diff --git a/Makefile b/Makefile index 8575a9f38..ea9c30bcc 100644 --- a/Makefile +++ b/Makefile @@ -33,11 +33,11 @@ install: @for file in ${PROFILES}; do \ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ done; - @for file in systemd/system/*; do \ + @for file in ${BUILD}/systemd/system/*; do \ service="$$(basename "$$file")"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ done; - @for file in systemd/user/*; do \ + @for file in ${BUILD}/systemd/user/*; do \ service="$$(basename "$$file")"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ done diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index 083bb16c8..0507fd862 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -31,6 +31,8 @@ include include + # userns, + capability setgid, capability setuid, capability sys_admin, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index d8b2f4a38..7c0394ca6 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -3,12 +3,12 @@ # SPDX-License-Identifier: GPL-2.0-only # Extra Mesa rules for GDM - /var/lib/gdm/.cache/ w, - /var/lib/gdm/.cache/mesa_shader_cache/ rw, - /var/lib/gdm/.cache/mesa_shader_cache/index rw, - /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw, - /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, - /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, + /var/lib/gdm{3,}/.cache/ w, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, # Extra Mesa rules for SDDM /var/lib/sddm/.cache/ w, 
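Review bot: The new loops `for file in ${BUILD}/systemd/system/*` and `for file in ${BUILD}/systemd/user/*` iterate the literal pattern when the directory is empty or absent, so `install -Dm0644` then fails on a file called `*`; now that this tree is produced by the Go prebuild rather than taken from the source checkout, an empty directory on some build variants looks plausible. Guard each loop with `[ -e "$$file" ] || continue;` as its first statement (or enable `nullglob` in the recipe's shell). The lines are also `@`-silenced, so such a failure prints no command; consider leaving the `install` invocations echoed. The `install` rule starts outside the hunk.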
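Review bot: The added `# userns,` reads as a disabled rule but is a build-time sentinel: the build.go hunk in this commit rewrites the literal text `# userns,` to `userns,` when the prebuild applies its ABI rewrite, so the rule is live on those builds. Nothing on the line says so, and a later cleanup that drops "dead" commented rules would silently remove a permission. Suggest a marker above it, `# Toggled to a live rule by prebuild when targeting abi/4.0`, here and on the same line in virtiofsd, slirp4netns and thunderbird.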
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9f057e79d..bcec1d2f1 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/cache/apt/ r, + /var/cache/apt/ rw, /var/cache/apt/** rwk, /var/crash/{,*.@{uid}.crash} rw, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index f7ffc320f..406e6891e 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -69,6 +69,7 @@ profile child-open { @{bin}/engrampa rPx, @{bin}/eog rPUx, @{bin}/evince rPx, + @{bin}/extension-manager rPx, @{bin}/file-roller rPUx, @{bin}/filezilla rPx, @{bin}/flameshot rPx, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ab83a7ffc..0b490b8aa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/colord/colord-sane rPx, - @{lib}/colord-sane rPx, + @{lib}/{,colord/}colord-sane rPx, /etc/machine-id r, /etc/udev/hwdb.bin r, @@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, + @{run}/udev/data/+pci:* r, @{run}/udev/data/c81:@{int} r, # For video4linux @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, include if exists } 
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 4126867ec..fb5b210fe 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,polkit-1/}polkitd -profile polkitd @{exec_path} { +profile polkitd @{exec_path} flags=(attach_disconnected) { include include include @@ -58,8 +58,8 @@ profile polkitd @{exec_path} { /usr/share/polkit-1/actions/*.policy r, /usr/share/polkit-1/actions/*.policy.choice r, - owner /var/lib/polkit{,-1}/.cache/ rw, /var/lib/polkit{,-1}/localauthority/{,**} r, + owner /var/lib/polkit{,-1}/.cache/ rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 46735b405..096c44a66 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, + owner @{user_share_dirs}/.mimeinfo.cache.* rw, + owner @{user_share_dirs}/{,**/} r, + owner @{user_share_dirs}/**.desktop r, + owner @{user_share_dirs}/mimeinfo.cache w, + # Inherit silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a259bbe35..a7a684f8e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 9a2d133d9..3abee2900 100644 
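Review bot: `flags=(attach_disconnected)` is added to polkitd without saying which disconnected path required it; the flag makes paths outside the profile's namespace view appear rooted at `/`, so an existing rule such as `owner /var/lib/polkit{,-1}/.cache/ rw,` may start matching objects the author did not intend. A trailing comment naming the denied path from the audit log that motivated it, e.g. `flags=(attach_disconnected) { # TODO(review): note the disconnected path seen in the log`, would let a later reviewer drop the flag once it is no longer needed. The same applies to the irqbalance and rngd hunks in this commit.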
--- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, capability ipc_owner, capability perfmon, @@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_rawio, - # These can be denied? - #audit capability dac_override, - #audit capability sys_nice, - #capability sys_tty_config, - signal (send) set=(usr1), signal (receive) peer=lightdm, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index db6a8d349..cd6d9eaf4 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/Xorg rPx, + @{bin}/dbus-daemon rPx, @{bin}/dbus-run-session rPx, - /etc/gdm{3,}/Xsession rPx, + @{bin}/Xorg rPx, /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Xsession rPx, /usr/share/gdm/gdm.schemas r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index c756b5fac..da4a54784 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.local/share/applications/{,**} r, - /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, + /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, /var/lib/gdm{3,}/.local/share/icc/{,*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 76db087c0..3979cbcc7 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings 
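Review bot: `capability dac_override,` is granted outright while the removed block in the second hunk shows the same capability was still an open question (`#audit capability dac_override,`). Xorg already holds sys_admin and sys_rawio, so the practical reach gained is small, but the rationale is now lost from the file. If the trigger is not yet understood, `audit capability dac_override,` keeps the permission while logging each use so the question can be answered, and a trailing comment naming the denied path would document it. The capability block continues outside the hunk.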
@@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} { @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm3/greeter-dconf-defaults r, owner @{user_cache_dirs}/mesa_shader_cache/index rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index acec19ade..6c73607ba 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -93,6 +93,8 @@ profile pacman @{exec_path} { @{bin}/perl rix, @{bin}/pkgfile rPUx, @{bin}/pkill rix, + @{bin}/mkdir rix, + @{bin}/setfacl rix, @{bin}/pwd rix, @{bin}/rm rix, @{bin}/rsync rix, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 648ac7329..071ad9147 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -44,14 +44,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) { # but will fall back to a non-privileged version if it fails. deny capability net_admin, - ptrace (read,trace) peer=unconfined, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal (receive) set=(hup) peer=@{systemd}, + + ptrace (read,trace) peer=@{systemd}, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession} diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 7791871a4..b5ef540dd 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
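Review bot: `/var/lib/gdm3/greeter-dconf-defaults r,` hard-codes `gdm3` while the neighbouring rule and the gnome-shell hunk in this commit use `gdm{3,}`, so on distributions where the directory is `/var/lib/gdm` the read stays denied. Change it to `/var/lib/gdm{3,}/greeter-dconf-defaults r,`.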
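Review bot: `@{bin}/mkdir rix,` and `@{bin}/setfacl rix,` are inserted between `pkill` and `pwd`, breaking the alphabetical order the surrounding list keeps (`perl`, `pkgfile`, `pkill`, `pwd`, `rm`, `rsync`). Move `mkdir` before `perl` and `setfacl` after `rsync` so the next merge into this list does not have to guess where entries go.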
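Review bot: `ptrace (read,trace) peer=@{systemd},` keeps the `trace` permission, which lets sshd attach to the peer rather than only read its `/proc` state; with `@{systemd}` defaulting to `unconfined` (tunable hunk in this commit) that peer is every unconfined process, and under full policy it is PID 1. The other profiles narrowed in this commit (systemd-update-done, qemu-ga, snapd) use `(read)` alone, which is what reading `/proc/@{pid}/*` of the init process needs; unless an audit entry shows an actual trace request, `ptrace (read) peer=@{systemd},` is the consistent choice. The profile's capability and network block continues outside the hunk.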
@@ -10,41 +11,40 @@ include profile sshfs @{exec_path} flags=(complain) { include - @{exec_path} mr, + mount fstype=fuse.sshfs -> @{HOME}/*/, + mount fstype=fuse.sshfs -> @{HOME}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + @{exec_path} mr, + @{bin}/ssh rPx, @{bin}/fusermount{,3} rCx -> fusermount, - /dev/fuse rw, - - mount fstype=fuse.sshfs -> @{HOME}/*/, - mount fstype=fuse.sshfs -> @{HOME}/*/*/, - @{PROC}/sys/fs/pipe-max-size r, + /dev/fuse rw, profile fusermount flags=(complain) { include include - # To mount anything: capability sys_admin, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), @{bin}/fusermount{,3} mr, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, - /etc/fuse.conf r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 4c09badd1..130162662 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, + @{PROC}/pressure/* r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 490ab3caf..4c8609f99 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
@@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname + dbus bind bus=system name=org.freedesktop.hostname1, + + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=:*, label=systemd//&systemd-networkd), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName,GetConnectionUnixUser} @@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member=Set*Hostname peer=(name=:*, label=hostnamectl), - dbus bind bus=system - name=org.freedesktop.hostname[0-9], - @{exec_path} mr, @{etc_rw}/.#hostname* rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b168c5f4c..4899546ae 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/module/printk/parameters/time r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, /dev/kmsg rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a7d3fa06e..925ad73be 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/sleep.conf r, /etc/systemd/logind.conf.d/{,**} r, + / r, /boot/{,**} r, /swap/swapfile r, /swapfile r, 
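Review bot: The new receive rule's `peer=(name=:*, label=systemd//&systemd-networkd)` hard-codes the stacked label of the full-system-policy build, while the rest of this commit routes the init label through the new `@{systemd}` tunable. On a default build `@{systemd}` is `unconfined` and networkd presumably runs under the plain `systemd-networkd` label, so as written the rule appears to match only on full builds and `SetHostname` from networkd would be denied elsewhere; confirm the label on both build modes and, if needed, add a second rule for the non-stacked label.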
@@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, + @{PROC}/pressure/* r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 6d8160834..07268038d 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 880077159..5b6499bfb 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4637e76a2..2cf7ecf28 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, owner @{run}/systemd/journal/socket w, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index d9324bdb4..f6e9dddab 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
@@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus bind bus=system name=org.freedesktop.timesync1, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus bind bus=system name=org.freedesktop.timesync1, - @{exec_path} mr, @{etc_rw}/adjtime r, @@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - owner @{run}/systemd/journal/socket w, - owner @{run}/systemd/timesync/synchronized rw, @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + owner @{run}/systemd/journal/socket w, + owner @{run}/systemd/timesync/synchronized rw, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 7ae92f1e5..0ac7717cb 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/** rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/devices r, @{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/*/information r, + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, /dev/ rw, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e497a5544..bd9a0d077 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done 
@@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} { capability net_admin, - ptrace (read) peer=unconfined, + ptrace (read) peer=@{systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9037b9928..18166ec90 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 3ef93d22e..d4b2ddda8 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/userdb/{,**} rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index a3b5b1fad..4d2b26de7 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -14,9 +14,12 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { capability sys_resource, + signal (send) peer=@{systemd}, + @{exec_path} mr, /etc/machine-id r, + /etc/shadow r, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 1eef05080..ac0ea5a4d 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd 
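Review bot: `/etc/shadow r,` in systemd-userwork grants read access to every account's password hash with no comment on why; the userdb worker presumably serves shadow records over its varlink socket, but that should be stated on the line, e.g. `/etc/shadow r, # userdb serves shadow records over varlink`, since a bare shadow read is the first thing an auditor will question in this profile. A `# TODO(review): confirm whether userwork drops privileges before this read` marker would also be useful if that is not yet known.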
@@ -10,6 +10,8 @@ include profile virtiofsd @{exec_path} { include + # userns, + capability chown, capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index fcb9bc5aa..fad365165 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx@{int}.efi rw, - @{lib}/fwupd/efi/fwupdx@{int}.efi r, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index da4bc0a78..48d3dd08e 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -25,8 +25,8 @@ profile haveged @{exec_path} { @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, - @{sys}/devices/system/cpu/cpu*/cache/ r, - @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 37b888313..4c4d3374f 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/irqbalance -profile irqbalance @{exec_path} { +profile irqbalance @{exec_path} flags=(attach_disconnected) { include capability setpcap, diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index b6fdeced8..1760ae92c 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{etc_rw}/lvm/** rwkl, + @{run}/lock/ rw, @{run}/lock/lvm/ rw, @{run}/lock/lvm/* rwk, @{run}/lvm/** rwk, 
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 94949bdd1..c5b8b6de6 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/appstreamcli rPx, @{bin}/arch-audit rPx, # only: arch @{bin}/dpkg rPx -> child-dpkg, # only: dpkg + @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, + @{bin}/install-info rPx, @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @{lib}/apt/methods/* rPx, # only: dpkg @{lib}/cnf-update-db rPx, @{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile - /usr/share/libalpm/scripts/* rPx, + /usr/share/libalpm/scripts/* rPx, # Install/update packages / r, @@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, + owner /tmp/alpm_*/{,**} rw, owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner /tmp/packagekit* rw, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 46fdf3d77..4f7462b91 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} { network inet6 stream, network netlink raw, - ptrace peer=unconfined, + ptrace (read) peer=@{systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 41de3f474..aa702237b 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd 
@@ -8,13 +8,14 @@ abi , include @{exec_path} = @{bin}/rngd -profile rngd @{exec_path} { +profile rngd @{exec_path} flags=(attach_disconnected) { include include include include capability dac_read_search, + capability net_admin, capability sys_admin, capability sys_nice, diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 94dd1b3ed..46b559da0 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -10,6 +10,8 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include + # userns, + capability net_admin, capability setpcap, capability sys_admin, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 84d34247d..db5e33157 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -44,7 +44,7 @@ profile snapd @{exec_path} { umount /snap/*/*/, ptrace (read) peer=snap, - ptrace (read) peer=unconfined, + ptrace (read) peer=@{systemd}, dbus (send) bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index fefe8a10a..487cdf072 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -94,7 +94,7 @@ profile sudo @{exec_path} { @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, # interactive login - /dev/ptmx rw, + /dev/ptmx rwk, owner /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 0a5cd08fc..511343b61 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -35,6 +35,8 @@ profile thunderbird @{exec_path} { include include + # userns, + capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index ab62573b1..8cbd08508 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -54,6 +54,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{run}/udisks2/temp-mount-*/, umount /media/cdrom[0-9]/, + signal (receive) set=(int) peer=@{systemd}, + dbus (send,receive) bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect, diff --git a/apparmor.d/tunables/multiarch.d/apparmor.d b/apparmor.d/tunables/multiarch.d/apparmor.d index 70e16dcc8..c9c8c5ad7 100644 --- a/apparmor.d/tunables/multiarch.d/apparmor.d +++ b/apparmor.d/tunables/multiarch.d/apparmor.d @@ -53,3 +53,6 @@ # Common places for binaries and libraries across distributions @{bin}=/{,usr/}{,s}bin @{lib}=/{,usr/}lib{,exec,32,64} + +# Name of the systemd profile: unconfined || systemd +@{systemd}=unconfined diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 2ebd2c222..f7767c63c 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -47,6 +47,8 @@ func aaPrebuild() error { if full { prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy) + } else { + prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd) } if complain { prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain) diff --git a/debian/control b/debian/control index 47f4f479f..46452332a 100644 --- a/debian/control +++ b/debian/control @@ -6,7 +6,6 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, - rsync, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 7fcbf4a79..4eae77d04 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec 
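Review bot: The comment `# Name of the systemd profile: unconfined || systemd` understates what the default does: with `@{systemd}=unconfined`, every rule in this commit written as `peer=@{systemd}` (sshd, snapd, qemu-ga, systemd-update-done, udisksd, systemd-userwork) matches any unconfined process rather than PID 1 specifically, the same width as the old `peer=unconfined` rules. Expand the comment so readers of those profiles know the narrowing only takes effect under full policy, e.g. `# Label of PID 1: 'unconfined' (default) matches every unconfined process; 'systemd' only under full system policy (make full)`.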
@@ -16,7 +16,6 @@ Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release BuildRequires: golang-packaging -BuildRequires: rsync %description AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. @@ -48,6 +47,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: %dir /usr/lib/systemd/system/systemd-journald.service.d %dir /usr/lib/systemd/system/systemd-networkd.service.d %dir /usr/lib/systemd/system/systemd-timesyncd.service.d +%dir /usr/lib/systemd/system/systemd-userdbd.service.d %dir /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d %dir /usr/share/zsh %dir /usr/share/zsh/site-functions @@ -58,6 +58,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: /usr/lib/systemd/system/systemd-journald.service.d/apparmor.conf /usr/lib/systemd/system/systemd-networkd.service.d/apparmor.conf /usr/lib/systemd/system/systemd-timesyncd.service.d/apparmor.conf +/usr/lib/systemd/system/systemd-userdbd.service.d/apparmor.conf /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d/apparmor.conf /usr/share/bash-completion/completions/aa-log /usr/share/zsh/site-functions/_aa-log.zsh diff --git a/docs/development/structure.md b/docs/development/structure.md index 0d1889016..0e1c0659e 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md @@ -69,9 +69,9 @@ It creates even more issues when we want to use this profile in other profiles. **What if I still want to protect these programs?** -You do not protect this program. *Protect the usage you have of these tools*. +You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your development's terminal in a -sandbox managed with [Toolbox] +sandbox managed with [Toolbox]. !!! example "To sum up" 
@@ -100,7 +100,7 @@ include ## Children profiles -Usually, a child profile is in the [`children`][children] group. They have the following note: +Usually, a child profile is in the [`children`][children] group. They have the following note: !!! quote @@ -165,6 +165,17 @@ Special care must be given as sometimes udev numbers are allocated dynamically b [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt +## No New Privileges + +[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly-started program to get more privileges that its parent. So it is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transition to other profile because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). + +The possible solutions are: + +* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). +* Inherit the current confinement (`ix`) +* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) + + ## Full system policy !!! quote 
@@ -176,22 +187,60 @@ Special care must be given as sometimes udev numbers are allocated dynamically b *Source: [AppArmor Wiki][apparmor-wiki]* -This feature is only enabled when the profiles are built with `make full`. The profiles for full system policies are maintained in the **[`_full`][full]** group. It consists of two extra main profiles: - -1. **`init`**: For systemd as PID 1 -2. **`systemd`**: For systemd as user - -All core required applications that need to be started by systemd (both as user or root) need to be present in these profiles. - -Early policy load should also be enabled. In `/etc/apparmor/parser.conf` -``` -cache-loc /etc/apparmor/earlypolicy/ -``` +### Enable !!! danger Full system policy is still under early development, do not run it outside a development VM! **You have been warned!!!** +This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load must be enabled, in `/etc/apparmor/parser.conf` ensure you have: +``` +write-cache +cache-loc /etc/apparmor/earlypolicy/ +``` + +### Structure + +The profiles for full system policies are maintained in the **[`_full`][full]** group. + +**systemd** + +In addition to systemd services (`systemd-*`) that have their own profiles, systemd itself, is confined using: + +- [x] **`systemd`**: For systemd as PID 1, designed such as: + - It allows internal systemd access, + - It allows starting all common root services. +- [ ] **`systemd-user`**: For `systemd --user`, designed such as: + - It allows internal systemd user access, + - It allows starting all common user services. + +These profiles are only intended to confine themselves. Any services started by systemd must have their corresponding profile. 
It means that for a given distribution, the following services must have profiles: + +- [ ] For `systemd`: +```sh +/usr/lib/systemd/system-generators/* +/usr/lib/systemd/system-environment-generators/* +/usr/lib/systemd/system/*.service +``` + +- [ ] For `systemd-user` +```sh +/usr/lib/systemd/user-environment-generators/* +/usr/lib/systemd/user-generators/* +/usr/lib/systemd/user/*.service +``` + +To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: +``` + @{lib}/foo rPx -> systemd//&foo, + ... +``` + +**Fallback** + +!!! warning "Work in Progress" + +In addition to systemd profiles, a full system policy needs to ensure that no program run in an unconfined state at any time. When full policy mode is enabled, special fallback profiles `default` and `default-user` are used to ensure this. PAM rule can be used to configure it further. [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full diff --git a/docs/install.md b/docs/install.md index 0bec02c21..da2ea17ce 100644 --- a/docs/install.md +++ b/docs/install.md @@ -24,7 +24,6 @@ Please note that Wayland has a better support than Xorg. **Build dependencies** * Go >= 1.18 -* Rsync ## :material-arch: Archlinux diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 0af3dede6..9b548306c 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go 
@@ -87,15 +87,16 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 case "net":
 p.Rules = append(p.Rules, NetworkFromLog(log))
 case "mount":
- p.Rules = append(p.Rules, MountFromLog(log))
- case "remount":
- p.Rules = append(p.Rules, RemountFromLog(log))
- case "umount":
- p.Rules = append(p.Rules, UmountFromLog(log))
- case "pivot_root":
- p.Rules = append(p.Rules, PivotRootFromLog(log))
- case "change_profile":
- p.Rules = append(p.Rules, RemountFromLog(log))
+ switch log["operation"] {
+ case "mount":
+ p.Rules = append(p.Rules, MountFromLog(log))
+ case "umount":
+ p.Rules = append(p.Rules, UmountFromLog(log))
+ case "remount":
+ p.Rules = append(p.Rules, RemountFromLog(log))
+ case "pivotroot":
+ p.Rules = append(p.Rules, PivotRootFromLog(log))
+ }
 case "mqueue":
 p.Rules = append(p.Rules, MqueueFromLog(log))
 case "signal":
@@ -107,7 +108,11 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 case "unix":
 p.Rules = append(p.Rules, UnixFromLog(log))
 case "file":
- p.Rules = append(p.Rules, FileFromLog(log))
+ if log["operation"] == "change_onexec" {
+ p.Rules = append(p.Rules, ChangeProfileFromLog(log))
+ } else {
+ p.Rules = append(p.Rules, FileFromLog(log))
+ }
 default:
 if strings.Contains(log["operation"], "dbus") {
 p.Rules = append(p.Rules, DbusFromLog(log))
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index e80ef52d7..b61366355 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@@ -33,6 +33,7 @@ var (
 // TODO: Should be a map of slice, not exhaustive yet
 maskToAccess = map[string]string{
 "a": "w",
+ "ac": "w",
 "c": "w",
 "d": "w",
 "k": "k",
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index add73dfc6..0cdb64c6f 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
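Review bot: The inner `switch log["operation"]` under `case "mount"` has no `default`, so a mount-class event whose operation is not one of the four listed now produces no rule at all and nothing reports it; a `default:` arm that records the unhandled operation would make such gaps visible instead of silent. The `case "change_profile"` arm of the outer switch is also gone, so logs with that class now fall through to the dbus-only `default` below; the old mapping to `RemountFromLog` was clearly wrong, but the new `case "file"` arm only recognises `change_onexec`, so it is worth confirming that no `change_profile` events still need a rule. `AddRule` begins before the first hunk and continues after the second.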
@@ -22,11 +22,9 @@ var (
 regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
 regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
 regProfileHeader = regexp.MustCompile(` {`)
- regAbi4To3 = util.ToRegexRepl([]string{
- `abi/4.0`, `abi/3.0`,
- `(?m)^.*mqueue.*$`, ``,
- `(?m)^.*userns.*$`, ``,
- `(?m)^.*io_uring.*$`, ``,
+ regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+ `abi/3.0`, `abi/4.0`,
+ `# userns,`, `userns,`,
 })
 )
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 289c873bd..207cf8e6f 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -7,7 +7,6 @@ package prebuild
 import (
 "fmt"
 "os"
- "os/exec"
 "path/filepath"
 "strings"
@@ -28,15 +27,14 @@ type PrepareFunc func() error
 // Initialize a new clean apparmor.d build directory
 func Synchronise() error {
- dirs := paths.PathList{RootApparmord, Root.Join("root")}
+ dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")}
 for _, dir := range dirs {
 if err := dir.RemoveAll(); err != nil {
 return err
 }
 }
- for _, path := range []string{"./apparmor.d", "./root"} {
- cmd := exec.Command("rsync", "-a", path, Root.String())
- if err := cmd.Run(); err != nil {
+ for _, name := range []string{"apparmor.d", "root"} {
+ if err := copyTo(paths.New(name), Root.Join(name)); err != nil {
 return err
 }
 }
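Review bot: `regAbi4To3` now performs the opposite rewrite (`abi/3.0` → `abi/4.0`, and uncommenting `# userns,`), so the identifier contradicts what it does and the trailing `// Currently Abi3 -> Abi4` comment papers over that instead of fixing it; rename it `regAbi3To4` (its call sites are outside this hunk) rather than annotating a misleading name. Both patterns are unanchored, so `# userns,` is also rewritten when it sits inside a longer comment and `abi/3.0` wherever it occurs, which is presumably intended for `abi <abi/3.0>` lines but deserves a one-line comment. In the prepare.go hunk, `Synchronise` now wipes `Root.Join("systemd")` but only refills `apparmor.d` and `root`, so the build's `systemd/` tree exists only if the caller runs `SetDefaultSystemd` afterwards; a comment on the `dirs` line such as `// systemd/ is repopulated by SetDefaultSystemd / SetFullSystemPolicy` would save the next reader a search.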
@@ -173,15 +171,38 @@ func SetFlags() error {
 return nil
 }
+// Set systemd unit drop in files to ensure some service start after apparmor
+func SetDefaultSystemd() error {
+ return copyTo(paths.New("systemd/default/"), Root.Join("systemd"))
+}
+
 // Set AppArmor for (experimental) full system policy.
 // See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
+ // Install full system policy profiles
 for _, name := range []string{"systemd", "systemd-user"} {
 err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 if err != nil {
 return err
 }
 }
+
+ // Set systemd profile name
+ path := paths.New("apparmor.d/tunables/multiarch.d/apparmor.d")
+ content, err := path.ReadFile()
+ if err != nil {
+ return err
+ }
+ res := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
+ if err := path.WriteFile([]byte(res)); err != nil {
+ return err
+ }
+
+ // Set systemd unit drop-in files
+ if err := copyTo(paths.New("systemd/full/"), Root.Join("systemd")); err != nil {
+ return err
+ }
+
 logging.Success("Configure AppArmor for full system policy")
 return nil
 }
diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go
index 688788737..54b34ef49 100644
--- a/pkg/prebuild/tools.go
+++ b/pkg/prebuild/tools.go
@@ -61,7 +61,7 @@ func getSupportedDistribution() string {
 }
 func copyTo(src *paths.Path, dst *paths.Path) error {
- files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
+ files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md"))
 if err != nil {
 return err
 }
@@ -71,6 +71,9 @@ func copyTo(src *paths.Path, dst *paths.Path) error {
 return err
 }
 destination = dst.JoinPath(destination)
+ if err := destination.Parent().MkdirAll(); err != nil {
+ return err
+ }
 if err := file.CopyTo(destination); err != nil {
 return err
 }
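Review bot: The `@{systemd}` substitution in `SetFullSystemPolicy` reads and writes `paths.New("apparmor.d/tunables/multiarch.d/apparmor.d")`, which is the source tree (the `Synchronise` hunk copies `paths.New("apparmor.d")` into `Root`), while the profile copy just above it writes to `RootApparmord`; as written, `make full` edits the checked-in tunable in place and leaves the build copy untouched. It should be `path := RootApparmord.Join("tunables/multiarch.d/apparmor.d")`, and returning an error when `res` equals the original content would catch a silently missing `@{systemd}=unconfined` marker (also, `strings.Replace(…, -1)` is spelled `strings.ReplaceAll` in modern Go). The following `copyTo` then lands `systemd/full/` in the same `Root.Join("systemd")` tree that `SetDefaultSystemd` fills from `systemd/default/`; for units present in both (later in this diff `systemd-journald.service` and `systemd-userdbd.service` are), whichever copy runs second wins, assuming `file.CopyTo` overwrites, so either the `After=apparmor.service` ordering or the `NoNewPrivileges=no` directive is dropped rather than merged. Either merge the two fragments at copy time or keep one file per unit with both sections.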
diff --git a/systemd/system/haveged.service b/systemd/default/system/haveged.service
similarity index 100%
rename from systemd/system/haveged.service
rename to systemd/default/system/haveged.service
diff --git a/systemd/system/multipathd.service b/systemd/default/system/multipathd.service
similarity index 100%
rename from systemd/system/multipathd.service
rename to systemd/default/system/multipathd.service
diff --git a/systemd/system/pcscd.service b/systemd/default/system/pcscd.service
similarity index 100%
rename from systemd/system/pcscd.service
rename to systemd/default/system/pcscd.service
diff --git a/systemd/system/systemd-journald.service b/systemd/default/system/systemd-journald.service
similarity index 100%
rename from systemd/system/systemd-journald.service
rename to systemd/default/system/systemd-journald.service
diff --git a/systemd/system/systemd-networkd.service b/systemd/default/system/systemd-networkd.service
similarity index 100%
rename from systemd/system/systemd-networkd.service
rename to systemd/default/system/systemd-networkd.service
diff --git a/systemd/system/systemd-timesyncd.service b/systemd/default/system/systemd-timesyncd.service
similarity index 100%
rename from systemd/system/systemd-timesyncd.service
rename to systemd/default/system/systemd-timesyncd.service
diff --git a/systemd/default/system/systemd-userdbd.service b/systemd/default/system/systemd-userdbd.service
new file mode 100644
index 000000000..cd2840571
--- /dev/null
+++ b/systemd/default/system/systemd-userdbd.service
@@ -0,0 +1,2 @@
+[Unit]
+After=apparmor.service
\ No newline at end of file
diff --git a/systemd/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
similarity index 100%
rename from systemd/user/org.freedesktop.IBus.session.GNOME.service
rename to systemd/default/user/org.freedesktop.IBus.session.GNOME.service
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/ModemManager.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/e2scrub_reap.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
new file mode 100644
index 000000000..b11945a16
--- /dev/null
+++ b/systemd/full/system/fwupd-refresh.service
@@ -0,0 +1,3 @@
+[Service]
+ProtectKernelModules=no
+RestrictRealtime=no
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/irqbalance.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/rngd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-homed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
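Review bot: Every drop-in here switches off a sandboxing directive on a privileged system service (`NoNewPrivileges=no` for ModemManager, e2scrub_reap, irqbalance, rngd, systemd-homed and systemd-hostnamed; `ProtectKernelModules=no` and `RestrictRealtime=no` for fwupd-refresh) without recording why, and the same applies to the files on the next diff line (journald and logind additionally set `ProtectClock=no`, plus localed, timedated, userdbd and upower). Presumably `NoNewPrivileges` is relaxed because it blocks the AppArmor profile transition on exec that the full system policy relies on, and the other directives were found to conflict with the new profiles; each file should state its reason in a leading comment, e.g. `# Full system policy: NoNewPrivileges prevents the AppArmor profile transition on exec (see the no-new-privileges section of the docs)`, so a reviewer can later judge whether the relaxation is still needed. The docs hunk in this same diff describes stacking (`rPx -> systemd//&foo`) as the way to transition under NoNewPrivileges, so where that works the hardening could stay in place instead of being removed. These files also end without a trailing newline.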
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-journald.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-localed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-logind.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-timedated.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-userdbd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/upower.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/user@.service b/systemd/full/system/user@.service
new file mode 100644
index 000000000..05023d01d
--- /dev/null
+++ b/systemd/full/system/user@.service
@@ -0,0 +1,3 @@
+# TODO: works as intended on server, does not work on desktop
+# [Service]
+# AppArmorProfile=systemd-user
\ No newline at end of file
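Review bot: This drop-in consists only of commented-out lines, so once `SetFullSystemPolicy` copies `systemd/full/` it ships a `user@.service` override that does nothing; a TODO belongs in an issue or a README rather than in an installed unit fragment, and the file would be better kept out of `systemd/full` until `AppArmorProfile=systemd-user` works on desktops. If it stays, the first line should say what actually breaks on desktop (which session component fails, and how it shows up) so the next person can reproduce it, e.g. `# TODO: AppArmorProfile=systemd-user works on servers; on desktops <symptom> — see <issue-placeholder>`. The file also lacks a trailing newline.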