feat(profile): general update.

2024-02-28 17:17:20 +00:00 · 2024-02-28 17:17:20 +00:00 · 555b5e3c3f
commit 555b5e3c3f
parent 1c999ca921
43 changed files with 142 additions and 124 deletions
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -14,10 +14,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  capability net_admin,
  capability sys_module,
-
-  # Needed? (#FIXME#)
  audit capability sys_resource,

+  ptrace (read) peer=@{systemd},
+
  signal send peer=child-pager,

  network inet dgram,
@ -44,10 +44,13 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  /{run,var}/log/journal/@{md5}/system.journal* r,
  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,

+  @{run}/systemd/netif/leases/@{int} r,
  @{run}/systemd/netif/links/@{int} r,
  @{run}/systemd/netif/state r,
  @{run}/systemd/notify w,

+  @{run}/udev/data/n@{int} r,
+
  @{sys}/devices/**/net/**/uevent r,

        @{PROC}/sys/kernel/random/boot_id r,
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@ -27,7 +27,7 @@ profile systemd-backlight @{exec_path} {
  @{sys}/class/ r,
  @{sys}/class/backlight/ r,

-  @{sys}/devices/pci[0-9]*/*:@{int}.@{int}/**/ r,
+  @{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r,
  @{sys}/devices/@{pci}/ r,
  @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
  @{sys}/devices/@{pci}/backlight/**/{uevent,type} r,
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -20,6 +20,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{run}/host/container-manager r,
+  @{run}/systemd/notify w,

  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/board_vendor r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -18,6 +18,11 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {

  # dbus: own bus=system name=org.freedesktop.hostname1

+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=GetConnectionUnixUser
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
  @{exec_path} mr,

  @{etc_rw}/.#hostname* rw,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -27,6 +27,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {

  network netlink raw,

+  # mqueue r type=posix /,
+
  # dbus: own bus=system name=org.freedesktop.login1

  # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -29,6 +29,15 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {

  # dbus: own bus=system name=org.freedesktop.network1

+  dbus send bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=SetHostname
+       peer=(name=org.freedesktop.hostname1),
+  dbus send bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=SetHostname
+       peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed),
+
  @{exec_path} mr,

  /var/lib/dbus/machine-id r,