From ff766028437621f1253e647de541dd17746b66df Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 4 Feb 2023 23:41:19 +0000
Subject: [PATCH] feat(systemd): split systemd-sleep profile.

---
 apparmor.d/groups/systemd/systemd-sleep | 14 +++-----
 apparmor.d/groups/systemd/systemd-sleep-grub2 | 24 ++++++++++++++
 .../groups/systemd/systemd-sleep-hdparm | 16 +++++++++
 .../groups/systemd/systemd-sleep-nvidia | 33 +++++++++++++++++++
 .../groups/systemd/systemd-sleep-sysstat | 16 +++++++++
 .../groups/systemd/systemd-sleep-upgrades | 16 +++++++++
 6 files changed, 110 insertions(+), 9 deletions(-)
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-grub2
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-hdparm
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-nvidia
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-sysstat
 create mode 100644 apparmor.d/groups/systemd/systemd-sleep-upgrades

diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep
index 80da50b7..fd861c57 100644
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@@ -19,21 +19,17 @@ profile systemd-sleep @{exec_path} {
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/nvidia-sleep.sh rix,
-  /{usr/,}lib/systemd/system-sleep/hdparm rix,
-  /{usr/,}lib/systemd/system-sleep/nvidia rix,
-  /{usr/,}lib/systemd/system-sleep/sysstat.sleep rPUx,
-  /{usr/,}lib/systemd/system-sleep/unattended-upgrades rix,
+  /{usr/,}lib/systemd/system-sleep/hdparm rPx,
+  /{usr/,}lib/systemd/system-sleep/nvidia rPx,
+  /{usr/,}lib/systemd/system-sleep/sysstat.sleep rPx,
+  /{usr/,}lib/systemd/system-sleep/unattended-upgrades rPx,
+  /{usr/,}lib/systemd/system-sleep/grub2.sleep rPx,
 
   /etc/systemd/sleep.conf r,
   /etc/systemd/sleep.conf.d/{,*} r,
 
   @{sys}/power/state rw,
 
-  @{PROC}/driver/nvidia/suspend w,
-
-  /dev/tty rw,
 
   include if exists
 }
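Review bot: The new `grub2.sleep` rule is appended after the unattended-upgrades line, breaking the alphabetical order the other four system-sleep rules keep; move `/{usr/,}lib/systemd/system-sleep/grub2.sleep rPx,` above the hdparm line so the list stays sorted. The move from rix/rPUx to rPx is the right direction: each hook now runs under its own confinement instead of inheriting systemd-sleep's rules, and sysstat.sleep no longer falls back to unconfined when no profile is loaded. With `/{usr/,}bin/{,ba,da}sh rix,` and `/dev/tty rw,` dropped from this profile, any hook present under system-sleep/ that is not one of the five listed is now denied at exec, which is the intended default-deny posture but is worth a sentence in the commit description. The systemd-sleep profile body starts before this hunk.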
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2
new file mode 100644
index 00000000..ea2cc419
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-grub2
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/grub2.sleep
+profile systemd-sleep-nvidia @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/uname rix,
+
+  /etc/sysconfig/bootloader r,
+
+  @{PROC}/@{pid}/maps r,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm
new file mode 100644
index 00000000..ee4d1de6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/hdparm
+profile systemd-sleep-hdparm @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia
new file mode 100644
index 00000000..441fb69f
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia
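Review bot: The `profile` line declares the name `systemd-sleep-nvidia`, but this file is systemd-sleep-grub2 and `@{exec_path}` points at grub2.sleep; the same name is declared again in the systemd-sleep-nvidia file of this commit, so the two definitions will conflict when the policy is loaded and the `rPx` transition for grub2.sleep in systemd-sleep will attach to whichever definition wins, presumably a copy-paste slip. Change it to `profile systemd-sleep-grub2 @{exec_path} {`. `@{PROC}/@{pid}/maps r,` lets the hook read its own memory map, which the script itself has no obvious reason to need; if the rule was added to satisfy a denial from grep or the shell, a short comment naming the program that triggers it would stop a later reviewer from dropping it. All five new profiles also end with `\ No newline at end of file`; the hdparm, nvidia, sysstat and upgrades hunks share this.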
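Review bot: The hdparm profile grants only `@{exec_path} mr,` with no interpreter rule and no rule for any program the hook runs; the parent profile previously covered this hook together with `/{usr/,}bin/{,ba,da}sh rix,`, so the hook is presumably a shell script and will be denied at exec of its interpreter as soon as the `rPx` transition from systemd-sleep lands on this profile. Add `/{usr/,}bin/{,ba,da}sh rix,` plus the rules for the tools the script calls once they are confirmed from the audit log, or mark the profile as a skeleton with a `# TODO` comment so the missing rules are not mistaken for a deliberate lockdown. The systemd-sleep-sysstat and systemd-sleep-upgrades hunks have the same body and the same concern.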
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/nvidia
+profile systemd-sleep-nvidia @{exec_path} {
+  include
+  include
+
+  capability sys_admin,
+  capability sys_tty_config,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/nvidia-sleep.sh rix,
+  /{usr/,}bin/chvt rix,
+  /{usr/,}bin/cat rix,
+  /{usr/,}bin/rm rix,
+
+  @{run}/nvidia-sleep/* rw,
+
+  @{PROC}/driver/nvidia/suspend w,
+
+  /dev/tty rw,
+  /dev/tty[0-9]* rw,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat
new file mode 100644
index 00000000..993d1565
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/sysstat.sleep
+profile systemd-sleep-sysstat @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades
new file mode 100644
index 00000000..267275ea
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/system-sleep/unattended-upgrades
+profile systemd-sleep-upgrades @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  include if exists
+}
\ No newline at end of file
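Review bot: `capability sys_admin,` is granted without a comment saying which operation in the hook needs it; it is the broadest capability AppArmor can hand out, and the console switching the hook visibly does (`chvt`, `/dev/tty[0-9]* rw`) is already covered by `capability sys_tty_config,`. If the rule came from a single audit denial, record the denied operation beside it, e.g. `capability sys_admin, # needed for <operation from audit log>`, and drop it if the denial turns out to come from something that no longer applies now that the hook runs in its own profile. `@{run}/nvidia-sleep/* rw,` together with `/{usr/,}bin/rm rix,` lets the hook create and delete anything under that directory, presumably its own state files; a one-line comment naming what is stored there would make the scope of that write rule reviewable.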