From 4e21ef53e655db487bded716efde11251a3f604a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:01:28 +0200 Subject: [PATCH] feat(profile): systemd: add nsresourced. --- apparmor.d/groups/systemd/systemd-fsckd | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 38 +++++++++++++++++++ .../groups/systemd/systemd-nsresourcework | 22 +++++++++++ .../groups/systemd/systemd-stdio-bridge | 22 +++++++++++ dists/flags/main.flags | 2 + 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/systemd/systemd-nsresourced create mode 100644 apparmor.d/groups/systemd/systemd-nsresourcework create mode 100644 apparmor.d/groups/systemd/systemd-stdio-bridge
diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd
index 33a433a09..7abde7c90 100644
--- a/apparmor.d/groups/systemd/systemd-fsckd
+++ b/apparmor.d/groups/systemd/systemd-fsckd
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd
-profile systemd-fsckd @{exec_path} {
+profile systemd-fsckd @{exec_path} flags=(attach_disconnected) {
 include include include
diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced
new file mode 100644
index 000000000..d1beae428
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-nsresourced
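Review bot: The `flags=(attach_disconnected)` added to the systemd-fsckd profile line is unrelated to the commit subject and nothing in the hunk or the message records which disconnected path motivated it, so a later reader cannot tell whether the flag is still required. A sentence in the commit description, or a comment above the profile line such as `# attach_disconnected: <reason observed in the audit log>` (placeholder wording), would keep the rationale with the change. The profile body continues outside the hunk, so I cannot see whether any rule in it explains the flag.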
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-nsresourced
+profile systemd-nsresourced @{exec_path} {
+ include
+ include
+
+ capability bpf,
+ capability perfmon,
+ capability sys_resource,
+
+ signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework,
+
+ @{exec_path} mr,
+
+ @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework,
+
+ @{run}/systemd/nsresource/ rw,
+ @{run}/systemd/nsresource/** rw,
+
+ @{sys}/devices/kprobe/type r,
+ @{sys}/fs/bpf/ r,
+ @{sys}/fs/bpf/systemd/ rw,
+ @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw,
+ @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw,
+ @{sys}/kernel/btf/vmlinux r,
+ @{sys}/kernel/security/lsm r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework
new file mode 100644
index 000000000..734717c44
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-nsresourcework
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-nsresourcework
+profile systemd-nsresourcework @{exec_path} {
+ include
+
+ capability sys_resource,
+
+ signal send set=usr2 peer=systemd-nsresourced,
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge
new file mode 100644
index 000000000..5f3bc2e36
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-stdio-bridge
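Review bot: The worker's `signal send set=usr2 peer=systemd-nsresourced` (systemd-nsresourcework hunk) is issued from a task whose label is the stack `systemd-nsresourced//&systemd-nsresourcework` created by the `Px ->` rule in this hunk, and as far as I can tell AppArmor checks a signal against every profile in the sender's stack, while systemd-nsresourced itself carries only the `receive` half of the pair. If that reading is right, the USR2 from the worker is permitted by systemd-nsresourcework but refused by the systemd-nsresourced component of the stack, and because main.flags puts both profiles in complain mode this would only surface as an audit entry rather than a visible failure. Adding `signal send set=usr2 peer=systemd-nsresourced,` beside the existing `receive` rule in systemd-nsresourced, or confirming that one of the included abstractions already grants it, would close that gap; the abstraction names after each `include` were stripped by this rendering, so I cannot check them here. The same point applies to the systemd-nsresourcework hunk and is not repeated there.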
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/systemd-stdio-bridge
+profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal send set=term peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 2d1f96c1f..3a0b70264 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -346,6 +346,8 @@ systemd-inhibit attach_disconnected,complain
 systemd-journald attach_disconnected,mediate_deleted
 systemd-mount complain
 systemd-network-generator complain
+systemd-nsresourced complain
+systemd-nsresourcework complain
 systemd-portabled complain
 systemd-remount-fs complain
 systemd-resolve complain
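Review bot: `signal send set=term peer=@{p_systemd}` lets the bridge deliver SIGTERM to every label that `@{p_systemd}` expands to, and that variable is defined outside this commit; if it matches the system manager as well as the per-user instance the bridge is attached to, the rule is wider than a stdio-to-D-Bus relay needs. A comment above the rule naming the peer that was actually observed, e.g. `# SIGTERM to the user instance on session teardown` (constructed wording, adjust to the observed case), would record the intent, or the peer could be narrowed if the variable set allows it. Separately, the main.flags hunk places the two nsresource profiles in complain mode while systemd-stdio-bridge is not listed there, so this profile is enforced from the first install; please confirm that asymmetry is intended.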