From faa40c8cdefb0543e067f567d6f7234196e234f6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 5 Mar 2024 16:53:34 +0000
Subject: [PATCH] feat(fsp): cleanup main systemd profiles.
---
 apparmor.d/groups/_full/bwrap | 3 ---
 apparmor.d/groups/_full/systemd | 37 +++++++++++++---------------
 apparmor.d/groups/_full/systemd-user | 18 ++++++++------
 3 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index 710f6c9b..bf74e172 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -44,9 +44,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /usr/.ref rk,
   /bindfile@{rand6} rw,
-  /newroot/{,**} rw,
-  /tmp/newroot/ w,
-  /tmp/oldroot/ w,
   owner /var/cache/ w,
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 610f3070..3b9cb394 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -80,6 +80,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   mount options=(rw slave) -> @{run}/systemd/incoming/,
   remount @{HOME}/{,**},
+  remount @{HOMEDIRS}/,
+  remount @{MOUNTDIRS}/,
   remount @{MOUNTS}/{,**},
   remount @{run}/systemd/mount-rootfs/{,**},
   remount /,
@@ -110,6 +112,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   unix (send) type=dgram,
+  unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none),
+  unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
+ # dbus: own bus=system name=org.freedesktop.systemd1 # For stacked profiles
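Review bot: The new receive rule in the -110 hunk names its peer as `label=systemd-timesyncd`, while the -132 hunk of the same file execs timesyncd as `rPx -> systemd//&systemd-timesyncd`, i.e. under a stacked label; whether a bare-name peer match also satisfies the stacked label is not established by anything visible here and should be confirmed, otherwise the dgram path from timesyncd to PID 1 stays denied and the rule is dead. A short comment on the rule, `# peer runs stacked as systemd//&systemd-timesyncd (see exec rule below)`, would record the intent either way. The plymouthd rule is written in the same peer style and deserves the same check.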
@@ -132,11 +137,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{coreutils_path} rPx -> systemd-service,
   @{sh_path} rPx -> systemd-service,
-  @{bin}/** PUx,
-  @{lib}/** PUx,
-  audit /etc/cron.*/* PUx,
-  audit /etc/init.d/* PUx,
-  audit /usr/share/*/* PUx,
+  @{bin}/** Px,
+  @{lib}/** Px,
+  /etc/cron.*/* Px,
+  /etc/init.d/* Px,
+  /usr/share/*/** Px,
   @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd,
   @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
@@ -199,15 +204,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/fs/cgroup/{,**} rw,
   @{sys}/fs/fuse/connections/ r,
   @{sys}/fs/pstore/ r,
-  @{sys}/fs/cgroup/{,**} rw,
   @{sys}/kernel/**/ r,
   @{sys}/module/**/uevent r,
   @{sys}/module/apparmor/parameters/enabled r,
-  @{PROC}/@{pid}/{uid_map,gid_map} r,
-  @{PROC}/@{pid}/attr/apparmor/exec w,
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/comm r,
@@ -220,8 +223,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{PROC}/@{pid}/mountinfo r,
   @{PROC}/@{pid}/setgroups rw,
   @{PROC}/@{pid}/stat r,
-  @{PROC}/@{pid}/task/@{tid}/comm rw,
-  @{PROC}/@{pid}/uid_map w,
+  @{PROC}/@{pid}/uid_map rw,
   @{PROC}/cmdline r,
   @{PROC}/devices r,
   @{PROC}/pressure/* r,
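Review bot: Switching the catch-all exec rules from `PUx` to `Px` in the -132 hunk turns the former unconfined fallback into an exec denial for any binary under `@{bin}`, `@{lib}`, `/etc/cron.*`, `/etc/init.d` or `/usr/share` that has no profile of its own, and dropping the `audit` prefix at the same time removes the log entry that used to surface exactly those cases. That is the right direction for the _full group, but a missing profile now shows up only as a failed unit plus a plain denial, so the contract should be written down above the rules: `# Px: services without a dedicated profile are denied, never run unconfined`. Note also that `/usr/share/*/*` became `/usr/share/*/**`, which widens the set of paths that may be executed from there (with a transition); if deliberate it deserves a line in the commit message.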
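Review bot: The -199 hunk deletes `@{PROC}/@{pid}/{uid_map,gid_map} r` and the -220 hunk only restores `uid_map rw`, so read access to `@{PROC}/@{pid}/gid_map` is lost in the systemd profile with no replacement visible in this patch; if that is unintended the -220 line should read `@{PROC}/@{pid}/{uid_map,gid_map} rw,` or a separate `@{PROC}/@{pid}/gid_map r,` be kept. The -199 hunk also drops `@{PROC}/@{pid}/attr/apparmor/exec w`, and the -138 hunk of systemd-user drops its `owner @{PROC}/@{pids}/attr/apparmor/exec w` in the same way; that write is how a process requests a profile change on its next exec (systemd's `AppArmorProfile=` setting relies on it), so units using that setting may stop starting unless an include outside this patch still grants the write — worth confirming before merging, and worth a comment on the remaining rules if the removal is deliberate.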
@@ -229,26 +231,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{PROC}/sys/fs/binfmt_misc/ r,
   @{PROC}/sys/fs/nr_open r,
   @{PROC}/sys/kernel/* r,
-  @{PROC}/sys/kernel/random/* rw,
-  @{PROC}/sys/net/ipv{4,6}/** rw,
   @{PROC}/sysvipc/{shm,sem,msg} r,
+  owner @{PROC}/@{pid}/limits r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
-  /dev/ r,
-  /dev/bus/usb/ r,
-  /dev/hwrng r,
+  /dev/autofs r,
   /dev/kmsg w,
-  /dev/rfkill rw,
-  /dev/shm/ rw,
-  /dev/tty rw,
-  /dev/tty@{int} rwk,
+  /dev/shm/ r,
   owner /dev/console rwk,
+  owner /dev/dri/card@{int} rw,
   owner /dev/hugepages/ rw,
   owner /dev/initctl rw,
   owner /dev/input/event@{int} rw,
   owner /dev/mqueue/ rw,
+  owner /dev/rfkill rw,
   owner /dev/ttyS@{int} rwk,
-  owner /dev/dri/card@{int} rw,
   include if exists
   include if exists
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 5f3aa766..855ea0ea 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -58,9 +58,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   @{bin}/dbus-broker-launch rix, # To avoid issue as in #74, #80 & #235
   @{bin}/systemctl rCx -> systemctl,
   @{lib}/systemd/systemd-executor rix,
+  @{sh_path} rix, # Should be handled by default profile?
+  @{bin}/grep rix,
-  @{bin}/** Pix,
-  @{lib}/** Pix,
+  @{bin}/** Px,
+  @{lib}/** Px,
+  /opt/*/** Px,
+  /usr/share/*/** Px,
   @{bin}/pipewire rPx -> systemd-user//&pipewire,
   @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
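Review bot: Removing `@{PROC}/sys/kernel/random/* rw` in the -229 hunk drops read access along with the write: the surviving `@{PROC}/sys/kernel/* r` matches one path component only, so it does not cover `random/boot_id` (or `random/uuid`), which systemd reads for the boot id. Unless an include outside this hunk still grants that read, keep it without the write, `@{PROC}/sys/kernel/random/boot_id r,`. The narrowing of `/dev/shm/` to `r` and of `/dev/rfkill` to an `owner` rule reads as intended tightening for a root-only profile.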
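Review bot: `@{sh_path} rix,` in the -58 hunk makes every shell that systemd --user launches inherit the whole systemd-user label, the broadest set of permissions in this file, and together with `@{bin}/grep rix,` it means a shell-based user unit runs with everything listed here rather than transitioning to a profile of its own. The author's `# Should be handled by default profile?` already flags the doubt; the comment should state which unit needed the rule and what failed without it, so a later reviewer can replace `rix` with a child profile instead of guessing. Separately, `Pix` → `Px` here (as in the main systemd profile) means user-unit binaries without a profile are now denied instead of inheriting, and the new `/opt/*/** Px` extends that to third-party software under /opt — both are a visible behaviour change for users and belong in the commit message.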
@@ -107,6 +111,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/b254:@{int} r, # for /dev/zram*
   @{run}/udev/data/c4:@{int} r, # For TTY devices
+  @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
   @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
   @{run}/udev/data/c116:@{int} r, # For ALSA
   @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@@ -117,8 +122,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   @{sys}/devices/**/sound/**/pcm_class r,
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
   @{sys}/module/apparmor/parameters/enabled r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@@ -126,7 +129,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/comm r,
   @{PROC}/@{pids}/stat r,
-  @{PROC}/1/cgroup r,
   @{PROC}/cmdline r,
   @{PROC}/pressure/* r,
   @{PROC}/swaps r,
@@ -138,14 +140,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   @{PROC}/sys/kernel/threads-max r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/gid_map r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+  owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/uid_map r,
-  owner @{PROC}/@{pids}/attr/apparmor/exec w,
   owner @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/@{pids}/mountinfo r,
   owner @{PROC}/@{pids}/oom_score_adj rw,
-  /dev/media@{int} rw,
   /dev/snd/ r,
   /dev/tty rw,
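Review bot: In the -138 hunk the new `owner @{PROC}/@{pid}/oom_score_adj rw,` sits four lines above the retained `owner @{PROC}/@{pids}/oom_score_adj rw,`; if `@{pids}` is a superset of `@{pid}`, as the names suggest (confirm against the tunables), the new line is redundant, and if it is not, the two should be merged into one rule so the intended scope is visible. By contrast `mountinfo r` moved from `@{pids}` to `@{pid}`, which does narrow access to the process's own mount table — fine, but the asymmetry with the oom_score_adj pair looks accidental and a one-line comment on whichever is intended would settle it. The `/dev/media@{int} rw` deletion is unrelated to the proc cleanup and would be easier to bisect as its own commit.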