From 96ea9d17ae48e526564a7df77a42d2fd3e593165 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:32:57 +0000
Subject: [PATCH] feat(full): disable nnp flag on some services.
---
pkg/prebuild/prepare.go | 5 +++++
systemd/full/system/ModemManager.service | 2 ++
systemd/full/system/e2scrub_reap.service | 2 ++
systemd/full/system/fwupd-refresh.service | 3 +++
systemd/full/system/irqbalance.service | 2 ++
systemd/full/system/rngd.service | 2 ++
systemd/full/system/systemd-homed.service | 2 ++
systemd/full/system/systemd-hostnamed.service | 2 ++
systemd/full/system/systemd-journald.service | 3 +++
systemd/full/system/systemd-localed.service | 2 ++
systemd/full/system/systemd-logind.service | 3 +++
systemd/full/system/systemd-timedated.service | 2 ++
systemd/full/system/systemd-userdbd.service | 2 ++
systemd/full/system/upower.service | 2 ++
systemd/full/system/user@.service | 3 +++
15 files changed, 37 insertions(+)
create mode 100644 systemd/full/system/ModemManager.service
create mode 100644 systemd/full/system/e2scrub_reap.service
create mode 100644 systemd/full/system/fwupd-refresh.service
create mode 100644 systemd/full/system/irqbalance.service
create mode 100644 systemd/full/system/rngd.service
create mode 100644 systemd/full/system/systemd-homed.service
create mode 100644 systemd/full/system/systemd-hostnamed.service
create mode 100644 systemd/full/system/systemd-journald.service
create mode 100644 systemd/full/system/systemd-localed.service
create mode 100644 systemd/full/system/systemd-logind.service
create mode 100644 systemd/full/system/systemd-timedated.service
create mode 100644 systemd/full/system/systemd-userdbd.service
create mode 100644 systemd/full/system/upower.service
create mode 100644 systemd/full/system/user@.service
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 20c9d9be8..23f862350 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -200,6 +200,11 @@ func SetFullSystemPolicy() error {
 return err
 }
+ // Set systemd unit drop-in files
+ if err := copyTo(paths.New("systemd/full/"), Root.Join("systemd")); err != nil {
+ return err
+ }
+
 logging.Success("Configure AppArmor for full system policy")
 return nil
 }
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/ModemManager.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/e2scrub_reap.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
new file mode 100644
index 000000000..b11945a16
--- /dev/null
+++ b/systemd/full/system/fwupd-refresh.service
@@ -0,0 +1,3 @@
+[Service]
+ProtectKernelModules=no
+RestrictRealtime=no
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/irqbalance.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/rngd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-homed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
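Review bot: The new comment `// Set systemd unit drop-in files` records what the copy does but not why the files exist, and every file it installs relaxes a unit sandboxing option (NoNewPrivileges=no, ProtectClock=no, ProtectKernelModules=no, RestrictRealtime=no), which is exactly the kind of hardening regression a later maintainer will revert if the intent is not written down. Suggest `// Install systemd drop-ins that relax unit sandboxing options (e.g. NoNewPrivileges=no) for units that need it under the full system policy; each relaxed option is a deliberate trade-off, see systemd/full/system/` — the commit message does not say why the options conflict with the policy, so the reason itself should be confirmed before it is written. The sources are named like whole units (systemd/full/system/ModemManager.service) rather than `<unit>.d/*.conf` snippets, and copyTo appears to keep that layout under Root.Join("systemd"); if no later install step moves them into `.d/` directories they would shadow the distribution units instead of extending them, which cannot be checked from this diff, so the comment should also state the expected destination. SetFullSystemPolicy begins before this hunk.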
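Review bot: The ModemManager drop-in disables NoNewPrivileges without recording why, and the same applies to the e2scrub_reap, irqbalance, rngd, systemd-homed, systemd-hostnamed, systemd-localed, systemd-timedated, systemd-userdbd and upower drop-ins in this commit, as well as to `ProtectClock=no` in systemd-journald and systemd-logind and `ProtectKernelModules=no`/`RestrictRealtime=no` in fwupd-refresh. NoNewPrivileges is the setting that keeps a service from gaining privileges through setuid, setgid or file-capability execs, so the rationale belongs in the file itself where whoever next audits the unit's hardening will see it (the user@.service drop-in in this commit shows `#` comments are fine here). Suggest a header line per file such as `# apparmor.d full system policy: NoNewPrivileges relaxed on purpose (reason: TODO — presumably it blocks the AppArmor profile transition on exec; confirm)` with the placeholder replaced once the actual reason is known. The files also end without a newline (`\ No newline at end of file`), which systemd tolerates but which will show up as churn in every later edit.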
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-journald.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-localed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-logind.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-timedated.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-userdbd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/upower.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/user@.service b/systemd/full/system/user@.service
new file mode 100644
index 000000000..05023d01d
--- /dev/null
+++ b/systemd/full/system/user@.service
@@ -0,0 +1,3 @@
+# TODO: works as intended on server, does not work on desktop
+# [Service]
+# AppArmorProfile=systemd-user
\ No newline at end of file
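Review bot: The new user@.service drop-in consists only of comments, so it installs an empty override that changes nothing at runtime yet still shows up as a drop-in on the unit. Either leave the file out until the desktop problem is resolved, or make the TODO actionable by stating what fails on desktop (which session components break and with what denial), since `does not work on desktop` gives the next reader nothing to reproduce. It also lacks a trailing newline like the other files in this commit.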