From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 22:35:28 +0200
Subject: [PATCH] feat(fsp): remove the now deprecated generic system service profiles.
---
 apparmor.d/groups/_full/systemd-service | 77 -------------------
 apparmor.d/groups/_full/systemd-user-service | 23 ------
 dists/flags/main.flags | 1 -
 3 files changed, 101 deletions(-)
 delete mode 100644 apparmor.d/groups/_full/systemd-service
 delete mode 100644 apparmor.d/groups/_full/systemd-user-service
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
deleted file mode 100644
index a53193cc5..000000000
--- a/apparmor.d/groups/_full/systemd-service
+++ /dev/null
@@ -1,77 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-# that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-# via "Px -> systemd-service" exec transitions from the systemd profile.
-
-abi ,
-
-include
-
-profile systemd-service flags=(attach_disconnected) {
- include
- include
- include
-
- capability dac_read_search,
- capability chown,
- capability fsetid,
-
- @{sbin}/ldconfig rix,
- @{bin}/savelog rix,
- @{bin}/systemctl rix,
- @{bin}/gzip rix,
- @{coreutils_path} rix,
- @{sh_path} rmix,
-
- # ifup@.service
- @{bin}/ifup rPx,
-
- # shadow.service
- @{sbin}/pwck rPx,
- @{sbin}/grpck rPx,
-
- @{bin}/grub-editenv rPx,
- @{bin}/ibus-daemon rPx,
-
- @{bin}/* r,
- @{lib}/ r,
-
- /var/cache/ldconfig/{,**} rw,
-
- / r,
-
- /boot/grub/grubenv rw,
- /boot/grub/ w,
-
- /var/spool/cron/atjobs/ r,
-
- /var/log/ r,
- /var/log/dmesg rw,
- /var/log/dmesg.* rwl -> /var/log/dmesg,
-
- # man-db.service
- /usr/{,local/}share/man/{,**} r,
- /etc/manpath.config r,
- /var/cache/man/{,**} rwk,
-
- # snapd.system-shutdown.service
- @{run}/initramfs/shutdown rw,
- @{run}/initramfs/ rw,
-
- # cockpit.socket
- @{run}/cockpit/@{rand8} rw,
- @{run}/cockpit/motd w,
-
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service
deleted file mode 100644
index 0cb9efa49..000000000
--- a/apparmor.d/groups/_full/systemd-user-service
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-# that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
-
-abi ,
-
-include
-
-profile systemd-user-service flags=(attach_disconnected) {
- include
- include
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index a73fee129..5a6c7c526 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -2,7 +2,6 @@
 # File format: one profile by line using the format: ' '
 systemd attach_disconnected,mediate_deleted,complain
-systemd-service attach_disconnected,complain
 systemd-user attach_disconnected,mediate_deleted,complain
 akonadi_akonotes_resource complain