From d9430c68c190f26cca9a2291c74b4f9bba4617c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:55:48 +0200 Subject: [PATCH 01/49] build: improve error message in the stack direcive. --- pkg/prebuild/directive/stack.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index f80689827..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) From 780ca65953a726133f412e61020e749ca99d0850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:57:37 +0200 Subject: [PATCH 02/49] build(fsp): set stacked variables. --- pkg/prebuild/prepare/fsp.go | 77 ++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 0d4c23076..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { @@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } - // Set systemd profile name + // Set profile name for FSP path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") - out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") - out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") - out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } From c07c5838e4855d97bf98f65496c302bbd305e71c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:00:08 +0200 Subject: [PATCH 03/49] build: add RBAC filter to the only/exclude directive. --- pkg/prebuild/cli/cli.go | 1 + pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 3 files changed, 8 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 779cd5c0c..51636f848 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -80,6 +80,7 @@ func Configure() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index a6513f37e..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,6 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index d5d5a7266..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Either or not RBAC is enabled + RBAC = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From f717ea7383ea32abde752af3a88dd1bf87709a25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:01:08 +0200 Subject: [PATCH 04/49] feat(aa): add a mount flag. --- pkg/aa/mount.go | 2 +- pkg/aa/util.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index bbf66b577..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..5a7049d69 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { From 04b6cade644c0adfdb4b0a9bdc4f71bff78bc8ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:17:14 +0200 Subject: [PATCH 05/49] feat(profile): use profile variable in rules such as in dbus, ptrace, unix... --- apparmor.d/abstractions/app/sudo | 4 ++-- apparmor.d/abstractions/base.d/complete | 2 +- .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/net.reactivated.Fprint | 6 +++--- apparmor.d/abstractions/bus/org.a11y | 10 +++++----- apparmor.d/abstractions/bus/org.bluez | 14 +++++++------- .../abstractions/bus/org.freedesktop.Accounts | 10 +++++----- .../abstractions/bus/org.freedesktop.Avahi | 10 +++++----- .../bus/org.freedesktop.ColorManager | 8 ++++---- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++++----- .../bus/org.freedesktop.ModemManager1 | 6 +++--- .../abstractions/bus/org.freedesktop.PolicyKit1 | 8 ++++---- .../bus/org.freedesktop.RealtimeKit1 | 6 +++--- .../abstractions/bus/org.freedesktop.UPower | 8 ++++---- .../bus/org.freedesktop.UPower.PowerProfiles | 2 +- .../abstractions/bus/org.freedesktop.hostname1 | 2 +- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 8 ++++---- .../bus/org.freedesktop.login1.Session | 8 ++++---- .../abstractions/bus/org.freedesktop.network1 | 2 +- .../abstractions/bus/org.freedesktop.resolve1 | 4 ++-- .../abstractions/bus/org.freedesktop.timedate1 | 2 +- .../abstractions/bus/org.gnome.ArchiveManager1 | 4 ++-- apparmor.d/abstractions/mapping/login | 2 +- apparmor.d/abstractions/mapping/sshd | 4 ++-- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-resolve | 4 ++-- apparmor.d/groups/bluetooth/bluetoothctl | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/filesystem/udisksd | 4 ++-- apparmor.d/groups/flatpak/flatpak | 4 ++-- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-control-center | 16 ++++++++-------- apparmor.d/groups/gnome/gnome-firmware | 4 ++-- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++------ apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 8 ++++---- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 7 +------ apparmor.d/groups/gnome/loupe | 5 +++++ apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/homectl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/utils/chsh | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/tunables/multiarch.d/profiles | 6 +++--- 72 files changed, 152 insertions(+), 151 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 333cbddbd..1286b1571 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,8 @@ network netlink raw, # PAM - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 230e0c9d5..06b413342 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -18,7 +18,7 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 63f224c42..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 2f3660082..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 018109a62..ef0e15707 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -9,27 +9,27 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 296965691..201d3998c 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -4,37 +4,37 @@ abi , - #aa:dbus common bus=system name=org.bluez label=bluetoothd + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 2ad151c45..d15288d46 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index e3128f984..38e05f48c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 27776b776..3a63d95dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index feaced7c3..9957c7b67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -4,26 +4,26 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 41e03f325..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -4,17 +4,17 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index b770cdbb1..9dfab7481 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 0c6abbdbe..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -15,12 +15,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index ec0a2b15b..69218b619 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles index 3d3980f81..45e88b103 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index e6182bead..0a8d86be1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 511a44dd6..1348c8a39 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 7f9fc5fb7..ad368ed98 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 23ec52c8e..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index be11a7ceb..7583a3e9d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 8c7670382..e2c4b3886 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 83f85c678..8f6118355 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index ce572e9cd..6bfa6114b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 54a8c1c7f..7ccc2d678 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login @@ -25,7 +25,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=ReleaseSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{etc_ro}/security/group.conf r, @{etc_ro}/security/limits.conf r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index bb0064956..97f0b077e 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -28,7 +28,7 @@ network inet6 stream, network netlink raw, - signal receive set=exists peer=systemd-journald, + signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/sshd/system, @@ -36,7 +36,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), /etc/motd r, /etc/locale.conf r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index e408b94b9..0b075581b 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, - #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..5c1a7633e 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6f66ec9b2..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + signal receive set=kill peer=@{p_systemd_user}, signal receive set=term peer=ibus-daemon, dbus receive bus=session diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index f671ce6e9..78e7883cb 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d4febb1f..1ff219bbe 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c958bd2cd..52e9e32ef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 804020b7b..fab642571 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member=Found - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=ItemRemove - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager @@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 00e277f1f..12c82aea3 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=ReleaseControl - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e35d165a2..435d055fa 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 1a05892b6..a5dac16fa 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c81e591cf..235c0ce9e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1f0b6239e..1007d55e2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -45,18 +45,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c62175c85..37b3b7892 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 027a1ab96..dc9b6812e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bfd695959..6c781e204 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 92cf3fa0a..2fe22305b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9dec92df4..b8da39a4d 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1ae8e2ada..2a2ea034f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0d09a0e9c..a330b76ce 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e5489c2b4..4fece3366 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,12 +36,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4ee0d9268..6f783627e 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,6 +21,11 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b4111d6d0..396f256cc 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 008b6bd31..85257c89d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -46,7 +46,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -60,12 +60,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f593db162..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e663c299e..5799ced5b 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0481af5de..1add6c1c4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -55,7 +55,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fe5a6f1cd..4b99aafd6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d64..3a78c531e 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index dcbe9a46f..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index b49065fd7..f9a3625ef 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index c65bb4edd..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -20,7 +20,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0163f2258..5b4b3e6b5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -26,7 +26,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 5c436f6c1..1ef3404d9 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -15,7 +15,7 @@ profile resolvectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3d6c3a4b7..df1e74048 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -42,7 +42,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b603b2411..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index bbd4b7438..30d30b295 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,7 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index 73f097a94..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,7 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6968be40e..6227f4fc5 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -34,7 +34,7 @@ profile login @{exec_path} flags=(attach_disconnected) { ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7b087309..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..3c9b0a3a9 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,7 +27,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7fa668a71..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -34,7 +34,7 @@ profile qemu-ga @{exec_path} { unix type=stream addr=@@{udbus}/bus/shutdown/system, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" include if exists } diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index ec1eff79c..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -8,10 +8,10 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined -@{p_systemd_executor}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined -@{p_systemd_user_executor}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility From 217448d09a5259492a143f99808bc79213d75eaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:18:11 +0200 Subject: [PATCH 06/49] doc: improve documentation on the use of some special abstraction. --- apparmor.d/abstractions/attached/base | 3 ++- apparmor.d/abstractions/attached/consoles | 3 ++- apparmor.d/abstractions/bus/own-accessibility | 3 ++- apparmor.d/abstractions/bus/own-session | 3 ++- apparmor.d/abstractions/bus/own-system | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 6a7486cf8..4c35d915d 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index dd2275a03..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility index 94968258c..cd8e42e52 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/own-accessibility @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session index 8186f34cb..91515adb0 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/own-session @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system index f2ee3219c..d48931f4f 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/own-system @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus From 4ffbf84a0094e6c51933070b27a5c58628ec2ea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:20:37 +0200 Subject: [PATCH 07/49] feat(fsp): remove the default profiles. --- apparmor.d/groups/_full/bwrap | 56 ------------ apparmor.d/groups/_full/bwrap-app | 36 -------- apparmor.d/groups/_full/default | 122 --------------------------- apparmor.d/groups/_full/default-sudo | 42 --------- dists/flags/main.flags | 4 - 5 files changed, 260 deletions(-) delete mode 100644 apparmor.d/groups/_full/bwrap delete mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default delete mode 100644 apparmor.d/groups/_full/default-sudo diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdf..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bff..000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null @@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 609191970..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e27c76bc2..a73fee129 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,10 +1,6 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain From 8f3f3816edd40839b0832cc67546b08eae09314e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:31:35 +0200 Subject: [PATCH 08/49] feat(fsp): systemd drop in files: configure stacked profile It comes as a replacement of old and unsecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable as hundred of profile could be configured this way --- systemd/full/system/ModemManager.service | 2 +- systemd/full/system/archlinux-keyring-wkd-sync.service | 2 +- systemd/full/system/dbus-org.freedesktop.hostname1.service | 2 +- systemd/full/system/dbus-org.freedesktop.import1.service | 2 +- systemd/full/system/dbus-org.freedesktop.locale1.service | 2 +- systemd/full/system/dbus-org.freedesktop.login1.service | 2 +- systemd/full/system/dbus-org.freedesktop.machine1.service | 2 +- systemd/full/system/dbus-org.freedesktop.timedate1.service | 2 +- systemd/full/system/e2scrub@.service | 2 +- systemd/full/system/e2scrub_reap.service | 2 +- systemd/full/system/fprintd.service | 2 +- systemd/full/system/fwupd-refresh.service | 4 +--- systemd/full/system/geoclue.service | 6 +----- systemd/full/system/irqbalance.service | 2 +- systemd/full/system/nm-priv-helper.service | 2 +- systemd/full/system/polkit.service | 2 +- systemd/full/system/rngd.service | 2 +- systemd/full/system/systemd-homed.service | 2 +- systemd/full/system/systemd-hostnamed.service | 2 +- systemd/full/system/systemd-journald.service | 3 +-- systemd/full/system/systemd-journald@.service | 3 +-- systemd/full/system/systemd-localed.service | 2 +- systemd/full/system/systemd-logind.service | 3 +-- systemd/full/system/systemd-machined.service | 2 +- systemd/full/system/systemd-networkd.service | 2 +- systemd/full/system/systemd-resolved.service | 2 +- systemd/full/system/systemd-timedated.service | 2 +- systemd/full/system/systemd-userdbd.service | 2 +- systemd/full/system/upower.service | 2 +- 29 files changed, 29 insertions(+), 38 deletions(-) diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d352890..2d1593f19 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d352890..b88768556 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d352890..0ab519541 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d352890..276595080 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d352890..c5728915c 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d352890..ab04c5a45 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d352890..7340b7610 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d352890..b903d2f0a 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d352890..5f1f063fa 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f0..acd28a5a4 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659..2c10e32f5 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d352890..eab67fa44 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d352890..53f99edd0 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d352890..b21a28baa 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d352890..c52a85d0c 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d352890..65d4ae62e 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d352890..78dd0193d 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d352890..d3771658d 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d352890..082e8f0fa 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd From 47bafeb67bacc6abb89eb74f9a7044cfdfae0cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:06:52 +0200 Subject: [PATCH 09/49] feat(fsp): rewrite the systemd profile. --- apparmor.d/groups/_full/systemd | 251 +++++++++++--------------------- 1 file changed, 88 insertions(+), 163 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e1a9918e1..eec9b33d9 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. # - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` -# - Stop disabling nnp flags in systemd dropin files. -# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) -# need they own profile, profile name configured as a dropin unit file. -# - When this is done: the fallback profile as root will not be needed. abi , include +@{exec_path} = @{lib}/systemd/systemd profile systemd flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - mount /dev/** -> /boot/{,efi/}, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/{,efi/}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - umount /, - umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, - - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + umount @{run}/credentials/*/, mqueue (read getattr) type=posix /, - change_profile, - - signal receive set=(rtmin+23) peer=plymouthd, - signal receive set=(term hup cont), signal send, ptrace (read, readby), - unix send type=dgram, - - unix receive type=dgram peer=(label=systemd-timesyncd), - unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - # For stacked profiles - #aa:dbus own bus=system name=org.freedesktop.network1 - #aa:dbus own bus=system name=org.freedesktop.oom1 - #aa:dbus own bus=system name=org.freedesktop.resolve1 - #aa:dbus own bus=system name=org.freedesktop.timesync1 + @{exec_path} mrix, + @{sh_path} mr, - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - @{bin}/kill ix, - - # Shell based systemd unit services - # TODO: create unit profile for all of them - @{sbin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + # Systemd system generators. Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, /etc/default/{,**} r, - /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /etc/systemd/system/multi-user.target.wants/{,*} w, - /var/log/dmesg rw, - /var/lib/systemd/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, + + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, - - @{att}/@{run}/systemd/journal/socket r, @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, @@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices @@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -280,32 +205,32 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, /dev/input/ r, /dev/kmsg w, + /dev/tty rw, /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } From 3dc8a74ec09ceb8f18c6a69e7d6b61f8b40f81f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:16:26 +0200 Subject: [PATCH 10/49] feat(fsp): rewrite the systemd-user profile. --- apparmor.d/groups/_full/systemd-user | 85 ++++++---------------------- 1 file changed, 17 insertions(+), 68 deletions(-) diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b0b3272a1..3b0d01709 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,8 +11,6 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include @@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, - ptrace read peer=@{p_systemd}, + ptrace read, + + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, - - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, - - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -124,20 +89,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - /dev/kmsg w, - /dev/tty rw, deny capability bpf, deny capability dac_override, @@ -149,16 +108,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability sys_boot, deny capability sys_resource, - profile systemctl { - include - include - - deny capability net_admin, - - include if exists - include if exists - } - include if exists include if exists } From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:35:28 +0200 Subject: [PATCH 11/49] feat(fsp): remove the now deprecated generic system service profiles. --- apparmor.d/groups/_full/systemd-service | 77 -------------------- apparmor.d/groups/_full/systemd-user-service | 23 ------ dists/flags/main.flags | 1 - 3 files changed, 101 deletions(-) delete mode 100644 apparmor.d/groups/_full/systemd-service delete mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index a53193cc5..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability chown, - capability fsetid, - - @{sbin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{sbin}/pwck rPx, - @{sbin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - / r, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/spool/cron/atjobs/ r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index 0cb9efa49..000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(attach_disconnected) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a73fee129..5a6c7c526 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -2,7 +2,6 @@ # File format: one profile by line using the format: ' ' systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain akonadi_akonotes_resource complain From 5940f0117b85538f3f91840a58a7583dbcc579bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:37:56 +0200 Subject: [PATCH 12/49] feat(fsp): add the new sdu profile as service and stacked profile manager for user. --- apparmor.d/groups/_full/sdu | 124 ++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 apparmor.d/groups/_full/sdu diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 000000000..5ceb669f0 --- /dev/null +++ b/apparmor.d/groups/_full/sdu @@ -0,0 +1,124 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c116:@{int} r, # for ALSA + + @{sys}/bus/ r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + audit capability net_admin, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From 9125686973a11c2a297d16621ec2859a061bf8bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:44:00 +0200 Subject: [PATCH 13/49] feat(fsp): add the new sdu profile as service and stacked profile manager for system. --- apparmor.d/groups/_full/sd | 246 +++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 apparmor.d/groups/_full/sd diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 000000000..974bc3544 --- /dev/null +++ b/apparmor.d/groups/_full/sd @@ -0,0 +1,246 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, + mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/grpck ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/pwck ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/share/** r, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + /var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/* r, + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From a194f28c21f15ee0ffd693eb5612ce198bcc75ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:59:02 +0200 Subject: [PATCH 14/49] feat(fsp): add sd-mount. --- apparmor.d/groups/_full/sd-mount | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-mount diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 000000000..7f7dede60 --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 8ff829542d4fea4e9366e7ed03a387637eb24c95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:13:04 +0200 Subject: [PATCH 15/49] feat(profile): add profile for some named minimal systemd service. --- .../cloud-init-hotplugd.service | 22 +++++++ .../systemd-service/debug-shell.service | 19 ++++++ .../groups/systemd-service/dmesg.service | 62 +++++++++++++++++++ .../systemd-service/grub-common.service | 28 +++++++++ .../groups/systemd-service/ldconfig.service | 23 +++++++ .../groups/systemd-service/man-db.service | 39 ++++++++++++ .../systemd-service/secureboot-db.service | 27 ++++++++ .../groups/systemd-service/shadow.service | 23 +++++++ .../snapd.system-shutdown.service | 28 +++++++++ .../system-update-cleanup.service | 22 +++++++ .../systemd-service/usb_modeswitch.service | 17 +++++ 11 files changed, 310 insertions(+) create mode 100644 apparmor.d/groups/systemd-service/cloud-init-hotplugd.service create mode 100644 apparmor.d/groups/systemd-service/debug-shell.service create mode 100644 apparmor.d/groups/systemd-service/dmesg.service create mode 100644 apparmor.d/groups/systemd-service/grub-common.service create mode 100644 apparmor.d/groups/systemd-service/ldconfig.service create mode 100644 apparmor.d/groups/systemd-service/man-db.service create mode 100644 apparmor.d/groups/systemd-service/secureboot-db.service create mode 100644 apparmor.d/groups/systemd-service/shadow.service create mode 100644 apparmor.d/groups/systemd-service/snapd.system-shutdown.service create mode 100644 apparmor.d/groups/systemd-service/system-update-cleanup.service create mode 100644 apparmor.d/groups/systemd-service/usb_modeswitch.service diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/bash -c 'read args <&3; echo "args=$args"; \ +# exec /usr/bin/cloud-init devel hotplug-hook $args; \ +# exit 0' + +abi , + +include + +profile cloud-init-hotplugd.service { + include + + @{sh_path} ix, + @{bin}/cloud-init Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service new file mode 100644 index 000000000..9f8e235cf --- /dev/null +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=/usr/bin/bash + +abi , + +include + +profile debug-shell.service { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service new file mode 100644 index 000000000..4c67f680a --- /dev/null +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 000000000..4abd74fb1 --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + /boot/grub/ w, + /boot/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 000000000..f7d193e9e --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 000000000..24b34fc25 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 000000000..a951747be --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..e8939006e --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + audit @{bin}/cp ix, + audit @{bin}/mkdir ix, + audit @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor From 1aa0142a6aa0b31732fdf286fea14e3600b2f76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:20:32 +0200 Subject: [PATCH 16/49] feat(fsp): add/update systemd drop in files with AppArmorProfile set to the target profile. --- systemd/full/system/apport-coredump-hook@.service | 2 ++ systemd/full/system/apt-news.service | 2 ++ systemd/full/system/bluetooth.service | 2 +- systemd/full/system/cloud-init-hotplugd.service | 2 ++ systemd/full/system/colord.service | 2 ++ systemd/full/system/debug-shell.service | 2 ++ systemd/full/system/dmesg.service | 2 ++ systemd/full/system/fwupd.service | 2 ++ systemd/full/system/grub-common.service | 2 ++ systemd/full/system/ldconfig.service | 2 ++ systemd/full/system/logrotate.service | 2 ++ systemd/full/system/low-memory-monitor.service | 3 --- systemd/full/system/man-db.service | 2 ++ systemd/full/system/paccache.service | 2 -- systemd/full/system/passim.service | 2 -- systemd/full/system/pcscd.service | 2 ++ systemd/full/system/power-profiles-daemon.service | 2 ++ systemd/full/system/reflector.service | 2 -- systemd/full/system/rsyslog.service | 2 ++ systemd/full/system/secureboot-db.service | 2 ++ systemd/full/system/shadow.service | 3 +-- systemd/full/system/snapd.system-shutdown.service | 2 ++ systemd/full/system/system-update-cleanup.service | 2 ++ systemd/full/system/systemd-coredump@.service | 2 ++ systemd/full/system/systemd-initctl.service | 2 ++ systemd/full/system/systemd-journal-remote.service | 2 ++ systemd/full/system/systemd-nsresourced.service | 2 ++ systemd/full/system/systemd-oomd.service | 2 ++ systemd/full/system/systemd-rfkill.service | 2 ++ systemd/full/system/systemd-timesyncd.service | 2 ++ systemd/full/system/usb_modeswitch@.service | 2 ++ 31 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 systemd/full/system/apport-coredump-hook@.service create mode 100644 systemd/full/system/apt-news.service create mode 100644 systemd/full/system/cloud-init-hotplugd.service create mode 100644 systemd/full/system/colord.service create mode 100644 systemd/full/system/debug-shell.service create mode 100644 systemd/full/system/dmesg.service create mode 100644 systemd/full/system/fwupd.service create mode 100644 systemd/full/system/grub-common.service create mode 100644 systemd/full/system/ldconfig.service create mode 100644 systemd/full/system/logrotate.service delete mode 100644 systemd/full/system/low-memory-monitor.service create mode 100644 systemd/full/system/man-db.service delete mode 100644 systemd/full/system/paccache.service delete mode 100644 systemd/full/system/passim.service create mode 100644 systemd/full/system/pcscd.service create mode 100644 systemd/full/system/power-profiles-daemon.service delete mode 100644 systemd/full/system/reflector.service create mode 100644 systemd/full/system/rsyslog.service create mode 100644 systemd/full/system/secureboot-db.service create mode 100644 systemd/full/system/snapd.system-shutdown.service create mode 100644 systemd/full/system/system-update-cleanup.service create mode 100644 systemd/full/system/systemd-coredump@.service create mode 100644 systemd/full/system/systemd-initctl.service create mode 100644 systemd/full/system/systemd-journal-remote.service create mode 100644 systemd/full/system/systemd-nsresourced.service create mode 100644 systemd/full/system/systemd-oomd.service create mode 100644 systemd/full/system/systemd-rfkill.service create mode 100644 systemd/full/system/systemd-timesyncd.service create mode 100644 systemd/full/system/usb_modeswitch@.service diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 000000000..73bbc99d8 --- /dev/null +++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 000000000..d7bf885dd --- /dev/null +++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d352890..5cccff422 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 000000000..a2a121fc3 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 000000000..9a64fbc26 --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 000000000..f895f7941 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 000000000..d4647117b --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 000000000..5054a73d6 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 000000000..8520aea76 --- /dev/null +++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 000000000..1b2a9c287 --- /dev/null +++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 000000000..bc984e025 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a..000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 000000000..d3a78dd80 --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 000000000..8d39f3f26 --- /dev/null +++ b/systemd/full/system/pcscd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 000000000..45c5ed93b --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 000000000..6b49a73f0 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 000000000..722781b8a --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a..52d2f644c 100644 --- a/systemd/full/system/shadow.service +++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 000000000..7953d522a --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 000000000..24c914f77 --- /dev/null +++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 000000000..d13624709 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 000000000..e44c8767f --- /dev/null +++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 000000000..e08cf75a9 --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 000000000..0cd6fefbf --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 000000000..0eca1db25 --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file From d5a65ba8319d63faa358abfc55c51e5fd77bc3f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:26:18 +0200 Subject: [PATCH 17/49] feat(profile): add a few small profile needed by fsp. --- apparmor.d/profiles-a-f/e2scrub | 18 ++++++++++++++++ .../open-iscsi-net-interface-handler | 19 +++++++++++++++++ apparmor.d/profiles-s-z/u-d-c-print-pci-ids | 19 +++++++++++++++++ .../udev-bridge-network-interface | 21 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 apparmor.d/profiles-a-f/e2scrub create mode 100644 apparmor.d/profiles-m-r/open-iscsi-net-interface-handler create mode 100644 apparmor.d/profiles-s-z/u-d-c-print-pci-ids create mode 100644 apparmor.d/profiles-s-z/udev-bridge-network-interface diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 000000000..2593b78ac --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor From 3984cf8accfaf48badb6f6ad9916a392bde499d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:27:55 +0200 Subject: [PATCH 18/49] feat(profile): initial profile for pollinate. --- apparmor.d/profiles-m-r/pollinate | 48 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pollinate diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5a6c7c526..2736540a8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -266,6 +266,7 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain ptyxis complain ptyxis-agent complain pycompile complain From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:29:52 +0200 Subject: [PATCH 19/49] feat(profile): integrate fsp with apt and ubuntu. --- apparmor.d/groups/apt/apt-methods-http | 5 +++-- apparmor.d/groups/apt/dpkg-script-apparmor | 1 + apparmor.d/groups/apt/dpkg-script-systemd | 3 +++ apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/ubuntu/cron-ubuntu-fan | 8 +------- apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++ 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0b375c8f8..7fb3a2cc4 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include @@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, signal receive peer=apt, signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, signal receive peer=role_*, signal receive peer=synaptic, signal receive peer=ubuntu-advantage, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 73b14390a..e9a03f282 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} { /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 4acafd139..8ca92515c 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} { /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 4fb4d04c4..3102b23bb 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, @@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} { include include + capability dac_read_search, + dbus send bus=system path=/ interface=org.freedesktop.DBus member=ReloadConfig diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 95b8b2760..c2d94e25a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, signal send peer=apt-methods-http, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 8f5952d9b..3ca55909d 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rix, - @{bin}/flock rix, + @{sbin}/fanctl rPx, @{bin}/grep rix, - @{bin}/id rix, @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index b3cbf7f07..3ad03eb05 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} { @{exec_path} mr, + @{bin}/systemctl Cx -> systemctl, + /usr/share/apport/apport-checkreports Px, + profile systemctl { + include + include + + include if exists + } + include if exists } From 38c6e35a1b0e5af40b06a50484e4b95a86f45581 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:33:37 +0200 Subject: [PATCH 20/49] feat(profile): add some ubuntu specific profiles. --- apparmor.d/groups/ubuntu/apt_news | 39 +++++++++++++++++++++++++ apparmor.d/groups/ubuntu/fanctl | 33 +++++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-fan-net | 24 +++++++++++++++ dists/flags/ubuntu.flags | 3 ++ 4 files changed, 99 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt_news create mode 100644 apparmor.d/groups/ubuntu/fanctl create mode 100644 apparmor.d/groups/ubuntu/ubuntu-fan-net diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..faf15dfbe --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..f9d7c01f5 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc85..7339702a2 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,12 +1,14 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +20,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain From 28d9d48de457eb5d2db6a065d1341386479bc27f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:39:35 +0200 Subject: [PATCH 21/49] feat(profile): small update to systemd profiles. --- apparmor.d/groups/systemd/bootctl | 25 ++++++++----------- apparmor.d/groups/systemd/homectl | 2 +- .../systemd/systemd-generator-ds-identify | 4 +-- apparmor.d/groups/systemd/systemd-logind | 2 +- .../systemd/systemd-networkd-wait-online | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 7 ++++-- 6 files changed, 20 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 9508cfcf2..f7d001c70 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected) { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, @{efi}/ r, - @{efi}/EFI/{,**} r, - @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - @{efi}/EFI/BOOT/BOOTX64.EFI w, - @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - @{efi}/EFI/systemd/systemd-boot*.efi w, - @{efi}/loader/.#bootctlrandom-seed@{hex} rw, - @{efi}/loader/.#entries.srel* w, - @{efi}/loader/{,**} r, - @{efi}/loader/entries.srel w, - @{efi}/loader/random-seed w, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, - /etc/kernel/entry-token r, + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3a78c531e..3c962e309 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} { +profile homectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 346e7d94e..ba6141d86 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e1..b1869b16b 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e40730..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index d1beae428..97dcb3b05 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} { +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include include @@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} { @{exec_path} mr, - @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + @{lib}/systemd/systemd-nsresourcework ix, # no new privs @{run}/systemd/nsresource/ rw, @{run}/systemd/nsresource/** rw, @@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} { @{sys}/kernel/btf/vmlinux r, @{sys}/kernel/security/lsm r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } From 581a55c7269cccd518baf9f65c5078edecaffcb4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:40:49 +0200 Subject: [PATCH 22/49] feat(profile): update systemd-homework/homed as they get stacked. --- apparmor.d/groups/systemd/systemd-homed | 20 ++++++-- apparmor.d/groups/systemd/systemd-homework | 58 +++++++++++++++++++++- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a89cd90f8..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, @@ -32,16 +35,24 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, @{sbin}/mke2fs rPx, @@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a16..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } From 9325dd5ca0cb1f37bda1d2abd90333cacb2d9958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:43:19 +0200 Subject: [PATCH 23/49] feat(profile): revisit systemd-udevd and ensure most program get transitionned confined. --- apparmor.d/groups/systemd/systemd-udevd | 66 ++++++++++++++----------- 1 file changed, 36 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3861056b8..9c993e0d5 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,44 +37,45 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{sbin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{sbin}/dmsetup rPx, - @{sbin}/ethtool rix, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPUx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{sbin}/lvm rPx, - @{bin}/mknod rix, - @{sbin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, - @{bin}/vmmouse_detect rPUx, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, @@ -120,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -127,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } From 32a9806219898f6c5a25b7efb3a15320ff7af24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:52:40 +0200 Subject: [PATCH 24/49] feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile. --- systemd/full/user/filter-chain.service | 2 ++ systemd/full/user/pipewire-media-session.service | 5 ----- systemd/full/user/pipewire-pulse.service | 2 ++ systemd/full/user/pipewire.service | 2 ++ systemd/full/user/wireplumber.service | 2 ++ systemd/full/user/wireplumber@.service | 2 ++ 6 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 systemd/full/user/filter-chain.service delete mode 100644 systemd/full/user/pipewire-media-session.service create mode 100644 systemd/full/user/pipewire-pulse.service create mode 100644 systemd/full/user/pipewire.service create mode 100644 systemd/full/user/wireplumber.service create mode 100644 systemd/full/user/wireplumber@.service diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe..000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 000000000..1d35a493e --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file From 60b91279162036a7d1a55df72d40977387fe1336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:53:47 +0200 Subject: [PATCH 25/49] feat(profile): update pipewire profiles. --- apparmor.d/groups/freedesktop/pipewire-pulse | 8 +++++++- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/wireplumber | 4 ++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 530fa97db..fddbe02f7 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -11,15 +11,18 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include + include + include include capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/pactl rix, + @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index fab642571..05e4c3ec2 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa6928298..0925bad91 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -75,6 +75,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, From d9cfef3e5d5a0bc035383e82d4cc69a9a25c0435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:03:11 +0200 Subject: [PATCH 26/49] refractor(profile): move systemd generators to their own group --- .../{systemd => systemd-generators}/systemd-generator-bless-boot | 0 .../{systemd => systemd-generators}/systemd-generator-cloud-init | 0 .../{systemd => systemd-generators}/systemd-generator-cryptsetup | 0 .../{systemd => systemd-generators}/systemd-generator-debug | 0 .../{systemd => systemd-generators}/systemd-generator-ds-identify | 0 .../systemd-generator-environment-arch | 0 .../systemd-generator-environment-flatpak | 0 .../systemd-generator-friendly-recovery | 0 .../{systemd => systemd-generators}/systemd-generator-fstab | 0 .../{systemd => systemd-generators}/systemd-generator-getty | 0 .../{systemd => systemd-generators}/systemd-generator-gpt-auto | 0 .../systemd-generator-hibernate-resume | 0 .../systemd-generator-integritysetup | 0 .../{systemd => systemd-generators}/systemd-generator-ostree | 0 .../{systemd => systemd-generators}/systemd-generator-rc-local | 0 .../groups/{systemd => systemd-generators}/systemd-generator-run | 0 .../{systemd => systemd-generators}/systemd-generator-snapd | 0 .../{systemd => systemd-generators}/systemd-generator-sshd-socket | 0 .../systemd-generator-system-update | 0 .../groups/{systemd => systemd-generators}/systemd-generator-sysv | 0 .../systemd-generator-user-autostart | 0 .../systemd-generator-user-environment | 0 .../{systemd => systemd-generators}/systemd-generator-veritysetup | 0 23 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-bless-boot (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cloud-init (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cryptsetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-debug (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ds-identify (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-arch (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-flatpak (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-friendly-recovery (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-fstab (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-getty (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-gpt-auto (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-hibernate-resume (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-integritysetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ostree (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-rc-local (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-run (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-snapd (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sshd-socket (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-system-update (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sysv (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-autostart (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-environment (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-veritysetup (100%) diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-friendly-recovery rename to apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-rc-local rename to apparmor.d/groups/systemd-generators/systemd-generator-rc-local diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-snapd rename to apparmor.d/groups/systemd-generators/systemd-generator-snapd diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sshd-socket rename to apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sysv rename to apparmor.d/groups/systemd-generators/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup From 3d76c98c4b65355203da9ffc4d1693b174d79163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:05:34 +0200 Subject: [PATCH 27/49] feat(profile): add more systemd-generator profiles. --- .../systemd-generator-environment-snapd | 18 +++++++ .../systemd-generator-import | 31 ++++++++++++ .../systemd-generator-openvpn | 27 +++++++++++ .../systemd-generators/systemd-generator-ssh | 48 +++++++++++++++++++ .../systemd-generators/systemd-generator-tpm2 | 30 ++++++++++++ dists/flags/main.flags | 9 +++- 6 files changed, 161 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-import create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-openvpn create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-ssh create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-tpm2 diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd new file mode 100644 index 000000000..b18bd6bd5 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 000000000..36ff4e5ff --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + / r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 000000000..780c63d56 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 000000000..efb56468e --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 000000000..4d601d0f9 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2736540a8..6a030fe63 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,19 +329,24 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain @@ -350,8 +355,8 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-nsresourced complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain systemd-resolve complain From 89a17146103cadf12e83543d1f5cc3504fcca2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:14:54 +0200 Subject: [PATCH 28/49] fix(profile): a few linting fixes. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/sd-mount | 2 +- apparmor.d/groups/_full/sdu | 2 +- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 1 - 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 974bc3544..106e36817 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -131,10 +131,10 @@ profile sd flags=(attach_disconnected,mediate_deleted) { @{bin}/true ix, # Required due to stacked profiles - @{bin}/grpck ix, + @{sbin}/grpck ix, @{bin}/gzip ix, @{bin}/install ix, - @{bin}/pwck ix, + @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 7f7dede60..1572a8f6d 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount @@ -36,7 +36,7 @@ profile sd-mount flags=(complain) { mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount options=(rw move) -> @{efi}, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 5ceb669f0..411a8c3ad 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -98,7 +98,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { profile shell flags=(attach_disconnected,mediate_deleted,complain) { include - + @{sh_path} mr, @{bin}/systemctl Px -> sdu//systemctl, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63..deee33daf 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 3ad03eb05..dee094aa1 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -19,7 +19,7 @@ profile update-notifier-crash @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 7aa812f79..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/wsdd +@{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 805ab8bf1..676bc4d56 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1016,7 +1016,6 @@ wpa_supplicant wqlat-bpfcc writeback.bt wrmsr -wsdd xfs_admin xfs_bmap xfs_copy From e771ef77b8c9343f29a07c32c7d3955620a12169 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:18:39 +0200 Subject: [PATCH 29/49] tests(packer): update base images content. --- .../cloud-init/archlinux-gnome.user-data.yml | 35 +------- tests/cloud-init/archlinux-kde.user-data.yml | 37 +-------- tests/cloud-init/archlinux.yml | 82 ++++++++++++++++--- tests/cloud-init/debian.yml | 32 ++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 9 ++ tests/cloud-init/ubuntu.yml | 39 ++++++++- 6 files changed, 150 insertions(+), 84 deletions(-) create mode 100644 tests/cloud-init/debian13-gnome.user-data.yml diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c292993c1..d33f685b6 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,39 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte +packages: *gnome-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index c89b3a25c..cb4c4d3b0 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,41 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular +packages: *kde-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d860f1a1e..5299efda0 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -1,37 +1,93 @@ #cloud-config -# Core packages for Archlinux core-packages: &core-packages - # Install core packages - apparmor - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - bash-completion + - docker - git - htop + - just - man - pass - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent - vim - wget -# Core desktop packages for Archlinux -desktop-packages: &desktop-packages - # Install basic services +gnome-packages: &gnome-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux - networkmanager - cups - cups-pdf - system-config-printer - - # Install Applications - - firefox - chromium + - firefox + - spice-vdagent - terminator + # Install Graphical Interface + - alacarte + - gnome + - gnome-extra + - ptyxis + - seahorse + +kde-packages: &kde-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index cead162a4..ea3012ad2 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -3,45 +3,77 @@ # Core packages for Debian core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim gnome-packages: &desktop-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Gnome packages for Debian - spice-vdagent - task-gnome-desktop - terminator + - loupe + - ptyxis kde-packages: &kubuntu-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # KDE packages for Debian diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml new file mode 100644 index 000000000..0d5adfe17 --- /dev/null +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index ba640e3af..14db33251 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -1,50 +1,81 @@ #cloud-config -# Core packages for Ubuntu core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim desktop-packages: &desktop-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu - spice-vdagent - terminator - ubuntu-desktop + - loupe + - ptyxis kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu @@ -74,3 +105,9 @@ desktop-runcmd: &desktop-runcmd # Finally, remove things only installed as dependencies of other things # we have already removed. - apt-get -y autoremove + + # Ensure systemd-networkd is disabled + - systemctl disable systemd-networkd-wait-online.service + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket From d9e6e686e0186d94fab9a9fdecc7d2c48255d3d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 01:44:09 +0200 Subject: [PATCH 30/49] build: ignore all rule in abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..5fba837d5 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, }) ) From 2282128cbddc1017740071b8058c54bf7868e90c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:43:57 +0200 Subject: [PATCH 31/49] feat(fsp): setup RBAC mapping in auth enabled profiles. --- apparmor.d/groups/ssh/sshd | 15 ++++++++------- apparmor.d/groups/utils/chfn | 1 + apparmor.d/groups/utils/chsh | 1 + apparmor.d/groups/utils/login | 3 ++- apparmor.d/groups/utils/su | 5 +++-- apparmor.d/mappings/sudo/base | 30 ++++++++++++++++++++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/mappings/sudo/base diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4b99aafd6..cc12a9eec 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{sbin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/{openssh,ssh}/sftp-server rPx, - @{lib}/{openssh,ssh}/sshd-auth rPx, - @{lib}/{openssh,ssh}/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session ix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 45b50c7ad..824d92bf4 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,6 +15,7 @@ profile chfn @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index e3581be31..a630a7733 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,6 +15,7 @@ profile chsh @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6227f4fc5..c35001498 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 81e299d23..c4e83ddfa 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,6 +12,7 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal @@ -21,8 +22,8 @@ profile su @{exec_path} { @{exec_path} mr, - @{bin}/@{shells} rUx, - @{sbin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 6c6e1c3456fce34164cf54189dc23080db02b54c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:49:16 +0200 Subject: [PATCH 32/49] feat(profile): minor fsp related improvment. --- apparmor.d/groups/freedesktop/colord | 5 +++-- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/tailscaled | 2 +- .../groups/systemd-service/snapd.system-shutdown.service | 6 +++--- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/profiles-g-l/ischroot | 2 +- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 031ba0605..ee2cdf42e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, - @{att}/@{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c4c24efc9..de8643100 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index fa6cd8ddd..bb877ec1a 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index e8939006e..ce819a791 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -13,9 +13,9 @@ include profile snapd.system-shutdown.service { include - audit @{bin}/cp ix, - audit @{bin}/mkdir ix, - audit @{bin}/mount ix, + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, @{lib}/snapd/system-shutdown r, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index deee33daf..ef278da63 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index c5b848bab..4e087343a 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} { +profile ischroot @{exec_path} flags=(attach_disconnected) { include include From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:50:20 +0200 Subject: [PATCH 33/49] feat(profile): add initial profile for systemd-initctl. --- apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-initctl diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a030fe63..e73dd4cd5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain From af82a9caa6358a64d0037761a40e286d6018f283 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:52:42 +0200 Subject: [PATCH 34/49] feat(profile): add profiles for whoopsie. --- apparmor.d/profiles-s-z/whoopsie | 31 ++++++++++++++++++ apparmor.d/profiles-s-z/whoopsie-preferences | 34 ++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whoopsie create mode 100644 apparmor.d/profiles-s-z/whoopsie-preferences diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 000000000..16a0e5a5e --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 000000000..3b720d0da --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e73dd4cd5..77ea8761f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -404,6 +404,8 @@ waybar attach_disconnected,complain wechat attach_disconnected,complain wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain From 8452eb44f18e96aa9de83c74e0902aabdcad336d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:48:38 +0200 Subject: [PATCH 35/49] feat(abs): minor improvement & cosmetic. --- apparmor.d/abstractions/app/kmod | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/sudo | 4 +++- apparmor.d/abstractions/base.d/complete | 6 ++++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- apparmor.d/abstractions/consoles.d/complete | 7 +++++++ apparmor.d/abstractions/freedesktop.org.d/complete | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/vulkan.d/complete | 1 + apparmor.d/abstractions/webkit | 2 +- apparmor.d/abstractions/zsh | 1 + 11 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 86bb7d78a..6c889bd60 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,9 +7,9 @@ include + @{bin}/kmod mr, @{sbin}/depmod mr, @{sbin}/insmod mr, - @{bin}/kmod mr, @{sbin}/lsmod mr, @{sbin}/modinfo mr, @{sbin}/modprobe mr, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 3be45b4dd..1557b78ef 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -12,7 +12,7 @@ capability dac_override, capability dac_read_search, - signal (receive) set=(stop, cont, term, kill), + signal receive set=(stop, cont, term, kill), @{bin}/ r, @{pager_path} mrix, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1286b1571..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,6 +24,8 @@ network netlink raw, # PAM + unix type=stream addr=@@{udbus}/bus/sudo/system, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 06b413342..ecfe09bb5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,14 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 38e05f48c..b002d6fa4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -9,7 +9,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..ce7bb73ba --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..220883c29 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 71e76f9da..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,7 +6,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 9481d4fec..c9a275250 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ff90849c0..02eacfb62 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -12,6 +12,7 @@ /usr/local/share/zsh/{,**} r, /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, /etc/zsh/* r, From 86202b0fbf9502671d5e053da7d55699127501c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:53:37 +0200 Subject: [PATCH 36/49] feat(fsp): small fsp improvement. --- apparmor.d/groups/_full/sd | 21 ++++++++++++++++++++- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/_full/systemd-user | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 106e36817..44b3a9b7d 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -18,7 +18,7 @@ abi , include @{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted) { +profile sd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability net_bind_service, capability net_raw, capability perfmon, capability setfcap, @@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability sys_tty_config, capability syslog, + network alg seqpacket, + network bluetooth, network inet dgram, network inet stream, network inet6 dgram, @@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) { umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, + # mount tmpfs -> @{run}/lock/, + # mount tmpfs -> @{sys}/fs/cgroup/, + # mount cgroup -> @{sys}/fs/cgroup/systemd/, + # audit mount /dev/** -> /boot/{,efi/}, + # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + + # audit remount @{run}/systemd/unit-root/{,**}, + # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, + # audit remount options=(ro nosuid nodev bind) /var/, + # audit remount options=(ro nosuid nodev noexec bind) /boot/, + + # audit umount @{PROC}/sys/fs/binfmt_misc/, + # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, + # audit umount @{run}/systemd/unit-root/{,**}, + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, change_profile, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eec9b33d9..b7c12c6bd 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/dri/card@{int} rw, + /dev/initctl w, /dev/input/ r, /dev/kmsg w, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 3b0d01709..ed531c58b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index bb824c7cb..a816e58b8 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH 37/49] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07..1355aa22b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337..641862965 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835e..a43168866 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e2..2f9077d19 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6..104d95fb3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e..8b0ea6307 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e204..1099f254d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b..56445aeac 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece3366..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e..d89d4d6f9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344..ebf975673 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368..a6f7e5b63 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f21..ce60a26c3 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d..9af8be00a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:02:20 +0200 Subject: [PATCH 38/49] feat(tunable): add the archive_path variable. --- apparmor.d/profiles-a-f/atool | 8 ++++---- apparmor.d/profiles-a-f/file-roller | 14 +------------- apparmor.d/profiles-s-z/unmkinitramfs | 6 +----- apparmor.d/profiles-s-z/xarchiver | 13 +------------ apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 6 files changed, 13 insertions(+), 34 deletions(-) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 24610cd8c..e7bfafaac 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -26,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..3ee530970 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..f38a69224 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 059f337fd..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -72,4 +72,7 @@ # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index cddb1a7d2..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -96,4 +96,7 @@ # Backup @{backup_names} = deja-dup borg +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor From 71a473712c15ee71fe39ce021577b052fea2528f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:58:02 +0200 Subject: [PATCH 39/49] tests: rewrite and expand the profile check to more files. Rewrite: Speed up the checking by not using grep anymore and only using bash, also make it parallel Revisit the way result are shown. Expand: Also scan for mapping files and abstaction completion. Adapt the scan accordingly. --- tests/check.sh | 378 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 259 insertions(+), 119 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 02ae71812..25c82e3d1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Usage: make check @@ -8,101 +8,250 @@ set -eu -o pipefail -readonly APPARMORD="apparmor.d" -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +readonly MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local type="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local type="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" } -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 fi done + return 1 } -_ensure_indentation() { +_is_enabled() { + _in_array "$1" "${WITH_CHECK[@]}" +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_check() { local file="$1" - local in_profile=false - local first_line_after_profile=true local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header fi + _check_tabs + _check_trailing + _check_indentation + _check_vim - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true + done <"$file" - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err guideline "$file" "missing 'abi ,'" + fi +} - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" =~ ^.*"${include}"$ ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err guideline "$file" "missing '$include'" + fi +} - if ! $ok; then - _die "$file:$line_number: invalid indentation." +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err guideline "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err style "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err style "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err style "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err style "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _err style "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" -} - -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" fi } -_ensure_abi() { - local file="$1" - if ! grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + + fi fi } +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err guideline "$file" "$msg" + done +} -_ensure_vim() { - local file="$1" - if ! grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -117,69 +266,60 @@ check_sbin() { } check_profiles() { - echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m ⋅ \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" - ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + jobs=0 + WITH_CHECK=(abi include header tabs trailing indentation vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" + find "$APPARMORD/mappings" -type f + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=(header tabs trailing indentation vim) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi From fff0df39ba61e862e7d62897b0126e0c2eb91835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:59:14 +0200 Subject: [PATCH 40/49] tests: add more check for sbin path Also look for path that should not use sbin. --- tests/check.sh | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 25c82e3d1..09a2e105b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -256,13 +256,39 @@ _res_vim() { } check_sbin() { - echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:" - while IFS= read -r name; do - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) - for file in "${files[@]}"; do - _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - done Date: Mon, 2 Jun 2025 20:41:20 +0200 Subject: [PATCH 41/49] test: add some security checks. --- tests/check.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 09a2e105b..59463246e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,7 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK -readonly MAX_JOBS APPARMORD="apparmor.d" +readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -58,6 +58,12 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + # Guidelines check _check_abi _check_include @@ -84,13 +90,82 @@ _check() { _res_vim } +# Rules checks: security, compatibility and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory_mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname"* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too_wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _err security "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false readonly ABI_SYNTAX='abi ,' _check_abi() { _is_enabled abi || return 0 - if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + if [[ "$line" == *"$ABI_SYNTAX" ]]; then RES_ABI=true fi } @@ -104,7 +179,7 @@ _res_abi() { RES_INCLUDE=false _check_include() { _is_enabled include || return 0 - if [[ "$line" =~ ^.*"${include}"$ ]]; then + if [[ "$line" == *"${include}"* ]]; then RES_INCLUDE=true fi } From c8f2a435f877367866fa811d4d897238c0d6108b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Jun 2025 23:59:41 +0200 Subject: [PATCH 42/49] tests: remove symbolic link from sbin. --- tests/sbin.list | 288 +++++------------------------------------------- 1 file changed, 30 insertions(+), 258 deletions(-) diff --git a/tests/sbin.list b/tests/sbin.list index 676bc4d56..d2b5c44bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -21,7 +21,6 @@ acpid acpidump add-shell addgnupghome -addgroup addpart adduser agetty @@ -31,24 +30,15 @@ alsa-info.sh alsa-init alsabat-test alsactl -alternatives anacron +apache2 apparmor_parser apparmor_status applygnupgdefaults aptd argdist-bpfcc -arp arpd -arptables -arptables-nft -arptables-nft-restore -arptables-nft-save -arptables-restore -arptables-save -arptables-translate aspell-autobuildhash -atd audisp-af_unix audisp-filter audisp-syslog @@ -90,26 +80,18 @@ blockdev blogctl blogd blogger -bluetoothd bpflist-bpfcc bpftool brctl bridge -brltty brltty-setup btrfs btrfs-convert +btrfs-find-root btrfs-image -btrfsck btrfsdist-bpfcc btrfsslower-bpfcc btrfstune -cache_check -cache_dump -cache_metadata_size -cache_repair -cache_restore -cache_writeback cachestat-bpfcc cachetop-bpfcc capable-bpfcc @@ -120,7 +102,6 @@ cgdisk chat chcpu check_mail_queue -check-bios-nx checkproc chgpasswd chkstat-polkit @@ -135,7 +116,6 @@ coldreboot compactsnoop-bpfcc complain config.postfix -cpgr cppw cpudist-bpfcc cpuunclaimed-bpfcc @@ -153,17 +133,13 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel -ctstat cups-browsed cups-genppd.5.3 cups-genppdupdate cupsaccept cupsctl cupsd -cupsdisable -cupsenable cupsfilter -cupsreject dbslower-bpfcc dbstat-bpfcc dcb @@ -173,14 +149,9 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs -debugfs.reiserfs -debugreiserfs decode -defrag.f2fs -delgroup delpart deluser -depmod devlink dhcpcd dirtop-bpfcc @@ -192,7 +163,6 @@ dmfilemapd dmidecode dmraid dmsetup -dmstats dnsmasq dosfsck dosfslabel @@ -213,34 +183,37 @@ e2undo e4crypt e4defrag eapol_test -ebtables -ebtables-nft -ebtables-nft-restore -ebtables-nft-save -ebtables-restore -ebtables-save -ebtables-translate ec_access efibootdump efibootmgr enforce -era_check -era_dump -era_invalidate -era_restore ethtool eventlogadm -exec execsnoop-bpfcc execsnoop.bt exfat2img exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm exitsnoop-bpfcc +exiwhat ext4dist-bpfcc ext4slower-bpfcc -f2fs_io -f2fscrypt -f2fslabel f2fsslower-bpfcc faillock fanatic @@ -251,7 +224,6 @@ fatresize fbtest fdformat fdisk -fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -270,7 +242,6 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 -fsck.f2fs fsck.fat fsck.minix fsck.msdos @@ -295,7 +266,6 @@ gethostlatency-bpfcc gethostlatency.bt getpcaps getsysinfo -getty getweb gnome-menus-blacklist gpart @@ -308,7 +278,6 @@ groupmod grpck grpconv grpunconv -grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -328,62 +297,30 @@ grub2-reboot grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg -halt hardirqs-bpfcc -hc-ifscan hdparm hwclock hwinfo iconvconfig -ifconfig ifrename ifstat import-openSUSE-build-key -init inject-bpfcc inputattach -insmod install_acx100_firmware install_intersil_firmware install-sgmlcatalog installkernel integritysetup invoke-rc.d -ip -ip6tables -ip6tables-apply -ip6tables-legacy ip6tables-legacy-batch -ip6tables-legacy-restore -ip6tables-legacy-save -ip6tables-nft -ip6tables-nft-restore -ip6tables-nft-save -ip6tables-restore -ip6tables-restore-translate -ip6tables-save -ip6tables-translate -ipmaddr ipp-usb ippevepcl ippeveprinter ippeveps ipset -ipset-translate -iptables iptables-apply -iptables-legacy iptables-legacy-batch -iptables-legacy-restore -iptables-legacy-save -iptables-nft -iptables-nft-restore -iptables-nft-save -iptables-restore -iptables-restore-translate -iptables-save -iptables-translate -iptunnel irqbalance irqbalance-ui isadump @@ -397,8 +334,6 @@ isosize ispell-autobuildhash isserial issue-generator -iucode_tool -iucode-tool iw iwconfig iwevent @@ -427,7 +362,6 @@ killsnoop.bt klockstat-bpfcc klogd kpartx -kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -449,29 +383,11 @@ lpadmin lpc lpinfo lpmove -lsmod -lspcmcia luksformat -lvchange -lvconvert -lvcreate -lvdisplay -lvextend lvm lvm_import_vdo -lvmconfig -lvmdevices -lvmdiskscan lvmdump lvmpolld -lvmsadc -lvmsar -lvreduce -lvremove -lvrename -lvresize -lvs -lvscan lwepgen lxc lxd @@ -484,7 +400,6 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc -mii-tool mk_isdnhwdb mkdict mkdosfs @@ -500,10 +415,6 @@ mkfs.ext4 mkfs.f2fs mkfs.fat mkfs.minix -mkfs.msdos -mkfs.ntfs -mkfs.reiserfs -mkfs.vfat mkfs.xfs mkhomedir_helper mkill @@ -515,8 +426,6 @@ mkreiserfs mksubvolume mkswap ModemManager -modinfo -modprobe mount.cifs mount.ddi mount.fuse @@ -533,12 +442,9 @@ mpathpersist multipath multipathc multipathd -mysqld mysqld_qslower-bpfcc -nameif naptime.bt needrestart -netplan netqtop-bpfcc NetworkManager newusers @@ -574,7 +480,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -583,13 +488,11 @@ pam_timestamp_check pam-auth-update pam-config paperconfig -parse.f2fs parted partprobe partx pbl pccardctl -pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -598,11 +501,9 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc -pidofproc pidpersec-bpfcc pidpersec.bt pivot_root -plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -618,7 +519,7 @@ postmap postmulti postqueue postsuper -poweroff +posttls-finger ppchcalls-bpfcc pppd pppdump @@ -627,15 +528,6 @@ pppstats pptp pptpsetup profile-bpfcc -pvchange -pvck -pvcreate -pvdisplay -pvmove -pvremove -pvresize -pvs -pvscan pwck pwconv pwhistory_helper @@ -647,108 +539,30 @@ pythongc-bpfcc pythonstat-bpfcc qemu-ga qmqp-source -rarp -rcapparmor -rcauditd -rcautofs -rcavahi-daemon -rcavahi-dnsconfd -rcblk-availability -rcbolt -rcbtrfsmaintenance-refresh -rcca-certificates -rcchrony-wait -rcchronyd -rccolord -rccron -rccups -rccups-browsed -rccups-lpd -rcdbus -rcdisplay-manager -rcdm-event -rcdnsmasq -rcfancontrol +qshape rcfirewalld -rcflatpak-system-helper -rcfstrim -rcfwupd -rcfwupd-offline-update -rcfwupd-refresh -rcgpm -rcirqbalance -rcissue-add-ssh-keys -rcissue-generator -rckexec-load -rclm_sensors -rclogrotate -rclvm2-lvmpolld -rclvm2-monitor -rcmariadb -rcmcelog -rcmdmonitor -rcModemManager -rcmultipathd -rcmysql -rcnetwork -rcnfs-client -rcnmb rcopenvpn -rcostree-prepare-root -rcostree-remount -rcpackagekit -rcpackagekit-offline-update rcpcscd -rcpkcs11_eventmgr -rcpostfix -rcrng-tools -rcrpcbind -rcrsyncd -rcrtkit-daemon -rcsddm -rcsmartd -rcsmb -rcsnmpd -rcsnmptrapd -rcspeech-dispatcherd -rcspice-vdagentd -rcsshd -rctuned -rcudisks2 -rcupower -rcusbmuxd -rcwpa_supplicant -rcwsdd rcxdm rcxvnc rdma rdmaucma-bpfcc -rdmsr readahead-bpfcc readprofile -reboot -refresh_initrd +realm regdbdump -reiserfsck -reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc -resize_reiserfs -resize.f2fs resize2fs resizepart -resolvconf rfkill -rmmod -rmt rmt-tar rndc rndc-confgen rngd -route routel rpc.gssd rpc.idmapd @@ -757,7 +571,6 @@ rpc.svcgssd rpcbind rpcctl rpcdebug -rpcinfo rpmconfigcheck rsyncd rsyslogd @@ -765,14 +578,12 @@ rtacct rtcwake rtkitctl rtmon -rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc runc -runlevel runqlat-bpfcc runqlat.bt runqlen-bpfcc @@ -792,8 +603,6 @@ sensors-detect service set_polkit_default_privs setcap -setconsole -setpci setuids.bt setup-nsssysinit.sh setvesablank @@ -805,12 +614,9 @@ shim-install shmsnoop-bpfcc showconsole showmount -shutdown skdump sktest slabratetop-bpfcc -slattach -sload.f2fs sm-notify smart_agetty smartctl @@ -828,12 +634,12 @@ spice-vdagentd ss sshd sshd-gen-keys-start +sshd.hmac ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc -start_daemon start-statd start-stop-daemon startproc @@ -855,6 +661,7 @@ sysconf_addword syscount-bpfcc syscount.bt sysctl +syslog2eximlog sysusers2shadow tarcat tc @@ -881,33 +688,20 @@ tcpsynbl-bpfcc tcpsynbl.bt tcptop-bpfcc tcptracer-bpfcc -tcptraceroute tcptraceroute.db -telinit thermald -thin_check -thin_delta -thin_dump -thin_ls -thin_metadata_size -thin_repair -thin_restore -thin_rmap -thin_trim threadsnoop-bpfcc threadsnoop.bt tipc tlp tplist-bpfcc trace-bpfcc -traceroute tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs tuned tuned-adm -tunefs.reiserfs tunelp u-d-c-print-pci-ids ucalls @@ -923,21 +717,21 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-bootloader +update-alternatives update-ca-certificates update-catalog update-cracklib -update-default-aspell update-default-ispell update-default-wordlist update-dictcommon-aspell update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template update-fonts-alias update-fonts-dir update-fonts-scale update-grub update-grub-gfxpayload -update-grub2 update-gsfontmap update-icon-caches update-ieee-data @@ -973,30 +767,10 @@ vfscount-bpfcc vfscount.bt vfsstat-bpfcc vfsstat.bt -vgcfgbackup -vgcfgrestore -vgchange -vgck -vgconvert -vgcreate -vgdisplay -vgexport -vgextend -vgimport -vgimportclone -vgimportdevices -vgmerge -vgmknodes -vgreduce -vgremove -vgrename -vgs -vgscan -vgsplit vhangup -vigr vipw virt-what +virt-what-cvm virtiostat-bpfcc virtlockd virtlogd @@ -1015,7 +789,6 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt -wrmsr xfs_admin xfs_bmap xfs_copy @@ -1032,6 +805,7 @@ xfs_metadump xfs_mkfile xfs_ncheck xfs_property +xfs_protofile xfs_quota xfs_repair xfs_rtcp @@ -1043,9 +817,7 @@ xfsdist.bt xfsslower-bpfcc xkbctrl xtables-legacy-multi -xtables-monitor xtables-nft-multi -yast yast2 zdump zerofree From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH 43/49] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd60..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d42..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c..ab230a43b 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac82..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d7..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f51..6eeeaa414 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26..57a0baa20 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce53..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d..6431ee98a 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276c..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c88..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a9..1f1fc66eb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..6cf3b824c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781..ce41d6ae8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909d..9fd065db3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2..916279378 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4a..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a3..4d730602d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd..aea3cbf01 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3a..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d..bb7dfd3b8 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a7..3505126ad 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff86..9a7e77902 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf8..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea062..133cf8ae7 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f4..aeb125ef2 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b..485520ca0 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c..e23d4db43 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a0..023644eb0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc..15373846c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy From f0355f36b9fd74725e086790db305de6c25edafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:36:30 +0200 Subject: [PATCH 44/49] tests: show error line in sbin check. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 59463246e..add9b0685 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -338,7 +338,7 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done @@ -349,7 +349,7 @@ check_sbin() { local pattern='[[:alnum:]_.-]+' # Pattern for valid file names jobs=0 - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do ( while read -r match; do @@ -359,7 +359,7 @@ check_sbin() { _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "$file") + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & _wait jobs done From edcbaa1b94f511e4b3db9642718887dc98f93511 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:01:24 +0200 Subject: [PATCH 45/49] fix: add gpartedbin back to sbin.list. --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 15373846c..a17f15448 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -275,6 +275,7 @@ getweb gnome-menus-blacklist gpart gparted +gpartedbin gpm groupadd groupdel From 65f96447530dccb2928b682d76c37cfb0164a76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:37:59 +0200 Subject: [PATCH 46/49] fix: linter check. --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/profiles-g-l/hw-probe | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0064d682b..209971ac2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -34,7 +34,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{sbin}/wsdd rPx, + @{bin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 11e863972..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{sbin}/lspci rCx -> lspci, + @{bin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{sbin}/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index fc6b8775b..f518a18f0 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, From a4737546f76fe1f4aaa65d2ad7d5663c3a317c5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:58:24 +0200 Subject: [PATCH 47/49] tests: update sbin.list --- apparmor.d/profiles-g-l/haveged | 2 +- tests/sbin.list | 43 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..5773a73fb 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include diff --git a/tests/sbin.list b/tests/sbin.list index a17f15448..1adc90ee8 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1,3 +1,5 @@ +a2enmod +a2query aa-audit aa-autodep aa-cleanprof @@ -32,6 +34,7 @@ alsabat-test alsactl anacron apache2 +apache2ctl apparmor_parser apparmor_status applygnupgdefaults @@ -65,7 +68,6 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode -biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -103,6 +105,7 @@ cfdisk cgdisk chat chcpu +check_forensic check_mail_queue check-bios-nx checkproc @@ -164,7 +167,6 @@ dmevent_tool dmeventd dmfilemapd dmidecode -dmidecode dmraid dmsetup dnsmasq @@ -191,6 +193,8 @@ ec_access efibootdump efibootmgr enforce +ephemeral-disk-warning +escapesrc ethtool eventlogadm execsnoop-bpfcc @@ -264,8 +268,12 @@ g13-syshelp gdisk gdm gdm3 +genccode +gencmn genl +gennorm2 genprof +gensprep getcap gethostlatency-bpfcc gethostlatency.bt @@ -304,10 +312,19 @@ grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc +haveged hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon hwclock hwinfo iconvconfig +icupkg ifconfig ifrename ifstat @@ -321,6 +338,7 @@ installkernel integritysetup invoke-rc.d ip6tables-legacy-batch +ipmaddr ipp-usb ippevepcl ippeveprinter @@ -328,6 +346,7 @@ ippeveps ipset iptables-apply iptables-legacy-batch +iptunnel irqbalance irqbalance-ui isadump @@ -392,6 +411,7 @@ lpadmin lpc lpinfo lpmove +lsvmbus luksformat lvm lvm_import_vdo @@ -410,6 +430,7 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc +mii-tool mk_isdnhwdb mkdict mkdosfs @@ -453,7 +474,9 @@ mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc +nameif naptime.bt needrestart netqtop-bpfcc @@ -468,6 +491,7 @@ nfsiostat nfsslower-bpfcc nfsstat nft +nginx nmbd nodegc-bpfcc nodestat-bpfcc @@ -480,6 +504,7 @@ ntfscp ntfslabel ntfsresize ntfsundelete +nvme offcputime-bpfcc offwaketime-bpfcc on_ac_power @@ -491,7 +516,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -510,12 +534,17 @@ pdata_tools perlcalls-bpfcc perlflow-bpfcc perlstat-bpfcc +pg_updatedicts +php-fpm8.3 phpcalls-bpfcc +phpenmod phpflow-bpfcc +phpquery phpstat-bpfcc pidpersec-bpfcc pidpersec.bt pivot_root +plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -552,6 +581,7 @@ pythonstat-bpfcc qemu-ga qmqp-source qshape +rarp rcfirewalld rcopenvpn rcpcscd @@ -632,6 +662,7 @@ showmount skdump sktest slabratetop-bpfcc +slattach sm-notify smart_agetty smartctl @@ -646,6 +677,7 @@ sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +split-logfile ss sshd sshd-gen-keys-start @@ -754,6 +786,7 @@ update-inetd update-info-dir update-initramfs update-java-alternatives +update-language update-locale update-mime update-passwd @@ -762,6 +795,9 @@ update-rc.d update-secureboot-policy update-shells update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile update-xmlcatalog upgrade-from-grub-legacy usb_modeswitch @@ -793,7 +829,6 @@ visudo vmcore-dmesg vncsession vpddecode -vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc From e3bd48bd758601e17cef0d6825268e4cad55ead8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:55:17 +0200 Subject: [PATCH 48/49] build: justfile: add group. --- Justfile | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 825097a1b..4021b0e5a 100644 --- a/Justfile +++ b/Justfile @@ -64,24 +64,34 @@ help: @just --list --unsorted @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." +[group('build')] [doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +[group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild +[group('build')] [doc('Prebuild the profiles in complain mode')] complain: build @./{{build}}/prebuild --complain +[group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build @./{{build}}/prebuild --complain --full -[doc('Install the profiles')] +[group('build')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -108,26 +118,31 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +[group('packages')] [doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +[group('packages')] [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +[group('tests')] [doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +[group('linter')] [doc('Run the linters')] lint: golangci-lint run @@ -138,18 +153,22 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +[group('linter')] [doc('Run style checks on the profiles')] check: @bash tests/check.sh +[group('docs')] [doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +[group('docs')] [doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +[group('docs')] [doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @@ -160,6 +179,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +[group('packages')] [doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash @@ -175,6 +195,7 @@ package dist: fi bash dists/docker.sh $dist $version +[group('vm')] [doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} @@ -192,6 +213,7 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +[group('vm')] [doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @@ -211,33 +233,40 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +[group('vm')] [doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +[group('vm')] [doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] [doc('List the machines')] list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +[group('vm')] [doc('List the VM images')] images: #!/usr/bin/env bash @@ -254,6 +283,7 @@ images: } ' +[group('vm')] [doc('List the VM images that can be created')] available: #!/usr/bin/env bash @@ -270,6 +300,8 @@ available: } ' + +[group('tests')] [doc('Run the integration tests on the machine')] integration dist flavor: @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @@ -280,12 +312,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ - +[group('internal')] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' +[group('internal')] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From 3291d9a370f5972f67ba5d524f90312f7fbd49eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:56:18 +0200 Subject: [PATCH 49/49] fix: use mappings/sudo in su. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index c4e83ddfa..866da3d6a 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,7 +12,7 @@ profile su @{exec_path} { include include include - include #aa:only RBAC + include #aa:only RBAC capability chown, # pseudo-terminal