feat(profiles): general update.

2022-08-31 21:54:33 +01:00 · 2022-08-31 21:54:33 +01:00 · 0f61c4649c
commit 0f61c4649c
parent 0238adaaf1
23 changed files with 207 additions and 199 deletions
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}bin/* r,
-  /{usr/,}sbin/* r,
  @{libexec}/** r,
-  /opt/** r,
  / r,
+  /{usr/,}{s,}bin/* r,
+  /opt/** r,

  /etc/systemd/coredump.conf r,

@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/systemd/coredump/#[0-9]* rwl,
  owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,

-  owner @{PROC}/@{pid}/setgroups r,
-        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
-        @{PROC}/@{pids}/limits r,
-        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/environ r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/fdinfo/[0-9]* r,
+        @{PROC}/@{pids}/limits r,
+        @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pid}/setgroups r,

  include if exists <local/systemd-coredump>
 }
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
       peer=(name=org.freedesktop.PolicyKit1),

  dbus receive bus=system path=/org/freedesktop/hostname[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll,SetHostname},
+       interface=org.freedesktop.{DBus.Properties,hostname1}
+       member={Get,GetAll,SetHostname}
+       peer=(name=:*),

  dbus bind bus=system 
       name=org.freedesktop.hostname[0-9],
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
       interface=org.freedesktop.DBus.Properties
       member=Get,

+  dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged 
+       peer=(name=org.freedesktop.DBus),
+
  dbus bind bus=system
       name=org.freedesktop.network1,

@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {

        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
+        @{run}/systemd/notify rw,
  owner @{run}/systemd/netif/.#state rw,
  owner @{run}/systemd/netif/.#state* rw,
  owner @{run}/systemd/netif/leases/.#* rw,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
 profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>

@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,

+  dbus bind bus=system
+       name=org.freedesktop.timesync1,
+
  @{exec_path} mr,

  /etc/adjtime r,
@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/netif/state r,
        @{run}/systemd/notify rw,

-  # dbus-stricter
-  @{run}/dbus/system_bus_socket rw,
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={Hello,RequestName}
-       peer=(name=org.freedesktop.DBus),
-
-  dbus bind
-       bus=system
-       name=org.freedesktop.timesync1,
-
  include if exists <local/systemd-timesyncd>
 }