From 3da0ad25726b0cb0fc7910872062a3a11b627b38 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Nov 2023 23:08:02 +0000
Subject: [PATCH] feat(full): add bwrap-app abstraction.
---
 apparmor.d/abstractions/bwrap-app | 115 ++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 apparmor.d/abstractions/bwrap-app
diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
new file mode 100644
index 000000000..68643758b
--- /dev/null
+++ b/apparmor.d/abstractions/bwrap-app
@@ -0,0 +1,115 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Common rules for applications sandboxed using bwrap.
+
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ /usr/** r,
+
+ /etc/** r,
+ /etc/igfx_user_feature*.txt rw,
+ /etc/shells rw,
+
+ / r,
+ /.* r,
+ /*/ r,
+ owner /@{uuid}/ w,
+ owner /_@{int}_/ w,
+
+ # Full access to user's data
+ / r,
+ /*/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/** rwl,
+ owner @{HOME}/.var/app/** rmix,
+ owner @{HOME}/{,**} rwlk,
+ owner @{run}/user/@{uid}/{,**} rw,
+ owner @{user_config_dirs}/** rwkl,
+ owner @{user_share_dirs}/** rwkl,
+
+ @{user_games_dirs}/{,**} rm,
+
+ owner /tmp/** rmwk,
+ owner /dev/shm/** rwlk -> /dev/shm/**,
+
+ @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
+ @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
+ @{run}/host/{,**} r,
+ @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
+ owner @{run}/user/@{uid}/orcexec.@{rand6} rwm,
+
+ @{sys}/ r,
+ @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/class/drm/ r,
+ @{sys}/class/hidraw/ r,
+ @{sys}/class/input/ r,
+ @{sys}/class/power_supply/ r,
+ @{sys}/devices/@{pci}/{class,numa_node,local_cpus,irq,carrier} r,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/devices/@{pci}/class r,
+ @{sys}/devices/@{pci}/config r,
+ @{sys}/devices/@{pci}/net/{,**} r,
+ @{sys}/devices/**/input@{int}/ r,
+ @{sys}/devices/**/input@{int}/capabilities/* r,
+ @{sys}/devices/**/input/input@{int}/ r,
+ @{sys}/devices/**/power_supply/** r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/system/** r,
+ @{sys}/devices/system/cpu/** r,
+ @{sys}/devices/virtual/dmi/id/{,**} r,
+ @{sys}/devices/virtual/net/{,**} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.* r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/net/** r,
+ @{PROC}/@{pid}/smaps r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/task/@{tid}/stat r,
+ @{PROC}/driver/** r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/uptime r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/comm rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fd/@{int} rw,
+ owner @{PROC}/@{pid}/net/if_inet6 r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/status r,
+
+ /dev/hidraw@{int} rw,
+ /dev/input/ r,
+ /dev/pts/ptmx rw,
+ /dev/tty rw,
+
+ include if exists
\ No newline at end of file
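Review bot: `@{run}/havahi-daemon/socket rw,` in the socket block does not match the path its own comment names, so the rule is dead and access to the avahi socket will be denied and show up as a rejection in the audit log; it should read `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. Two rules are also duplicated inside the hunk (`/ r,` and `/*/ r,` appear both before and after the "Full access to user's data" comment), which the parser tolerates but which should be trimmed to one copy. `/etc/shells rw,` and `/etc/igfx_user_feature*.txt rw,` grant write access to system files from an abstraction meant for sandboxed applications; if bwrap only ever exposes these read-only, `r` is the safer minimum, and otherwise each write bit deserves a comment naming the application that needs it. Finally, `owner /tmp/** rmwk,` pairs write with map permission on the same user-writable tree, so a compromised application can drop a file there and map it executable; this is consistent with the abstraction's other broad grants, but a comment stating that trade-off would help the next reviewer.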