From 07acb8043b1b9a7fa4633342827bde4e2c5a992a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 22 Nov 2023 20:51:10 +0000
Subject: [PATCH] feat(profiles): rename all systemd generator.

---
 .../groups/systemd/systemd-generator-fstab    | 25 +++++++++++
 .../groups/systemd/systemd-generator-getty    | 25 +++++++++++
 .../groups/systemd/systemd-generator-gpt-auto | 30 ++++++++++++++
 ...rator => systemd-generator-user-autostart} |  6 +--
 ...tor => systemd-generator-user-environment} |  4 +-
 .../systemd/systemd-user-generators-autostart | 27 ------------
 .../systemd-user-generators-environment       | 21 ----------
 .../systemd/systemd-user-generators-flatpak   |  6 +--
 dists/flags/main.flags                        | 41 ++++++++++---------
 9 files changed, 110 insertions(+), 75 deletions(-)
 create mode 100644 apparmor.d/groups/systemd/systemd-generator-fstab
 create mode 100644 apparmor.d/groups/systemd/systemd-generator-getty
 create mode 100644 apparmor.d/groups/systemd/systemd-generator-gpt-auto
 rename apparmor.d/groups/systemd/{systemd-xdg-autostart-generator => systemd-generator-user-autostart} (75%)
 rename apparmor.d/groups/systemd/{systemd-environment-d-generator => systemd-generator-user-environment} (84%)
 delete mode 100644 apparmor.d/groups/systemd/systemd-user-generators-autostart
 delete mode 100644 apparmor.d/groups/systemd/systemd-user-generators-environment

diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab
new file mode 100644
index 000000000..2ce7c16a6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-generator-fstab
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-fstab-generator
+profile systemd-generator-fstab @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  capability dac_override,
+
+  @{exec_path} mr,
+
+  /etc/fstab r,
+
+  @{run}/systemd/generator/** w,
+
+  @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/systemd-generator-fstab>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty
new file mode 100644
index 000000000..56b4ac9a6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-generator-getty
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-getty-generator
+profile systemd-generator-getty @{exec_path} flags=(attach_disconnected)  {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  @{exec_path} mr,
+
+  @{run}/systemd/generator/getty.target.wants/ w,
+  @{run}/systemd/generator/getty.target.wants/serial-getty@ttyS@{int}.service w,
+
+  @{sys}/devices/virtual/tty/console/active r,
+
+  @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/systemd-generator-getty>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto
new file mode 100644
index 000000000..b3fd238aa
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-gpt-auto-generator
+profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected)  {
+  include <abstractions/base>
+  include <abstractions/disks-read>
+  include <abstractions/systemd-common>
+
+  capability sys_admin,
+
+  @{exec_path} mr,
+
+  / r,
+  /boot/ r,
+  /efi/ r,
+  /etc/fstab r,
+
+  @{run}/systemd/generator.late/**.{,auto}mount w,
+  @{run}/systemd/generator.late/local-fs.target.wants/ w,
+
+  @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/systemd-generator-gpt-auto>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator b/apparmor.d/groups/systemd/systemd-generator-user-autostart
similarity index 75%
rename from apparmor.d/groups/systemd/systemd-xdg-autostart-generator
rename to apparmor.d/groups/systemd/systemd-generator-user-autostart
index 1d3c2856d..ebbf9b62c 100644
--- a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
+++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
-profile systemd-xdg-autostart-generator @{exec_path} {
+profile systemd-generator-user-autostart @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
   include <abstractions/nameservice-strict>
@@ -23,5 +23,5 @@ profile systemd-xdg-autostart-generator @{exec_path} {
 
   owner @{PROC}/@{pid}/cgroup r,
 
-  include if exists <local/systemd-xdg-autostart-generator>
+  include if exists <local/systemd-generator-user-autostart>
 }
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-generator-user-environment
similarity index 84%
rename from apparmor.d/groups/systemd/systemd-environment-d-generator
rename to apparmor.d/groups/systemd/systemd-generator-user-environment
index fdea976a9..58c006a20 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-generator-user-environment
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-environment-generators/*
-profile systemd-environment-d-generator @{exec_path} {
+profile systemd-generator-user-environment @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
   include <abstractions/nameservice-strict>
@@ -28,5 +28,5 @@ profile systemd-environment-d-generator @{exec_path} {
 
   /dev/tty rw,
 
-  include if exists <local/systemd-environment-d-generator>
+  include if exists <local/systemd-generator-user-environment>
 }
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-autostart b/apparmor.d/groups/systemd/systemd-user-generators-autostart
deleted file mode 100644
index b5372ec32..000000000
--- a/apparmor.d/groups/systemd/systemd-user-generators-autostart
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator
-profile systemd-user-generators-autostart @{exec_path} {
-  include <abstractions/base>
-
-  ptrace (read) peer=unconfined,
-
-  @{exec_path} mr,
-
-  /etc/xdg/autostart/{,*.desktop} r,
-
-  owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
-
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/1/environ r,
-  @{PROC}/@{pids}/cgroup r,
-
-  include if exists <local/systemd-user-generators-autostart>
-}
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-environment b/apparmor.d/groups/systemd/systemd-user-generators-environment
deleted file mode 100644
index 4a7a17b9d..000000000
--- a/apparmor.d/groups/systemd/systemd-user-generators-environment
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator
-profile systemd-user-generators-environment @{exec_path} {
-  include <abstractions/base>
-
-  @{exec_path} mr,
-
-  /etc/environment.d/{,**} r,
-
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-
-  include if exists <local/systemd-user-generators-environment>
-}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-user-generators-flatpak b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
index 4f1fe7dac..b1f6d5981 100644
--- a/apparmor.d/groups/systemd/systemd-user-generators-flatpak
+++ b/apparmor.d/groups/systemd/systemd-user-generators-flatpak
@@ -6,11 +6,11 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak
-profile systemd-user-generators-flatpak @{exec_path} {
+@{exec_path} = @{lib}/systemd/user-environment-generators/60-flatpak
+profile systemd-generator-user-environment-flatpak @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  include if exists <local/systemd-user-generators-flatpak>
+  include if exists <local/systemd-generator-user-environment-flatpak>
 }
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 7a34ebbea..09fa4eef8 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -282,62 +282,65 @@ swtpm_ioctl complain
 swtpm_localca complain
 swtpm_setup complain
 systemd-analyze complain
-systemd-arch-generator complain
 systemd-ask-password complain
 systemd-backlight complain
 systemd-binfmt attach_disconnected,complain
-systemd-bless-boot-generator attach_disconnected,complain
 systemd-cgls complain
 systemd-cgtop complain
-systemd-cloud-init-generator attach_disconnected,complain
 systemd-coredump attach_disconnected,mediate_deleted,complain
 systemd-cryptsetup complain
-systemd-cryptsetup-generator attach_disconnected,complain
-systemd-debug-generator attach_disconnected,complain
 systemd-dissect complain
-systemd-ds-identify-generator attach_disconnected,complain
-systemd-environment-d-generator complain
 systemd-escape complain
-systemd-fstab-generator attach_disconnected,complain
-systemd-getty-generator attach_disconnected,complain
-systemd-gpt-auto-generator attach_disconnected,complain
-systemd-hibernate-resume-generator attach_disconnected,complain
+systemd-firstboot complain
+systemd-generator-bless-boot attach_disconnected,complain
+systemd-generator-cloud-init attach_disconnected,complain
+systemd-generator-cryptsetup attach_disconnected,complain
+systemd-generator-debug attach_disconnected,complain
+systemd-generator-ds-identify attach_disconnected,complain
+systemd-generator-environment-arch complain
+systemd-generator-environment-flatpak complain
+systemd-generator-fstab attach_disconnected,complain
+systemd-generator-getty attach_disconnected,complain
+systemd-generator-gpt-auto attach_disconnected,complain
+systemd-generator-hibernate-resume attach_disconnected,complain
+systemd-generator-integritysetup attach_disconnected,complain
+systemd-generator-ostree attach_disconnected,complain
+systemd-generator-run attach_disconnected,complain
+systemd-generator-system-update attach_disconnected,complain
+systemd-generator-user-autostart complain
+systemd-generator-user-environment complain
+systemd-generator-user-environment-flatpak complain
+systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain
 systemd-hostnamed attach_disconnected,complain
 systemd-hwdb attach_disconnected,mediate_deleted,complain
 systemd-inhibit attach_disconnected,complain
-systemd-integritysetup-generator attach_disconnected,complain
 systemd-localed attach_disconnected,complain
 systemd-logind attach_disconnected,complain
 systemd-machine-id-setup attach_disconnected,complain
 systemd-modules-load complain
 systemd-mount complain
+systemd-network-generator complain
 systemd-oomd attach_disconnected,complain
 systemd-portabled complain
 systemd-random-seed complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-resolved attach_disconnected,complain
-systemd-run-generator attach_disconnected,complain
 systemd-shutdown complain
 systemd-sleep complain
-systemd-system-update-generator attach_disconnected,complain
 systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
 systemd-udevd attach_disconnected,complain
 systemd-update-done complain
 systemd-update-utmp complain
-systemd-user-generators-autostart complain
-systemd-user-generators-environment complain
-systemd-user-generators-flatpak complain
 systemd-user-runtime-dir complain
 systemd-user-sessions complain
 systemd-userdbd attach_disconnected,complain
 systemd-userwork complain
 systemd-vconsole-setup complain
-systemd-veritysetup-generator attach_disconnected,complain
-systemd-xdg-autostart-generator complain
+systemd.service attach_disconnected,complain
 systemsettings complain
 thunderbird complain
 thunderbird-glxtest complain