felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'roddhjav:main' into main

Browse source
This commit is contained in:
Besanon 2024-06-07 17:58:10 +02:00 committed by GitHub
commit b652231277
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
64 changed files with 284 additions and 230 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.gitlab-ci.yml
View file

@ -119,7 +119,7 @@ opensuse:
image: registry.gitlab.com/roddhjav/builders/opensuse
script:
- mkdir -p "$PKGDEST"
- sudo zypper install -y distribution-release golang-packaging rsync
- sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
- bash dists/build.sh rpm
artifacts:
expire_in: 1 day
@ -151,11 +151,16 @@ preprocess-debian:
- dpkg --install $PKGDEST/*
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
.preprocess-ubuntu:
extends: preprocess-debian
preprocess-ubuntu:
stage: preprocess
image: ubuntu
dependencies:
- ubuntu
script:
- apt-get update -q
- apt-get install -y apparmor apparmor-profiles
- dpkg --install $PKGDEST/*
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
preprocess-whonix:
extends: preprocess-debian

7
Makefile
View file

@ -12,7 +12,7 @@ P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
all: build
@./${BUILD}/prebuild --complain
@./${BUILD}/prebuild --complain
build:
@go build -o ${BUILD}/ ./cmd/aa-log
@ -26,6 +26,7 @@ full: build
ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ROOT}; do \
@ -34,6 +35,10 @@ install:
@for file in ${PROFILES}; do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${DISABLES}; do \
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${BUILD}/systemd/system/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \

4
apparmor.d/abstractions/app-launcher-root
View file

@ -3,8 +3,8 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{bin}/* rPUx,
/usr/local/{s,}bin/* rPUx,
@{bin}/* PUx,
/usr/local/{s,}bin/* PUx,
@{bin}/ r,
/ r,

23
apparmor.d/abstractions/app-launcher-user
View file

@ -3,19 +3,18 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{bin}/* rPUx,
/opt/*/** rPUx,
/usr/share/*/* rPUx,
/usr/local/bin/* rPUx,
@{bin}/* PUx,
/opt/*/** PUx,
/usr/share/*/* PUx,
/usr/local/bin/* PUx,
@{bin}/chromium rPx,
@{brave_path} rPx,
@{chrome_path} rPx,
@{chromium_path} rPx,
@{firefox_path} rPx,
@{opera_path} rPx,
@{thunderbird_path} rPx,
@{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
@{brave_path} Px,
@{chrome_path} Px,
@{chromium_path} Px,
@{firefox_path} Px,
@{opera_path} Px,
@{thunderbird_path} Px,
@{offices_path} PUx,
@{bin}/ r,
/ r,

2
apparmor.d/abstractions/app/firefox
View file

@ -41,6 +41,8 @@
network inet6 stream,
network netlink raw,
ptrace trace peer=@{profile_name},
signal (send) set=(term, kill) peer=@{profile_name}-*,
@{sh_path} rix,

2
apparmor.d/abstractions/authentication.d/complete
View file

@ -1,7 +1,7 @@
@{bin}/pam-tmpdir-helper rPx,
#aa:exclude ubuntu
#aa:exclude ubuntu opensuse
@{bin}/unix_chkpwd rPx,
#aa:only whonix

4
apparmor.d/abstractions/common/app
View file

@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# Common rules for applications sandboxed using bwrap.
@ -40,8 +41,9 @@
@{bin}/ r,
@{lib}/ r,
/usr/local/bin/ r,
owner /@{uuid}/ w,
owner /_@{int}_/ w,
owner /@{uuid}/ w,
owner /var/cache/ldconfig/{,**} rw,
# Full access to user's data
/ r,

3
apparmor.d/abstractions/mesa.d/complete
View file

@ -5,7 +5,8 @@
# Extra Mesa rules for desktop environments
owner @{desktop_cache_dirs}/ w,
owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk,
owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,

2
apparmor.d/abstractions/vulkan-strict
View file

@ -15,7 +15,7 @@
/etc/vulkan/implicit_layer.d/{,*.json} r,
owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
@{sys}/class/ r,
@{sys}/class/drm/ r,

2
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{,g,m}awk rix,
@{bin}/cat rix,
@{bin}/dialog rix,
@{bin}/locale rix,
@{bin}/sed rix,

3
apparmor.d/groups/apt/unattended-upgrade
View file

@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
signal (send) peer=apt-methods-http,
unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
@{exec_path} mr,
@{bin}/ r,
@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/apt-dpkg-install-*/{,*} rw,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/fd/ r,
/dev/ptmx rw,

2
apparmor.d/groups/bus/dbus-session
View file

@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/** PUx,
/usr/share/*/** PUx,
/etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r,

6
apparmor.d/groups/bus/dbus-system
View file

@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
@{exec_path} mrix,
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/*/** PUx,
@{bin}/** PUx,
@{lib}/** PUx,
/usr/share/*/** PUx,
/etc/dbus-1/{,**} r,
/usr/share/dbus-1/{,**} r,

3
apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
View file

@ -12,6 +12,7 @@ include <tunables/global>
@{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
profile polkit-gnome-authentication-agent @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/gnome-strict>
@{exec_path} mr,
@ -19,4 +20,4 @@ profile polkit-gnome-authentication-agent @{exec_path} {
@{PROC}/@{pid}/cgroup r,
include if exists <local/polkit-gnome-authentication-agent>
}
}

1
apparmor.d/groups/freedesktop/xdg-document-portal
View file

@ -12,6 +12,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-session>
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
include <abstractions/deny-sensitive-home>
include <abstractions/nameservice-strict>
capability sys_admin,
capability sys_nice,

3
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict>
capability sys_nice,
@ -25,6 +26,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
owner @{HOME}/.local/ w,
@{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
owner @{desktop_share_dirs}/flatpak/ w,

2
apparmor.d/groups/gnome/gnome-control-center
View file

@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{bin}/grep rix,
@{bin}/locale rix,
@{bin}/sed rix,
@{bin}/tecla rix,
@{bin}/bwrap rCx -> bwrap,
@{bin}/gkbd-keyboard-display rPx,
@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
@{PROC}/cmdline r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,

4
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
@{exec_path} mr,
/usr/share/gnome-remote-desktop/{,**} r,
owner /var/lib/gnome-remote-desktop//{,**} r,
include if exists <local/gnome-remote-desktop-daemon>
}

6
apparmor.d/groups/gnome/gnome-shell
View file

@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_cache_dirs}/media-art/{,**} r,
owner @{user_cache_dirs}/vlc/**/*.jpg r,
@{run}/gdm{3,}/dbus/dbus-@{rand8} w,
@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
unix receive type=stream,
@{lib}/gio-launch-desktop mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
@{lib}/* PUx,
/usr/games/* PUx,
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,

2
apparmor.d/groups/gnome/gnome-text-editor
View file

@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
@{exec_path} mr,
/usr/share/enchant-*/{,**} r,
owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
owner @{PROC}/@{pid}/mountinfo r,

1
apparmor.d/groups/gvfs/gvfsd
View file

@ -11,6 +11,7 @@ include <tunables/global>
profile gvfsd @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict>
#aa:dbus own bus=session name=org.gtk.vfs.Daemon
#aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker

1
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -12,6 +12,7 @@ profile gvfsd-fuse @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/nameservice-strict>
mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,

1
apparmor.d/groups/gvfs/gvfsd-wsdd
View file

@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
@{exec_path} mr,
@{bin}/env r,
@{bin}/wsdd rPx,
@{run}/mount/utab r,

2
apparmor.d/groups/network/nm-dispatcher
View file

@ -81,6 +81,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
@{run}/modem-manager-gui/{,timestamps} rw,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>

15
apparmor.d/groups/network/nmcli
View file

@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
@{exec_path} mr,
@{bin}/less rCx -> pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
owner @{HOME}/.nm-vpngate/*.ovpn r,
owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
@{sys}/devices/virtual/net/{,**} r,
@{sys}/devices/@{pci}/net/*/{,**} r,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/less mr,
owner @{HOME}/.lesshs* rw,
owner @{user_cache_dirs}/.lesshs* rw,
}
include if exists <local/nmcli>
}

12
apparmor.d/groups/pacman/pacman
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/pacman
profile pacman @{exec_path} {
profile pacman @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
@ -117,11 +117,6 @@ profile pacman @{exec_path} {
/usr/** rwlk -> /usr/**,
/var/** rwlk -> /var/**,
@{PROC}/ r,
@{run}/ r,
@{sys}/{,**} r,
/mnt r,
# Read packages files
@{user_pkg_dirs}/**/ r,
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@ -132,13 +127,16 @@ profile pacman @{exec_path} {
owner @{tmp}/checkup-db-@{int}/db.lck rw,
@{run}/utmp rk,
@{sys}/{,**} r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

3
apparmor.d/groups/pacman/pacman-key
View file

@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
@{exec_path} mr,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/chmod rix,
@{bin}/{m,g,}awk rix,
@{bin}/gettext rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/grep rix,
@{bin}/ngettext rix,
@{bin}/pacman-conf rPx,
@{bin}/touch rix,
@{bin}/tput rix,

5
apparmor.d/groups/ssh/sshd
View file

@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ssh/ssh_host_* r,
/var/lib/lastlog/ r,
/var/lib/lastlog/* rwk,
/var/lib/wtmpdb/ r,
/var/lib/wtmpdb/* rwk,
# For scp
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,

5
apparmor.d/groups/systemd/systemd-oomd
View file

@ -30,8 +30,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
owner @{run}/systemd/journal/socket w,
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/memory.pressure r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
@{sys}/fs/cgroup/memory.* r,
@{sys}/fs/cgroup/system.slice/memory.* r,
@{sys}/fs/cgroup/user.slice/{,**/}memory.* r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,

1
apparmor.d/profiles-a-f/atool
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/atool
profile atool @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/user-write-strict>

5
apparmor.d/profiles-a-f/borg
View file

@ -21,11 +21,6 @@ profile borg @{exec_path} {
network inet6 dgram,
network netlink raw,
mount fstype=fuse -> @{MOUNTS}/,
mount fstype=fuse -> @{MOUNTS}/*/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{exec_path} r,
@{bin}/ r,

38
apparmor.d/profiles-a-f/btop
View file

@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/btop
profile btop @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
include <abstractions/graphics-full>
include <abstractions/nameservice-strict>
capability sys_ptrace,
@ -21,30 +22,41 @@ profile btop @{exec_path} {
@{exec_path} mr,
/usr/share/btop/{,**} r,
/etc/fstab r,
owner @{user_config_dirs}/btop/{,**} rw,
@{sys}/bus/pci/devices/ r,
@{sys}/class/hwmon/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r,
@{sys}/devices/@{pci}/net/*/address r,
@{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r,
@{sys}/devices/@{pci}/**/stat r,
@{sys}/devices/@{pci}/net/*/{,**} r,
@{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r,
@{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r,
@{sys}/devices/**/hwmon@{int}/{,*} r,
@{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
@{sys}/devices/virtual/**/net/*/address r,
@{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/devices/virtual/block/dm-@{int}/stat r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r,
@{sys}/devices/virtual/net/{,**} r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,
@{PROC} r,
@{PROC}/loadavg r,
@{PROC}/uptime r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/io r,
@{PROC}/@{pids}/stat r,
@{PROC}/devices r,
@{PROC}/driver/nvidia/capabilities/mig/monitor r,
@{PROC}/loadavg r,
@{PROC}/spl/kstat/zfs/arcstats r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/mounts r,
/dev/nvidia-caps/ rw,
/dev/nvidia-caps/nvidia-cap@{int} rw,
include if exists <local/btop>
}

2
apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
View file

@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
@{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
/usr/share/gvfs/remote-volume-monitors/{,**} r,
include if exists <local/gdk-pixbuf-query-loaders>
}

3
apparmor.d/profiles-g-l/gpu-manager
View file

@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
/var/log/gpu-manager.log w,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/module/compression r,
@{PROC}/modules r,
@{PROC}/cmdline r,

27
apparmor.d/profiles-g-l/hostapd
View file

@ -1,27 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/hostapd
profile hostapd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability net_admin,
capability net_raw,
@{exec_path} mr,
/dev/rfkill r,
/etc/hostapd.conf r,
/etc/hostapd/{,*} r,
@{run}/hostapd/{,**} rw,
@{run}/hostapd.pid rw,
include if exists <local/hostapd>
}

2
apparmor.d/profiles-g-l/kmod
View file

@ -34,6 +34,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{lib}/modprobe.d/{,*.conf} r,
@{lib}/modules/*/modules.* rw,
@{run}/modprobe.d/{,*.conf} r,
/etc/depmod.d/{,**} r,
/etc/modprobe.d/{,*.conf} r,

1
apparmor.d/profiles-g-l/lspci
View file

@ -24,6 +24,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
/usr/share/misc/pci.ids.gz r,
/usr/share/pci.ids r,
@{run}/modprobe.d/{,*.conf} r,
/etc/modprobe.d/{,*.conf} r,
/etc/udev/hwdb.bin r,

2
apparmor.d/profiles-s-z/snapd
View file

@ -153,7 +153,7 @@ profile snapd @{exec_path} {
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/kernel/kexec_loaded r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/{,*/} r,
@{sys}/kernel/security/apparmor/features/{,**} r,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,

5
apparmor.d/profiles-s-z/spotify
View file

@ -41,7 +41,10 @@ profile spotify @{exec_path} {
owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{PROC}/pressure/* r,

24
apparmor.d/profiles-s-z/wsdd Normal file
View file

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/wsdd
profile wsdd @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} mr,
@{bin}/env r,
@{bin}/python3.@{int} rix,
/etc/machine-id r,
owner @{run}/user/@{uid}/gvfsd/wsdd w,
include if exists <local/wsdd>
}

1
debian/control vendored
View file

@ -18,6 +18,7 @@ Depends:
apparmor-profiles,
${shlibs:Depends}
Conflicts: apparmor-profiles-extra
Provides: apparmor-profiles-extra
Description: Full set of AppArmor profiles (~ 1500 profiles)
apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine
most Linux based applications and processes.

4
dists/apparmor.d.spec
View file

@ -16,6 +16,7 @@ Source0: %{name}-%{version}.tar.gz
Requires: apparmor-profiles
BuildRequires: distribution-release
BuildRequires: golang-packaging
BuildRequires: apparmor-profiles
%description
AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
@ -36,9 +37,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
%files
%license LICENSE
%doc README.md
%exclude /etc/apparmor.d/libvirtd
%exclude /etc/apparmor.d/unix-chkpwd
%exclude /etc/apparmor.d/virt-aa-helper
%config /etc/apparmor.d/
/usr/bin/aa-log

2
dists/docker.sh
View file

@ -80,7 +80,7 @@ build_in_docker_dpkg() {
--env DISTRIBUTION="$target" "$BASEIMAGE/$dist"
docker exec "$img" sudo apt-get update -q
docker exec "$img" sudo apt-get install -y config-package-dev rsync
[[ "$COMMAND" == debian ]] && aptopt=(-t bookworm-backports)
[[ "$dist" == debian ]] && aptopt=(-t bookworm-backports)
docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go
fi

2
dists/flags/arch.flags
View file

@ -1,7 +1,7 @@
archlinux-keyring-wkd-sync complain
makepkg complain
mkinitcpio attach_disconnected,complain
pacman complain
pacman attach_disconnected,complain
pacman-conf attach_disconnected,complain
pacman-hook-dconf complain
pacman-hook-depmod complain

1
dists/flags/main.flags
View file

@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
virtstoraged attach_disconnected,complain
wg complain
wg-quick complain
wsdd complain
xdg-dbus-proxy attach_disconnected,complain
xdg-desktop-icon complain
xdg-desktop-portal-kde complain

4
dists/ignore/opensuse.ignore
View file

@ -11,3 +11,7 @@ apparmor.d/groups/ubuntu
# Whonix specific definition
apparmor.d/groups/whonix
apparmor.d/tunables/home.d/whonix
# Profiles provided by they own package
libvirt
virt-aa-helper

8
dists/overwrite
View file

@ -1,12 +1,8 @@
# Apparmor ships some unconfined profiles that allow everything and set the
# userns rules. This file keeps track of them and allow apparmor.d to replace
# Apparmor 4.0 ships several profiles that allow userns and are otherwise
# unconfined. This file keeps track of them and allow apparmor.d to replace
# them by our own.
# File format: one profile name by line.
# This is managed globally in this file and not in debian/apparmor.d.hide as
# it applies to all distributions using apparmor 4.0+. When needed, it is
# automatically enabled during prebuild.
brave
chrome
element-desktop

9
docs/configuration.md
View file

@ -49,7 +49,14 @@ The profiles heavily use the (largely extended) XDG directory variables defined
| Vm | `@{XDG_VM_DIR}` | `.vm`
| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
You can personalize these values by creating a file such as: `/etc/apparmor.d/tunables/xdg-user-dirs.d/local` where you define your own personal directories. Example:
You can personalize these values.
First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`:
```
sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d
```
Then create a `local` addition file in it where you define your own personal
directories. Example:
```sh
@{XDG_VIDEOS_DIR}+="Films"
@{XDG_MUSIC_DIR}+="Musique"

2
docs/development/abstractions.md
View file

@ -114,7 +114,7 @@ Minimal set of rules for all electron based UI application. It works as a *funct
!!! note ""
[apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/profile-s-z/spotify#L10-L13)
[apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13)
``` sh linenums="10"
@{name} = spotify
@{lib_dirs} = /opt/@{name}

8
docs/development/dbus.md
View file

@ -2,7 +2,13 @@
title: Dbus
---
All dbus rules are labelled under the name of the given profiles that provide dbus data. If the profiles were going to change (a renaming, an architectural change), the dbus rules need to be updated accordingly.
All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profile for *everything*, we can restrict the bus further by limitint connection to a given peer label (the profile name). In case of a renaming of a profile, all dbus rules related it this profile need to be updated accordingly.
## Profiles
Regardless of the Dbus implementation used (`dbus-daemon` or `dbus-broker`), all dbus daemons are handled under the same set of profiles: [`dbus-system`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-system), [`dbus-session`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-session), and [`dbus-accessibility`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-accessibility). This structure largely improves the confinement of each profile.
To ensure system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile a dbus service must use.
## Abstractions

2
docs/development/directives.md
View file

@ -136,7 +136,7 @@ The `exec` directive is useful to allow executing transition to a profile withou
include <abstractions/common/systemd>
capability dac_override,
capability kill,
unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
#aa:dbus own bus=system name=org.freedesktop.oom1
/etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r,

17
docs/development/guidelines.md
View file

@ -91,24 +91,23 @@ If there is no predictable label it can be omitted.
### Profile rules
`bin, sbin & lib`
#### :material-numeric-1-circle: Variables
: - Do not use: `/usr/lib` or `/usr/bin` but `@{bin}/` or `@{lib}/`
- Do not use: `/usr/sbin` or `/sbin` but `@{bin}/`.
: Always use the apparmor [variables](../variables.md).
Example:
`Variables`
- `/usr/lib` or `/usr/bin` become `@{bin}` or `@{lib}`
- `/usr/sbin` or `/sbin` become `@{bin}`.
: Always use the apparmor variables.
`Sort`
#### :material-numeric-2-circle: Sort
: In a rule block, the rules must be alphabetically sorted.
`Sub profile`
#### :material-numeric-3-circle: Sub profile
: Sub profile should come at the end of a profile.
`Similar purpose`
#### :material-numeric-4-circle: Similar purpose
: When some rules share similar purpose, they may be sorted together. Eg:
```

2
docs/development/index.md
View file

@ -36,7 +36,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co
: As these are mandatory access control policies only what is explicitly required
should be authorized. Meaning, you should **not** allow everything (or a large area)
and blacklist some sub areas.
and deny some sub areas.
#### Rule :material-numeric-2-circle: - Do not break a program

15
docs/full-system-policy.md
View file

@ -1,5 +1,5 @@
---
title: Full system policy
title: Full system policy (FSP)
---
!!! danger
@ -18,6 +18,19 @@ title: Full system policy
*Source: [AppArmor Wiki][apparmor-wiki]*
## Overview
The default mode of `apparmor.d` is the more advanced confinement configuration we can achieve while being as simple as installing a package and doing some minor configuration on your system. By design, a full system confinement does not work this way. Before enabling you need to consider your use case and security objective.
Particularly:
- Every system application will be **blocked** if they do not have a profile.
- Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile.
- Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**.
- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it.
- In FSP mode, all sandbox manager **must** have a profile. Then user sandboxed application (flatpak, snap...) will work as expected.
## Install

2
docs/install.md
View file

@ -14,7 +14,7 @@ title: Installation
**AppArmor**
An `apparmor` based Linux distribution is required. The basic profiles and abstractions shipped with AppArmor must be installed.
An `apparmor` based Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.
**Desktop environment**

5
docs/report.md
View file

@ -16,5 +16,10 @@ If this command produce nothing, try:
aa-log -s -R
```
You can get more logs with:
1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them)
2. `aa-log -R -f <nb>` where `<nb>` is `1`, `2`, `3` and `4` (the rotated audit log file)
[newissue]: https://github.com/roddhjav/apparmor.d/issues/new
[paste]: https://pastebin.com/

14
docs/usage.md
View file

@ -86,17 +86,27 @@ Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logp
To read the AppArmor log from `/var/log/audit/audit.log`:
```sh
aa-log
$ aa-log
```
To optionally filter a given profile name: `aa-log <profile-name>` (your shell will autocomplete the profile name):
```
aa-log dnsmasq
$ aa-log dnsmasq
DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
```
To generate AppArmor rule:
```sh
$ aa-log -r dnsmasq
profile dnsmasq {
@{PROC}/@{pid}/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
}
```
!!! info
Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`

1
docs/variables.md
View file

@ -86,7 +86,6 @@ title: Variables References
| Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` |
| Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | |
| Hexadecimal | `@{h}*@{h}` | |
| MD5 hash | `@{md5}` | |
| Universally unique identifier | `@{uuid}` | |
| Current Process id | `@{pid}` | `[0-9]*` |
| Processes ids | `@{pids}` | `[0-9]*` |

9
pkg/prebuild/cfg/directories.go
View file

@ -28,8 +28,13 @@ var (
// DebianDir is the directory where the debian specific files are stored
DebianDir *paths.Path = paths.New("debian")
// Either or not overwrite some upstreamed profile
Overwrite = Overwriter{Enabled: false}
// AppArmor 4.0 contains several profiles that allow userns and are otherwise
// unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d
// counterpart
Overwrite Overwriter = false
// DebianHide is the path to the debian/apparmor.d.hide file
DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")}
Ignore = Ignorer{}
Flags = Flagger{}

56
pkg/prebuild/cfg/files.go
View file

@ -5,11 +5,15 @@
package cfg
import (
"fmt"
"os"
"strings"
"github.com/roddhjav/apparmor.d/pkg/paths"
"github.com/roddhjav/apparmor.d/pkg/util"
)
// Default content of debian/apparmor.d.hide. Whonix has special addition.
var Hide = `# This file is generated by "make", all edit will be lost.
/etc/apparmor.d/usr.bin.firefox
@ -50,42 +54,42 @@ func (i Ignorer) Read(name string) []string {
return util.MustReadFileAsLines(path)
}
type Overwriter struct {
Enabled bool
}
type Overwriter bool
// Overwrite upstream profile: disable upstream & rename ours
func (o Overwriter) Apply() error {
const ext = ".apparmor.d"
disableDir := RootApparmord.Join("disable")
if err := disableDir.Mkdir(); err != nil {
return err
}
// Get the list of upstream profiles to overwrite from dist/overwrite
func (o Overwriter) Get() []string {
path := DistDir.Join("overwrite")
if !path.Exist() {
return []string{}
return fmt.Errorf("%s not found", path)
}
return util.MustReadFileAsLines(path)
}
// Overwrite upstream profile for APT: rename our profile & hide upstream
func (o Overwriter) Apt(files []string) {
const ext = ".apparmor.d"
file, err := DebianDir.Join("apparmor.d.hide").Append()
if err != nil {
panic(err)
}
for _, name := range files {
for _, name := range util.MustReadFileAsLines(path) {
origin := RootApparmord.Join(name)
dest := RootApparmord.Join(name + ext)
if err := origin.Rename(dest); err != nil {
panic(err)
return err
}
if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
panic(err)
originRel, err := origin.RelFrom(dest)
if err != nil {
return err
}
if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
return err
}
}
return nil
}
// Clean the debian/apparmor.d.hide file
func (o Overwriter) AptClean() {
path := DebianDir.Join("apparmor.d.hide")
if err := path.WriteFile([]byte(Hide)); err != nil {
panic(err)
}
type DebianHider struct {
path *paths.Path
}
// Initialize the file with content from Hide
func (d DebianHider) Init() error {
return d.path.WriteFile([]byte(Hide))
}

61
pkg/prebuild/cfg/files_test.go
View file

@ -102,64 +102,3 @@ code
})
}
}
func TestOverwriter_Get(t *testing.T) {
tests := []struct {
name string
content string
want []string
}{
{
name: "empty",
content: `
`,
want: []string{},
},
{
name: "main",
content: `
# This is managed globally
brave # not so brave
chrome
firefox
`,
want: []string{
"brave",
"chrome",
"firefox",
},
},
}
DistDir = paths.New("/tmp/")
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := DistDir.Join("overwrite").WriteFile([]byte(tt.content))
if err != nil {
return
}
if got := Overwrite.Get(); !reflect.DeepEqual(got, tt.want) {
t.Errorf("Overwriter.Get() = %v, want %v", got, tt.want)
}
})
}
}
func TestOverwriter_Apt(t *testing.T) {
tests := []struct {
name string
files []string
}{
{
name: "empty",
files: []string{},
},
}
DebianDir = paths.New("/tmp/")
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Overwrite.Apt(tt.files)
Overwrite.AptClean()
})
}
}

13
pkg/prebuild/prebuild.go
View file

@ -32,22 +32,27 @@ func init() {
builder.Register("dev")
switch cfg.Distribution {
case "opensuse":
builder.Register("abi3")
cfg.Overwrite = true
case "ubuntu":
if cfg.Release["VERSION_CODENAME"] == "noble" {
builder.Register("abi3")
cfg.Overwrite.Enabled = true
cfg.Overwrite = true
}
case "whonix":
cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure
/etc/apparmor.d/home.tor-browser.firefox
/etc/apparmor.d/tunables/home.d/anondist
/etc/apparmor.d/tunables/homsanitycheck
/etc/apparmor.d/usr.bin.url_e.d/anondist
/etc/apparmor.d/tunables/home.d/live-mode
/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
/etc/apparmor.d/usr.bin.hexchat
/etc/apparmor.d/usr.bin.sdwdate
/etc/apparmor.d/usr.bin.systemcheck
/etc/apparmor.d/usr.bin.timesanitycheck
/etc/apparmor.d/usr.bin.url_to_unixtime
/etc/apparmor.d/usr.bin.timeto_unixtime
/etc/apparmor.d/whonix-firewall
`
}

21
pkg/prebuild/prepare/configure.go
View file

@ -28,12 +28,21 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch cfg.Distribution {
case "arch", "opensuse":
if cfg.Overwrite {
if err := cfg.Overwrite.Apply(); err != nil {
return res, err
}
}
case "ubuntu":
cfg.Overwrite.AptClean()
if cfg.Overwrite.Enabled {
profiles := cfg.Overwrite.Get()
cfg.Overwrite.Apt(profiles)
if err := cfg.DebianHide.Init(); err != nil {
return res, err
}
if cfg.Overwrite {
if err := cfg.Overwrite.Apply(); err != nil {
return res, err
}
} else {
if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
return res, err
@ -41,7 +50,9 @@ func (p Configure) Apply() ([]string, error) {
}
case "debian", "whonix":
cfg.Overwrite.AptClean()
if err := cfg.DebianHide.Init(); err != nil {
return res, err
}
// Copy Debian specific abstractions
if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {

8
pkg/util/tools.go
View file

@ -71,11 +71,11 @@ func DecodeHexInString(str string) string {
func RemoveDuplicate[T comparable](inlist []T) []T {
var empty T
list := []T{}
keys := map[T]bool{}
keys[empty] = true
seen := map[T]bool{}
seen[empty] = true
for _, item := range inlist {
if _, ok := keys[item]; !ok {
keys[item] = true
if _, ok := seen[item]; !ok {
seen[item] = true
list = append(list, item)
}
}