From da7958a2f9a02e86df049d3b2a5760d99b045d92 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 7 Mar 2025 00:00:24 +0100
Subject: [PATCH] feat(fsp): improve the base systemd profiles.

---
 apparmor.d/groups/_full/systemd | 25 +++++++++++++++-----
 apparmor.d/groups/_full/systemd-service | 5 ++++
 apparmor.d/groups/_full/systemd-user | 10 ++++++++
 apparmor.d/groups/_full/systemd-user-service | 2 +-
 4 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index d71647705..0206b0189 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -65,14 +65,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
  mount fstype=autofs systemd-1 -> /efi/,
- mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
- mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
- mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
+ mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
+ mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
+ mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
+ mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
+ mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
+ mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/,
+ mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
+ mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
  mount fstype=tmpfs tmpfs -> /dev/shm/,
  mount fstype=tmpfs tmpfs -> /tmp/,
- mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
- mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
- mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+ mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
+ mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
+ mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+ mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
+ mount fstype=vfat -> /boot/efi/,
  mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
  mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
@@ -157,8 +164,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  # Unit services
  @{bin}/mount ix,
+ @{bin}/kill ix,
  # Shell based systemd unit services
+ # TODO: create unit profile for all of them
  @{bin}/ldconfig Px -> systemd-service,
  @{bin}/mandb Px -> systemd-service,
  @{bin}/savelog Px -> systemd-service,
@@ -187,8 +196,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /etc/conf.d/{,**} r,
  /etc/credstore.encrypted/{,**} r,
  /etc/credstore/{,**} r,
+ /etc/default/{,**} r,
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
+ /etc/networkd-dispatcher/{,**} r,
  /etc/systemd/{,**} r,
  /etc/udev/hwdb.d/{,**} r,
@@ -199,6 +210,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /tmp/systemd-private-*/{,**} rw,
  @{run}/ rw,
+ @{run}/*.socket w,
  @{run}/*/ rw,
  @{run}/*/* rw,
  @{run}/auditd.pid r,
@@ -263,6 +275,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /dev/autofs r,
  /dev/kmsg w,
+ /dev/tty@{int} rw,
  owner /dev/console rwk,
  owner /dev/dri/card@{int} rw,
  owner /dev/hugepages/ rw,
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index e6c4a4b7b..dfe3000bc 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -17,6 +17,7 @@ profile systemd-service flags=(attach_disconnected) {
  include
  include
+ capability dac_read_search,
  capability chown,
  capability fsetid,
@@ -42,9 +43,13 @@ profile systemd-service flags=(attach_disconnected) {
  /var/cache/ldconfig/{,**} rw,
+ / r,
+ /boot/grub/grubenv rw,
  /boot/grub/ w,
+ /var/spool/cron/atjobs/ r,
+ /var/log/ r,
  /var/log/dmesg rw,
  /var/log/dmesg.* rwl -> /var/log/dmesg,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 919c53457..401e73bd9 100644
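Review bot: `mount fstype=vfat -> /boot/efi/,`, the last added line of the `@@ -65,14 +65,21 @@` hunk of apparmor.d/groups/_full/systemd, is the only new mount rule in the hunk with neither a source nor an `options=(...)` tuple, so it admits any flag set for the ESP, with none of the nosuid/nodev/noexec restrictions the pseudo-filesystem rules above it pin. If this is the fstab/automount mount of /boot/efi (the hunk keeps `mount fstype=autofs systemd-1 -> /efi/,`), its flags are known and could be pinned the same way; if they vary per distribution, a one-line comment saying so would keep the next reader from tightening it blindly, e.g. `# ESP mount flags come from fstab, so they are not pinned here`. The three `tmpfs` lines removed and re-added with text that is identical once whitespace is collapsed read as an alignment-only move.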
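Review bot: `/dev/tty@{int} rw,` in the `@@ -263,6 +275,7 @@` hunk of apparmor.d/groups/_full/systemd is the only rule in that run without the `owner` qualifier that `/dev/console`, `/dev/dri/card@{int}` and `/dev/hugepages/` carry, and nothing says why. If the reason is that virtual consoles get chowned to the logged-in user, so `owner` would stop matching for PID 1 once a session is active, a comment would make that explicit, e.g. `# not owner: TTYs are chowned to the session user once someone logs in`; otherwise `owner /dev/tty@{int} rw,` would keep the run consistent.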
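Review bot: `capability dac_read_search,` in the `@@ -17,6 +17,7 @@` hunk of apparmor.d/groups/_full/systemd-service is granted to the shared profile, so every unit routed there (`ldconfig`, `mandb`, `savelog` and the rest of the `Px -> systemd-service` list in the systemd profile) gains the right to bypass read and search permission checks, not only the unit that needed it. A comment naming the triggering unit would let the capability move out once that unit gets its own profile, as the `# TODO: create unit profile for all of them` added in the same commit anticipates, e.g. `capability dac_read_search, # needed by <unit name placeholder>`. It is also inserted before `capability chown,` while the existing lines are alphabetical; placing it after `chown` keeps that order.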
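Review bot: `/boot/grub/grubenv rw,` in the `@@ -42,9 +43,13 @@` hunk of apparmor.d/groups/_full/systemd-service gives write access to the bootloader environment block to every unit that lands in this shared profile, and `/ r,` plus `/var/spool/cron/atjobs/ r,` widen it further. Presumably one specific unit writes grubenv; a comment naming it would make the candidate for a dedicated profile obvious when the TODO added to the systemd profile is acted on, e.g. `/boot/grub/grubenv rw, # written by <unit name placeholder>`. The enclosing profile continues outside the hunk.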
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -102,6 +102,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  @{run}/udev/tags/systemd/ r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/**/uevent r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
@@ -112,6 +115,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/comm r,
  @{PROC}/@{pids}/stat r,
+ @{PROC}/1/environ r,
  @{PROC}/cmdline r,
  @{PROC}/pressure/* r,
  @{PROC}/swaps r,
@@ -134,6 +138,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  /dev/tty rw,
+ deny capability bpf,
+ deny capability mknod,
+ deny capability net_admin,
+ deny capability perfmon,
+ deny capability sys_resource,
+
  profile systemctl {
  include
  include
diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service
index d65846f82..0cb9efa49 100644
--- a/apparmor.d/groups/_full/systemd-user-service
+++ b/apparmor.d/groups/_full/systemd-user-service
@@ -12,7 +12,7 @@ abi ,
  include
-profile systemd-user-service flags=(complain) {
+profile systemd-user-service flags=(attach_disconnected) {
  include
  include
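Review bot: `@{PROC}/1/environ r,` in the `@@ -112,6 +115,7 @@` hunk of apparmor.d/groups/_full/systemd-user lets the user manager read PID 1's environment, the one entry in this run that is not about the user's own processes (`@{PROC}/@{pids}/...`). For an unprivileged user@.service instance the kernel's ptrace-style access check on /proc/1/environ normally refuses this regardless of the profile, so the rule presumably matters only for a root-owned instance or merely silences a log entry; a comment stating which case produced it would help, e.g. `# user manager reads the system manager's environment (seen for: <source placeholder>)`.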
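Review bot: the five `deny capability ...` lines in the `@@ -134,6 +138,12 @@` hunk of apparmor.d/groups/_full/systemd-user carry no comment, and an explicit `deny` takes precedence over any allow rule, including ones pulled in through the profile's includes, so they are a stronger statement than simply not listing the capabilities. If the intent is to silence audit noise from capabilities the user manager probes but does not need, say so above the block, e.g. `# Explicitly denied to silence noise: probed by the user manager but never required`, so a later reader does not try to re-allow one of them through an abstraction and wonder why it has no effect.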
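Review bot: the new `profile systemd-user-service flags=(attach_disconnected) {` in apparmor.d/groups/_full/systemd-user-service switches this catch-all profile for user units from complain to enforcing, which the commit title does not mention and which the hunk does not let a reader judge, since the profile's rule body lies outside it. If enforcement is intended, a one-line comment above the profile recording the promotion would help, e.g. `# Enforced since <date placeholder>; previously complain`; if only `attach_disconnected` was meant to be added, `flags=(attach_disconnected,complain)` keeps both.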