Package: apparmor-profiles
Version: 2.13.2-9
Severity: normal

Hi,
I've created a profile for journald to restrict the possible capabilities the process has. But journald starts before the AppArmor profiles get loaded. I've created a service to run after apparmor.service to restart all unconfined services having a profile.

What do you think about this? Would you include this in the package?

Bye
Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.13.2-9

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information

--
The right to change one's mind is one of the most important human privileges. (Robert Peel)
# AppArmor profile for systemd-journald
include <tunables/global>

profile /lib/systemd/systemd-journald {
  include <abstractions/base>

  /dev/kmsg rw,
  /etc/machine-id r,
  /proc/cmdline r,
  /proc/sys/kernel/hostname r,
  /proc/sys/kernel/random/boot_id r,
  /proc/*/{cgroup,cmdline,comm,loginuid,sessionid} r,
  /proc/*/attr/current r,
  /proc/1/{environ,sched} r,
  owner /proc/@{pid}/stat r,

  capability setgid setuid sys_admin sys_ptrace syslog,
  ptrace (read),

  /etc/systemd/journald.conf r,
  owner /run/systemd/journal/{,**} rw,
  owner /var/log/journal/{,**} rw,

  /run/udev/data/* r,
  /sys/devices/pci0000:00/**/uevent r,
}
[Unit]
Description=Restart unconfined services having AppArmor profiles
DefaultDependencies=no
ConditionSecurity=apparmor
Before=dbus.service sysinit.target
After=apparmor.service
Requires=apparmor.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/apparmor-systemd-restart-unconfined

[Install]
WantedBy=sysinit.target
#!/bin/sh
# Restart every service that aa-status reports as running unconfined although
# a profile for its executable is loaded (it started before apparmor.service).
uc_pids=$(aa-status --json | jq -r '.processes[][] | select(.status == "unconfined") | .pid')
if test -z "$uc_pids"
then
    exit
fi
# PID 1 cannot be restarted; a daemon-reexec makes systemd re-exec itself and
# thereby pick up its profile. Drop it from the list of PIDs to restart.
if echo "$uc_pids" | grep -qFx 1
then
    uc_pids=$(echo "$uc_pids" | grep -vFx 1)
    systemctl daemon-reexec
fi
# Nothing left once PID 1 is removed: bail out, otherwise `systemctl status`
# without PIDs would describe the whole system and the sed below would pick up
# the hostname as a unit name.
if test -z "$uc_pids"
then
    exit
fi
# Map PIDs to their units: `systemctl status <pid>` prints the unit on its
# first line as "● name.service - ..." ("*" instead of "●" in a non-UTF-8 locale).
uc_srv=$(systemctl status -n0 $uc_pids | sed -n 's/^[●*] \([^ ]*\).*/\1/p' | sort -u)
systemctl restart $uc_srv
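As an added illustration (not part of the report), the selection the script above performs, run over a constructed sample in the shape of `aa-status --json` output: the `.status` and `.pid` fields are the ones the jq filter uses; the top-level `profiles` map and the per-process `profile` field are assumed from the aa-status JSON layout.

```python
import json

# Constructed sample in the shape of `aa-status --json` (assumed layout):
# "profiles" maps each loaded profile to its mode, "processes" maps an
# executable to the processes running it with their confinement status.
SAMPLE_AA_STATUS = json.dumps({
    "version": "2",
    "profiles": {
        "/lib/systemd/systemd-journald": "enforce",
        "/usr/sbin/cupsd": "enforce",
    },
    "processes": {
        "/lib/systemd/systemd-journald": [
            {"profile": "/lib/systemd/systemd-journald", "pid": "312",
             "status": "unconfined"},
        ],
        "/usr/sbin/cupsd": [
            {"profile": "/usr/sbin/cupsd", "pid": "640", "status": "enforce"},
        ],
        "/lib/systemd/systemd": [
            {"profile": "/lib/systemd/systemd", "pid": "1",
             "status": "unconfined"},
        ],
    },
})


def find_unconfined(aa_status_json):
    """Return ([(exe, pid, mode), ...], reexec_pid1).

    A process reported as unconfined while a profile for its executable is
    loaded was started before the profile got loaded; restarting it attaches
    the profile. PID 1 cannot be restarted, so it is flagged for
    `systemctl daemon-reexec` instead, as the script above does.
    """
    data = json.loads(aa_status_json)
    profiles = data.get("profiles", {})
    to_restart, reexec_pid1 = [], False
    for exe, procs in data.get("processes", {}).items():
        for proc in procs:
            if proc.get("status") != "unconfined":
                continue
            if proc["pid"] == "1":
                reexec_pid1 = True
                continue
            mode = profiles.get(exe)
            if mode is None:
                continue  # nothing loaded for this binary; a restart changes nothing
            to_restart.append((exe, int(proc["pid"]), mode))
    return to_restart, reexec_pid1
```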