AppArmor: Add systemd-logind profile

Move apparmor profile from apertis-customization to the package it is related to. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

AppArmor: Add systemd-logind profile
Move apparmor profile from apertis-customization to the package it is related to. Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
8d5dc16b · Frederic Danis · 4b6e091f · 8d5dc16b · 8d5dc16b · 8d5dc16b
Commit 8d5dc16b authored 5 years ago by Frederic Danis
--- a/debian/control
+++ b/debian/control
@@ -13,6 +13,7 @@ Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git
 Vcs-Browser: https://salsa.debian.org/systemd-team/systemd
 Homepage: https://www.freedesktop.org/wiki/Software/systemd
 Build-Depends: debhelper (>= 10.4~),
+               dh-apparmor,
               pkg-config,
               xsltproc,
               docbook-xsl,

--- a/debian/lib.systemd.systemd-logind
+++ b/debian/lib.systemd.systemd-logind
+# vim:syntax=apparmor
+#
+# Copyright (C) 2015-2017 Collabora Ltd.
+#
+# SPDX-License-Identifier: MPL-2.0
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This profile is fairly permissive: systemd-logind is very much a trusted
+# process anyway (it has CAP_MAC_ADMIN and CAP_SYS_ADMIN) so there's
+# little point in trying to restrict it extensively: it's mainly here so
+# we can identify logind as a D-Bus peer in other profiles.
+#
+# We put it in enforcing mode so that we have a consistent story (saying
+# everything is enforcing is simpler than listing exceptions), and
+# it could potentially also mitigate attacks in which logind could be
+# tricked into reading and trusting files that it shouldn't.
+
+#include <tunables/global>
+
+/lib/systemd/systemd-logind {
+  #include <abstractions/base>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/nameservice>
+
+  capability sys_admin,
+  capability mac_admin,
+  capability audit_control,
+  capability chown,
+  capability kill,
+  capability dac_read_search,
+  capability dac_override,
+  capability fowner,
+  capability sys_tty_config,
+
+  /lib/systemd/systemd-logind mr,
+
+  dbus bind bus=system name=org.freedesktop.login1,
+  dbus (send, receive) bus=system,
+
+  network netlink,
+
+  mount fstype=tmpfs -> /run/user/*/,
+
+  /dev/dri/* rw,
+  /dev/input/* rw,
+  /dev/tty* rw,
+  /etc/systemd/** r,
+  /etc/udev/** r,
+  /proc/** r,
+  /run/systemd/notify w,
+  /run/systemd/seats/{,*} rw,
+  /run/systemd/sessions/{,*} rw,
+  /run/systemd/users/{,*} rw,
+  /run/systemd/inhibit/{,*} rw,
+  /run/nologin rw,
+  "/run/.#nologin*" rw,
+  /run/utmp rwk,
+  /run/systemd/shutdown/scheduled rw,
+  "/run/systemd/shutdown/.#scheduled*" rw,
+  /run/udev/** r,
+  /run/user/*/ w,
+  /var/lib/systemd/linger/{,**} r,
+  /sys/** r,
+}
--- a/debian/rules
+++ b/debian/rules
@@ -269,6 +269,8 @@ ifeq ($(DEB_VENDOR),Ubuntu)
 	install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/
 endif

+	dh_apparmor -psystemd --profile-name=lib.systemd.systemd-logind
+
 override_dh_missing:
 	dh_missing --sourcedir debian/install/deb $(DH_MISSING)


--- a/debian/systemd.install
+++ b/debian/systemd.install
@@ -66,3 +66,4 @@ var/lib
 ../../extra/units/* lib/systemd/system/
 ../../extra/dhclient-exit-hooks.d/ etc/dhcp/
 ../../extra/pam.d etc/
+../../lib.systemd.systemd-logind etc/apparmor.d/