felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(fsp): improve fsp profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-06-21 19:43:02 +02:00
parent bb6ca01718
commit ea45cec24d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 13 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

24
apparmor.d/groups/_full/sd
View file

@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
umount /, umount /,
umount /dev/shm/, umount /dev/shm/,
umount @{run}/systemd/mount-rootfs/{,**}, umount @{run}/systemd/mount-rootfs/{,**},
umount @{run}/systemd/namespace-@{rand6}/{,**},
# mount tmpfs -> @{run}/lock/,
# mount tmpfs -> @{sys}/fs/cgroup/,
# mount cgroup -> @{sys}/fs/cgroup/systemd/,
# audit mount /dev/** -> /boot/{,efi/},
# audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
# audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
# audit remount @{run}/systemd/unit-root/{,**},
# audit remount options=(ro noexec noatime bind) /var/snap/{,**},
# audit remount options=(ro nosuid nodev bind) /var/,
# audit remount options=(ro nosuid nodev noexec bind) /boot/,
# audit umount @{PROC}/sys/fs/binfmt_misc/,
# audit umount @{run}/systemd/namespace-@{rand6}/{,**},
# audit umount @{run}/systemd/unit-root/{,**},
pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
@{bin}/true ix, @{bin}/true ix,
# Required due to stacked profiles # Required due to stacked profiles
@{sbin}/grpck ix, @{bin}/find ix,
@{bin}/gzip ix, @{bin}/gzip ix,
@{bin}/install ix, @{bin}/install ix,
@{sbin}/pwck ix,
@{bin}/readlink ix, @{bin}/readlink ix,
@{lib}/colord-sane ix, @{lib}/colord-sane ix,
@{lib}/systemd/systemd-nsresourcework ix, @{lib}/systemd/systemd-nsresourcework ix,
@{lib}/systemd/systemd-userwork ix, @{lib}/systemd/systemd-userwork ix,
@{sbin}/grpck ix,
@{sbin}/pwck ix,
/ r, / r,
@{att}/ r, @{att}/ r,
@{bin}/{,**} r, @{bin}/{,**} r,
@{lib}/{,**} r, @{lib}/{,**} r,
@{sbin}/{,*} r, @{sbin}/{,*} r,
/usr/local/{,**} r,
/usr/share/** r, /usr/share/** r,
/etc/*/ w, /etc/*/ w,
/etc/** rk, /etc/** rk,
@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
/var/lib/*/ rw, /var/lib/*/ rw,
/var/lib/*/** rwk, /var/lib/*/** rwk,
/var/lib/systemd/*/ r, /var/lib/systemd/*/ r,
/var/log/ r,
/var/log/** rw, /var/log/** rw,
/var/log/journal/** rwl -> /var/log/journal/**, /var/log/journal/** rwl -> /var/log/journal/**,

2
apparmor.d/groups/_full/sdu
View file

@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny capability net_admin,
profile shell flags=(attach_disconnected,mediate_deleted,complain) { profile shell flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>

5
apparmor.d/groups/_full/systemd
View file

@ -50,7 +50,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd @{exec_path} = @{lib}/systemd/systemd
profile systemd flags=(attach_disconnected,mediate_deleted) { profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/disks-read> include <abstractions/disks-read>
@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r, @{etc_ro}/environment.d/{,**} r,
/etc/acpi/events/{,**} r,
/etc/binfmt.d/{,**} r, /etc/binfmt.d/{,**} r,
/etc/conf.d/{,**} r, /etc/conf.d/{,**} r,
/etc/default/{,**} r, /etc/default/{,**} r,
/etc/machine-id r,
/etc/modules-load.d/{,**} r, /etc/modules-load.d/{,**} r,
/etc/networkd-dispatcher/{,**} r, /etc/networkd-dispatcher/{,**} r,
/etc/systemd/{,**} r, /etc/systemd/{,**} r,
@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
@{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/{,**} rw,
@{sys}/fs/fuse/connections/ r, @{sys}/fs/fuse/connections/ r,
@{sys}/fs/pstore/ r, @{sys}/fs/pstore/ r,

2
apparmor.d/groups/_full/systemd-user
View file

@ -16,7 +16,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd @{exec_path} = @{lib}/systemd/systemd
profile systemd-user flags=(attach_disconnected,mediate_deleted) { profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus-system> include <abstractions/bus-system>