feat(fsp): systemd drop in files: configure stacked profile

It comes as a replacement of old and unsecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable as hundred of profile could be configured this way
2025-05-26 23:31:35 +02:00 · 2025-05-26 23:31:35 +02:00 · 8f3f3816ed
commit 8f3f3816ed
parent 4ffbf84a00
29 changed files with 29 additions and 38 deletions
--- a/systemd/full/system/ModemManager.service
+++ b/systemd/full/system/ModemManager.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&ModemManager
--- a/systemd/full/system/archlinux-keyring-wkd-sync.service
+++ b/systemd/full/system/archlinux-keyring-wkd-sync.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&archlinux-keyring-wkd-sync
--- a/systemd/full/system/dbus-org.freedesktop.hostname1.service
+++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-hostnamed
--- a/systemd/full/system/dbus-org.freedesktop.import1.service
+++ b/systemd/full/system/dbus-org.freedesktop.import1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-importd
--- a/systemd/full/system/dbus-org.freedesktop.locale1.service
+++ b/systemd/full/system/dbus-org.freedesktop.locale1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-localed
--- a/systemd/full/system/dbus-org.freedesktop.login1.service
+++ b/systemd/full/system/dbus-org.freedesktop.login1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-logind
--- a/systemd/full/system/dbus-org.freedesktop.machine1.service
+++ b/systemd/full/system/dbus-org.freedesktop.machine1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-machined
--- a/systemd/full/system/dbus-org.freedesktop.timedate1.service
+++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-timedated
--- a/systemd/full/system/e2scrub@.service
+++ b/systemd/full/system/e2scrub@.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&e2scrub
--- a/systemd/full/system/e2scrub_reap.service
+++ b/systemd/full/system/e2scrub_reap.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&e2scrub_all
--- a/systemd/full/system/fprintd.service
+++ b/systemd/full/system/fprintd.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&fprintd
--- a/systemd/full/system/fwupd-refresh.service
+++ b/systemd/full/system/fwupd-refresh.service
@ -1,4 +1,2 @@
 [Service]
-ProtectKernelModules=no
-RestrictRealtime=no
-ProtectKernelModules=no
+AppArmorProfile=&fwupdmgr
--- a/systemd/full/system/geoclue.service
+++ b/systemd/full/system/geoclue.service
@ -1,6 +1,2 @@
 [Service]
-NoNewPrivileges=no
-MemoryDenyWriteExecute=no
-ProtectKernelTunables=no
-ProtectKernelModules=no
-RestrictRealtime=no
+AppArmorProfile=&geoclue
--- a/systemd/full/system/irqbalance.service
+++ b/systemd/full/system/irqbalance.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&irqbalance
--- a/systemd/full/system/nm-priv-helper.service
+++ b/systemd/full/system/nm-priv-helper.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&nm-priv-helper
--- a/systemd/full/system/polkit.service
+++ b/systemd/full/system/polkit.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&polkitd
--- a/systemd/full/system/rngd.service
+++ b/systemd/full/system/rngd.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&rngd
--- a/systemd/full/system/systemd-homed.service
+++ b/systemd/full/system/systemd-homed.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-homed
--- a/systemd/full/system/systemd-hostnamed.service
+++ b/systemd/full/system/systemd-hostnamed.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-hostnamed
--- a/systemd/full/system/systemd-journald.service
+++ b/systemd/full/system/systemd-journald.service
@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
+AppArmorProfile=&systemd-journald
--- a/systemd/full/system/systemd-journald@.service
+++ b/systemd/full/system/systemd-journald@.service
@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
+AppArmorProfile=&systemd-journald
--- a/systemd/full/system/systemd-localed.service
+++ b/systemd/full/system/systemd-localed.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-localed
--- a/systemd/full/system/systemd-logind.service
+++ b/systemd/full/system/systemd-logind.service
@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
+AppArmorProfile=&systemd-logind
--- a/systemd/full/system/systemd-machined.service
+++ b/systemd/full/system/systemd-machined.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-machined
--- a/systemd/full/system/systemd-networkd.service
+++ b/systemd/full/system/systemd-networkd.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-networkd
--- a/systemd/full/system/systemd-resolved.service
+++ b/systemd/full/system/systemd-resolved.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-resolved
--- a/systemd/full/system/systemd-timedated.service
+++ b/systemd/full/system/systemd-timedated.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-timedated
--- a/systemd/full/system/systemd-userdbd.service
+++ b/systemd/full/system/systemd-userdbd.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-userdbd
--- a/systemd/full/system/upower.service
+++ b/systemd/full/system/upower.service
@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&upowerd