Reorganise the directories.

apparmor.d/groups/systemd/child-systemctl

@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-systemctl" exec transitions
+# from other profiles. We want to confine the systemctl(1) utility when
+# it is invoked from other confined applications, but not when it is
+# used in regular (unconfined) shell scripts or run directly by the user.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+# Do not attach to /{usr/,}bin/systemctl by default
+profile child-systemctl {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/wutmp>
+
+  capability sys_ptrace,
+
+  ptrace (read),
+
+  /{usr/,}bin/systemctl mr,
+
+  owner @{PROC}/@{pid}/stat r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/1/environ r,
+        @{PROC}/1/sched r,
+        @{PROC}/cmdline r,
+
+  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+
+  /dev/kmsg w,
+
+  include if exists <local/child-systemctl>
+}

apparmor.d/groups/systemd/systemd-ac-power

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-ac-power
+profile systemd-ac-power @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  owner @{PROC}/@{pid}/stat r,
+
+  @{sys}/class/power_supply/ r,
+
+  @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/ r,
+  @{sys}/devices/**/power_supply/{AC,BAT[0-9]*}/{type,online} r,
+
+}

apparmor.d/groups/systemd/systemd-analyze

@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/systemd-analyze
+profile systemd-analyze @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # Needed for the prctl's PR_SET_MM option:
+  #  prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)
+  capability sys_resource,
+
+  signal (send) peer=child-pager,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/pager     rPx -> child-pager,
+  /{usr/,}bin/less      rPx -> child-pager,
+  /{usr/,}bin/more      rPx -> child-pager,
+  /{usr/,}bin/man       rPx,
+
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/comm r,
+        @{PROC}/swaps r,
+
+  # For systemd-analyze cat-config
+  /etc/systemd/** r,
+  /{usr/,}lib/systemd/** r,
+
+  @{sys}/fs/cgroup/{,**} r,
+  @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
+  @{sys}/firmware/acpi/tables/FPDT r,
+
+  @{sys}/module/**/uevent r,
+  @{sys}/devices/**/uevent r,
+  @{run}/udev/data/* r,
+
+  @{run}/udev/tags/systemd/ r,
+  @{run}/systemd/system/ r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
+  owner /tmp/systemd-temporary-*/ rw,
+
+  /usr/ r,
+
+  /etc/default/locale r,
+
+  include if exists <local/systemd-analyze>
+}

apparmor.d/groups/systemd/systemd-backlight

@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-backlight
+profile systemd-backlight @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # Needed?
+  deny capability net_admin,
+
+  @{exec_path} mr,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/backlight/ r,
+
+  @{sys}/devices/pci[0-9]*/**/class r,
+  @{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw,
+  @{sys}/devices/pci[0-9]*/**/backlight/**/{max_brightness,actual_brightness} r,
+  @{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,
+
+  @{sys}/devices/platform/**/leds/*backlight*/uevent r,
+  @{sys}/devices/platform/**/leds/*backlight*/max_brightness r,
+  @{sys}/devices/platform/**/leds/*backlight*/brightness rw,
+
+
+  @{run}/udev/data/+backlight:* r,
+  @{run}/udev/data/+leds:*backlight* r,
+
+  /var/lib/systemd/backlight/*backlight* rw,
+
+}
+

apparmor.d/groups/systemd/systemd-detect-virt

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/systemd-detect-virt
+profile systemd-detect-virt @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  @{exec_path} mr,
+
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+
+  include if exists <local/systemd-detect-virt>
+}

apparmor.d/groups/systemd/systemd-fsck

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-fsck
+profile systemd-fsck @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/disks-read>
+  include <abstractions/systemd-common>
+
+  capability sys_resource,
+
+  # Needed?
+  deny capability net_admin,
+
+  @{exec_path} mr,
+
+  /{usr/,}sbin/fsck   rPx,
+  /{usr/,}sbin/e2fsck rPx,
+
+  owner @{run}/systemd/quotacheck w,
+
+  include if exists <local/systemd-fsck>
+}

apparmor.d/groups/systemd/systemd-fsckd

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
+profile systemd-fsckd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  capability sys_tty_config,
+
+  # Needed?
+  deny capability net_admin,
+
+  @{exec_path} mr,
+
+  owner @{run}/systemd/fsck.progress w,
+
+  include if exists <local/systemd-fsckd>
+}

apparmor.d/groups/systemd/systemd-hostnamed

@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
+profile systemd-hostnamed @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # To set a hostname
+  capability sys_admin,
+
+  @{exec_path} mr,
+
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+
+  /etc/hostname rw,
+  /etc/.#hostname* rw,
+
+}

apparmor.d/groups/systemd/systemd-journalctl

@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/journalctl
+profile systemd-journalctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  capability sys_resource,
+
+  signal (send) peer=child-pager,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/pager rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/[0-9a-f]*/ r,
+  /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+  /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+
+  # For --setup-keys and --verify
+  owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
+  owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
+  owner /var/tmp/#[0-9]* rw,
+
+  /var/lib/systemd/catalog/database rw,
+  /var/lib/systemd/catalog/.#database* rw,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/systemd-journalctl>
+}

apparmor.d/groups/systemd/systemd-journald

@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-journald
+profile systemd-journald @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  capability syslog,
+  capability sys_ptrace,
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  /etc/systemd/journald.conf r,
+
+  @{run}/log/ rw,
+  /{run,var}/log/journal/ rw,
+  /{run,var}/log/journal/[0-9a-f]*/ rw,
+  /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+  /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
+  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+  /{run,var}/log/journal/[0-9a-f]*/fss rw,
+
+  owner @{run}/systemd/journal/{,**} rw,
+  owner @{run}/systemd/notify rw,
+
+  @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
+  @{run}/udev/data/c10:224      r, # for /dev/tpm0
+  @{run}/udev/data/+usb:*       r,
+  @{run}/udev/data/+pci:*       r,
+  @{run}/udev/data/+hid:*       r,
+  @{run}/udev/data/+acpi:*      r,
+  @{run}/udev/data/+scsi:*      r,
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+usb-serial:* r,
+  @{run}/udev/data/+platform:regulatory.[0-9]* r,
+  @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
+
+  @{sys}/devices/**/uevent r,
+  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/module/printk/parameters/time r,
+
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/attr/current r,
+  @{PROC}/@{pids}/sessionid r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/sys/kernel/random/boot_id r,
+  @{PROC}/sys/kernel/hostname r,
+
+  /dev/kmsg rw,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+  include if exists <local/systemd-journald>
+}

apparmor.d/groups/systemd/systemd-localed

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-localed
+profile systemd-localed @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+
+  # Needed?
+  audit deny capability net_admin,
+
+  @{exec_path} mr,
+
+  /etc/default/keyboard r,
+
+  /etc/default/locale rw,
+  /etc/default/.#locale* rw,
+
+  /usr/share/systemd/language-fallback-map r,
+
+}

apparmor.d/groups/systemd/systemd-modules-load

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-modules-load
+profile systemd-modules-load @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # To load kernel modules
+  capability sys_module,
+
+  # Needed?
+  audit deny capability net_admin,
+
+  @{exec_path} mr,
+
+  @{sys}/module/*/initstate r,
+
+  /etc/modules r,
+  /etc/modprobe.d/ r,
+  /etc/modprobe.d/*.conf r,
+  /etc/modules-load.d/ r,
+  /etc/modules-load.d/*.conf r,
+
+  include if exists <local/systemd-modules-load>
+}

apparmor.d/groups/systemd/systemd-networkd

@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
+profile systemd-networkd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  capability net_admin,
+  capability net_raw,
+  capability net_bind_service,
+
+  @{exec_path} mr,
+
+  /etc/systemd/networkd.conf r,
+  /etc/systemd/network/ r,
+  /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
+
+  owner @{run}/systemd/netif/links/.#* rw,
+  owner @{run}/systemd/netif/links/[0-9]* rw,
+  owner @{run}/systemd/netif/leases/[0-9]* rw,
+  owner @{run}/systemd/netif/leases/.#* rw,
+  owner @{run}/systemd/netif/.#state* rw,
+  owner @{run}/systemd/netif/.#state rw,
+  owner @{run}/systemd/netif/state rw,
+
+  # To be able to configure network interfaces
+        @{PROC}/sys/net/ipv{4,6}/** rw,
+
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
+
+  @{sys}/devices/**/net/** r,
+
+  @{run}/udev/data/n[0-9]* r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+  include if exists <local/systemd-networkd>
+}

apparmor.d/groups/systemd/systemd-networkd-wait-online

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online
+profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  @{exec_path} mr,
+
+  @{run}/systemd/netif/links/[0-9]* r,
+
+  include if exists <local/systemd-networkd-wait-online>
+}

apparmor.d/groups/systemd/systemd-rfkill

@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-rfkill
+profile systemd-rfkill @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # Needed?
+  audit deny capability net_admin,
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /dev/rfkill rw,
+
+  @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r,
+
+  /var/lib/systemd/rfkill/* rw,
+
+  @{run}/systemd/notify rw,
+
+  @{run}/udev/data/+rfkill:* r,
+
+  include if exists <local/systemd-rfkill>
+}

apparmor.d/groups/systemd/systemd-shutdown

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-shutdown
+profile systemd-shutdown @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  capability sys_resource,
+  capability sys_boot,
+  capability kill,
+
+  signal (send) set=(stop, cont, term, kill),
+
+  @{exec_path} mr,
+
+        @{PROC}/ r,
+        @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/sys/kernel/core_pattern w,
+  owner @{PROC}/sys/kernel/printk rw,
+
+  include if exists <local/systemd-shutdown>
+}

apparmor.d/groups/systemd/systemd-sysctl

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
+profile systemd-sysctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  # Are these needed?
+  deny capability sys_ptrace,
+  deny capability sys_admin,
+  deny capability net_admin,
+  deny capability sys_resource,
+
+  @{exec_path} mr,
+
+  @{PROC}/sys/** rw,
+
+  /etc/sysctl.d/ r,
+  /etc/sysctl.d/*.conf r,
+
+  /etc/sysctl.conf r,
+
+  include if exists <local/systemd-sysctl>
+}

apparmor.d/groups/systemd/systemd-timedated

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
+profile systemd-timedated @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  capability sys_time,
+
+  @{exec_path} mr,
+
+  /dev/rtc[0-9] r,
+
+  /etc/.#adjtime* rw,
+  /etc/adjtime rw,
+
+  /etc/.#localtime* rw,
+  /etc/localtime rw,
+
+  /etc/.#timezone* rw,
+  /etc/timezone rw,
+
+  include if exists <local/systemd-timedated>
+}

apparmor.d/groups/systemd/systemd-timesyncd

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
+profile systemd-timesyncd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+  include <abstractions/nameservice-strict>
+
+  capability sys_time,
+
+  @{exec_path} mr,
+
+  /etc/systemd/timesyncd.conf r,
+
+  owner /var/lib/systemd/timesync/clock rw,
+
+  owner @{run}/systemd/timesync/synchronized rw,
+        @{run}/systemd/netif/state r,
+
+  include if exists <local/systemd-timesyncd>
+}