felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/_full/systemd-user
Alexandre Pujol e41779f576
feat(full): add default bwrap profiles. 
On  full system policy, use the new bwrap profile (and bwrap-app) to confine sandboxed application.
It is not enabled by default as the sandbox profile is quite large.

Also integrate with the gnome app that use bwrap as sandbox manager.

Update other related profiles

See Full system policy #252
2023-11-26 23:12:35 +00:00

99 lines
3.1 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-user" exec transitions from the systemd profile.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
# Distributions and other programs can add rules in the usr/systemd-user.d directory
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
profile systemd-user flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
network netlink raw,
ptrace (read),
signal (send) set=(term, cont, kill),
@{exec_path} mr,
@{bin}/systemctl rCx -> systemctl,
audit @{lib}/** Pix,
audit @{bin}/** Pix,
@{bin}/pipewire rPx -> systemd-user//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
@{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd-user//&pulseaudio,
@{bin}/wireplumber rPx -> systemd-user//&wireplumber,
/usr/ r,
/etc/systemd/user.conf r,
/etc/systemd/user.conf.d/{,**} r,
/etc/systemd/user/{,**} r,
owner @{user_config_dirs}/systemd/user/{,**} r,
owner @{run}/user/@{uid}/{,*/,*} rw,
owner @{run}/user/@{uid}/*/* rw,
owner @{run}/user/@{uid}/systemd/{,**} rwl,
@{run}/mount/utab r,
@{run}/systemd/notify w,
@{run}/udev/data/* r,
@{run}/udev/tags/systemd/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
@{sys}/module/apparmor/parameters/enabled r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/stat r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/threads-max r,
owner @{PROC}/@{pids}/attr/apparmor/exec w,
owner @{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pids}/oom_score_adj rw,
profile systemctl {
include <abstractions/base>
@{bin}/systemctl mr,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pids}/status r,
include if exists <usr/systemd-user_systemctl.d>
include if exists <local/systemd-user_systemctl>
}
include if exists <usr/systemd-user.d>
include if exists <local/systemd-user>
}
Reference in a new issue View git blame Copy permalink