From 2e5c8f2f72762eacc65cce38a35b0848947e8ddb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 15 Apr 2021 22:52:14 +0100
Subject: [PATCH] Add more systemd profiles.
---
 .../systemd/systemd-environment-d-generator | 22 ++++++++++++++++
 apparmor.d/groups/systemd/systemd-random-seed | 24 ++++++++++++++++++
 apparmor.d/groups/systemd/systemd-remount-fs | 17 +++++++++++++
 .../systemd/systemd-xdg-autostart-generator | 25 +++++++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 apparmor.d/groups/systemd/systemd-environment-d-generator
 create mode 100644 apparmor.d/groups/systemd/systemd-random-seed
 create mode 100644 apparmor.d/groups/systemd/systemd-remount-fs
 create mode 100644 apparmor.d/groups/systemd/systemd-xdg-autostart-generator
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
new file mode 100644
index 000000000..d0d51f23e
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*
+profile systemd-environment-d-generator @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/environment r,
+
+ owner @{user_config_dirs}/environment.d/{,*.conf} r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed
new file mode 100644
index 000000000..3fb6943d6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-random-seed
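Review bot: The attachment path `@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*` confines every binary in that directory under this profile, not only systemd's own generator, so a distribution- or locally-installed generator would run with (and be denied by) rules written for a different program; naming the binary, `@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/30-systemd-environment-d-generator`, keeps the profile name and its attachment in agreement. The read rules cover only `/etc/environment` and the per-user `environment.d`, whereas environment.d(5) also lists the system-wide drop-in directories, so `/etc/environment.d/{,*.conf} r,` and `/{usr/,}lib/environment.d/{,*.conf} r,` (and `@{run}/environment.d/`) are likely to surface as denials in enforce mode. The targets of the `abi` and `include` lines are not readable on this page, so whether an included abstraction already supplies any of these cannot be confirmed here.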
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-random-seed
+profile systemd-random-seed @{exec_path} {
+ include
+ include
+
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ /var/lib/systemd/ r,
+ /var/lib/systemd/random-seed rw,
+
+ @{PROC}/sys/kernel/random/poolsize r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
new file mode 100644
index 000000000..7438d547f
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-remount-fs
+profile systemd-remount-fs @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
new file mode 100644
index 000000000..7f494d3a1
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/user-generators/systemd-xdg-autostart-generator
+profile systemd-xdg-autostart-generator @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/xdg/autostart/{,*.desktop} r,
+
+ owner @{user_config_dirs}/autostart/{,*.desktop} r,
+ owner @{run}/user/@{pid}/systemd/generator.late/{,**} rw,
+
+ owner @{PROC}/@{pid}/cgroup r,
+
+ include if exists
+}
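Review bot: `capability net_admin,` in the systemd-random-seed profile does not look like the privilege this binary actually exercises: crediting a loaded seed to the kernel pool goes through the random-device ioctls, which the kernel gates on CAP_SYS_ADMIN, so as written the rule widens the profile with an unused capability while the one that is needed would be denied; `capability sys_admin,` is presumably the intended rule, to be confirmed against the audit log. The file rules also grant no write access to /dev/urandom, which is where the seed is written back on load, so unless one of the included abstractions (targets not readable on this page) supplies it, `/dev/urandom rw,` belongs next to the `/var/lib/systemd/random-seed rw,` rule. Reading `@{PROC}/sys/kernel/random/poolsize` and the seed file is correctly scoped and needs no change.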
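Review bot: The systemd-remount-fs profile grants nothing beyond `@{exec_path} mr,`, yet the program's job is to remount the root (and /usr) file systems according to /etc/fstab, which under AppArmor needs a mount rule and CAP_SYS_ADMIN; with mount mediation active the remount would be denied in enforce mode unless an included abstraction (targets not readable on this page) supplies it, and an early-boot denial here may leave the root file system read-only. A minimal set matching what the program does would be `capability sys_admin,`, `/etc/fstab r,` and `mount options=(remount) -> /,` (with a matching rule for `/usr/`), each confirmed against the audit log rather than widened to a bare `mount,`. Collecting the denials later from audit logs is the alternative, but the profile should not ship in enforce mode without them.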
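Review bot: In `owner @{run}/user/@{pid}/systemd/generator.late/{,**} rw,` of the systemd-xdg-autostart-generator profile, the path component after `/run/user/` is the user's UID, not a process id, so `@{pid}` is semantically the wrong variable even though both expand to a run of digits; this line is the only write the profile grants, so the rule should say what it means. If the project's tunables define a UID variable, use it (`owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,`); otherwise a literal `[0-9]*` with a short comment is clearer than reusing `@{pid}`. The `owner` qualifier on that line and on the `@{user_config_dirs}/autostart/` rule is the right choice for a per-user generator and should stay.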