# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol
# Copyright (C) 2023 monsieuremre
# SPDX-License-Identifier: GPL-2.0-only

# Profile for systemd (PID 1), it does not specify an attachment path because
# it is directly loaded by systemd.

# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.

# Distributions and other programs can add rules in the usr/systemd.d directory

# NOTE(review): the angle-bracket arguments of the `abi`, `include` and
# `include if exists` statements in this copy were stripped during extraction
# (the text between `<` and `>` is missing). As written, `abi ,` and a bare
# `include` do not parse; the targets must be restored from upstream before
# this profile is loaded. Which abstractions/tunables were included cannot be
# recovered from this copy and is deliberately not guessed here.
abi ,

include
include
include
include
include
include

# attach_disconnected: paths that leave the namespace view (pivot_root/mount
# namespaces below) are still mediated rather than denied outright.
# mediate_deleted: rules keep applying to files that were unlinked while open.
profile systemd flags=(attach_disconnected,mediate_deleted) {
  include
  include
  include
  include
  include
  include

  # Capability set for PID 1. Note that sys_admin, sys_ptrace, dac_override
  # and setuid/setgid together amount to near-root on the host; the value of
  # this profile is mainly in the file/mount/exec mediation below, not here.
  capability audit_control,
  capability audit_read,
  capability audit_write,
  capability bpf,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mknod,
  capability net_admin,
  capability perfmon,
  capability setfcap,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_nice,
  capability sys_ptrace,
  capability sys_resource,
  capability sys_tty_config,

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  # Mounts performed while building per-unit sandboxes (namespace-@{rand6},
  # mount-rootfs, unit-root) and the well-known API filesystems.
  mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
  mount fstype=autofs systemd-1 -> /efi/,
  mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
  mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
  mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
  # NOTE(review): a mount rule without `options=` matches any mount options,
  # so this rule already covers the option-restricted /dev/shm/ rule further
  # down; keep both only if the intent is to later drop this broad one.
  mount fstype=tmpfs tmpfs -> /dev/shm/,
  mount fstype=tmpfs tmpfs -> /tmp/,
  mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
  mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
  mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
  # Bind-mounting individual device nodes into a unit's private /dev.
  mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
  mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
  mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
  # `move` rules with no source constrain only the destination.
  mount options=(rw move) -> @{sys}/fs/fuse/connections/,
  mount options=(rw move) -> @{sys}/kernel/config/,
  mount options=(rw move) -> @{sys}/kernel/debug/,
  mount options=(rw move) -> @{sys}/kernel/tracing/,
  mount options=(rw move) -> /dev/hugepages/,
  mount options=(rw move) -> /dev/mqueue/,
  mount options=(rw move) -> /efi/,
  mount options=(rw move) -> /tmp/,
  mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
  mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
  mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
  # Propagation changes on the real root and /dev.
  mount options=(rw rshared) -> /,
  mount options=(rw rslave) -> /,
  mount options=(rw rslave) -> /dev/,
  mount options=(rw slave) -> @{run}/systemd/incoming/,

  # Remounts with no `options=` allow any flag change on that path, including
  # the real root; the option-qualified ones below are the read-only/nosuid
  # hardening remounts applied inside unit sandboxes.
  remount @{HOME}/{,**},
  remount @{HOMEDIRS}/,
  remount @{MOUNTDIRS}/,
  remount @{MOUNTS}/{,**},
  remount @{run}/systemd/mount-rootfs/{,**},
  remount @{run}/systemd/unit-root/{,**},
  remount /,
  remount /snap/{,**},
  remount options=(ro noexec noatime bind) /var/snap/{,**},
  remount options=(ro nosuid bind) /dev/,
  remount options=(ro nosuid nodev bind) /dev/hugepages/,
  remount options=(ro nosuid nodev bind) /var/,
  remount options=(ro nosuid nodev noexec bind) /boot/,
  remount options=(ro nosuid nodev noexec bind) /dev/mqueue/,
  remount options=(ro nosuid nodev noexec bind) /efi/,
  remount options=(ro nosuid noexec bind) /dev/pts/,

  umount /,
  umount /dev/shm/,
  umount @{PROC}/sys/fs/binfmt_misc/,
  umount @{run}/systemd/mount-rootfs/{,**},
  umount @{run}/systemd/namespace-@{rand6}/{,**},
  umount @{run}/systemd/unit-root/{,**},

  # Root switch when entering a unit's RootDirectory=/RootImage= sandbox.
  pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
  pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,

  # Unqualified change_profile: PID 1 may switch to *any* loaded profile
  # (needed so units can request a profile of their own). This is by design
  # for a full-system policy, but it means no other rule in this file bounds
  # what PID 1 can become; keep that in mind when reviewing the exec rules.
  change_profile,

  signal (receive) set=(rtmin+23) peer=plymouthd,
  signal (receive) set=(term, hup, cont),
  # Unrestricted send: PID 1 must be able to signal every process on the host.
  signal (send),

  ptrace (read, readby),

  unix (send) type=dgram,
  unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none),
  unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),

  # `#aa:` lines look like comments to the parser but are directives for the
  # apparmor.d prebuild tooling, which expands them into rules; do not treat
  # the line below as documentation.
  #aa:dbus own bus=system name=org.freedesktop.systemd1
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
       peer=(name=org.freedesktop.DBus, label=dbus-system),

  # Exec transitions. `ix` inherits this (PID 1) profile, so the three binaries
  # below run with the full capability set above; keep this list minimal.
  @{bin}/systemctl rix,
  @{bin}/mount rix,
  @{lib}/systemd/systemd-executor rix,
  # Lower-case `p` = transition WITHOUT scrubbing the environment (unlike `P`).
  @{lib}/systemd/systemd rpx -> systemd-user,
  # Helpers that get the generic service profile rather than one of their own.
  @{bin}/ldconfig rPx -> systemd-service,
  @{bin}/mandb rPx -> systemd-service,
  @{bin}/savelog rPx -> systemd-service,
  @{coreutils_path} rPx -> systemd-service,
  @{sh_path} rPx -> systemd-service,
  # Catch-all: anything else under these trees runs under its own named
  # profile. With plain `Px` (no `u` fallback) the exec is denied if no profile
  # exists for the target, which is what makes this safe as a catch-all.
  @{bin}/** Px,
  @{lib}/** Px,
  /etc/cron.*/* Px,
  /etc/init.d/* Px,
  /usr/share/*/** Px,

  # Stacked transitions: the daemon runs confined by systemd//&<daemon>, i.e.
  # both profiles apply and the intersection of permissions is enforced.
  #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
  @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd,
  @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd,
  @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved,
  @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,

  @{lib}/ r,
  / r,
  /boot/ r,
  /boot/efi/ r,
  /efi/ r,
  /snap/ r,
  /snap/*/@{int}/ r,
  /tmp/ r,
  /usr/ r,
  /var/cache/*/ r,
  /var/lib/*/ r,
  /var/tmp/ r,

  /etc/binfmt.d/{,**} r,
  /etc/conf.d/{,**} r,
  # Credential stores are read-only here; the per-unit copies are written
  # under @{run}/credentials/ below.
  /etc/credstore.encrypted/{,**} r,
  /etc/credstore/{,**} r,
  /etc/environment r,
  /etc/environment.d/{,**} r,
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
  /etc/systemd/{,**} r,
  /etc/udev/hwdb.d/{,**} r,

  /var/lib/systemd/{,**} rw,

  # NOTE(review): `owner` (files whose uid matches PID 1's, i.e. root) is
  # applied to the /var/tmp PrivateTmp tree but not to the /tmp one two lines
  # down; the asymmetry may be intentional but is worth confirming.
  owner /var/tmp/systemd-private-*/{,**} rw,
  /tmp/namespace-dev-@{rand6}/{,**} rw,
  /tmp/systemd-private-*/{,**} rw,

  # Broad write access to the runtime dir: @{run}/*/* covers every daemon's
  # runtime directory one level deep, not just systemd's own.
  @{run}/ rw,
  @{run}/*/ rw,
  @{run}/*/* rw,
  @{run}/auditd.pid r,
  @{run}/credentials/{,**} rw,
  @{run}/initctl rw,
  @{run}/systemd/{,**} rw,
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+leds:*backlight* r,
  @{run}/udev/data/+module:configfs r,
  @{run}/udev/data/+module:fuse r,
  @{run}/udev/data/c4:@{int} r,        # For TTY devices
  @{run}/udev/data/c10:@{int} r,       # For non-serial mice, misc features
  @{run}/udev/data/c116:@{int} r,      # For ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
  @{run}/udev/data/n@{int} r,
  @{run}/udev/tags/systemd/ r,

  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/@{pci}/** r,
  @{sys}/devices/**/net/** r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/product_version r,
  @{sys}/devices/virtual/tty/console/active r,
  # Full cgroup tree write: PID 1 is the cgroup manager.
  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/fuse/connections/ r,
  @{sys}/fs/pstore/ r,
  @{sys}/kernel/**/ r,
  @{sys}/module/**/uevent r,
  @{sys}/module/apparmor/parameters/enabled r,

  # @{pid} is unqualified here, so these apply to every process's /proc entry,
  # not only PID 1's own (the `owner`-qualified entries further down differ).
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/comm r,
  @{PROC}/@{pid}/coredump_filter r,
  @{PROC}/@{pid}/environ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fdinfo/@{int} r,
  # uid_map/gid_map/setgroups are written when a user namespace is configured;
  # presumably for PrivateUsers=-style unit sandboxing — confirm against the
  # systemd version this policy targets.
  @{PROC}/@{pid}/gid_map rw,
  @{PROC}/@{pid}/loginuid rw,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/setgroups rw,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/uid_map rw,
  @{PROC}/cmdline r,
  @{PROC}/devices r,
  @{PROC}/pressure/* r,
  @{PROC}/swaps r,
  @{PROC}/sys/fs/binfmt_misc/ r,
  @{PROC}/sys/fs/nr_open r,
  @{PROC}/sys/kernel/* r,
  @{PROC}/sysvipc/{shm,sem,msg} r,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

  /dev/autofs r,
  # Write-only access to the kernel log ring.
  /dev/kmsg w,
  # `owner` here means root-owned device nodes only (PID 1 runs as uid 0).
  owner /dev/console rwk,
  owner /dev/dri/card@{int} rw,
  owner /dev/hugepages/ rw,
  owner /dev/initctl rw,
  owner /dev/input/event@{int} rw,
  owner /dev/mqueue/ rw,
  owner /dev/rfkill rw,
  owner /dev/shm/ rw,
  owner /dev/ttyS@{int} rwk,

  # Distribution / local drop-ins (targets stripped in this copy, see the note
  # at the top of the file).
  include if exists
  include if exists
}

# vim:syntax=apparmor