felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-21 00:21:49 +02:00 committed by Alex
parent fd0092d431
commit c09b5d85a4
11 changed files with 80 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

71
Justfile
View file

@ -2,18 +2,8 @@
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Usage: # Usage: `just`
# just # See https://apparmor.pujol.io/development/ for more information.
# just img ubuntu24 server
# just vm ubuntu24 server
# just up ubuntu24 server
# just ssh ubuntu24 server
# just halt ubuntu24 server
# just destroy ubuntu24 server
# just list
# just images
# just available
# just clean
# Build setings # Build setings
destdir := "/" destdir := "/"
@ -125,7 +115,7 @@ install:
[group('install')] [group('install')]
[doc('Locally install prebuild profiles')] [doc('Locally install prebuild profiles')]
local +args: local +names:
#!/usr/bin/env bash #!/usr/bin/env bash
set -eu -o pipefail set -eu -o pipefail
install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
@ -138,7 +128,7 @@ local +args:
install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
done; done;
echo "Warning: profile dependencies fallback to unconfined." echo "Warning: profile dependencies fallback to unconfined."
for file in {{args}}; do for file in {{names}}; do
grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
@ -336,15 +326,52 @@ available:
[group('tests')] [group('tests')]
[doc('Run the integration tests on the machine')] [doc('Install dependencies for the integration tests')]
integration dist flavor: init:
@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @bash tests/requirements.sh
cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects
@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
sudo umount /home/user/Projects/apparmor.d
@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
@bats --recursive --timing --print-output-on-failure Projects/integration/
[group('tests')]
[doc('Run the integration tests')]
integration:
bats --recursive --pretty --timing --print-output-on-failure tests/integration
[group('tests')]
[doc('Install dependencies for the integration tests (machine)')]
tests-init dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
[group('tests')]
[doc('Synchronize the integration tests (machine)')]
tests-sync dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
[group('tests')]
[doc('Re-synchronize the integration tests (machine)')]
tests-resync dist flavor: (tests-mount dist flavor) \
(tests-sync dist flavor) \
(tests-umount dist flavor)
[group('tests')]
[doc('Unmout the integration tests (machine)')]
tests-umount dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
sudo umount /home/{{username}}/Projects/apparmor.d
[group('tests')]
[doc('Run the integration tests (machine)')]
tests-run dist flavor name="":
ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
TERM=xterm \
bats --recursive --pretty --timing --print-output-on-failure \
/home/{{username}}/Projects/tests/integration/{{name}}
[group('tests')]
[doc('Mount integration tests (machine)')]
tests-mount dist flavor:
@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4
[private] [private]
get_ip dist flavor: get_ip dist flavor:

7
apparmor.d/groups/systemd/bootctl
View file

@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/common/systemd> include <abstractions/common/systemd>
capability linux_immutable,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability sys_resource, capability sys_resource,
@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

7
apparmor.d/groups/systemd/busctl
View file

@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
member={GetConnectionCredentials,ListNames,ListActivatableNames} member={GetConnectionCredentials,ListNames,ListActivatableNames}
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
dbus send bus=system
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus send bus=system
interface=org.freedesktop.DBus.Properties
member={GetAll,Get},
@{exec_path} mr, @{exec_path} mr,
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,

3
apparmor.d/groups/systemd/journalctl
View file

@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
@{bin}/* r,
@{sbin}/* r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,

3
apparmor.d/groups/systemd/networkctl
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile networkctl @{exec_path} flags=(attach_disconnected) { profile networkctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/nameservice-strict>
capability net_admin, capability net_admin,
capability sys_module, capability sys_module,
@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
@{att}/@{run}/systemd/netif/io.systemd.Network rw, @{att}/@{run}/systemd/netif/io.systemd.Network rw,
@{run}/systemd/netif/links/ r,
@{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/leases/@{int} r,
@{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/links/@{int} r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,

4
apparmor.d/groups/systemd/systemd-localed
View file

@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
/etc/default/locale rw, /etc/default/locale rw,
/etc/locale.conf rw, /etc/locale.conf rw,
/etc/vconsole.conf rw, /etc/vconsole.conf rw,
/etc/X11/xorg.conf.d/ r, /etc/X11/xorg.conf.d/ rw,
/etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw,
/etc/X11/xorg.conf.d/*.conf rw, /etc/X11/xorg.conf.d/*.conf rw,
@{att}/@{run}/systemd/notify rw, @{att}/@{run}/systemd/notify rw,

3
apparmor.d/groups/systemd/systemd-machined
View file

@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
ptrace read peer=systemd-nspawn, ptrace read peer=systemd-nspawn,
unix type=stream addr=@@{udbus}/bus/systemd-machine/system,
#aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus own bus=system name=org.freedesktop.machine1
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
/dev/ptmx rw, /dev/ptmx rw,
/dev/pts/@{int} rw, /dev/pts/@{int} rw,
/dev/pts/ptmx rw, /dev/pts/ptmx rw,
/dev/vsock r,
include if exists <local/systemd-machined> include if exists <local/systemd-machined>
} }

4
apparmor.d/groups/systemd/systemd-networkd
View file

@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
@{att}/@{run}/systemd/notify rw, @{att}/@{run}/systemd/notify rw,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/resolve/resolv.conf r,
owner @{att}/var/lib/systemd/network/ r, owner @{att}/var/lib/systemd/network/ r,
owner /var/lib/systemd/network/ rw,
owner /var/lib/systemd/network/** rwk,
@{run}/systemd/network/ r, @{run}/systemd/network/ r,
@{run}/systemd/network/*.network r, @{run}/systemd/network/*.network r,
owner @{run}/systemd/netif/** rw, owner @{run}/systemd/netif/** rw,

2
apparmor.d/groups/systemd/systemd-nsresourcework
View file

@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{run}/systemd/nsresource/registry/ r,
include if exists <local/systemd-nsresourcework> include if exists <local/systemd-nsresourcework>
} }

1
apparmor.d/groups/systemd/systemd-userwork
View file

@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/gshadow r,
/etc/machine-id r, /etc/machine-id r,
/etc/shadow r, /etc/shadow r,

3
apparmor.d/groups/systemd/userdbctl
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/userdbctl @{exec_path} = @{bin}/userdbctl
profile userdbctl @{exec_path} { profile userdbctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -29,6 +29,7 @@ profile userdbctl @{exec_path} {
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/gid_map r,
owner @{PROC}/@{pid}/setgroups r,
owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
include if exists <local/userdbctl> include if exists <local/userdbctl>