feat(profile): start implementing systemctl subprofile instead of using child-systemctl.

2024-03-05 17:45:02 +00:00 · 2024-03-05 17:45:02 +00:00 · 70963a50b6
commit 70963a50b6
parent a7e37528d5
11 changed files with 75 additions and 17 deletions
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -104,7 +104,7 @@ profile pacman @{exec_path} {
  @{bin}/setfacl                     rix,
  @{bin}/sync                        rix,
  @{bin}/sysctl                      rPx,
-  @{bin}/systemctl                   rPx -> child-systemctl,
+  @{bin}/systemctl                   rCx -> systemctl,
  @{bin}/systemd-*                   rPx,
  @{bin}/touch                       rix,
  @{bin}/tput                        rix,
@ -203,6 +203,15 @@ profile pacman @{exec_path} {
    include if exists <local/pacman_gpg>
  }

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman_systemctl>
+  }
+
  include if exists <usr/pacman.d>
  include if exists <local/pacman>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@ -19,7 +19,7 @@ profile pacman-hook-systemd @{exec_path} {
  @{bin}/touch rix,

  @{bin}/journalctl             rPx,
-  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemctl              rCx -> systemctl,
  @{bin}/systemd-detect-virt    rPx,
  @{bin}/systemd-hwdb           rPx,
  @{bin}/systemd-sysusers       rPx,
@ -38,5 +38,14 @@ profile pacman-hook-systemd @{exec_path} {
  deny network inet6 stream,
  deny network inet stream,

+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman-hook-systemd_systemctl>
+  }
+
  include if exists <local/pacman-hook-systemd>
 }