diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6c0ad7b45..ffc9dded0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -119,7 +119,7 @@ opensuse: image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging rsync + - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day @@ -151,11 +151,16 @@ preprocess-debian: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -.preprocess-ubuntu: - extends: preprocess-debian +preprocess-ubuntu: + stage: preprocess image: ubuntu dependencies: - ubuntu + script: + - apt-get update -q + - apt-get install -y apparmor apparmor-profiles + - dpkg --install $PKGDEST/* + - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null preprocess-whonix: extends: preprocess-debian diff --git a/Makefile b/Makefile index 1caed67f8..85a4a7190 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) .PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean all: build - @./${BUILD}/prebuild --complain + @./${BUILD}/prebuild --complain build: @go build -o ${BUILD}/ ./cmd/aa-log @@ -26,6 +26,7 @@ full: build ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n") PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") +DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") install: @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @for file in ${ROOT}; do \ 
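Review bot: `preprocess-ubuntu` now carries its own copy of the `dpkg --install $PKGDEST/*` and `apparmor_parser --preprocess` lines instead of `extends: preprocess-debian`, so the two jobs will drift the next time one of them changes. If the only difference is the two `apt-get` lines, put those in `before_script` and take the rest with `script: !reference [preprocess-debian, script]`, keeping a single copy. The unquoted `$PKGDEST/*` is shared with the debian job and pre-existing, so not part of this change.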
@@ -34,6 +35,10 @@ install: @for file in ${PROFILES}; do \ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ done; + @for file in ${DISABLES}; do \ + mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ + cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ + done; @for file in ${BUILD}/systemd/system/*; do \ service="$$(basename "$$file")"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 680eb5686..69bcf9007 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,8 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* rPUx, - /usr/local/{s,}bin/* rPUx, + @{bin}/* PUx, + /usr/local/{s,}bin/* PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 73f4e0b24..4a6c795d6 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,19 +3,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* rPUx, - /opt/*/** rPUx, - /usr/share/*/* rPUx, - /usr/local/bin/* rPUx, + @{bin}/* PUx, + /opt/*/** PUx, + /usr/share/*/* PUx, + /usr/local/bin/* PUx, - @{bin}/chromium rPx, - @{brave_path} rPx, - @{chrome_path} rPx, - @{chromium_path} rPx, - @{firefox_path} rPx, - @{opera_path} rPx, - @{thunderbird_path} rPx, - @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx, + @{brave_path} Px, + @{chrome_path} Px, + @{chromium_path} Px, + @{firefox_path} Px, + @{opera_path} Px, + @{thunderbird_path} Px, + @{offices_path} PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 138294664..ba0c7f3ee 100644 --- a/apparmor.d/abstractions/app/firefox 
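Review bot: In the new `DISABLES` loop of `install`, `mkdir -p "${DESTDIR}/etc/apparmor.d/disable"` is loop-invariant and hard-codes `disable/`, while the copied path is whatever `find ... -type l` returned anywhere under `${BUILD}/apparmor.d`, so a symlink in another subdirectory is copied into a directory that may not exist. `cp -d` also reproduces the link target verbatim, which only resolves on the installed system if prebuild writes relative targets (not visible in this diff). A form that handles both is `mkdir -p "$$(dirname "${DESTDIR}/etc/apparmor.d/$${file}")"; \` in place of the fixed `disable` directory, plus a comment such as `# disable/ symlinks must stay relative so they resolve after install`.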
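Review bot: `@{offices_path} PUx,` introduces a tunable that is not defined anywhere in this diff; if it is not declared in the shipped tunables, every profile including `app-launcher-user` fails to parse, so the commit should point at where it is defined. Dropping `r` from the `PUx`/`Px` rules here and in `app-launcher-root` is, as far as I can tell, a tightening (the launcher can still execute but no longer read the binaries), and removing `@{bin}/chromium rPx,` relies on `@{chromium_path}` covering that path. A short comment at the top of the list, e.g. `# exec only: the target profile decides what the binary may read`, would record the intent so the `r` is not re-added later.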
+++ b/apparmor.d/abstractions/app/firefox @@ -41,6 +41,8 @@ network inet6 stream, network netlink raw, + ptrace trace peer=@{profile_name}, + signal (send) set=(term, kill) peer=@{profile_name}-*, @{sh_path} rix, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index de6c758b3..4a9d55bd3 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -1,7 +1,7 @@ @{bin}/pam-tmpdir-helper rPx, - #aa:exclude ubuntu + #aa:exclude ubuntu opensuse @{bin}/unix_chkpwd rPx, #aa:only whonix diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 59d93c8f0..36e4e29de 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Common rules for applications sandboxed using bwrap. @@ -40,8 +41,9 @@ @{bin}/ r, @{lib}/ r, /usr/local/bin/ r, - owner /@{uuid}/ w, owner /_@{int}_/ w, + owner /@{uuid}/ w, + owner /var/cache/ldconfig/{,**} rw, # Full access to user's data / r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 436ddc96c..1a77e3e7c 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -5,7 +5,8 @@ # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, - owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, + owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, 
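Review bot: `ptrace trace peer=@{profile_name},` grants full tracing (not only `read`) of every process carrying the same label; if this is for the crash reporter it is required, but the rule should say so, e.g. `ptrace trace peer=@{profile_name}, # crash reporter`. `signal (send) set=(term, kill) peer=@{profile_name}-*,` only reaches child profiles named with a `-` suffix, which I take to be the convention for this abstraction's sub-profiles. The enclosing block starts and ends outside the hunk.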
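Review bot: `owner /var/cache/ldconfig/{,**} rw,` lands in an abstraction shared by every bwrap-sandboxed application, and it is only acceptable because of `owner`: the host cache is root-owned, so the rule can reach only entries the sandboxed user created, presumably on a private mount inside the sandbox. That reasoning is not recorded; a comment like `# ldconfig run inside the sandbox; owner keeps the host cache out of reach` would stop a later edit from dropping the keyword. The `owner /_@{int}_/ w,` / `owner /@{uuid}/ w,` change is a reorder only.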
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 70d5711d5..ee56ef44c 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -15,7 +15,7 @@ /etc/vulkan/implicit_layer.d/{,*.json} r, owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, - owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache + owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache @{sys}/class/ r, @{sys}/class/drm/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 9d8d33300..bb4789570 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/cat rix, @{bin}/dialog rix, @{bin}/locale rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 9ab8fc698..769b165a8 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-http, + unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + @{exec_path} mr, @{bin}/ r, @@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-dpkg-install-*/{,*} rw, @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 4df679c9f..4d8fc6cdf 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session 
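Review bot: `unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,` has no access list, so it permits every unix-socket operation (create, bind, listen, accept, connect, send, receive, ...) on that address; the systemd-oomd example updated in `docs/development/directives.md` in this same commit spells the narrower `unix (bind) type=stream addr=...`. If the daemon only binds its own bus socket, `unix (bind) type=stream addr=@@{hex16}/bus/unattended-upgr/system,` is the consistent form; if it also accepts and exchanges data, list those accesses explicitly. `@{PROC}/@{pids}/stat r,` reads every process's stat rather than the daemon's own, which may be what apt's checks need but deserves a why-comment.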
@@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) { @{bin}/** PUx, @{lib}/** PUx, - /usr/share/** PUx, + /usr/share/*/** PUx, /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index bb37fa90a..ac13f478d 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/** PUx, - @{lib}/** PUx, - /usr/share/*/** PUx, + @{bin}/** PUx, + @{lib}/** PUx, + /usr/share/*/** PUx, /etc/dbus-1/{,**} r, /usr/share/dbus-1/{,**} r, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1d235c95..5642d7cff 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,6 +12,7 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include + include include @{exec_path} mr, @@ -19,4 +20,4 @@ profile polkit-gnome-authentication-agent @{exec_path} { @{PROC}/@{pid}/cgroup r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 2715d9712..54104e51d 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -12,6 +12,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_admin, capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 088561f36..43faaaf9a 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -10,6 +10,7 @@ include profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include include + include capability sys_nice, @@ -25,6 +26,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{HOME}/.local/ w, + @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw, owner @{desktop_share_dirs}/flatpak/ w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 531a3273e..fd2462ffa 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/grep rix, @{bin}/locale rix, @{bin}/sed rix, + @{bin}/tecla rix, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 9c7044d07..4fcf39da3 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} { @{exec_path} mr, + /usr/share/gnome-remote-desktop/{,**} r, + + owner /var/lib/gnome-remote-desktop//{,**} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index dd58dc810..217cc0d52 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
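Review bot: `@{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,` is the only new file rule without `owner`, while the neighbouring `owner @{desktop_share_dirs}/flatpak/ w,` and `owner @{HOME}/.local/ w,` are owner-restricted; unless the store must write another user's database, `owner @{desktop_share_dirs}/flatpak/db/gnome rw,` keeps the rules consistent (assuming `@{desktop_share_dirs}` expands to `@{HOME}/@{XDG_DATA_DIR}`, which this diff does not show). `owner @{HOME}/.local/ w,` allows creating any entry directly under `~/.local`; if it exists only so `share/` can be created, a comment saying so would help.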
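Review bot: `@{bin}/tecla rix,` runs the keyboard-layout viewer inside the gnome-control-center profile, whereas the helpers right below it, such as `@{bin}/gkbd-keyboard-display rPx,`, transition to their own profile. If a `tecla` profile exists (not visible here), `@{bin}/tecla rPx,` matches the one-profile-per-binary convention; if it does not, a comment on why inheriting the control-center rules is acceptable would help. `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,` is a plain read and fine.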
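Review bot: `owner /var/lib/gnome-remote-desktop//{,**} r,` contains a doubled slash; kernel-reported paths never contain `//` and, as far as I know, the parser does not collapse it, so the rule never matches and reads of that directory stay denied. It should read `owner /var/lib/gnome-remote-desktop/{,**} r,`.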
@@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + unix receive type=stream, + @{lib}/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - + @{lib}/* PUx, /usr/games/* PUx, /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index bfd2ed5f3..6d40144ce 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} { @{exec_path} mr, + /usr/share/enchant-*/{,**} r, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 1e6e05bfb..ea08abe24 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -11,6 +11,7 @@ include profile gvfsd @{exec_path} { include include + include #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index b29faeea4..aa0065211 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -12,6 +12,7 @@ profile gvfsd-fuse @{exec_path} { include include include + include mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, 
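Review bot: `unix receive type=stream,` is bound to neither a peer nor an address, so gnome-shell may receive on any stream socket from any label; the other unix rule added in this commit (`unattended-upgrade`) qualifies the rule with `addr=`, and this one could use `peer=(label=...)` or `addr=` once the sending side is known. If the sender is not yet known, a comment naming what denial prompted the rule would make it possible to narrow it later. The `@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,` change just adds read on the socket path.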
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4c0459cf1..d44e12dbc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, + @{bin}/env r, @{bin}/wsdd rPx, @{run}/mount/utab r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 05b6b946c..bcbb12f92 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -81,6 +81,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + @{run}/modem-manager-gui/{,timestamps} rw, + profile systemctl { include include diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 71fe1dcb6..c3ae732bd 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -15,7 +15,9 @@ profile nmcli @{exec_path} { @{exec_path} mr, - @{bin}/less rCx -> pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, @@ -26,16 +28,5 @@ profile nmcli @{exec_path} { @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, - profile pager { - include - include - - @{bin}/less mr, - - owner @{HOME}/.lesshs* rw, - owner @{user_cache_dirs}/.lesshs* rw, - - } - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e84e8aa5d..7207c714c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pacman -profile pacman @{exec_path} { +profile pacman @{exec_path} flags=(attach_disconnected) { include include include 
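Review bot: `@{bin}/pager rPx -> child-pager,` is inert on Debian-style systems where `/usr/bin/pager` is an alternatives symlink, because AppArmor matches the resolved target, which the `less` and `more` rules already cover; harmless, but it suggests a coverage the rule does not provide. The shared `child-pager` profile is not part of this diff; since `less` can spawn a shell, what that profile allows the pager to execute decides how much replacing the tight local `pager` child profile changes nmcli's exposure, and a one-line comment pointing at it would help. The file still ends with `} \ No newline at end of file`, which the same commit fixes for polkit-gnome-authentication-agent.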
@@ -117,11 +117,6 @@ profile pacman @{exec_path} { /usr/** rwlk -> /usr/**, /var/** rwlk -> /var/**, - @{PROC}/ r, - @{run}/ r, - @{sys}/{,**} r, - /mnt r, - # Read packages files @{user_pkg_dirs}/**/ r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @@ -132,13 +127,16 @@ profile pacman @{exec_path} { owner @{tmp}/checkup-db-@{int}/db.lck rw, @{run}/utmp rk, - + + @{sys}/{,**} r, + @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 5b363b2ab..31994b373 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,13 +16,14 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/bash rix, @{bin}/chmod rix, - @{bin}/{m,g,}awk rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/grep rix, + @{bin}/ngettext rix, @{bin}/pacman-conf rPx, @{bin}/touch rix, @{bin}/tput rix, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fef44a12c..59f2b4ebe 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ssh/ssh_host_* r, + /var/lib/lastlog/ r, + /var/lib/lastlog/* rwk, + /var/lib/wtmpdb/ r, + /var/lib/wtmpdb/* rwk, + # For scp owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 2ad2a82d7..99fb6bb2f 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd 
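Review bot: `/var/lib/lastlog/* rwk,` and `/var/lib/wtmpdb/* rwk,` grant write and lock on every file in those directories; the lastlog2 and wtmpdb backends presumably keep a single sqlite database each plus its journal side files, so `/var/lib/lastlog/*.db{,-journal,-shm,-wal} rwk,` (constructed, to be confirmed against the actual filenames) would state the intent and exclude anything else placed there. The rules are correctly not `owner`-restricted for a root daemon, but a comment such as `# lastlog2 / wtmpdb (Y2038-safe replacements for lastlog/wtmp)` would explain why sshd writes under `/var/lib`. The sshd profile block starts and ends outside the hunk.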
@@ -30,8 +30,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, - @{sys}/fs/cgroup/memory.pressure r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, + @{sys}/fs/cgroup/memory.* r, + @{sys}/fs/cgroup/system.slice/memory.* r, + @{sys}/fs/cgroup/user.slice/{,**/}memory.* r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 3a1177081..cb5317ded 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/atool profile atool @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 739d18472..dffe9087f 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -21,11 +21,6 @@ profile borg @{exec_path} { network inet6 dgram, network netlink raw, - mount fstype=fuse -> @{MOUNTS}/, - mount fstype=fuse -> @{MOUNTS}/*/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - @{exec_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index ec2ba089a..3ec7b2f3b 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/btop profile btop @{exec_path} { include - include include + include + include capability sys_ptrace, 
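Review bot: Removing the `mount fstype=fuse -> @{MOUNTS}/` and `umount @{MOUNTS}/` rules takes FUSE mounting away from the borg profile, which `borg mount` needs unless mounting is now delegated to a helper under its own profile (not visible here); the commit gives no reason. If the intent is that `fusermount3` performs the mount under its own profile, the corresponding `Px` rule should be in the profile; otherwise this is a functional regression that only surfaces when someone mounts an archive. A comment where the rules were, e.g. `# mounting is delegated to fusermount3 under its own profile`, would settle it.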
@@ -21,30 +22,41 @@ profile btop @{exec_path} { @{exec_path} mr, + /usr/share/btop/{,**} r, + + /etc/fstab r, + owner @{user_config_dirs}/btop/{,**} rw, + @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r, - @{sys}/devices/@{pci}/net/*/address r, - @{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, - @{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r, + @{sys}/devices/**/hwmon@{int}/{,*} r, + @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, - @{sys}/devices/virtual/**/net/*/address r, - @{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r, + @{sys}/devices/virtual/net/{,**} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, @{PROC} r, - @{PROC}/loadavg r, - @{PROC}/uptime r, - @{PROC}/@{pids}/comm r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/mounts r, + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index ad4a8d4c6..cce69937f 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders 
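Review bot: `@{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,` uses an empty alternation, so it matches only the directory itself — exactly what the replaced `thermal_zone@{int}/ r,` did — while the removed `hwmon@{int}/{,*}` rule is now covered by `@{sys}/devices/**/hwmon@{int}/{,*} r,`; it was probably meant as `{,*}` (to read the zone's attribute files) or should simply be `thermal_zone@{int}/ r,`. `/dev/nvidia-caps/ rw,` and `/dev/nvidia-caps/nvidia-cap@{int} rw,` give a monitoring tool write access to the capability nodes; if NVML only opens them for reading, `r` suffices and a comment naming the NVML use would justify what remains. `@{PROC}/@{pid}/statm r,` sits before the `@{pids}` rules, breaking the alphabetical order the project's guidelines ask for. The profile header is outside the hunk.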
@@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 7e79f79c3..9177b7b3c 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} { /var/log/gpu-manager.log w, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/module/compression r, + @{PROC}/modules r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/hostapd b/apparmor.d/profiles-g-l/hostapd deleted file mode 100644 index a57a22a79..000000000 --- a/apparmor.d/profiles-g-l/hostapd +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hostapd -profile hostapd @{exec_path} { - include - include - - capability net_admin, - capability net_raw, - - @{exec_path} mr, - - /dev/rfkill r, - - /etc/hostapd.conf r, - /etc/hostapd/{,*} r, - - @{run}/hostapd/{,**} rw, - @{run}/hostapd.pid rw, - - include if exists -} diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0ae2ba626..4dbb2de6b 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -34,6 +34,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, + @{run}/modprobe.d/{,*.conf} r, + /etc/depmod.d/{,**} r, /etc/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 7c277d6e7..d8aa90103 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci 
@@ -24,6 +24,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { /usr/share/misc/pci.ids.gz r, /usr/share/pci.ids r, + @{run}/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r, /etc/udev/hwdb.bin r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 7228dd885..dfae29999 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -153,7 +153,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{sys}/kernel/security/apparmor/features/{,*/} r, + @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ba94636f2..e588ffbcf 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -41,7 +41,10 @@ profile spotify @{exec_path} { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, @{PROC}/pressure/* r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd new file mode 100644 index 000000000..46a3c40b6 --- /dev/null +++ b/apparmor.d/profiles-s-z/wsdd @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wsdd +profile wsdd @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/env r, + @{bin}/python3.@{int} rix, + + /etc/machine-id r, + + owner @{run}/user/@{uid}/gvfsd/wsdd w, + + include if exists +} \ No newline at end of file 
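Review bot: The new `wsdd` profile has no `network` rule, yet wsdd is a WS-Discovery responder that sends and receives UDP multicast (and answers HTTP for WS-Transfer); unless one of the two `include` lines (their targets are not visible in this rendering) supplies it, every socket call is denied and only the `complain` flag added in `dists/flags/main.flags` keeps it running. Add `network inet dgram,` and `network inet6 dgram,` plus whatever stream rules it needs, or a comment stating which abstraction covers them. The file also ends with `} \ No newline at end of file`, which this same commit fixes for polkit-gnome-authentication-agent.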
diff --git a/debian/control b/debian/control index a93c56280..3d15800b8 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,7 @@ Depends: apparmor-profiles, ${shlibs:Depends} Conflicts: apparmor-profiles-extra +Provides: apparmor-profiles-extra Description: Full set of AppArmor profiles (~ 1500 profiles) apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 06eee4510..b00b12eca 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -16,6 +16,7 @@ Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release BuildRequires: golang-packaging +BuildRequires: apparmor-profiles %description AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. @@ -36,9 +37,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: %files %license LICENSE %doc README.md -%exclude /etc/apparmor.d/libvirtd -%exclude /etc/apparmor.d/unix-chkpwd -%exclude /etc/apparmor.d/virt-aa-helper %config /etc/apparmor.d/ /usr/bin/aa-log diff --git a/dists/docker.sh b/dists/docker.sh index d62d469eb..19a8737ae 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -80,7 +80,7 @@ build_in_docker_dpkg() { --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" docker exec "$img" sudo apt-get update -q docker exec "$img" sudo apt-get install -y config-package-dev rsync - [[ "$COMMAND" == debian ]] && aptopt=(-t bookworm-backports) + [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index 3b7c594d0..b94fae2c2 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags 
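Review bot: `Provides: apparmor-profiles-extra` next to the existing `Conflicts: apparmor-profiles-extra` is the usual way to take over a package, but Debian policy expects `Replaces: apparmor-profiles-extra` alongside them so the upgrade path over the real package's files is clean. Without it, dpkg may refuse to install over an existing apparmor-profiles-extra; adding `Replaces: apparmor-profiles-extra` under the `Conflicts:` line completes the triad.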
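Review bot: The three `%exclude` lines are dropped, but `dists/ignore/opensuse.ignore` later in this commit only adds `libvirt` and `virt-aa-helper`, so `/etc/apparmor.d/unix-chkpwd` is now packaged on openSUSE while `abstractions/authentication.d/complete` in this same commit excludes the `unix_chkpwd rPx` rule there on the assumption that the distribution provides that profile; either the rpm will file-conflict with the distro package or the abstraction exclusion is wrong. Keep `%exclude /etc/apparmor.d/unix-chkpwd` or add `unix-chkpwd` to the openSUSE ignore list, whichever matches the intended source of the profile. `BuildRequires: apparmor-profiles` suggests prebuild now inspects the distro profiles at build time; if that is what makes the excludes unnecessary, a comment next to it saying so would save the next reader this cross-check.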
@@ -1,7 +1,7 @@ archlinux-keyring-wkd-sync complain makepkg complain mkinitcpio attach_disconnected,complain -pacman complain +pacman attach_disconnected,complain pacman-conf attach_disconnected,complain pacman-hook-dconf complain pacman-hook-depmod complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 733f75ee2..4770b79eb 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain wg complain wg-quick complain +wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore index a4c63bd3d..0d393c6c1 100644 --- a/dists/ignore/opensuse.ignore +++ b/dists/ignore/opensuse.ignore @@ -11,3 +11,7 @@ apparmor.d/groups/ubuntu # Whonix specific definition apparmor.d/groups/whonix apparmor.d/tunables/home.d/whonix + +# Profiles provided by they own package +libvirt +virt-aa-helper diff --git a/dists/overwrite b/dists/overwrite index 37db232dc..bea6d574b 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,12 +1,8 @@ -# Apparmor ships some unconfined profiles that allow everything and set the -# userns rules. This file keeps track of them and allow apparmor.d to replace +# Apparmor 4.0 ships several profiles that allow userns and are otherwise +# unconfined. This file keeps track of them and allow apparmor.d to replace # them by our own. # File format: one profile name by line. -# This is managed globally in this file and not in debian/apparmor.d.hide as -# it applies to all distributions using apparmor 4.0+. When needed, it is -# automatically enabled during prebuild. - brave chrome element-desktop diff --git a/docs/configuration.md b/docs/configuration.md index 05d4fa1f1..c367de4d2 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
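Review bot: The removed paragraph (`This is managed globally in this file ... automatically enabled during prebuild.`) was the only place stating where this list is consumed and why it does not live in `debian/apparmor.d.hide`; the new header says what the file holds but not who reads it. Keep one sentence of it, e.g. `# Enabled automatically by prebuild on distributions shipping apparmor 4.0+.`. The new comment in `dists/ignore/opensuse.ignore` reads `Profiles provided by they own package` — `their`.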
@@ -49,7 +49,14 @@ The profiles heavily use the (largely extended) XDG directory variables defined | Vm | `@{XDG_VM_DIR}` | `.vm` | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | -You can personalize these values by creating a file such as: `/etc/apparmor.d/tunables/xdg-user-dirs.d/local` where you define your own personal directories. Example: +You can personalize these values. + +First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: +``` +sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d +``` +Then create a `local` addition file in it where you define your own personal +directories. Example: ```sh @{XDG_VIDEOS_DIR}+="Films" @{XDG_MUSIC_DIR}+="Musique" diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 6657bb78a..07d147d6e 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -114,7 +114,7 @@ Minimal set of rules for all electron based UI application. It works as a *funct !!! note "" - [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/profile-s-z/spotify#L10-L13) + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify @{lib_dirs} = /opt/@{name} diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 875370c57..1c8e2e971 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -2,7 +2,13 @@ title: Dbus --- -All dbus rules are labelled under the name of the given profiles that provide dbus data. If the profiles were going to change (a renaming, an architectural change), the dbus rules need to be updated accordingly. +All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profile for *everything*, we can restrict the bus further by limitint connection to a given peer label (the profile name). In case of a renaming of a profile, all dbus rules related it this profile need to be updated accordingly. + +## Profiles + +Regardless of the Dbus implementation used (`dbus-daemon` or `dbus-broker`), all dbus daemons are handled under the same set of profiles: [`dbus-system`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-system), [`dbus-session`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-session), and [`dbus-accessibility`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-accessibility). This structure largely improves the confinement of each profile. + +To ensure system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile a dbus service must use. ## Abstractions diff --git a/docs/development/directives.md b/docs/development/directives.md index fb8c79c4e..877001adb 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
@@ -136,7 +136,7 @@ The `exec` directive is useful to allow executing transition to a profile withou include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index b25305f88..4e5e1af7e 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -91,24 +91,23 @@ If there is no predictable label it can be omitted. ### Profile rules -`bin, sbin & lib` +#### :material-numeric-1-circle: Variables -: - Do not use: `/usr/lib` or `/usr/bin` but `@{bin}/` or `@{lib}/` - - Do not use: `/usr/sbin` or `/sbin` but `@{bin}/`. +: Always use the apparmor [variables](../variables.md). + Example: -`Variables` + - `/usr/lib` or `/usr/bin` become `@{bin}` or `@{lib}` + - `/usr/sbin` or `/sbin` become `@{bin}`. -: Always use the apparmor variables. - -`Sort` +#### :material-numeric-2-circle: Sort : In a rule block, the rules must be alphabetically sorted. -`Sub profile` +#### :material-numeric-3-circle: Sub profile : Sub profile should come at the end of a profile. -`Similar purpose` +#### :material-numeric-4-circle: Similar purpose : When some rules share similar purpose, they may be sorted together. Eg: ``` diff --git a/docs/development/index.md b/docs/development/index.md index 21e8457ba..72029af86 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -36,7 +36,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co : As these are mandatory access control policies only what is explicitly required should be authorized. Meaning, you should **not** allow everything (or a large area) - and blacklist some sub areas. + and deny some sub areas. #### Rule :material-numeric-2-circle: - Do not break a program diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 21c209ea1..f5b7fa812 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -1,5 +1,5 @@ --- -title: Full system policy +title: Full system policy (FSP) --- !!! danger @@ -18,6 +18,19 @@ title: Full system policy *Source: [AppArmor Wiki][apparmor-wiki]* +## Overview + +The default mode of `apparmor.d` is the more advanced confinement configuration we can achieve while being as simple as installing a package and doing some minor configuration on your system. By design, a full system confinement does not work this way. Before enabling you need to consider your use case and security objective. + +Particularly: + +- Every system application will be **blocked** if they do not have a profile. +- Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. +- Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. +- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. +- In FSP mode, all sandbox manager **must** have a profile. Then user sandboxed application (flatpak, snap...) will work as expected. + + ## Install diff --git a/docs/install.md b/docs/install.md index 828624d5c..59a963a23 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -14,7 +14,7 @@ title: Installation **AppArmor** -An `apparmor` based Linux distribution is required. The basic profiles and abstractions shipped with AppArmor must be installed. +An `apparmor` based Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed. **Desktop environment** diff --git a/docs/report.md b/docs/report.md index 05995fae1..2292d1bd0 100644 --- a/docs/report.md +++ b/docs/report.md @@ -16,5 +16,10 @@ If this command produce nothing, try: aa-log -s -R ``` +You can get more logs with: + +1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) +2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) + [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index e20714b12..9ad0d7050 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -86,17 +86,27 @@ Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logp To read the AppArmor log from `/var/log/audit/audit.log`: ```sh -aa-log +$ aa-log ``` To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): ``` -aa-log dnsmasq +$ aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r ``` +To generate AppArmor rule: +```sh +$ aa-log -r dnsmasq +profile dnsmasq { + @{PROC}/@{pid}/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, +} +``` + !!! info Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1` diff --git a/docs/variables.md b/docs/variables.md index f1113be13..6ea5285c8 100644 --- a/docs/variables.md +++ b/docs/variables.md 
@@ -86,7 +86,6 @@ title: Variables References | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | | Hexadecimal | `@{h}*@{h}` | | -| MD5 hash | `@{md5}` | | | Universally unique identifier | `@{uuid}` | | | Current Process id | `@{pid}` | `[0-9]*` | | Processes ids | `@{pids}` | `[0-9]*` | diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/cfg/directories.go index 4032249b4..282aa1ad8 100644 --- a/pkg/prebuild/cfg/directories.go +++ b/pkg/prebuild/cfg/directories.go @@ -28,8 +28,13 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") - // Either or not overwrite some upstreamed profile - Overwrite = Overwriter{Enabled: false} + // AppArmor 4.0 contains several profiles that allow userns and are otherwise + // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d + // counterpart + Overwrite Overwriter = false + + // DebianHide is the path to the debian/apparmor.d.hide file + DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} Ignore = Ignorer{} Flags = Flagger{} diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go index 6d635d657..6f81d25bc 100644 --- a/pkg/prebuild/cfg/files.go +++ b/pkg/prebuild/cfg/files.go @@ -5,11 +5,15 @@ package cfg import ( + "fmt" + "os" "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/util" ) +// Default content of debian/apparmor.d.hide. Whonix has special addition. var Hide = `# This file is generated by "make", all edit will be lost. /etc/apparmor.d/usr.bin.firefox 
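Review bot: `DebianHide` captures `DebianDir.Join("apparmor.d.hide")` once at package initialisation, so any later reassignment of `DebianDir` (the test this commit deletes did exactly that with `DebianDir = paths.New("/tmp/")`) leaves `DebianHide` pointing at the stale path. If `DebianDir` is meant to be fixed for the life of the process, a comment on the variable saying so is enough; otherwise have `DebianHider.Init` resolve the path when it runs, e.g. `return DebianDir.Join("apparmor.d.hide").WriteFile([]byte(Hide))`. The `var` block continues outside the hunk.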
@@ -50,42 +54,42 @@ func (i Ignorer) Read(name string) []string {
 return util.MustReadFileAsLines(path)
 }
-type Overwriter struct {
- Enabled bool
-}
+type Overwriter bool
+
+// Overwrite upstream profile: disable upstream & rename ours
+func (o Overwriter) Apply() error {
+ const ext = ".apparmor.d"
+ disableDir := RootApparmord.Join("disable")
+ if err := disableDir.Mkdir(); err != nil {
+ return err
+ }
-// Get the list of upstream profiles to overwrite from dist/overwrite
-func (o Overwriter) Get() []string {
 path := DistDir.Join("overwrite")
 if !path.Exist() {
- return []string{}
+ return fmt.Errorf("%s not found", path)
 }
- return util.MustReadFileAsLines(path)
-}
-
-// Overwrite upstream profile for APT: rename our profile & hide upstream
-func (o Overwriter) Apt(files []string) {
- const ext = ".apparmor.d"
- file, err := DebianDir.Join("apparmor.d.hide").Append()
- if err != nil {
- panic(err)
- }
- for _, name := range files {
+ for _, name := range util.MustReadFileAsLines(path) {
 origin := RootApparmord.Join(name)
 dest := RootApparmord.Join(name + ext)
 if err := origin.Rename(dest); err != nil {
- panic(err)
+ return err
 }
- if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
- panic(err)
+ originRel, err := origin.RelFrom(dest)
+ if err != nil {
+ return err
+ }
+ if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
+ return err
 }
 }
+ return nil
 }
-// Clean the debian/apparmor.d.hide file
-func (o Overwriter) AptClean() {
- path := DebianDir.Join("apparmor.d.hide")
- if err := path.WriteFile([]byte(Hide)); err != nil {
- panic(err)
- }
+type DebianHider struct {
+ path *paths.Path
+}
+
+// Initialize the file with content from Hide
+func (d DebianHider) Init() error {
+ return d.path.WriteFile([]byte(Hide))
 }
diff --git a/pkg/prebuild/cfg/files_test.go b/pkg/prebuild/cfg/files_test.go
index c3d89dd20..b4ce13a1c 100644
--- a/pkg/prebuild/cfg/files_test.go
+++ b/pkg/prebuild/cfg/files_test.go
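Review bot: `Apply` now returns an error from every step except reading the profile list, where `util.MustReadFileAsLines(path)` still panics on a read failure; routing that through the returned error would make the method consistent, and since the method's contract changed, the `TestOverwriter_*` cases deleted in files_test.go are not replaced by any test of `Apply` or `DebianHider.Init`. The boolean value of the `Overwriter` receiver is never consulted inside `Apply`, which is why both call sites in configure.go wrap it in `if cfg.Overwrite { … }`; a guard `if !o { return nil }` at the top would remove that duplication. The symlink target `origin.RelFrom(dest)` appears to rely on `dest` living next to `origin` so that the link in `disable/` resolves to the upstream `<name>` once installed, and the link is dangling in the build tree until then; a comment such as `// disable/<name> -> ../<name>: points at the upstream profile after install` would make that intent explicit, assuming that is what RelFrom yields. Per Go convention the doc comment should also start with the method name, e.g. `// Apply renames our profile to <name>.apparmor.d and links the upstream one into disable/.`.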
@@ -102,64 +102,3 @@ code
 })
 }
 }
-
-func TestOverwriter_Get(t *testing.T) {
- tests := []struct {
- name string
- content string
- want []string
- }{
- {
- name: "empty",
- content: `
-
-`,
- want: []string{},
- },
- {
- name: "main",
- content: `
-# This is managed globally
-brave # not so brave
-chrome
-firefox
-`,
- want: []string{
- "brave",
- "chrome",
- "firefox",
- },
- },
- }
- DistDir = paths.New("/tmp/")
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- err := DistDir.Join("overwrite").WriteFile([]byte(tt.content))
- if err != nil {
- return
- }
- if got := Overwrite.Get(); !reflect.DeepEqual(got, tt.want) {
- t.Errorf("Overwriter.Get() = %v, want %v", got, tt.want)
- }
- })
- }
-}
-
-func TestOverwriter_Apt(t *testing.T) {
- tests := []struct {
- name string
- files []string
- }{
- {
- name: "empty",
- files: []string{},
- },
- }
- DebianDir = paths.New("/tmp/")
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- Overwrite.Apt(tt.files)
- Overwrite.AptClean()
- })
- }
-}
diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go
index a0e8117d3..30bf5c2e6 100644
--- a/pkg/prebuild/prebuild.go
+++ b/pkg/prebuild/prebuild.go
@@ -32,22 +32,27 @@ func init() {
 builder.Register("dev")
 switch cfg.Distribution {
+ case "opensuse":
+ builder.Register("abi3")
+ cfg.Overwrite = true
+
 case "ubuntu":
 if cfg.Release["VERSION_CODENAME"] == "noble" {
 builder.Register("abi3")
- cfg.Overwrite.Enabled = true
+ cfg.Overwrite = true
 }
+
 case "whonix":
 cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure
 /etc/apparmor.d/home.tor-browser.firefox
-/etc/apparmor.d/tunables/home.d/anondist
+/etc/apparmor.d/tunables/homsanitycheck
+/etc/apparmor.d/usr.bin.url_e.d/anondist
 /etc/apparmor.d/tunables/home.d/live-mode
 /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
 /etc/apparmor.d/usr.bin.hexchat
 /etc/apparmor.d/usr.bin.sdwdate
 /etc/apparmor.d/usr.bin.systemcheck
-/etc/apparmor.d/usr.bin.timesanitycheck
-/etc/apparmor.d/usr.bin.url_to_unixtime
+/etc/apparmor.d/usr.bin.timeto_unixtime
 /etc/apparmor.d/whonix-firewall
 `
 }
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index ba0c700c4..df4daaeb1 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,12 +28,21 @@ func (p Configure) Apply() ([]string, error) {
 res := []string{}
 switch cfg.Distribution {
 case "arch", "opensuse":
+ if cfg.Overwrite {
+ if err := cfg.Overwrite.Apply(); err != nil {
+ return res, err
+ }
+ }
 case "ubuntu":
- cfg.Overwrite.AptClean()
- if cfg.Overwrite.Enabled {
- profiles := cfg.Overwrite.Get()
- cfg.Overwrite.Apt(profiles)
+ if err := cfg.DebianHide.Init(); err != nil {
+ return res, err
+ }
+
+ if cfg.Overwrite {
+ if err := cfg.Overwrite.Apply(); err != nil {
+ return res, err
+ }
 } else {
 if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
 return res, err
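Review bot: The three new entries in the whonix `cfg.Hide` block look like a mangled paste rather than intended paths: `/etc/apparmor.d/tunables/homsanitycheck`, `/etc/apparmor.d/usr.bin.url_e.d/anondist` and `/etc/apparmor.d/usr.bin.timeto_unixtime` read as fragments of the removed `tunables/home.d/anondist`, `usr.bin.timesanitycheck` and `usr.bin.url_to_unixtime` spliced together. As written, those three real upstream files are no longer listed in debian/apparmor.d.hide while three paths that do not appear anywhere else in this change are listed instead, so the removed lines should probably be restored and the added ones dropped. `init` continues outside the hunk.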
@@ -41,7 +50,9 @@ func (p Configure) Apply() ([]string, error) {
 }
 case "debian", "whonix":
- cfg.Overwrite.AptClean()
+ if err := cfg.DebianHide.Init(); err != nil {
+ return res, err
+ }
 // Copy Debian specific abstractions
 if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
diff --git a/pkg/util/tools.go b/pkg/util/tools.go
index c7d91a8da..96cffb36a 100644
--- a/pkg/util/tools.go
+++ b/pkg/util/tools.go
@@ -71,11 +71,11 @@ func DecodeHexInString(str string) string {
 func RemoveDuplicate[T comparable](inlist []T) []T {
 var empty T
 list := []T{}
- keys := map[T]bool{}
- keys[empty] = true
+ seen := map[T]bool{}
+ seen[empty] = true
 for _, item := range inlist {
- if _, ok := keys[item]; !ok {
- keys[item] = true
+ if _, ok := seen[item]; !ok {
+ seen[item] = true
 list = append(list, item)
 }
 }