Commit 44be3372 authored by Simon McVittie

AppArmor: Make logind's AppArmor profile enforcing

"Everything must be enforcing" is an easier check than "Everything
except systemd-logind must be enforcing".
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Emanuele Aina <emanuele.aina@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D6854
parent 55df508c
......@@ -4,13 +4,17 @@
# This profile is fairly permissive: systemd-logind is very much a trusted
# process anyway (it has CAP_MAC_ADMIN and CAP_SYS_ADMIN) so there's
# little point in trying to restrict it, or put this profile in enforcing
# mode. It's mainly here so we can identify logind as a D-Bus peer in
# other profiles.
# little point in trying to restrict it extensively: it's mainly here so
# we can identify logind as a D-Bus peer in other profiles.
#
# We put it in enforcing mode so that we have a consistent story (saying
# everything is enforcing is simpler than listing exceptions), and
# it could potentially also mitigate attacks in which logind could be
# tricked into reading and trusting files that it shouldn't.
#include <tunables/global>
/lib/systemd/systemd-logind flags=(complain) {
/lib/systemd/systemd-logind {
#include <abstractions/base>
#include <abstractions/dbus-strict>
#include <abstractions/nameservice>
......
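Review bot: On the profile header line, dropping `flags=(complain)` turns every access the profile does not list from a logged event into a denial, and neither the updated comment nor the commit message says the profile was checked against logind's real behaviour before the switch. The rule body is mostly outside this hunk, so please state in the commit message that the complain-mode audit log showed no `apparmor="ALLOWED"` entries for `/lib/systemd/systemd-logind` on a booted image, or add the missing rules in the same change. The new comment's "could potentially also mitigate attacks" sentence would also be easier to hold the profile to if it named which files logind is meant to be kept away from, given that the first line of the comment still calls the profile "fairly permissive".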