feat(profiles): general update.

2023-08-17 18:43:56 +01:00 · 2023-08-17 18:43:56 +01:00 · 5d47dfba95
commit 5d47dfba95
parent f7b9ff959a
50 changed files with 174 additions and 50 deletions
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -16,6 +16,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{bin}/* r,
+
  # Config file locations
  /etc/binfmt.d/{,*.conf} r,
  @{run}/binfmt.d/{,*.conf} r,
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -68,6 +68,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/uevent_seqnum r,
  @{sys}/devices/**/read_ahead_kb r,

+  @{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,
+
        @{PROC}/devices r,
        @{PROC}/sysvipc/{shm,sem,msg} r,
  owner @{PROC}/@{pid}/gid_map w,
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -11,9 +11,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_override,
+
  @{exec_path} mr,

-  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#[0-9]*,
  @{lib}/udev/hwdb.bin w,

  /etc/udev/.#hwdb.bind* rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} {

  @{run}/log/ rw,
  /{run,var}/log/journal/ rw,
-  /{run,var}/log/journal/@{hex}/{,*} rw,
+  /{run,var}/log/journal/@{hex}/{,*} rwl -> /{run,var}/log/journal/@{hex}/**,

  owner @{run}/systemd/journal/{,**} rw,
  owner @{run}/systemd/notify rw,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -33,7 +33,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {

  /usr/share/kbd/keymaps/{,**} r,
  /usr/share/systemd/*-map r,
-  /usr/share/X11/xkb/rules/evdev r,
+  /usr/share/X11/xkb/{,**} r,

  /etc/.#vconsole.conf* rw,
  /etc/default/.#locale* rw,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -128,6 +128,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  @{sys}/fs/cgroup/memory.max r,
  @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+  @{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw,
  @{sys}/module/vt/parameters/default_utf8 r,
  @{sys}/power/{state,resume_offset,resume,disk} r,

--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -71,5 +71,7 @@ profile systemd-machined @{exec_path} {
  @{run}/systemd/userdb/io.systemd.Machine rw,
  @{run}/systemd/notify w,

+  @{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw,
+
  include if exists <local/systemd-machined>
 }
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -35,7 +35,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
       peer=(name=org.freedesktop.DBus),

  dbus receive bus=system path=/org/freedesktop/resolve[0-9]
-       interface=org.freedesktop.resolve[0-9].Manager,
+       interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},

  dbus receive bus=system path=/org/freedesktop/login[0-9]*
       interface=org.freedesktop.login[0-9]*.Manager
@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/resolve/{,**} rw,
  owner @{run}/systemd/journal/socket w,

+  owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
+
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,

--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@ -12,6 +12,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

+  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_ptrace,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -37,6 +37,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {

  owner /var/lib/systemd/timesync/clock rw,

+  @{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw,
+
  owner @{run}/systemd/journal/socket w,
  owner @{run}/systemd/timesync/synchronized rw,
        @{run}/resolvconf/*.conf r,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -12,7 +12,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-#  capability net_admin,
+  audit capability net_admin,

  signal (receive) set=(term cont) peer=logrotate,