feat(fsp): improve the base systemd profiles.
This commit is contained in:
parent
71632a6456
commit
da7958a2f9
4 changed files with 35 additions and 7 deletions
@ -65,14 +65,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
|
mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
|
||||||
mount fstype=autofs systemd-1 -> /efi/,
|
mount fstype=autofs systemd-1 -> /efi/,
|
||||||
mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
|
mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
|
||||||
mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
|
mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
|
||||||
mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
|
mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
|
||||||
|
mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
|
||||||
|
mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
|
||||||
|
mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/,
|
||||||
|
mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
|
||||||
|
mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
|
||||||
mount fstype=tmpfs tmpfs -> /dev/shm/,
|
mount fstype=tmpfs tmpfs -> /dev/shm/,
|
||||||
mount fstype=tmpfs tmpfs -> /tmp/,
|
mount fstype=tmpfs tmpfs -> /tmp/,
|
||||||
mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
|
mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
|
||||||
mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
|
mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
|
||||||
mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
|
mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
|
||||||
|
mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
|
||||||
|
mount fstype=vfat -> /boot/efi/,
|
||||||
|
|
||||||
mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
|
mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
|
||||||
mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
|
mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
|
||||||
|
|
@ -157,8 +164,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
# Unit services
|
# Unit services
|
||||||
@{bin}/mount ix,
|
@{bin}/mount ix,
|
||||||
|
@{bin}/kill ix,
|
||||||
|
|
||||||
# Shell based systemd unit services
|
# Shell based systemd unit services
|
||||||
|
# TODO: create unit profile for all of them
|
||||||
@{bin}/ldconfig Px -> systemd-service,
|
@{bin}/ldconfig Px -> systemd-service,
|
||||||
@{bin}/mandb Px -> systemd-service,
|
@{bin}/mandb Px -> systemd-service,
|
||||||
@{bin}/savelog Px -> systemd-service,
|
@{bin}/savelog Px -> systemd-service,
|
||||||
|
|
@ -187,8 +196,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
/etc/conf.d/{,**} r,
|
/etc/conf.d/{,**} r,
|
||||||
/etc/credstore.encrypted/{,**} r,
|
/etc/credstore.encrypted/{,**} r,
|
||||||
/etc/credstore/{,**} r,
|
/etc/credstore/{,**} r,
|
||||||
|
/etc/default/{,**} r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/modules-load.d/{,**} r,
|
/etc/modules-load.d/{,**} r,
|
||||||
|
/etc/networkd-dispatcher/{,**} r,
|
||||||
/etc/systemd/{,**} r,
|
/etc/systemd/{,**} r,
|
||||||
/etc/udev/hwdb.d/{,**} r,
|
/etc/udev/hwdb.d/{,**} r,
|
||||||
|
|
||||||
|
|
@ -199,6 +210,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
/tmp/systemd-private-*/{,**} rw,
|
/tmp/systemd-private-*/{,**} rw,
|
||||||
|
|
||||||
@{run}/ rw,
|
@{run}/ rw,
|
||||||
|
@{run}/*.socket w,
|
||||||
@{run}/*/ rw,
|
@{run}/*/ rw,
|
||||||
@{run}/*/* rw,
|
@{run}/*/* rw,
|
||||||
@{run}/auditd.pid r,
|
@{run}/auditd.pid r,
|
||||||
|
|
@ -263,6 +275,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
/dev/autofs r,
|
/dev/autofs r,
|
||||||
/dev/kmsg w,
|
/dev/kmsg w,
|
||||||
|
/dev/tty@{int} rw,
|
||||||
owner /dev/console rwk,
|
owner /dev/console rwk,
|
||||||
owner /dev/dri/card@{int} rw,
|
owner /dev/dri/card@{int} rw,
|
||||||
owner /dev/hugepages/ rw,
|
owner /dev/hugepages/ rw,
|
||||||
|
|
|
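Review bot: In the first hunk, `mount fstype=vfat -> /boot/efi/,` is the only new mount rule that pins neither a source nor an `options=(...)` list, so any vfat filesystem may be mounted over /boot/efi/ with arbitrary mount flags, whereas the sibling additions (binfmt_misc, configfs, debugfs, fusectl, mqueue, tracefs) fix both. A block-device source cannot be named statically, but the options can be pinned once observed, and the gap should at least be recorded so it is not copied elsewhere, e.g. `mount fstype=vfat -> /boot/efi/, # ESP: source varies per machine, add options= when known`. The enclosing `profile systemd` block begins before and continues after these hunks.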
||||||
|
|
@ -17,6 +17,7 @@ profile systemd-service flags=(attach_disconnected) {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability dac_read_search,
|
||||||
capability chown,
|
capability chown,
|
||||||
capability fsetid,
|
capability fsetid,
|
||||||
|
|
||||||
|
|
@ -42,9 +43,13 @@ profile systemd-service flags=(attach_disconnected) {
|
||||||
|
|
||||||
/var/cache/ldconfig/{,**} rw,
|
/var/cache/ldconfig/{,**} rw,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
|
||||||
/boot/grub/grubenv rw,
|
/boot/grub/grubenv rw,
|
||||||
/boot/grub/ w,
|
/boot/grub/ w,
|
||||||
|
|
||||||
|
/var/spool/cron/atjobs/ r,
|
||||||
|
|
||||||
/var/log/ r,
|
/var/log/ r,
|
||||||
/var/log/dmesg rw,
|
/var/log/dmesg rw,
|
||||||
/var/log/dmesg.* rwl -> /var/log/dmesg,
|
/var/log/dmesg.* rwl -> /var/log/dmesg,
|
||||||
|
|
|
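Review bot: The added `capability dac_read_search,` in the first hunk carries no indication of which unit script needs it; it lets every helper running under systemd-service bypass directory read and search permission checks, which widens what the path rules (including the new `/var/spool/cron/atjobs/ r,` in the second hunk) can actually reach. The atjobs spool is presumably the trigger, but that is an inference from the hunk; confirm and record it, e.g. `capability dac_read_search, # presumably for traversing /var/spool/cron/atjobs/ — confirm`. The systemd-service profile block starts and ends outside these hunks.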
||||||
|
|
@ -102,6 +102,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{run}/udev/tags/systemd/ r,
|
@{run}/udev/tags/systemd/ r,
|
||||||
|
|
||||||
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
|
||||||
@{sys}/devices/**/uevent r,
|
@{sys}/devices/**/uevent r,
|
||||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
|
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
|
||||||
|
|
@ -112,6 +115,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/@{pids}/comm r,
|
@{PROC}/@{pids}/comm r,
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pids}/stat r,
|
||||||
|
@{PROC}/1/environ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/pressure/* r,
|
@{PROC}/pressure/* r,
|
||||||
@{PROC}/swaps r,
|
@{PROC}/swaps r,
|
||||||
|
|
@ -134,6 +138,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
deny capability bpf,
|
||||||
|
deny capability mknod,
|
||||||
|
deny capability net_admin,
|
||||||
|
deny capability perfmon,
|
||||||
|
deny capability sys_resource,
|
||||||
|
|
||||||
profile systemctl {
|
profile systemctl {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app/systemctl>
|
include <abstractions/app/systemctl>
|
||||||
|
|
|
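Review bot: `@{PROC}/1/environ r,` in the second hunk grants the unprivileged user instance read access to PID 1's environment, a root-only file, so the rule most likely exists to quiet a probe that DAC rejects anyway rather than to permit a real data flow, and nothing in the hunk says which. A comment keeps a later reader from treating it as intended access, e.g. `@{PROC}/1/environ r, # probe only; DAC denies the read for unprivileged users — confirm`. The five `deny capability` rules in the third hunk have the same gap: they silence audit events without recording why the user instance requests those capabilities. The systemd-user profile block begins and ends outside these hunks.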
||||||
|
|
@ -12,7 +12,7 @@ abi <abi/4.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
profile systemd-user-service flags=(complain) {
|
profile systemd-user-service flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
|
|
|
||||||
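Review bot: Replacing `flags=(complain)` with `flags=(attach_disconnected)` moves systemd-user-service from complain to enforce mode on the same line that adds a flag, and neither the commit title nor the diffstat context calls out the mode change, so rules that were previously only logged will now be blocked. If enforcement is intended, state it in the commit message; if only `attach_disconnected` was meant, keep both: `profile systemd-user-service flags=(attach_disconnected,complain) {`. The profile body lies outside the hunk, so whether its rule set is complete enough for enforce mode cannot be judged here.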