From 8d5dc16b53ee05f183094369b2e0b431ccfe5111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
Date: Wed, 11 Dec 2019 17:18:17 +0100
Subject: [PATCH] AppArmor: Add systemd-logind profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Move apparmor profile from apertis-customization to the package it is
related to.
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
---
debian/control | 1 +
debian/lib.systemd.systemd-logind | 66 +++++++++++++++++++++++++++++++
debian/rules | 2 +
debian/systemd.install | 1 +
4 files changed, 70 insertions(+)
create mode 100644 debian/lib.systemd.systemd-logind
diff --git a/debian/control b/debian/control
index 03940dea..3f1b0191 100644
--- a/debian/control
+++ b/debian/control
@@ -13,6 +13,7 @@ Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git
Vcs-Browser: https://salsa.debian.org/systemd-team/systemd
Homepage: https://www.freedesktop.org/wiki/Software/systemd
Build-Depends: debhelper (>= 10.4~),
+ dh-apparmor,
pkg-config,
xsltproc,
docbook-xsl,
diff --git a/debian/lib.systemd.systemd-logind b/debian/lib.systemd.systemd-logind
new file mode 100644
index 00000000..60425ad6
--- /dev/null
+++ b/debian/lib.systemd.systemd-logind
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+#
+# Copyright (C) 2015-2017 Collabora Ltd.
+#
+# SPDX-License-Identifier: MPL-2.0
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This profile is fairly permissive: systemd-logind is very much a trusted
+# process anyway (it has CAP_MAC_ADMIN and CAP_SYS_ADMIN) so there's
+# little point in trying to restrict it extensively: it's mainly here so
+# we can identify logind as a D-Bus peer in other profiles.
+#
+# We put it in enforcing mode so that we have a consistent story (saying
+# everything is enforcing is simpler than listing exceptions), and
+# it could potentially also mitigate attacks in which logind could be
+# tricked into reading and trusting files that it shouldn't.
+
+#include <tunables/global>
+
+/lib/systemd/systemd-logind {
+ #include <abstractions/base>
+ #include <abstractions/dbus-strict>
+ #include <abstractions/nameservice>
+
+ capability sys_admin,
+ capability mac_admin,
+ capability audit_control,
+ capability chown,
+ capability kill,
+ capability dac_read_search,
+ capability dac_override,
+ capability fowner,
+ capability sys_tty_config,
+
+ /lib/systemd/systemd-logind mr,
+
+ dbus bind bus=system name=org.freedesktop.login1,
+ dbus (send, receive) bus=system,
+
+ network netlink,
+
+ mount fstype=tmpfs -> /run/user/*/,
+
+ /dev/dri/* rw,
+ /dev/input/* rw,
+ /dev/tty* rw,
+ /etc/systemd/** r,
+ /etc/udev/** r,
+ /proc/** r,
+ /run/systemd/notify w,
+ /run/systemd/seats/{,*} rw,
+ /run/systemd/sessions/{,*} rw,
+ /run/systemd/users/{,*} rw,
+ /run/systemd/inhibit/{,*} rw,
+ /run/nologin rw,
+ "/run/.#nologin*" rw,
+ /run/utmp rwk,
+ /run/systemd/shutdown/scheduled rw,
+ "/run/systemd/shutdown/.#scheduled*" rw,
+ /run/udev/** r,
+ /run/user/*/ w,
+ /var/lib/systemd/linger/{,**} r,
+ /sys/** r,
+}
diff --git a/debian/rules b/debian/rules
index 29fb0c8b..d7b678fc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -269,6 +269,8 @@ ifeq ($(DEB_VENDOR),Ubuntu)
install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/
endif
+ dh_apparmor -psystemd --profile-name=lib.systemd.systemd-logind
+
override_dh_missing:
dh_missing --sourcedir debian/install/deb $(DH_MISSING)
diff --git a/debian/systemd.install b/debian/systemd.install
index 5ad45119..4f58408c 100644
--- a/debian/systemd.install
+++ b/debian/systemd.install
@@ -66,3 +66,4 @@ var/lib
../../extra/units/* lib/systemd/system/
../../extra/dhclient-exit-hooks.d/ etc/dhcp/
../../extra/pam.d etc/
+../../lib.systemd.systemd-logind etc/apparmor.d/
--
GitLab