feat(fsp): small fsp improvement.

2025-06-01 15:53:37 +02:00 · 2025-06-01 15:53:37 +02:00 · 86202b0fbf
commit 86202b0fbf
parent 8452eb44f1
4 changed files with 23 additions and 2 deletions
--- a/apparmor.d/groups/_full/sd
+++ b/apparmor.d/groups/_full/sd
@ -18,7 +18,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/systemd-executor
-profile sd flags=(attach_disconnected,mediate_deleted) {
+profile sd flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
  capability linux_immutable,
  capability mknod,
  capability net_admin,
+  capability net_bind_service,
  capability net_raw,
  capability perfmon,
  capability setfcap,
@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
  capability sys_tty_config,
  capability syslog,

+  network alg seqpacket,
+  network bluetooth,
  network inet dgram,
  network inet stream,
  network inet6 dgram,
@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
  umount /dev/shm/,
  umount @{run}/systemd/mount-rootfs/{,**},

+  # mount tmpfs -> @{run}/lock/,
+  # mount tmpfs -> @{sys}/fs/cgroup/,
+  # mount cgroup -> @{sys}/fs/cgroup/systemd/,
+  # audit mount                                                             /dev/** -> /boot/{,efi/},
+  # audit mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
+  # audit mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
+
+  # audit remount                                        @{run}/systemd/unit-root/{,**},
+  # audit remount options=(ro noexec noatime bind)       /var/snap/{,**},
+  # audit remount options=(ro nosuid nodev bind)         /var/,
+  # audit remount options=(ro nosuid nodev noexec bind)  /boot/,
+
+  # audit umount @{PROC}/sys/fs/binfmt_misc/,
+  # audit umount @{run}/systemd/namespace-@{rand6}/{,**},
+  # audit umount @{run}/systemd/unit-root/{,**},
+
  pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,

  change_profile,
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {

        /dev/autofs r,
        /dev/dri/card@{int} rw,
+        /dev/initctl w,
        /dev/input/ r,
        /dev/kmsg w,
        /dev/tty rw,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/kernel/threads-max r,
+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/gid_map r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/flatpak/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {

  @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
  @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
-  @{sbin}/update-mime-database         rPx -> flatpak-app//&update-mime-database,
+  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
  @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,

  @{lib}/kf5/kioslave5                 rPx,