feat(profile): add user_unconfined profile & reorganise pam profiles.
This commit is contained in:
parent
de9e98bdf7
commit
538a73e21e
5 changed files with 86 additions and 58 deletions
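--- /dev/null
+++ b/apparmor.d/groups/children/user_confined
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow confined users to read, write, lock and link to their own files
+# anywhere, and execute from some places.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile user_confined flags=(complain) {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/nameservice-strict>
+include <abstractions/shells>
+
+deny capability sys_ptrace,
+
+@{bin}/** Pixmr,
+
+owner /** rwkl,
+owner @{HOMEDIRS}/bin/** ixmr,
+owner @{user_bin_dirs}/** ixmr,
+
+@{PROC}/** r,
+
+include if exists <local/user_confined>
+}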
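Review bot: `owner @{HOMEDIRS}/bin/** ixmr,` does not point at the user's own bin directory: with the upstream tunables (`@{HOMEDIRS}=/home/`, `@{HOME}=@{HOMEDIRS}/*/`) it expands to `/home/bin/**`, which looks like a typo for `@{HOME}/bin/**`. That path is normally already covered by `@{user_bin_dirs}` on the following line, so the line should either be corrected to `owner @{HOME}/bin/** ixmr,` or dropped as redundant. Note also that the profile is loaded with `flags=(complain)`, so of the rules shown only the explicit `deny capability sys_ptrace,` is actually enforced; everything else is logged and allowed. That is worth stating in the header comment, e.g. `# NOTE: complain mode - only the explicit deny rule is enforced until this profile is switched to enforce.`, so that whoever wires it up through the pam profiles this commit reorganises does not assume confinement is already in effect.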
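--- /dev/null
+++ b/apparmor.d/groups/children/user_default
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# By default, allow users to read, lock and link to their own files anywhere,
+# but only write to files in their home directory. Only allow limited execution
+# of files.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile user_default flags=(complain) {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/nameservice-strict>
+include <abstractions/shells>
+
+deny capability sys_ptrace,
+
+@{bin}/** Pixmr,
+
+owner /** rkl,
+owner @{HOMEDIRS}/ w,
+owner @{HOMEDIRS}/** w,
+
+@{PROC}/** r,
+
+include if exists <local/user_default>
+}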
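Review bot: The header comment says users may "only write to files in their home directory", but `owner @{HOMEDIRS}/** w,` is wider than that: with the upstream tunables `@{HOMEDIRS}` is the parent directory (`/home/`), so this grants write to any user-owned file under anyone's home, and `owner @{HOMEDIRS}/ w,` targets `/home/` itself rather than the user's home. If the comment states the intent, the two lines should read `owner @{HOME}/ w,` and `owner @{HOME}/** w,`. Separately, nothing in the profile allows writes under `/tmp/`, `/dev/shm/` or `@{run}/user/@{uid}/`, which an interactive login shell and most of what it launches will need; because the profile is in complain mode this only shows up as audit noise today, but it will break sessions the day the profile is switched to enforce. A one-line comment recording whether those locations are deliberately excluded (or rules adding them) would make the intent reviewable.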
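--- /dev/null
+++ b/apparmor.d/groups/children/user_unconfined
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile user_unconfined flags=(attach_disconnected,mediate_deleted) {
+
+capability,
+network,
+mount,
+remount,
+umount,
+pivot_root,
+ptrace,
+signal,
+dbus,
+unix,
+file,
+
+include if exists <local/user_unconfined>
+}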
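Review bot: Despite its name this is an ordinary enforcing profile that grants every rule class, not AppArmor's unconfined mode, and two things an unconfined session relies on are missing from the rule list. There is no `change_profile,` rule, and a bare `file,` rule carries no `px`/`Px` transition (as I recall apparmor.d(5) describes its exec mode as inherit), so every program started from this session would keep running under user_unconfined instead of attaching the per-application profile this repository ships for it. There is also no `userns,` rule, so on kernels that mediate user namespaces (the Ubuntu 23.10+ style restriction) unprivileged namespace creation by browsers, flatpak or podman would be denied. Adding `userns,` and `change_profile,` to the rule list addresses both; alternatively, if the parser and kernel in use support the `unconfined` profile flag, `profile user_unconfined flags=(attach_disconnected,mediate_deleted,unconfined) {` expresses the intent directly. A header comment stating what "unconfined" is meant to guarantee here would also be welcome, since the file has none.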