mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(fsp): cleanup main systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-05 16:53:34 +00:00
parent 62f1f7df6e
commit faa40c8cde
Failed to generate hash of commit
3 changed files with 27 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/_full/bwrap
View file

@ -44,9 +44,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/.ref rk,
/bindfile@{rand6} rw,
/newroot/{,**} rw,
/tmp/newroot/ w,
/tmp/oldroot/ w,
owner /var/cache/ w,

37
apparmor.d/groups/_full/systemd
View file

@ -80,6 +80,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
mount options=(rw slave) -> @{run}/systemd/incoming/,
remount @{HOME}/{,**},
remount @{HOMEDIRS}/,
remount @{MOUNTDIRS}/,
remount @{MOUNTS}/{,**},
remount @{run}/systemd/mount-rootfs/{,**},
remount /,
@ -110,6 +112,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
unix (send) type=dgram,
unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none),
unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
# dbus: own bus=system name=org.freedesktop.systemd1
# For stacked profiles
@ -132,11 +137,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{coreutils_path} rPx -> systemd-service,
@{sh_path} rPx -> systemd-service,
@{bin}/** PUx,
@{lib}/** PUx,
audit /etc/cron.*/* PUx,
audit /etc/init.d/* PUx,
audit /usr/share/*/* PUx,
@{bin}/** Px,
@{lib}/** Px,
/etc/cron.*/* Px,
/etc/init.d/* Px,
/usr/share/*/** Px,
@{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd,
@{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
@ -199,15 +204,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/fs/fuse/connections/ r,
@{sys}/fs/pstore/ r,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/kernel/**/ r,
@{sys}/module/**/uevent r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/{uid_map,gid_map} r,
@{PROC}/@{pid}/attr/apparmor/exec w,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@ -220,8 +223,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/setgroups rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/@{pid}/uid_map w,
@{PROC}/@{pid}/uid_map rw,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/pressure/* r,
@ -229,26 +231,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{PROC}/sys/fs/binfmt_misc/ r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/* r,
@{PROC}/sys/kernel/random/* rw,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/oom_score_adj rw,
/dev/ r,
/dev/bus/usb/ r,
/dev/hwrng r,
/dev/autofs r,
/dev/kmsg w,
/dev/rfkill rw,
/dev/shm/ rw,
/dev/tty rw,
/dev/tty@{int} rwk,
/dev/shm/ r,
owner /dev/console rwk,
owner /dev/dri/card@{int} rw,
owner /dev/hugepages/ rw,
owner /dev/initctl rw,
owner /dev/input/event@{int} rw,
owner /dev/mqueue/ rw,
owner /dev/rfkill rw,
owner /dev/ttyS@{int} rwk,
owner /dev/dri/card@{int} rw,
include if exists <usr/systemd.d>
include if exists <local/systemd>

18
apparmor.d/groups/_full/systemd-user
View file

@ -58,9 +58,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{bin}/dbus-broker-launch rix, # To avoid issue as in #74, #80 & #235
@{bin}/systemctl rCx -> systemctl,
@{lib}/systemd/systemd-executor rix,
@{sh_path} rix, # Should be handled by default profile?
@{bin}/grep rix,
@{bin}/** Pix,
@{lib}/** Pix,
@{bin}/** Px,
@{lib}/** Px,
/opt/*/** Px,
/usr/share/*/** Px,
@{bin}/pipewire rPx -> systemd-user//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
@ -107,6 +111,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/b254:@{int} r, # for /dev/zram*
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@ -117,8 +122,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/**/sound/**/pcm_class r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
@{sys}/module/apparmor/parameters/enabled r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@ -126,7 +129,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/stat r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@ -138,14 +140,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
@{PROC}/sys/kernel/threads-max r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/gid_map r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pids}/attr/apparmor/exec w,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pids}/oom_score_adj rw,
/dev/media@{int} rw,
/dev/snd/ r,
/dev/tty rw,