feat(profile): start implementing systemctl subprofile instead of using child-systemctl.

2024-03-05 17:45:02 +00:00 · 2024-03-05 17:45:02 +00:00 · 70963a50b6
commit 70963a50b6
parent a7e37528d5
11 changed files with 75 additions and 17 deletions
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -94,7 +94,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{bin}/kmod                                                rPx,
  @{bin}/netconfig                                          rPUx,
  @{bin}/resolvconf                                          rPx,
-  @{bin}/systemctl                                           rPx -> child-systemctl,
+  @{bin}/systemctl                                           rCx -> systemctl,
  @{lib}/{,NetworkManager/}nm-daemon-helper                  rPx,
  @{lib}/{,NetworkManager/}nm-dhcp-helper                    rPx,
  @{lib}/{,NetworkManager/}nm-dispatcher                     rPx,
@ -153,5 +153,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  /dev/rfkill rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/NetworkManager_systemctl>
+  }
+
  include if exists <local/NetworkManager>
 }
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -49,14 +49,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {

  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/systemctl>

    capability net_admin,

-    @{bin}/systemctl mr,
-
-    owner @{run}/systemd/private rw,
-
    include if exists <local/netplan.script_systemctl>
  }