feat(full): improve systemd profile.

See https://apparmor.pujol.io/development/structure/#full-system-policy
This commit is contained in:
Alexandre Pujol 2023-11-19 21:31:57 +00:00
parent d64ef39bd1
commit 59140f5411
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 203 additions and 208 deletions


@ -1,235 +1,227 @@
# full-apparmor-policy # apparmor.d - Full set of apparmor profiles
# Full System MAC Policy using AppArmor # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# # Copyright (C) 2023 monsieuremre <https://github.com/monsieuremre>
# Copyright (c) 2023 monsieuremre <https://github.com/monsieuremre> # SPDX-License-Identifier: GPL-2.0-only
#
# This file is part of full-apparmor-policy. You can redistribute it and/or modify # Profile for systemd (PID 1), it does not specify an attachment path because
# it under the terms of the GNU General Public License as published by # it is directly loaded by systemd.
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version. # Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
# Distributions and other programs can add rules in the usr/systemd.d directory
# Note: A non negligible part of the rules are due to stacked profile and unified systemd/systemd-user
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
profile systemd @{lib}/systemd/** flags=(attach_disconnected) { profile systemd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/authentication>
include <abstractions/dbus-session>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/wutmp>
## Section 1 - Non-file related permissions # Needed by systemd
capability audit_read,
capability audit_read, # can be phased out?
capability audit_write, capability audit_write,
capability bpf,
capability chown, capability chown,
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,
capability fowner, capability fowner,
capability sys_admin,
# The following is needed by desktop environments
# If on gnome, these can be phased out because the DE components are already covered
# with profiles. For other desktops, these have to be allowed
capability sys_nice,
capability kill, capability kill,
capability mknod,
capability perfmon,
capability sys_admin,
capability sys_tty_config,
capability sys_resource,
capability sys_chroot,
network netlink, # Required by stacked profiles
network inet, capability net_admin,
network inet6, capability net_bind_service,
network packet, capability net_raw,
# network unix, # same as just allowing unix? capability setfcap,
# network local, # a thing? capability setgid,
capability setpcap,
capability setuid,
capability sys_nice,
capability sys_ptrace,
capability sys_time,
unix (accept), network inet dgram,
unix (connect), network inet raw,
unix (send), network inet stream,
unix (receive), network inet6 dgram,
network inet6 raw,
ptrace (read), network inet6 stream,
network netlink raw,
dbus (send), network packet dgram,
dbus (receive), network packet raw,
dbus (bind),
signal (send),
signal (receive),
# TODO: WIP
mount, mount,
remount,
umount, umount,
## Restrictions pivot_root @{run}/systemd/mount-rootfs/ -> @{run}/systemd/mount-rootfs/,
#
## The following are implicitly denied with this profile. There are comments on
## what they might break without dedicated profilesand how to address these breakages.
#
## mostly won't break anything with the current set of profiles
# deny capability mknod,
# deny capability setpcap,
# deny capability checkpoint_restore,
# deny capability audit_control,
# deny capability net_bind_service,
# deny capability block_suspend,
# deny capability bpf,
# deny capability ipc_owner,
# deny capability sys_tty_config,
# deny capability mac_admin, # intentional to protect policy
# deny capability mac_override, # intentional to protect policy
# deny capability sys_module,
# deny capability linux_immutable,
# deny capability lease,
# deny capability net_broadcast,
# deny capability perfmon,
# deny capability sys_boot,
# deny capability sys_pacct,
# deny capability sys_time,
# deny capability wake_alarm,
# deny capability setfcap,
#
# deny pivot_root,
#
# deny unix (listen),
# deny unix (create),
# deny unix (getattr),
# deny unix (setattr),
# deny unix (setopt),
# deny unix (getopt),
#
# deny ptrace (trace),
# deny ptrace (tracedby),
# deny ptrace (readby),
#
# deny network bluetooth,
# deny network alg,
# deny network ash,
# deny network rose,
# deny network x25,
# deny network ax25,
# deny network ipx,
# deny network netrom,
# deny network appletalk,
# deny network econet,
# deny network qipcrtr,
# deny network bridge,
# deny network atmpvc,
# deny network netbeui,
# deny network security,
# deny network key,
# deny network atmsvc,
# deny network rds,
# deny network irda,
# deny network pppox,
# deny network wanpipe,
# deny network ib,
# deny network mpls,
# deny network can,
# deny network tipc,
# deny network rxrpc,
# deny network isdn,
# deny network phonet,
# deny network ieee802154,
# deny network caif,
# deny network vsock,
# deny network kcm,
# deny network smc,
# deny network xdp,
#
## will break firewalls with no profile, use firewalld as profile provided
# deny capability net_raw,
# deny capability net_admin,
#
## might break some desktop components without profile, won't brake on gnome or kde
# deny capability ipc_lock,
#
## might break if you use utilities that don't have profiles (unlikely)
# deny capability sys_rawio,
# deny capability fsetid,
#
## will break electron apps without profiles, which the most common ones have here
## might also break sandboxing utils if they don't have profiles, which the most common ones have here
# deny capability sys_resource,
# deny capability sys_chroot,
#
## most anything is covered with profiles, but some niche custom utils
## or replacements or rewrites or very specific things can (probably won't) break
## in that case it is worth making a profile request.
# deny capability setgid,
# deny capability setuid,
change_profile,
# ----- signal (receive) set=(term, hup, cont),
signal (send),
## Section 2 - File permissions ptrace (read, readby),
## This is quite restrictive for a "general" profile. unix (send) type=dgram,
## Can of course be further restricted. Probably by a lot.
dbus, # TODO: WIP
dbus bind bus=system name=org.freedesktop.systemd1,
@{bin}/{,u}mount rix,
@{bin}/ldconfig rPx -> ldconfig.service,
@{bin}/chgrp rPx -> dmesg.service,
@{bin}/chmod rPx -> dmesg.service,
@{bin}/savelog rPx -> dmesg.service,
audit @{lib}/** Pix,
audit @{bin}/** Pix,
audit /etc/init.d/* PUx,
@{bin}/pipewire rPx -> systemd//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd//&pipewire-media-session,
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd//&pulseaudio,
@{bin}/wireplumber rPx -> systemd//&wireplumber,
@{lib}/{,polkit-1/}polkitd rPx -> systemd//&polkitd,
@{lib}/snapd/snapd-apparmor rPx,
# @{lib}/systemd/systemd rPx -> systemd-user, # FIXME: only works on server
@{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd,
@{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved,
@{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
/usr/share/apport/apport rPx,
/usr/share/gdm/generate-config rPx,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown rPx,
## The owner can read pretty much everything
## He can also write to the directories
## directly under root.
/ r, / r,
owner / rwlk, /boot/ r,
/boot/efi/ r,
/efi/ r,
/tmp/ r,
/usr/ r,
/var/lib/*/ r,
/var/tmp/ r,
@{lib}/ r,
## Everyone can see the home directories /usr/share/** r,
## Only the owners allowed inside
/home r,
owner /home/** rwlkPix,
## Reserved for the owner 'root' only /etc/binfmt.d/{,**} r,
owner /boot/** rwlk, /etc/conf.d/{,**} r,
owner /root/** rwlk, /etc/credstore.encrypted/{,**} r,
/etc/credstore/{,**} r,
/etc/default/** r,
/etc/environment r,
/etc/environment.d/{,**} r,
/etc/machine-id r,
/etc/modules-load.d/ r,
/etc/networkd-dispatcher/{,**} r,
/etc/pipewire/** r,
/etc/polkit*/** r,
/etc/systemd/{,**} r,
/etc/udev/hwdb.d/{,*} r,
## Running binaries is allowed in these places /var/lib/gdm{3,}/.config/pulse/{,**} rw,
## Modifying them requires ownership /var/lib/gdm{3,}/.config/pulse/cookie k,
@{lib}/** rPix, /var/lib/gdm{3,}/.config/dconf/user r,
owner @{lib}/** rwmlkPix,
@{bin}/** rPix, /var/lib/systemd/{,**} rw,
owner @{bin}/** rwmlkPix, owner /var/tmp/systemd-private-*/{,**} rw,
/opt/** rPix, @{user_config_dirs}/pulse/{,**} rw,
owner /opt/** rwmlkPix,
## Reading /usr allowed, writing requires ownership /tmp/namespace-dev-@{rand6}/{,**} rw,
/usr/** r, /tmp/systemd-private-*/{,**} rw,
owner /usr/** rwlk,
## Reading files in temp requires ownership @{run}/ r,
owner /{,var/}tmp/** rw, @{run}/credentials/{,**} rw,
@{run}/dbus/system_bus_socket rw,
@{run}/spice-vdagentd/spice-vdagent-sock rw,
@{run}/systemd/{,**} rw,
@{run}/udev/control rw,
@{run}/udev/data/* r,
@{run}/udev/tags/systemd/ r,
@{run}/user/@{uid}/{,**} rwlk,
owner @{run}/* rw,
owner @{run}/*/ rw,
owner @{run}/*/* rw,
## Reading /etc allowed, writing requires ownership @{sys}/bus/ r,
/{,usr/local/}etc/** r, @{sys}/class/ r,
owner /{,usr/local/}etc/** rwmlk, @{sys}/class/sound/ r,
@{sys}/devices/@{pci}/** r,
@{sys}/devices/**/net/** r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/fs/**/ r,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/kernel/**/ r,
@{sys}/module/apparmor/parameters/enabled r,
## Can be restricted? Maybe @{PROC}/@{pid}/{uid_map,gid_map} r,
/dev/** rw, @{PROC}/@{pid}/attr/apparmor/exec w,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/coredump_filter r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/gid_map w,
@{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/setgroups rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/@{pid}/uid_map w,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/fs/binfmt_misc/ r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/* r,
@{PROC}/sys/kernel/random/* rw,
@{PROC}/sys/net/ipv{4,6}/** rw,
owner @{PROC}/@{pid}/oom_score_adj rw,
## Owner can access his media and mount /dev/ r,
owner @{MOUNTDIR}/** rw, /dev/bus/usb/ r,
/dev/hwrng r,
/dev/rfkill rw,
/dev/shm/ rw,
/dev/tty rw,
/dev/tty@{int} rwk,
owner /dev/console rwk,
owner /dev/hugepages/ rw,
owner /dev/mqueue/ rw,
owner /dev/ttyS@{int} rwk,
## Many stuff run in /var. We deny executing tmp and log files. include if exists <usr/systemd.d>
/var/** rwmlkPix, include if exists <local/systemd>
deny /var/log/** x,
deny /var/tmp/** x,
## Can be restricted
@{run}/** rw,
owner @{run}/** rwlk,
## Reading can be more restricted for subdirs
@{PROC}/** r,
owner @{PROC}/** rw,
## Can definetely be restricted further
@{sys}/** rw,
## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy
deny /dev/mem rw,
deny /dev/kmem rw,
deny /dev/port rw,
deny /dev/sd* rw,
deny /dev/vd* rw,
deny /dev/nvme* rw,
deny /dev/disk/** rw,
deny /dev/block/** rw,
include if exists <usr/full-policy.d>
include if exists <local/full-policy>
} }
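Review bot: The new exec rules under the `# TODO: WIP` marker include `audit /etc/init.d/* PUx,`, which lets any init script that has no dedicated profile run unconfined, so one uncovered script escapes the full-system policy the header describes, while the neighbouring `audit @{lib}/** Pix,` and `audit @{bin}/** Pix,` only fall back to inheriting this profile. If the unconfined fallback is a deliberate transitional choice, say so next to the rule, e.g. `# Legacy init scripts without a profile run unconfined until they are covered; remove once done`, otherwise `audit /etc/init.d/* Pix,` keeps them inside the policy. The unrestricted `change_profile,` together with `@{PROC}/@{pid}/attr/apparmor/exec w,` allows PID 1 to switch to any loaded profile; a one-line comment stating that this is what unit-file profile selection relies on would spare the next reader from trying to narrow it. The inline question `capability audit_read, # can be phased out?` should be resolved or turned into a TODO with the condition under which it can be dropped. The rendered view collapses the old and new column of each line together, so the points above refer to the right-hand (new) text.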


@ -1,6 +1,9 @@
# Common profile flags definition for all distributions # Common profile flags definition for all distributions
# One profile by line using the format: '<profile> <flags>' # One profile by line using the format: '<profile> <flags>'
systemd attach_disconnected,complain
systemd-user attach_disconnected,complain
aa-load complain aa-load complain
acpid attach_disconnected,complain acpid attach_disconnected,complain
agetty complain agetty complain