felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): systemd: improve some ctl tools.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-04 20:31:10 +02:00
parent 3e0c3067d8
commit 74dcf2defc
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
6 changed files with 43 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/systemd/bootctl
View file

@ -15,6 +15,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability sys_resource,
signal (send) peer=child-pager, signal (send) peer=child-pager,
@ -36,6 +37,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
/{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/entries.srel w,
/{boot,efi}/loader/random-seed w, /{boot,efi}/loader/random-seed w,
/etc/kernel/entry-token r,
/etc/machine-id r, /etc/machine-id r,
/etc/machine-info r, /etc/machine-info r,

13
apparmor.d/groups/systemd/busctl
View file

@ -34,6 +34,19 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Monitoring interface=org.freedesktop.DBus.Monitoring
member=BecomeMonitor member=BecomeMonitor
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionCredentials,ListNames,ListActivatableNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus.Monitoring
member=BecomeMonitor
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionCredentials,ListNames,ListActivatableNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/groups/systemd/coredumpctl
View file

@ -10,8 +10,9 @@ include <tunables/global>
@{exec_path} = @{bin}/coredumpctl @{exec_path} = @{bin}/coredumpctl
profile coredumpctl @{exec_path} flags=(complain) { profile coredumpctl @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,

7
apparmor.d/groups/systemd/localectl
View file

@ -10,9 +10,14 @@ include <tunables/global>
profile localectl @{exec_path} { profile localectl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/systemd> include <abstractions/common/systemd>
include <abstractions/bus-system>
capability net_admin, capability net_admin,
signal send set=cont peer=child-pager,
#aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed
@{exec_path} mr, @{exec_path} mr,
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
@ -20,6 +25,8 @@ profile localectl @{exec_path} {
/usr/share/kbd/keymaps/{,**} r, /usr/share/kbd/keymaps/{,**} r,
owner @{PROC}/@{pid}/cgroup r,
include if exists <local/localectl> include if exists <local/localectl>
} }

18
apparmor.d/groups/systemd/loginctl
View file

@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/loginctl @{exec_path} = @{bin}/loginctl
profile loginctl @{exec_path} flags=(attach_disconnected) { profile loginctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/common/systemd> include <abstractions/common/systemd>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability net_admin, capability net_admin,
@ -26,6 +27,21 @@ profile loginctl @{exec_path} flags=(attach_disconnected) {
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
@{bin}/ssh rPx, @{bin}/ssh rPx,
/etc/machine-id r,
@{run}/log/journal/ r,
/var/lib/systemd/catalog/database r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
@{PROC}/sys/fs/nr_open r, @{PROC}/sys/fs/nr_open r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,

2
apparmor.d/groups/systemd/resolvectl
View file

@ -13,6 +13,8 @@ profile resolvectl @{exec_path} {
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/common/systemd> include <abstractions/common/systemd>
signal send set=cont peer=child-pager,
#aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
@{exec_path} mr, @{exec_path} mr,