feat(profiles): general update.

2023-09-01 22:50:43 +01:00 · 2023-09-01 22:50:43 +01:00 · b2fa7bacb8
commit b2fa7bacb8
parent 0c151259d2
19 changed files with 108 additions and 72 deletions
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -16,9 +16,11 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {

  capability dac_override,
  capability dac_read_search,
+  capability mknod,
  capability net_admin,
  capability sys_resource,

+  signal (receive) set=(term) peer=cockpit-bridge,
  signal (send) peer=child-pager,

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
  @{run}/udev/data/c4:@{int} r,           # For TTY devices
  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
+  @{run}/udev/data/c108:@{int} r,         # For /dev/ppp
  @{run}/udev/data/c18[8-9]:[0-9]* r,     # USB devices & USB serial converters
  @{run}/udev/data/c29:[0-9]* r,          # For CD-ROM
  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -33,7 +33,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  network inet6 dgram,
  network netlink raw,

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,e}grep          rix,
@ -50,21 +50,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/setfacl           rix,
  @{bin}/snap              rPx,
  @{bin}/unshare           rix,
+  @{bin}/lvm               rPx,
+  @{bin}/touch             rix,

-  @{bin}/*             rpux,
-  audit @{bin}/lvm      rux,
-
-  @{lib}/pm-utils/power.d/*          rPUx,
-  @{lib}/snapd/snap-device-helper     rPx,
-  @{lib}/crda/*                      rPUx,
-  @{lib}/gdm-runtime-config           rPx,
-  @{lib}/systemd/systemd-*            rPx,
-  @{lib}/nfsrahead                    rPUx,
-  @{lib}/udev/*                      rPUx,
+  @{bin}/systemctl rCx -> systemctl,
+  @{lib}/crda/*                           rPUx,
+  @{lib}/gdm-runtime-config               rPx,
+  @{lib}/nfsrahead                        rPUx,
  @{lib}/open-iscsi/net-interface-handler rPUx,
+  @{lib}/pm-utils/power.d/*               rPUx,
+  @{lib}/snapd/snap-device-helper         rPx,
+  @{lib}/systemd/systemd-*                rPx,
+  @{lib}/udev/*                           rPUx,
  /usr/share/hplip/config_usb_printer.py  rPUx,

-  /etc/console-setup/*.sh       rPUx,
+  /etc/console-setup/*.sh            rPUx,
  /etc/network/cloud-ifupdown-helper rPUx,

  /etc/machine-id r,
@ -110,5 +110,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  deny /apparmor/.null rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemd-common>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{bin}/systemctl mr,
+  
+    / r,
+
+    @{PROC}/sys/kernel/cap_last_cap r,
+
+    include if exists <local/systemd-udevd_systemctl>
+  }
+
  include if exists <local/systemd-udevd>
 }