Merge branch 'roddhjav:main' into main

Makefile

@@ -33,11 +33,11 @@ install:
 	@for file in ${PROFILES}; do \
 		install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
-	@for file in systemd/system/*; do \
+	@for file in ${BUILD}/systemd/system/*; do \
 		service="$$(basename "$$file")"; \
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
 	done;
-	@for file in systemd/user/*; do \
+	@for file in ${BUILD}/systemd/user/*; do \
 		service="$$(basename "$$file")"; \
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
 	done

apparmor.d/abstractions/chromium

@@ -31,6 +31,8 @@
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability setgid,
   capability setuid,
   capability sys_admin,

apparmor.d/abstractions/mesa.d/complete

@@ -3,12 +3,12 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
   # Extra Mesa rules for GDM
-  /var/lib/gdm/.cache/ w,
+  /var/lib/gdm{3,}/.cache/ w,
-  /var/lib/gdm/.cache/mesa_shader_cache/ rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/index rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
 
   # Extra Mesa rules for SDDM
   /var/lib/sddm/.cache/ w,

apparmor.d/groups/apt/apt

@@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
-  /var/cache/apt/ r,
+  /var/cache/apt/ rw,
   /var/cache/apt/** rwk,
 
   /var/crash/{,*.@{uid}.crash} rw,

apparmor.d/groups/children/child-open

@@ -69,6 +69,7 @@ profile child-open {
   @{bin}/engrampa          rPx,
   @{bin}/eog              rPUx,
   @{bin}/evince            rPx,
+  @{bin}/extension-manager rPx,
   @{bin}/file-roller      rPUx,
   @{bin}/filezilla         rPx,
   @{bin}/flameshot         rPx,

apparmor.d/groups/freedesktop/colord

@@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{lib}/colord/colord-sane  rPx,
+  @{lib}/{,colord/}colord-sane  rPx,
-  @{lib}/colord-sane          rPx,
 
   /etc/machine-id r,
   /etc/udev/hwdb.bin r,
@@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 
   @{run}/systemd/sessions/* r,
 
+  @{run}/udev/data/+pci:* r,
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
 
   @{sys}/class/drm/ r,
   @{sys}/class/video4linux/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+  @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+  @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/colord>
 }

apparmor.d/groups/freedesktop/polkitd

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/{,polkit-1/}polkitd
-profile polkitd @{exec_path} {
+profile polkitd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
@@ -58,8 +58,8 @@ profile polkitd @{exec_path} {
   /usr/share/polkit-1/actions/*.policy r,
   /usr/share/polkit-1/actions/*.policy.choice r,
 
-  owner /var/lib/polkit{,-1}/.cache/ rw,
         /var/lib/polkit{,-1}/localauthority/{,**} r,
+  owner /var/lib/polkit{,-1}/.cache/ rw,
 
   @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,

apparmor.d/groups/freedesktop/update-desktop-database

@@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
   /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
   /var/lib/snapd/desktop/applications/mimeinfo.cache w,
 
+  owner @{user_share_dirs}/.mimeinfo.cache.* rw,
+  owner @{user_share_dirs}/{,**/} r,
+  owner @{user_share_dirs}/**.desktop r,
+  owner @{user_share_dirs}/mimeinfo.cache w,
+
   # Inherit silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/nvidia>
   include <abstractions/user-download>
   include <abstractions/vulkan>

apparmor.d/groups/freedesktop/xorg

@@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   include <abstractions/opencl>
   include <abstractions/vulkan>
 
+  capability dac_override,
   capability dac_read_search,
   capability ipc_owner,
   capability perfmon,
@@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   capability sys_admin,
   capability sys_rawio,
 
-  # These can be denied?
-  #audit capability dac_override,
-  #audit capability sys_nice,
-  #capability sys_tty_config,
-
   signal (send) set=(usr1),
 
   signal (receive) peer=lightdm,

apparmor.d/groups/gnome/gdm-x-session

@@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{bin}/Xorg              rPx,
+  @{bin}/dbus-daemon       rPx,
   @{bin}/dbus-run-session  rPx,
-  /etc/gdm{3,}/Xsession         rPx,
+  @{bin}/Xorg              rPx,
   /etc/gdm{3,}/Prime/Default    rix,
+  /etc/gdm{3,}/Xsession         rPx,
 
   /usr/share/gdm/gdm.schemas r,
 

apparmor.d/groups/gnome/gnome-shell

@@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/.config/pulse/client.conf r,
   /var/lib/gdm{3,}/.config/pulse/cookie rwk,
   /var/lib/gdm{3,}/.local/share/applications/{,**} r,
-  /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
+  /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw,
   /var/lib/gdm{3,}/.local/share/icc/{,*} rw,
 
   /var/lib/gdm{3,}/greeter-dconf-defaults r,

apparmor.d/groups/gnome/gsd-xsettings

@@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} {
   @{etc_ro}/xdg/Xwayland-session.d/ r,
   @{etc_ro}/xdg/Xwayland-session.d/* rix,
 
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
   /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm3/greeter-dconf-defaults r,
 
   owner @{user_cache_dirs}/mesa_shader_cache/index rw,
 

apparmor.d/groups/pacman/pacman

@@ -93,6 +93,8 @@ profile pacman @{exec_path} {
   @{bin}/perl                        rix,
   @{bin}/pkgfile                     rPUx,
   @{bin}/pkill                       rix,
+  @{bin}/mkdir                       rix,
+  @{bin}/setfacl                     rix,
   @{bin}/pwd                         rix,
   @{bin}/rm                          rix,
   @{bin}/rsync                       rix,

apparmor.d/groups/ssh/sshd

@@ -44,14 +44,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   # but will fall back to a non-privileged version if it fails.
   deny capability net_admin,
 
-  ptrace (read,trace) peer=unconfined,
-
   network inet  stream,
   network inet6 stream,
   network inet  dgram,
   network inet6 dgram,
   network netlink raw,
 
+  signal (receive) set=(hup) peer=@{systemd},
+
+  ptrace (read,trace) peer=@{systemd},
+
   dbus send bus=system path=/org/freedesktop/login[0-9]
     interface=org.freedesktop.login[0-9].Manager
     member={CreateSession,ReleaseSession}

apparmor.d/groups/ssh/sshfs

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -10,41 +11,40 @@ include <tunables/global>
 profile sshfs @{exec_path} flags=(complain) {
   include <abstractions/base>
 
-  @{exec_path} mr,
+  mount fstype=fuse.sshfs -> @{HOME}/*/,
+  mount fstype=fuse.sshfs -> @{HOME}/*/*/,
 
   unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
 
+  @{exec_path} mr,
+
   @{bin}/ssh            rPx,
   @{bin}/fusermount{,3} rCx -> fusermount,
 
-  /dev/fuse rw,
-
-  mount fstype=fuse.sshfs -> @{HOME}/*/,
-  mount fstype=fuse.sshfs -> @{HOME}/*/*/,
-
   @{PROC}/sys/fs/pipe-max-size r,
 
+  /dev/fuse rw,
 
   profile fusermount flags=(complain) {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
 
-    # To mount anything:
     capability sys_admin,
 
+    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
+    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
+
     unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
 
     @{bin}/fusermount{,3} mr,
 
-    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
-    mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
-
     /etc/fuse.conf r,
 
-    /dev/fuse rw,
-
     @{PROC}/@{pid}/mounts r,
 
+    /dev/fuse rw,
+
+    include if exists <local/sshfs_fusermount>
   }
 
   include if exists <local/sshfs>

apparmor.d/groups/systemd/systemd-homed

@@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/uevent_seqnum r,
   @{sys}/devices/**/read_ahead_kb r,
 
+        @{PROC}/@{pid}/cgroup r,
         @{PROC}/devices r,
+        @{PROC}/pressure/* r,
         @{PROC}/sysvipc/{shm,sem,msg} r,
   owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
 
   capability sys_admin,  # To set a hostname
 
+  dbus bind bus=system name=org.freedesktop.hostname1,
+
+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=SetHostname 
+       peer=(name=:*, label=systemd//&systemd-networkd),
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName,GetConnectionUnixUser}
@@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
        member=Set*Hostname
        peer=(name=:*, label=hostnamectl),
 
-  dbus bind bus=system
-       name=org.freedesktop.hostname[0-9],
-
   @{exec_path} mr,
 
   @{etc_rw}/.#hostname* rw,

apparmor.d/groups/systemd/systemd-journald

@@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} {
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/module/printk/parameters/time r,
 
-  @{PROC}/@{pids}/comm r,
-  @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/attr/current r,
-  @{PROC}/@{pids}/sessionid r,
-  @{PROC}/@{pids}/loginuid r,
   @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/sessionid r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/kernel/hostname r,
 
   /dev/kmsg rw,

apparmor.d/groups/systemd/systemd-logind

@@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   /etc/systemd/sleep.conf r,
   /etc/systemd/logind.conf.d/{,**} r,
 
+  / r,
   /boot/{,**} r,
   /swap/swapfile r,
   /swapfile r,
@@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{PROC}/@{pid}/sessionid r,
   @{PROC}/@{pid}/stat r,
   @{PROC}/1/cmdline r,
+  @{PROC}/pressure/* r,
   @{PROC}/swaps r,
   @{PROC}/sysvipc/{shm,sem,msg} r,
 

apparmor.d/groups/systemd/systemd-modules-load

@@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} {
   /etc/modules-load.d/ r,
   /etc/modules-load.d/*.conf r,
 
+  @{sys}/module/compression r,
+
   include if exists <local/systemd-modules-load>
 }

apparmor.d/groups/systemd/systemd-networkd

@@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/net/ipv{4,6}/** rw,
 
   include if exists <local/systemd-networkd>

apparmor.d/groups/systemd/systemd-resolved

@@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/resolve/{,**} rw,
   owner @{run}/systemd/journal/socket w,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/kernel/hostname r,
   @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
 

apparmor.d/groups/systemd/systemd-timesyncd

@@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
+  dbus bind bus=system name=org.freedesktop.timesync1,
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus bind bus=system name=org.freedesktop.timesync1,
-
   @{exec_path} mr,
 
   @{etc_rw}/adjtime r,
@@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 
   owner /var/lib/systemd/timesync/clock rw,
 
-  owner @{run}/systemd/journal/socket w,
-  owner @{run}/systemd/timesync/synchronized rw,
         @{run}/resolvconf/*.conf r,
         @{run}/systemd/netif/state r,
         @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,
+  owner @{run}/systemd/timesync/synchronized rw,
+
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
 
   include if exists <local/systemd-timesyncd>
 }

apparmor.d/groups/systemd/systemd-udevd

@@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
   @{sys}/** rw,
 
+        @{PROC}/@{pid}/mountinfo r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/devices r,
         @{PROC}/driver/nvidia/gpus/ r,
         @{PROC}/driver/nvidia/gpus/*/information r,
+        @{PROC}/pressure/* r,
+        @{PROC}/sys/fs/nr_open r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,
-        @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
 
   /dev/ rw,

apparmor.d/groups/systemd/systemd-update-done

@@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {
 
   capability net_admin,
 
-  ptrace (read) peer=unconfined,
+  ptrace (read) peer=@{systemd},
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-user-runtime-dir

@@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} {
   mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
   umount @{run}/user/@{uid}/,
 
-  dbus send bus=system path=/org/freedesktop/login[0-9]
+  dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.DBus.Properties
        member=Get
-       peer=(name=org.freedesktop.login[0-9]),
+       peer=(name=org.freedesktop.login1),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-userdbd

@@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
 
   @{run}/systemd/userdb/{,**} rw,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
+
   include if exists <local/systemd-userdbd>
 }

apparmor.d/groups/systemd/systemd-userwork

@@ -14,9 +14,12 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
 
   capability sys_resource,
 
+  signal (send) peer=@{systemd},
+
   @{exec_path} mr,
 
   /etc/machine-id r,
+  /etc/shadow r,
 
   @{run}/systemd/userdb/ r,
 

apparmor.d/groups/virt/virtiofsd

@@ -10,6 +10,8 @@ include <tunables/global>
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
+  # userns,
+
   capability chown,
   capability dac_override,
   capability dac_read_search,

apparmor.d/profiles-a-f/fwupd

@@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   /boot/EFI/*/.goutputstream-@{rand6} rw,
   /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
   /boot/EFI/*/fwupdx@{int}.efi rw,
-  @{lib}/fwupd/efi/fwupdx@{int}.efi r,
+  @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/profiles-g-l/haveged

@@ -25,8 +25,8 @@ profile haveged @{exec_path} {
   @{PROC}/sys/kernel/random/write_wakeup_threshold w,
   /dev/random w,
 
-  @{sys}/devices/system/cpu/cpu*/cache/ r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
-  @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,
 
   include if exists <local/haveged>
 }

apparmor.d/profiles-g-l/irqbalance

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/irqbalance
-profile irqbalance @{exec_path} {
+profile irqbalance @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability setpcap,

apparmor.d/profiles-g-l/lvm

@@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 
   @{etc_rw}/lvm/** rwkl,
 
+  @{run}/lock/ rw,
   @{run}/lock/lvm/ rw,
   @{run}/lock/lvm/* rwk,
   @{run}/lvm/** rwk,

apparmor.d/profiles-m-r/packagekitd

@@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   @{bin}/appstreamcli                rPx,
   @{bin}/arch-audit                  rPx, # only: arch
   @{bin}/dpkg                        rPx -> child-dpkg, # only: dpkg
+  @{bin}/fc-cache                    rPx,
   @{bin}/glib-compile-schemas        rPx,
+  @{bin}/install-info                rPx,
   @{bin}/systemd-inhibit             rPx,
   @{bin}/update-desktop-database     rPx,
   @{lib}/apt/methods/*               rPx, # only: dpkg
   @{lib}/cnf-update-db               rPx,
   @{lib}/update-notifier/update-motd-updates-available  rPx,
   @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
-  /usr/share/libalpm/scripts/*            rPx,
+  /usr/share/libalpm/scripts/*       rPx,
 
   # Install/update packages
   / r,
@@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 
         /tmp/apt-changelog-@{rand6}/ w,
         /tmp/apt-changelog-@{rand6}/*.changelog rw,
+  owner /tmp/alpm_*/{,**} rw,
   owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
   owner /tmp/packagekit* rw,
 

apparmor.d/profiles-m-r/qemu-ga

@@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
-  ptrace peer=unconfined,
+  ptrace (read) peer=@{systemd},
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager

apparmor.d/profiles-m-r/rngd

@@ -8,13 +8,14 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/rngd
-profile rngd @{exec_path} {
+profile rngd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/devices-usb>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
 
   capability dac_read_search,
+  capability net_admin,
   capability sys_admin,
   capability sys_nice,
 

apparmor.d/profiles-s-z/slirp4netns

@@ -10,6 +10,8 @@ include <tunables/global>
 profile slirp4netns @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  # userns,
+
   capability net_admin,
   capability setpcap,
   capability sys_admin,

apparmor.d/profiles-s-z/snapd

@@ -44,7 +44,7 @@ profile snapd @{exec_path} {
   umount /snap/*/*/,
 
   ptrace (read) peer=snap,
-  ptrace (read) peer=unconfined,
+  ptrace (read) peer=@{systemd},
 
   dbus (send) bus=system path=/org/freedesktop/
          interface=org.freedesktop.login1.Manager

apparmor.d/profiles-s-z/sudo

@@ -94,7 +94,7 @@ profile sudo @{exec_path} {
   @{PROC}/sys/kernel/seccomp/actions_avail r,
 
         /dev/ r,    # interactive login
-        /dev/ptmx rw,
+        /dev/ptmx rwk,
   owner /dev/tty@{int} rw,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/profiles-s-z/thunderbird

@@ -35,6 +35,8 @@ profile thunderbird @{exec_path} {
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
 

apparmor.d/profiles-s-z/udisksd

@@ -54,6 +54,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/udisks2/temp-mount-*/,
   umount /media/cdrom[0-9]/,
 
+  signal (receive) set=(int) peer=@{systemd},
+
   dbus (send,receive) bus=system path=/
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect,

apparmor.d/tunables/multiarch.d/apparmor.d

@@ -53,3 +53,6 @@
 # Common places for binaries and libraries across distributions
 @{bin}=/{,usr/}{,s}bin
 @{lib}=/{,usr/}lib{,exec,32,64}
+
+# Name of the systemd profile: unconfined || systemd
+@{systemd}=unconfined

cmd/prebuild/main.go

@@ -47,6 +47,8 @@ func aaPrebuild() error {
 
 	if full {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+	} else {
+		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
 	}
 	if complain {
 		prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)

debian/control

@@ -6,7 +6,6 @@ Build-Depends: debhelper (>= 13.4),
                debhelper-compat (= 13),
                golang-any,
                config-package-dev,
-               rsync,
 Homepage: https://github.com/roddhjav/apparmor.d
 Vcs-Browser: https://github.com/roddhjav/apparmor.d
 Vcs-Git: https://github.com/roddhjav/apparmor.d.git

dists/apparmor.d.spec

@@ -16,7 +16,6 @@ Source0:        %{name}-%{version}.tar.gz
 Requires:       apparmor-profiles
 BuildRequires:  distribution-release
 BuildRequires:  golang-packaging
-BuildRequires:  rsync
 
 %description
 AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
@@ -48,6 +47,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 %dir /usr/lib/systemd/system/systemd-journald.service.d
 %dir /usr/lib/systemd/system/systemd-networkd.service.d
 %dir /usr/lib/systemd/system/systemd-timesyncd.service.d
+%dir /usr/lib/systemd/system/systemd-userdbd.service.d
 %dir /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d
 %dir /usr/share/zsh
 %dir /usr/share/zsh/site-functions
@@ -58,6 +58,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 /usr/lib/systemd/system/systemd-journald.service.d/apparmor.conf
 /usr/lib/systemd/system/systemd-networkd.service.d/apparmor.conf
 /usr/lib/systemd/system/systemd-timesyncd.service.d/apparmor.conf
+/usr/lib/systemd/system/systemd-userdbd.service.d/apparmor.conf
 /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d/apparmor.conf
 /usr/share/bash-completion/completions/aa-log
 /usr/share/zsh/site-functions/_aa-log.zsh

docs/development/structure.md

@@ -69,9 +69,9 @@ It creates even more issues when we want to use this profile in other profiles.
 
 **What if I still want to protect these programs?**
 
-You do not protect this program. *Protect the usage you have of these tools*.
+You do not protect these programs. *Protect the usage you have of these programs*.
 In practice, it means that you should put your development's terminal in a
-sandbox managed with [Toolbox]
+sandbox managed with [Toolbox].
 
 !!! example "To sum up"
 
@@ -100,7 +100,7 @@ include <abstractions/user-download-strict>
 
 ## Children profiles
 
-Usually, a child profile is in the [`children`][children] group. They have  the following note:
+Usually, a child profile is in the [`children`][children] group. They have the following note:
 
 !!! quote
 
@@ -165,6 +165,17 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
 [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
 
 
+## No New Privileges
+
+[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly-started program to get more privileges that its parent. So it is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transition to other profile because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed).
+
+The possible solutions are:
+
+* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)).
+* Inherit the current confinement (`ix`)
+* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking)
+
+
 ## Full system policy
 
 !!! quote
@@ -176,22 +187,60 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
 
     *Source: [AppArmor Wiki][apparmor-wiki]*
 
-This feature is only enabled when the profiles are built with `make full`. The profiles for full system policies are maintained in the **[`_full`][full]** group. It consists of two extra main profiles:
+### Enable
-
-1. **`init`**: For systemd as PID 1
-2. **`systemd`**: For systemd as user
-
-All core required applications that need to be started by systemd (both as user or root) need to be present in these profiles.
-
-Early policy load should also be enabled. In `/etc/apparmor/parser.conf`
-```
-cache-loc /etc/apparmor/earlypolicy/
-```
 
 !!! danger
 
     Full system policy is still under early development, do not run it outside a development VM! **You have been warned!!!**
 
+This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load must be enabled, in `/etc/apparmor/parser.conf` ensure you have:
+```
+write-cache
+cache-loc /etc/apparmor/earlypolicy/
+```
+
+### Structure
+
+The profiles for full system policies are maintained in the **[`_full`][full]** group.
+
+**systemd**
+
+In addition to systemd services (`systemd-*`) that have their own profiles, systemd itself, is confined using:
+
+- [x] **`systemd`**: For systemd as PID 1, designed such as:
+     - It allows internal systemd access,
+     - It allows starting all common root services.
+- [ ] **`systemd-user`**: For `systemd --user`, designed such as:
+     - It allows internal systemd user access,
+     - It allows starting all common user services.
+
+These profiles are only intended to confine themselves. Any services started by systemd must have their corresponding profile. It means that for a given distribution, the following services must have profiles:
+
+- [ ] For `systemd`:
+```sh
+/usr/lib/systemd/system-generators/*
+/usr/lib/systemd/system-environment-generators/*
+/usr/lib/systemd/system/*.service
+```
+
+- [ ] For `systemd-user`
+```sh
+/usr/lib/systemd/user-environment-generators/*
+/usr/lib/systemd/user-generators/*
+/usr/lib/systemd/user/*.service
+```
+
+To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`:
+```
+  @{lib}/foo rPx -> systemd//&foo,
+  ...
+```
+
+**Fallback**
+
+!!! warning "Work in Progress"
+
+In addition to systemd profiles, a full system policy needs to ensure that no program run in an unconfined state at any time. When full policy mode is enabled, special fallback profiles `default` and `default-user` are used to ensure this. PAM rule can be used to configure it further.
 
 [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
 [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full

docs/install.md

@@ -24,7 +24,6 @@ Please note that Wayland has a better support than Xorg.
 **Build dependencies**
 
 * Go >= 1.18
-* Rsync
 
 ## :material-arch: Archlinux
 

pkg/aa/profile.go

@@ -87,15 +87,16 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 	case "net":
 		p.Rules = append(p.Rules, NetworkFromLog(log))
 	case "mount":
-		p.Rules = append(p.Rules, MountFromLog(log))
+		switch log["operation"] {
-	case "remount":
+		case "mount":
-		p.Rules = append(p.Rules, RemountFromLog(log))
+			p.Rules = append(p.Rules, MountFromLog(log))
-	case "umount":
+		case "umount":
-		p.Rules = append(p.Rules, UmountFromLog(log))
+			p.Rules = append(p.Rules, UmountFromLog(log))
-	case "pivot_root":
+		case "remount":
-		p.Rules = append(p.Rules, PivotRootFromLog(log))
+			p.Rules = append(p.Rules, RemountFromLog(log))
-	case "change_profile":
+		case "pivotroot":
-		p.Rules = append(p.Rules, RemountFromLog(log))
+			p.Rules = append(p.Rules, PivotRootFromLog(log))
+		}
 	case "mqueue":
 		p.Rules = append(p.Rules, MqueueFromLog(log))
 	case "signal":
@@ -107,7 +108,11 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 	case "unix":
 		p.Rules = append(p.Rules, UnixFromLog(log))
 	case "file":
-		p.Rules = append(p.Rules, FileFromLog(log))
+		if log["operation"] == "change_onexec" {
+			p.Rules = append(p.Rules, ChangeProfileFromLog(log))
+		} else {
+			p.Rules = append(p.Rules, FileFromLog(log))
+		}
 	default:
 		if strings.Contains(log["operation"], "dbus") {
 			p.Rules = append(p.Rules, DbusFromLog(log))

pkg/aa/template.go

@@ -33,6 +33,7 @@ var (
 	// TODO: Should be a map of slice, not exhaustive yet
 	maskToAccess = map[string]string{
 		"a":            "w",
+		"ac":           "w",
 		"c":            "w",
 		"d":            "w",
 		"k":            "k",

pkg/prebuild/build.go

@@ -22,11 +22,9 @@ var (
 	regAttachments   = regexp.MustCompile(`(profile .* @{exec_path})`)
 	regFlags         = regexp.MustCompile(`flags=\(([^)]+)\)`)
 	regProfileHeader = regexp.MustCompile(` {`)
-	regAbi4To3       = util.ToRegexRepl([]string{
+	regAbi4To3       = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
-		`abi/4.0`, `abi/3.0`,
+		`abi/3.0`, `abi/4.0`,
-		`(?m)^.*mqueue.*$`, ``,
+		`# userns,`, `userns,`,
-		`(?m)^.*userns.*$`, ``,
-		`(?m)^.*io_uring.*$`, ``,
 	})
 )
 

pkg/prebuild/prepare.go

@@ -7,7 +7,6 @@ package prebuild
 import (
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -28,15 +27,14 @@ type PrepareFunc func() error
 
 // Initialize a new clean apparmor.d build directory
 func Synchronise() error {
-	dirs := paths.PathList{RootApparmord, Root.Join("root")}
+	dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")}
 	for _, dir := range dirs {
 		if err := dir.RemoveAll(); err != nil {
 			return err
 		}
 	}
-	for _, path := range []string{"./apparmor.d", "./root"} {
+	for _, name := range []string{"apparmor.d", "root"} {
-		cmd := exec.Command("rsync", "-a", path, Root.String())
+		if err := copyTo(paths.New(name), Root.Join(name)); err != nil {
-		if err := cmd.Run(); err != nil {
 			return err
 		}
 	}
@@ -173,15 +171,38 @@ func SetFlags() error {
 	return nil
 }
 
+// Set systemd unit drop in files to ensure some service start after apparmor
+func SetDefaultSystemd() error {
+	return copyTo(paths.New("systemd/default/"), Root.Join("systemd"))
+}
+
 // Set AppArmor for (experimental) full system policy.
 // See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
+	// Install full system policy profiles
 	for _, name := range []string{"systemd", "systemd-user"} {
 		err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 		if err != nil {
 			return err
 		}
 	}
+
+	// Set systemd profile name
+	path := paths.New("apparmor.d/tunables/multiarch.d/apparmor.d")
+	content, err := path.ReadFile()
+	if err != nil {
+		return err
+	}
+	res := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
+	if err := path.WriteFile([]byte(res)); err != nil {
+		return err
+	}
+
+	// Set systemd unit drop-in files
+	if err := copyTo(paths.New("systemd/full/"), Root.Join("systemd")); err != nil {
+		return err
+	}
+
 	logging.Success("Configure AppArmor for full system policy")
 	return nil
 }

pkg/prebuild/tools.go

@@ -61,7 +61,7 @@ func getSupportedDistribution() string {
 }
 
 func copyTo(src *paths.Path, dst *paths.Path) error {
-	files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
+	files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md"))
 	if err != nil {
 		return err
 	}
@@ -71,6 +71,9 @@ func copyTo(src *paths.Path, dst *paths.Path) error {
 			return err
 		}
 		destination = dst.JoinPath(destination)
+		if err := destination.Parent().MkdirAll(); err != nil {
+			return err
+		}
 		if err := file.CopyTo(destination); err != nil {
 			return err
 		}

systemd/default/system/systemd-userdbd.service

@@ -0,0 +1,2 @@
+[Unit]
+After=apparmor.service

systemd/full/system/ModemManager.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/e2scrub_reap.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/fwupd-refresh.service

@@ -0,0 +1,3 @@
+[Service]
+ProtectKernelModules=no
+RestrictRealtime=no

systemd/full/system/irqbalance.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/rngd.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-homed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-hostnamed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-journald.service

@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no

systemd/full/system/systemd-localed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-logind.service

@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no

systemd/full/system/systemd-timedated.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-userdbd.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/upower.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/user@.service

@@ -0,0 +1,3 @@
+# TODO: works as intended on server, does not work on desktop
+# [Service]
+# AppArmorProfile=systemd-user