From c2076a213b53c09f211c10993c38b433ccd62984 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Feb 2023 20:28:00 +0000
Subject: [PATCH] feat(systemd): add systemd-home{d,work}
---
 apparmor.d/groups/systemd/systemd-homed | 84 ++++++++++++++++++++++
 apparmor.d/groups/systemd/systemd-homework | 22 ++++++
 dists/flags/main.flags | 2 +
 3 files changed, 108 insertions(+)
 create mode 100644 apparmor.d/groups/systemd/systemd-homed
 create mode 100644 apparmor.d/groups/systemd/systemd-homework
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
new file mode 100644
index 000000000..38aeb3a02
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -0,0 +1,84 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-homed
+profile systemd-homed @{exec_path} flags=(attach_disconnected) {
+  include
+  include
+  include
+  include
+  include
+  include
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability setfcap,
+  capability setgid,
+  capability setpcap,
+  capability setuid,
+  capability sys_admin,
+  capability sys_resource,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+  network netlink raw,
+
+  mount options=(rw, rslave) -> @{run}/,
+  mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
+
+  dbus bind bus=system name=org.freedesktop.home1,
+
+  @{exec_path} mr,
+
+  /{usr/,}lib/systemd/systemd-homework rPx,
+  /{usr/,}{s,}bin/mkfs.btrfs rPx,
+  /{usr/,}{s,}bin/mkfs.fat rPx,
+  /{usr/,}{s,}bin/mke2fs rPx,
+
+  /etc/machine-id r,
+  /etc/systemd/homed.conf r,
+  /etc/skel/{,**} r,
+
+  /var/lib/systemd/home/{,**} rw,
+
+  / r,
+  @{HOMEDIRS}/ r,
+  @{HOMEDIRS}/* rw,
+  @{HOMEDIRS}/*.homedir/ rw,
+
+  @{run}/ r,
+  @{run}/cryptsetup/{,*} rwk,
+  @{run}/systemd/home/{,**} rw,
+  @{run}/systemd/userdb/io.systemd.home r,
+  @{run}/systemd/user-home-mount/{,**} rw,
+
+  @{sys}/bus/ r,
+  @{sys}/fs/ r,
+  @{sys}/class/ r,
+  @{sys}/kernel/uevent_seqnum r,
+  @{sys}/devices/**/read_ahead_kb r,
+
+  @{PROC}/devices r,
+  @{PROC}/sysvipc/{shm,sem,msg} r,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/uid_map w,
+
+  /dev/loop-control rwk,
+  /dev/loop[0-9]* rw,
+  /dev/mapper/control rw,
+  /dev/mqueue/ r,
+  /dev/shm/ r,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework
new file mode 100644
index 000000000..aeba866d1
--- /dev/null
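Review bot: `network inet raw,` and `network inet6 raw,` grant raw IP sockets, which is broader than a home-directory manager appears to need and would let a compromised daemon craft arbitrary packets; `network netlink raw,` next to them is the usual device-monitoring requirement and is not in question. Since main.flags in this commit stages systemd-homed in complain mode, the audit log can confirm whether a raw inet socket is ever requested before these two rules are kept. `@{HOMEDIRS}/* rw,` likewise covers every top-level entry under the home roots rather than only the `*.homedir/` directories the next rule names; if the complain-mode log shows only specific suffixes being touched (the image files homed keeps in the home root, presumably), narrowing the rule to those would keep the daemon out of other users' directories. The `include` and `abi ,` lines appear to have lost their `<...>` targets in this rendering, so which abstraction supplies the send/receive side of `dbus bind bus=system name=org.freedesktop.home1,` cannot be checked from here.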
+++ b/apparmor.d/groups/systemd/systemd-homework
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/systemd/systemd-homework
+profile systemd-homework @{exec_path} {
+  include
+  include
+  include
+
+  @{exec_path} mr,
+
+  /etc/machine-id r,
+
+  @{run}/systemd/userdb/ r,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 88d3bfc9b..7ebf15cae 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -213,6 +213,8 @@ systemd-coredump attach_disconnected,complain
 systemd-dissect complain
 systemd-environment-d-generator complain
 systemd-escape complain
+systemd-homed attach_disconnected,complain
+systemd-homework complain
 systemd-hostnamed attach_disconnected,complain
 systemd-hwdb attach_disconnected,complain
 systemd-id128 complain
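Review bot: systemd-homework gets no capability, mount or device rules, while the homed profile in this commit holds `capability sys_admin,`, the two `mount` rules and the `/dev/loop*` and `/dev/mapper/control` access, yet homed executes this binary with `rPx`, so the child runs under this nearly empty profile rather than inheriting those rules. If the mounting and image handling happen in the worker (the name suggests it, but nothing on this page shows it), those rules are attached to the wrong profile and will surface as denials here the moment `complain` is removed from main.flags; the complain-mode audit log should settle which side needs them before either profile is enforced. A comment above the `profile` line, e.g. `# Worker executed by systemd-homed (rPx transition in that profile)`, would also record why this profile exists separately.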