felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/_full/systemd
Alexandre Pujol ea45cec24d
feat(fsp): improve fsp profiles.
2025-06-21 19:43:02 +02:00

242 lines
8.8 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2023 monsieuremre <https://github.com/monsieuremre>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for systemd (PID 1), it does not specify an attachment path because
# it is directly loaded by systemd.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
# Distributions and other programs can add rules in the usr/systemd.d directory
# Overall architecture of the systemd profiles:
# systemd # PID 1, entrypoint, requires "Early policy"
# ├── systemd # To restart itself
# ├── systemd-generators-* # Systemd system and environment generators
# └── sd # Internal service starter and config handler, handles all services
# ├── Px or px, # Any service with profile
# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd)
# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd)
# ├── sd-mount # Handles all mounts from services
# ├── sd//systemctl # Internal system systemctl
# └── systemd-user # Profile for 'systemd --user'
# ├── systemd-user # To restart itself
# ├── systemd-user-generators-* # Systemd user and environment generators
# └── sdu # Handles all user services
# ├── Px or px, # Any user service with profile
# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd)
# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd)
# └── sdu//systemctl # Internal user systemctl
# Advantages:
# - Differentiate systemd (PID 1) and `system --user`
# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles.
# - Allow the executor profiles to handled stacked profiles.
# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`.
# - Dedicated `sd-mount` profile for most mount from the unit services.
# TODO: rework this to get a controlled environment:
# - No global allow anymore: in high security environments, we must manage the list
# of program/service that can be started by systemd and ensure that they are all
# listed and confined. Programs not listed will not be able to start.
# - Outside common systemd service, the list may have to be automatically
# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_control,
capability audit_read,
capability audit_write,
capability bpf,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability perfmon,
capability setpcap,
capability sys_admin,
capability sys_boot,
capability sys_ptrace,
capability sys_resource,
capability sys_tty_config,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network vsock stream,
mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
mount fstype=autofs systemd-1 -> @{efi}/,
mount fstype=tmpfs tmpfs -> /tmp/,
mount options=(rw rslave) -> /,
remount @{HOME}/{,**},
remount @{HOMEDIRS}/,
remount @{MOUNTDIRS}/,
remount @{MOUNTS}/{,**},
remount /snap/{,**},
remount options=(ro bind nodev noexec nosuid) /dev/mqueue/,
remount options=(ro bind nodev nosuid) /dev/hugepages/,
remount options=(ro bind noexec nosuid) /dev/pts/,
remount options=(ro bind nosuid) /dev/,
remount options=(ro bind) @{efi}/,
remount options=(ro bind) /,
umount @{PROC}/sys/fs/binfmt_misc/,
umount @{run}/credentials/*/,
mqueue (read getattr) type=posix /,
signal send,
ptrace (read, readby),
unix type=dgram,
unix type=stream,
#aa:dbus own bus=system name=org.freedesktop.systemd1
@{exec_path} mrix,
@{sh_path} mr,
# Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
@{lib}/systemd/systemd-executor mPx -> sd,
# Systemd system generators. Profiles must exist
@{lib}/netplan/generate mPx,
@{lib}/systemd/system-environment-generators/* mPx,
@{lib}/systemd/system-generators/* mPx,
@{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r,
/etc/acpi/events/{,**} r,
/etc/binfmt.d/{,**} r,
/etc/conf.d/{,**} r,
/etc/default/{,**} r,
/etc/machine-id r,
/etc/modules-load.d/{,**} r,
/etc/networkd-dispatcher/{,**} r,
/etc/systemd/{,**} r,
/etc/systemd/system/** w,
/etc/udev/hwdb.d/{,**} r,
#aa:only pacman
# It is unclear why this is needed here and not in sd
/etc/pacman.d/gnupg/S.dirmngr w,
/etc/pacman.d/gnupg/S.gpg-agent w,
/etc/pacman.d/gnupg/S.gpg-agent.browser w,
/etc/pacman.d/gnupg/S.gpg-agent.extra w,
/etc/pacman.d/gnupg/S.gpg-agent.ssh w,
/etc/pacman.d/gnupg/S.keyboxd w,
@{efi}/ r,
/snap/*/@{int}/ r,
/tmp/ r,
/var/tmp/ r,
owner /tmp/systemd-private-*/{,**} rw,
owner /var/tmp/systemd-private-*/{,**} rw,
@{att}/@{run}/systemd/journal/dev-log r,
@{att}/@{run}/systemd/journal/socket r,
@{att}/@{run}/systemd/notify r,
@{run}/ rw,
@{run}/* rw,
@{run}/*/ rw,
@{run}/*/* rw,
@{run}/credentials/{,**} rw,
@{run}/systemd/{,**} rw,
@{run}/udev/data/+module:configfs r,
@{run}/udev/data/+module:fuse r,
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r,
@{run}/udev/tags/systemd/ r,
@{sys}/**/uevent r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/fs/fuse/connections/ r,
@{sys}/fs/pstore/ r,
@{sys}/kernel/**/ r,
@{sys}/module/apparmor/parameters/enabled r,
@{sys}/module/vt/parameters/default_utf8 r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/fs/binfmt_misc/ r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/* r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sysvipc/msg r,
@{PROC}/sysvipc/sem r,
@{PROC}/sysvipc/shm r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/1/coredump_filter r,
owner @{PROC}/1/fdinfo/@{int} r,
owner @{PROC}/1/gid_map r,
owner @{PROC}/1/oom_score_adj rw,
owner @{PROC}/1/setgroups r,
owner @{PROC}/1/uid_map r,
/dev/autofs r,
/dev/dri/card@{int} rw,
/dev/initctl w,
/dev/input/ r,
/dev/kmsg w,
/dev/tty rw,
/dev/tty@{int} rw,
owner /dev/console rwk,
owner /dev/hugepages/ rw,
owner /dev/input/event@{int} rw,
owner /dev/mqueue/ rw,
owner /dev/rfkill rw,
owner /dev/shm/ r,
owner /dev/ttyS@{int} rwk,
include if exists <usr/systemd.d>
include if exists <local/systemd>
}
# vim:syntax=apparmor
Reference in a new issue View git blame Copy permalink