feat: prefix variables that refer to a profile

2024-04-02 13:41:08 +01:00 · 2024-04-02 13:41:08 +01:00 · 6dd0c36e9a
commit 6dd0c36e9a
parent 751bc683d9
39 changed files with 57 additions and 49 deletions
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -28,7 +28,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  signal (send) set=(term, cont, kill),
  signal (receive) set=(hup) peer=@{systemd},

-  ptrace (read),
+  ptrace (read),@{p_systemd}

  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -30,7 +30,7 @@ profile dbus-system flags=(attach_disconnected) {
  network bluetooth stream,
  network bluetooth seqpacket,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  dbus bus=system,

--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -22,7 +22,7 @@ profile plymouthd @{exec_path} {
  network netlink raw,

  signal (send) peer=unconfined,
-  signal (send) set=(rtmin+23) peer=@{systemd},
+  signal (send) set=(rtmin+23) peer=@{p_systemd},
  signal (send) set=(rtmin+23) peer=systemd-shutdown,

  ptrace (read) peer=plymouth,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -46,7 +46,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@ -11,14 +11,14 @@ profile gnome-session-ctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>

-  signal (receive) set=(kill) peer=@{systemd},
+  signal (receive) set=(kill) peer=@{p_systemd},

  unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),

  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member={StartUnit,StopUnit}
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  dbus send bus=session path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -165,7 +165,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd_user}"),
+       peer=(name=:*, label="@{p_systemd_user}"),

  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -39,7 +39,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  ptrace (read),
  ptrace (trace) peer=@{profile_name},

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
  signal (send) set=(kill, term) peer=startplasma,
  signal (send) set=(kill, term) peer=xorg,
  signal (send) set=(term) peer=kwin_wayland,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -11,7 +11,7 @@ profile startplasma @{exec_path} {
  include <abstractions/base>
  include <abstractions/kde-strict>

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},
  signal (receive) set=(term) peer=sddm,

  @{exec_path} mr,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  capability sys_nice,
  capability sys_ptrace,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  #aa:dbus own bus=system name=org.freedesktop.nm_dispatcher

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -49,9 +49,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},

-  ptrace (read,trace) peer=@{systemd},
+  ptrace (read,trace) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/sshd/system,

--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -22,7 +22,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  signal send peer=child-pager,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,7 +22,7 @@ profile systemd-analyze @{exec_path} {

  signal (send) peer=child-pager,

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -12,7 +12,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-run
+++ b/apparmor.d/groups/systemd/systemd-generator-run
@ -11,7 +11,7 @@ profile systemd-generator-run @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-generator-veritysetup
+++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup
@ -11,7 +11,7 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -33,7 +33,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=org.freedesktop.login1

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  dbus receive bus=system path=/org/freedesktop/login@{int}{,/seat/auto,session/_@{int}}
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -33,7 +33,7 @@ profile systemd-machined @{exec_path} {

  #aa:dbus own bus=system name=org.freedesktop.machine1

-  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@ -14,7 +14,7 @@ profile systemd-sulogin-shell @{exec_path} {
  capability net_admin,
  capability sys_resource,

-  signal (receive) set=(hup) peer=@{systemd},
+  signal (receive) set=(hup) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -22,7 +22,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,

  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
-  unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),
+  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),

  #aa:dbus own bus=system name=org.freedesktop.timesync1

--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {

  capability net_admin,

-  ptrace (read) peer=@{systemd},
+  ptrace (read) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@ -14,7 +14,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {

  capability sys_resource,

-  signal (send) peer=@{systemd},
+  signal (send) peer=@{p_systemd},

  @{exec_path} mr,

--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -94,7 +94,7 @@ profile update-notifier @{exec_path} {
    dbus send bus=system path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
         member=GetUnitFileState
-         peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+         peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

    include if exists <local/update-notifier_systemctl>
  }