From ea45cec24d5cbf9c66feb859740b802cf46ececf Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 21 Jun 2025 19:43:02 +0200
Subject: [PATCH] feat(fsp): improve fsp profiles.

---
 apparmor.d/groups/_full/sd | 24 ++++++------------------
 apparmor.d/groups/_full/sdu | 2 ++
 apparmor.d/groups/_full/systemd | 5 ++++-
 apparmor.d/groups/_full/systemd-user | 2 +-
 4 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
index 48172638e..da14cabf3 100644
--- a/apparmor.d/groups/_full/sd
+++ b/apparmor.d/groups/_full/sd
@@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   umount /,
   umount /dev/shm/,
   umount @{run}/systemd/mount-rootfs/{,**},
-
-  # mount tmpfs -> @{run}/lock/,
-  # mount tmpfs -> @{sys}/fs/cgroup/,
-  # mount cgroup -> @{sys}/fs/cgroup/systemd/,
-  # audit mount /dev/** -> /boot/{,efi/},
-  # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
-  # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
-
-  # audit remount @{run}/systemd/unit-root/{,**},
-  # audit remount options=(ro noexec noatime bind) /var/snap/{,**},
-  # audit remount options=(ro nosuid nodev bind) /var/,
-  # audit remount options=(ro nosuid nodev noexec bind) /boot/,
-
-  # audit umount @{PROC}/sys/fs/binfmt_misc/,
-  # audit umount @{run}/systemd/namespace-@{rand6}/{,**},
-  # audit umount @{run}/systemd/unit-root/{,**},
+  umount @{run}/systemd/namespace-@{rand6}/{,**},
 
   pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
@@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   @{bin}/true ix,
 
   # Required due to stacked profiles
-  @{sbin}/grpck ix,
+  @{bin}/find ix,
   @{bin}/gzip ix,
   @{bin}/install ix,
-  @{sbin}/pwck ix,
   @{bin}/readlink ix,
   @{lib}/colord-sane ix,
   @{lib}/systemd/systemd-nsresourcework ix,
   @{lib}/systemd/systemd-userwork ix,
+  @{sbin}/grpck ix,
+  @{sbin}/pwck ix,
 
   / r,
   @{att}/ r,
   @{bin}/{,**} r,
   @{lib}/{,**} r,
   @{sbin}/{,*} r,
+  /usr/local/{,**} r,
   /usr/share/** r,
   /etc/*/ w,
   /etc/** rk,
@@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   /var/lib/*/ rw,
   /var/lib/*/** rwk,
   /var/lib/systemd/*/ r,
+  /var/log/ r,
   /var/log/** rw,
   /var/log/journal/** rwl -> /var/log/journal/**,
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
index c9338fd22..80d8c1fb9 100644
--- a/apparmor.d/groups/_full/sdu
+++ b/apparmor.d/groups/_full/sdu
@@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
   owner @{PROC}/@{pid}/oom_score_adj rw,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  deny capability net_admin,
+
   profile shell flags=(attach_disconnected,mediate_deleted,complain) {
     include
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index b7c12c6bd..184084fed 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -50,7 +50,7 @@ abi ,
 include
 
 @{exec_path} = @{lib}/systemd/systemd
-profile systemd flags=(attach_disconnected,mediate_deleted) {
+profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
   include
   include
   include
@@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{etc_ro}/environment r,
   @{etc_ro}/environment.d/{,**} r,
 
+  /etc/acpi/events/{,**} r,
   /etc/binfmt.d/{,**} r,
   /etc/conf.d/{,**} r,
   /etc/default/{,**} r,
+  /etc/machine-id r,
   /etc/modules-load.d/{,**} r,
   /etc/networkd-dispatcher/{,**} r,
   /etc/systemd/{,**} r,
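Review bot: `@{bin}/find ix,` executes find inside the `sd` profile itself, so anything find spawns through `-exec`, `-execdir` or `-ok` is mediated by `sd`'s own exec rules (the `ix` entries visible here plus whatever sits outside the hunk), and the `# Required due to stacked profiles` comment it now sits under does not say which stacked unit profile needs find or what it runs. Name it on the rule, e.g. `@{bin}/find ix, # <unit>.service ExecStart` (and the same for the new `/usr/local/{,**} r,` if it was added for one specific unit), so the next person can tell a required rule from a leftover. Since the `sd` header shows `complain`, a child exec that is not covered is only logged today and would start failing once the profile is switched to enforce. The enclosing profile starts and ends outside the hunk.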
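Review bot: `deny capability net_admin,` is an explicit deny: it overrides any allow rule elsewhere in `sdu`, and deny rules are not logged by default, so if some code path in this profile legitimately needs CAP_NET_ADMIN later it will fail without a trace in the audit log. Nothing in the hunk or the commit message says why it is denied; record it on the rule, e.g. `deny capability net_admin, # not required, silences the request from <caller>`, naming the caller that triggers it if known. Note that `sdu` has no `complain` flag in its header, so this rule is enforced immediately. The enclosing profile starts and ends outside the hunk.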
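Review bot: Adding `complain` to the `systemd` profile flags turns enforcement off for PID 1: accesses the profile does not allow are logged and permitted, so until the flag is dropped again this profile confines nothing, and the commit message only says "improve fsp profiles". This is presumably a deliberate step while the full-system-policy rule set is still being collected (the `sd` profile in the same commit already carries the flag), but that intent should live next to the flag so the file is not shipped this way by accident, e.g. `# TODO: complain mode until the fsp rule set is complete; remove before enforcing` above the profile line. The profile body continues outside the hunk.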
@@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
   @{sys}/fs/cgroup/{,**} rw,
   @{sys}/fs/fuse/connections/ r,
   @{sys}/fs/pstore/ r,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index ed531c58b..a5bb4d926 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -16,7 +16,7 @@ abi ,
 include
 
 @{exec_path} = @{lib}/systemd/systemd
-profile systemd-user flags=(attach_disconnected,mediate_deleted) {
+profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
   include
   include
   include
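Review bot: `@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,` accepts the variable under any vendor GUID, whereas systemd's loader variables all use one fixed vendor GUID (`4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`, the `EFI_LOADER_VARIABLE` vendor in systemd's source — confirm against the tree before pinning), so the rule can name that GUID instead of `@{uuid}`. The `w` is presumably there because PID 1 (re)writes the system token at boot; if only reads show up in the logs, `r` is enough, since a write on efivarfs is a write to firmware NVRAM. With the profile in complain mode after this commit the rule is not enforced yet, so this is the moment to get the pattern right. The enclosing profile starts and ends outside the hunk.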
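Review bot: The same `complain` flag is added to `systemd-user`, the profile for every per-user `systemd --user` instance, so user service managers are audited but no longer confined until it is removed, and nothing in the hunk or the commit message records that this is temporary. Put the intent above the profile line, e.g. `# TODO: complain mode while fsp rules are collected; remove before enforcing`, so the enforcing default is not lost. The profile body continues outside the hunk.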