ audit capability net_admin,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=ReleaseName,
+
+ dbus receive bus=system path=/org/freedesktop/locale[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
 @{exec_path} mr,
- /etc/default/keyboard r,
-
- /etc/default/locale rw,
- /etc/default/.#locale* rw,
- /etc/locale.conf r,
- /etc/vconsole.conf r,
-
 /usr/share/systemd/language-fallback-map r,
 /usr/share/X11/xkb/rules/evdev r,
+ /etc/default/.#locale* rw,
+ /etc/default/keyboard r,
+ /etc/default/locale rw,
+ /etc/locale.conf r,
+ /etc/vconsole.conf r,
 /etc/X11/xorg.conf.d/*.conf r,
+ @{run}/systemd/notify rw,
+
+ include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 5f392dce..8cedc840 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
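Review bot: `audit deny capability net_admin,` becomes `audit capability net_admin,`, which turns a logged denial into a logged grant of CAP_NET_ADMIN for systemd-localed, while the `# Needed?` comment above it is kept and the commit message only mentions D-Bus rules. If the goal is still to find out whether the capability is needed, the previous `audit deny` form already logs the attempts without granting it; if it is known to be needed, the grant should be documented and `audit` dropped, e.g. `capability net_admin, # <reason>`. Separately, unlike the systemd-hostnamed hunk, the bus-driver send rule here lists only `ReleaseName`, and no `dbus bind bus=system name=org.freedesktop.locale[0-9],` rule is added, so name ownership is presumably still denied under mediation — confirm in the audit log. The enclosing `profile systemd-localed` block starts outside the hunk.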
@@ -24,6 +24,40 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 network netlink raw,
+ dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
+ interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,login[0-9].*},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/job/**
+ interface=org.freedesktop.DBus.Properties
+ member={Get,PropertiesChanged},
+
+ dbus (send,receive) bus=system path=/org/freedesktop/systemd[0-9]/unit/**
+ interface=org.freedesktop.DBus.Properties
+ member={PropertiesChanged,Get},
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionCredentials,GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+ interface=org.freedesktop.PolicyKit[0-9].Authority
+ member=CheckAuthorization,
+
+ dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
+ interface=org.freedesktop.systemd[0-9]/.Scope
+ member=Abandon,
+
+ dbus receive bus=system path=/org/freedesktop/systemd[0-9]
+ interface=org.freedesktop.systemd[0-9].Manager
+ member={StartUnit,StartTransientUnit,Subscribe,JobRemoved,UnitRemoved,Reloading},
+
+ dbus receive bus=system path=/org/freedesktop/systemd[0-9]
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
+ dbus bind bus=system
+ name=org.freedesktop.login[0-9],
+
 @{exec_path} mr,
 /etc/machine-id r,
@@ -50,6 +84,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/udev/data/c10:[0-9]* r,
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c21:[0-9]* r,
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/data/c21:[0-9]* r,
 @{run}/udev/data/c23[0-9]:[0-9]* r,
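Review bot: The rule `interface=org.freedesktop.systemd[0-9]/.Scope` contains a stray `/`, which cannot occur in a D-Bus interface name, so it never matches the `org.freedesktop.systemd1.Scope` interface named by the rule this commit removes further down the file, and the Abandon call will be denied. In the `dbus receive` rule for the Manager interface, `StartUnit`, `StartTransientUnit` and `Subscribe` are method calls logind sends (the removed block listed them under `dbus send`, together with `StopUnit`, which this hunk drops), whereas `JobRemoved`, `UnitRemoved` and `Reloading` are signals it receives; as written, the outgoing calls are not covered. Every `peer=` constraint of the removed block is also gone, so the sends to the manager and to PolicyKit are no longer pinned to those well-known names; if that is deliberate, a comment saying so would help the next reader. The enclosing `profile systemd-logind` block starts and ends outside the hunk.
```apparmor
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={StartUnit,StartTransientUnit,StopUnit,Subscribe}
       peer=(name=org.freedesktop.systemd1),

  dbus receive bus=system path=/org/freedesktop/systemd[0-9]
       interface=org.freedesktop.systemd[0-9].Manager
       member={JobRemoved,UnitRemoved,Reloading},

  dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/**
       interface=org.freedesktop.systemd[0-9].Scope
       member=Abandon
       peer=(name=org.freedesktop.systemd1),

  # … unchanged: login[0-9], job/unit Properties, bus driver, PolicyKit and bind rules …
```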
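Review bot: The added `@{run}/udev/data/c21:[0-9]* r,` duplicates the identical rule that remains two lines below as context, so the profile now carries it twice; presumably the intent was to move it into sorted position, in which case the original occurrence should be removed in the same hunk. The neighbouring rules carry a `# for ...` comment naming the device; giving the moved line one too would keep the block consistent. The enclosing `profile systemd-logind` block starts and ends outside the hunk.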
@@ -99,57 +134,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 /dev/dri/card[0-9]* rw,
 /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc)
 /dev/mqueue/ r,
- /dev/nvme* r,
 /dev/shm/{,**/} rw,
 /dev/tty[0-9]* rw,
- # DBus
- # all members for login-related, specific for others
- dbus send
- bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"),
-
- dbus (send, receive)
- bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
-
- dbus (send, receive)
- bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
-
- dbus (send, receive)
- bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"),
-
- dbus receive
- bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"),
-
- dbus receive
- bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"),
-
- dbus receive
- bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
-
- dbus receive
- bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties"
member="PropertiesChanged" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"),
-
- dbus send
- bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
-
- dbus receive
- bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
-
- dbus send
- bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"),
-
- dbus (bind)
- bus="system"
- name="org.freedesktop.login1",
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 1e227632..4f28e457 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -14,6 +15,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 capability sys_time,
+ dbus (send,receive) bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={AddMatch,ReleaseName,RequestName},
+
+ dbus receive bus=system path=/org/freedesktop/timedate[0-1]
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
 @{exec_path} mr,
 /dev/rtc[0-9] r,
@@ -27,5 +36,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 /etc/.#timezone* rw,
 /etc/timezone rw,
+ @{run}/systemd/notify rw,
+
 include if exists
 }
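Review bot: In the systemd-timedated hunk, `path=/org/freedesktop/timedate[0-1]` uses a different character class from the `hostname[0-9]`, `locale[0-9]` and `login[0-9]` object paths added elsewhere in this commit; if `[0-9]` is the project convention for versioned object paths, this line should read `dbus receive bus=system path=/org/freedesktop/timedate[0-9]`. As in the systemd-hostnamed hunk, `RequestName` is allowed on the bus driver but no `dbus bind bus=system name=org.freedesktop.timedate[0-9],` rule is added, unlike systemd-logind, so name ownership is presumably still denied under mediation — confirm against the audit log. The `receive` permission on `/org/freedesktop/DBus` looks like it only covers replies to the daemon's own calls; if no audit entry actually required it, `dbus send` alone would be the tighter rule. The enclosing `profile systemd-timedated` block starts and ends outside the hunk.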