feat(profile): general update.

2024-02-29 21:45:42 +00:00 · 2024-02-29 21:45:42 +00:00 · 06abeac2ee
commit 06abeac2ee
parent cd09dc7688
33 changed files with 154 additions and 47 deletions
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/busctl
 profile busctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-session>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>

@ -19,15 +22,25 @@ profile busctl @{exec_path} {

  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,

+  dbus eavesdrop bus=session,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus.Monitoring
+       member=BecomeMonitor
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
  @{exec_path} mr,

  @{bin}/less  rPx -> child-pager,
  @{bin}/more  rPx -> child-pager,
  @{bin}/pager rPx -> child-pager,

-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/comm r,
-  @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/loginuid r,
+  owner @{PROC}/@{pid}/sessionid r,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/busctl>
 }
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -19,6 +19,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{run}/cloud-init/ds-identify.log w,
  @{run}/host/container-manager r,
  @{run}/systemd/notify w,

--- a/apparmor.d/groups/systemd/systemd-generator-cloud-init
+++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init
@ -19,7 +19,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
  @{bin}/systemd-detect-virt     rPx,
  @{lib}/cloud-init/ds-identify rPUx,

-  @{run}/cloud-init/cloud-init-generator.log rw,
+  @{run}/cloud-init/ w,
+  @{run}/cloud-init/cloud-init-generator.* rw,
  @{run}/cloud-init/disabled w,

  @{PROC}/cmdline r,
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -20,7 +20,10 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
  @{bin}/tr                      rix,
  @{bin}/uname                   rix,

-  @{run}/cloud-init/.ds-identify.result r,
+  @{run}/cloud-init/{,.}ds-identify.* rw,
+
+  @{PROC}/cmdline r,
+  @{PROC}/uptime r,

  include if exists <local/systemd-generator-ds-identify>
 }
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -19,6 +19,7 @@ profile systemd-journald @{exec_path} {
  capability dac_override,
  capability dac_read_search,
  capability fowner,
+  capability kill,
  capability setgid,
  capability setuid,
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -59,6 +59,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  / r,
  /boot/{,**} r,
  /efi/{,**} r,
+  /swap.img r,
  /swap/swapfile r,
  /swapfile r,