diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index a400b7ab4..07c24fb42 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -44,6 +44,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/su rPx -> default-sudo,
 @{bin}/sudo rPx -> default-sudo,
 @{bin}/systemctl rix,
+ @{coreutils_path} rix,
+ @{shells_path} rix,
 @{bin}/less rPx -> child-pager,
 @{bin}/more rPx -> child-pager,
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 97ffb7aad..0117b4122 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -93,20 +93,18 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 # dbus: own bus=system name=org.freedesktop.systemd1
 @{bin}/systemctl rix,
- @{bin}/true rix,
- @{lib}/systemd/systemd rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
- @{bin}/{,ba,da}sh rPx -> systemd.service,
- @{bin}/chgrp rPx -> systemd.service,
- @{bin}/chmod rPx -> systemd.service,
- @{bin}/cp rPx -> systemd.service,
- @{bin}/find rPx -> systemd.service,
- @{bin}/install rPx -> systemd.service,
+ @{lib}/systemd/systemd-executor rix,
+ @{lib}/systemd/systemd rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
+ # Maybe: rPx -> systemd-user-gdm (in user@120.service.d)?
+ @{bin}/ldconfig rPx -> systemd.service,
 @{bin}/mandb rPx -> systemd.service,
- @{bin}/mkdir rPx -> systemd.service,
 @{bin}/mount rPx -> systemd.service,
 @{bin}/savelog rPx -> systemd.service,
+ @{coreutils_path} rPx -> systemd.service,
+ @{shells_path} rPx -> systemd.service,
+
 audit @{bin}/** Pix,
 audit @{lib}/** Pix,
@@ -193,6 +191,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{sys}/fs/**/ r,
 @{sys}/fs/cgroup/{,**} rw,
 @{sys}/kernel/**/ r,
+ @{sys}/module/**/uevent r,
 @{sys}/module/apparmor/parameters/enabled r,
 @{PROC}/@{pid}/{uid_map,gid_map} r,
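Review bot: The two new `rix` rules in the `default` hunk make every shell and coreutils binary run inside the catch-all `default` profile itself, so a script launched from an unprofiled program inherits everything this profile grants, while `su`, `sudo`, `less` and `more` in the same block are deliberately pushed into narrower child profiles. That is presumably intended for a fallback profile, but nothing in the block says so; I would add `# Shells and coreutils stay inside this profile (ix) instead of getting a child profile.` above the two lines. If `@{coreutils_path}` or `@{shells_path}` expands to a pattern that also matches one of the `rPx` targets in this block, apparmor_parser may reject the profile with conflicting x modifiers, so the expansion is worth checking with a parse before merging. The enclosing `default` profile starts and ends outside the hunk.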
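Review bot: `@{lib}/systemd/systemd-executor rix,` keeps the executor inside the `systemd` profile with no comment, and that choice is load-bearing: with ix, the `rPx -> systemd.service` rules and the `audit @{bin}/** Pix` / `audit @{lib}/** Pix` catch-alls below are what confine everything the executor forks, whereas a Px to a dedicated profile would need those exec rules duplicated there. I would state that next to the line, e.g. `# systemd-executor forks every service process; kept ix so the exec rules below apply to its children`, adding the systemd version if it can be confirmed. Note also that `@{bin}/true` moves from `rix` to `@{coreutils_path} rPx -> systemd.service` (assuming the variable covers `true`), so a unit with `ExecStart=/bin/true` now transitions into `systemd.service` rather than staying in this profile; that is reasonable but is a behaviour change the commit message should mention. The new `# Maybe: rPx -> systemd-user-gdm (in user@120.service.d)?` line is a to-do in disguise; spelling it `# TODO:` keeps it greppable alongside the `# FIXME:` above it. The enclosing `systemd` profile starts and ends outside the hunk.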
@@ -203,6 +202,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/@{pid}/coredump_filter r,
 @{PROC}/@{pid}/environ r,
 @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
 @{PROC}/@{pid}/gid_map w,
 @{PROC}/@{pid}/loginuid rw,
 @{PROC}/@{pid}/mountinfo r,
@@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/sys/kernel/* r,
 @{PROC}/sys/kernel/random/* rw,
 @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/sysvipc/{shm,sem,msg} r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 /dev/ r,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index b39607253..6ae11c7cb 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -27,10 +27,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 ptrace (read),
 signal (send) set=(term, cont, kill),
+ signal (receive) set=(hup) peer=@{systemd},
+
 @{exec_path} mr,
 @{bin}/systemctl rCx -> systemctl,
+ @{lib}/systemd/systemd-executor rix,
 audit @{lib}/** Pix,
 audit @{bin}/** Pix,
@@ -76,6 +79,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/pid_max r,
 @{PROC}/sys/kernel/threads-max r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pids}/attr/apparmor/exec w,
 owner @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pids}/mountinfo r,
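Review bot: `signal (receive) set=(hup) peer=@{systemd},` in the `systemd-user` hunk only lets the system manager deliver SIGHUP, yet the send rule just above it shows the profile expects term/cont/kill traffic, and a confined pid 1 stopping `user@.service` also has to be allowed on the receiving side; unless a broader receive rule lives outside the hunk, stop and kill of the user manager will be denied once `@{systemd}` is a real profile. If that is the case I would widen it to `signal (receive) set=(hup, term, cont, kill) peer=@{systemd},`, and in either case a one-line comment such as `# pid 1 reloads (HUP) and stops (TERM/KILL) the user manager` would make the intended set reviewable. The new `@{lib}/systemd/systemd-executor rix,` also deserves the same kind of comment as in the `systemd` profile, since keeping it ix is what makes the `audit ... Pix` rules below confine the processes it forks. The enclosing `systemd-user` profile starts and ends outside the hunk.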
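Review bot: The new `owner @{PROC}/@{pid}/fdinfo/@{int} r,` uses `@{pid}` while the adjacent `owner @{PROC}/@{pids}/fd/ r,` and `owner @{PROC}/@{pids}/mountinfo r,` rules use `@{pids}`; if the two variables are not aliases in this repository's tunables, and the denial that motivated the rule came from the manager inspecting a child's fds rather than its own, `@{pid}` will not cover it. Either align the rule with its neighbour, `owner @{PROC}/@{pids}/fdinfo/@{int} r,`, or add a comment stating that only the manager's own fdinfo is intended. The enclosing `systemd-user` profile starts and ends outside the hunk.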