refractor(abs): move common and app abstraction to their own abstractions subfolder.

As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
2024-03-27 15:11:21 +00:00 · 2024-03-27 15:11:21 +00:00 · b88b8b8c26
commit b88b8b8c26
parent 92f83d9e8d
158 changed files with 226 additions and 198 deletions
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -0,0 +1,113 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Common rules for applications sandboxed using bwrap.
+
+# This abstraction is wide on purpose. It is meant to be used by sandbox
+# applications (bwrap) that have no way to restrict access depending on the
+# application being confined.
+
+  include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/consoles>
+  include <abstractions/deny-sensitive-home>
+  include <abstractions/desktop>
+  include <abstractions/devices-usb>
+  include <abstractions/disks-read>
+  include <abstractions/graphics>
+  include <abstractions/gstreamer>
+  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
+  include <abstractions/video>
+
+  dbus bus=accessibility,
+  dbus bus=session,
+  dbus bus=system,
+
+  /usr/** r,
+
+  /etc/** r,
+  /etc/igfx_user_feature*.txt rw,
+  /etc/shells rw,
+
+        / r,
+        /.* r,
+        /*/ r,
+  owner /@{uuid}/ w,
+  owner /_@{int}_/ w,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rwl,
+  owner @{HOME}/.var/app/** rmix,
+  owner @{HOME}/{,**} rwlk,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{user_config_dirs}/** rwkl,
+  owner @{user_share_dirs}/** rwkl,
+  owner @{user_games_dirs}/{,**} rm,
+
+  owner /tmp/** rmwk,
+  owner /dev/shm/** rwlk -> /dev/shm/**,
+
+  @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
+  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
+  @{run}/host/{,**} r,
+  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
+
+  @{sys}/ r,
+  @{sys}/block/ r,
+  @{sys}/bus/ r,
+  @{sys}/bus/*/devices/ r,
+  @{sys}/class/*/ r,
+  @{sys}/devices/** r,
+
+        @{sys}/fs/cgroup/user.slice/* r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/* r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/* r,
+
+        @{PROC}/ r,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/mountinfo r,
+        @{PROC}/@{pid}/net/** r,
+        @{PROC}/@{pid}/smaps r,
+        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/statm r,
+        @{PROC}/@{pid}/task/@{tid}/stat r,
+        @{PROC}/bus/pci/devices r,
+        @{PROC}/driver/** r,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
+        @{PROC}/sys/kernel/core_pattern r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/pid_max r,
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
+        @{PROC}/uptime r,
+        @{PROC}/zoneinfo r,
+  owner @{PROC}/@{pid}/comm rw,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/fd/@{int} rw,
+  owner @{PROC}/@{pid}/io r,
+  owner @{PROC}/@{pid}/net/if_inet6 r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+  owner @{PROC}/@{pid}/statm r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  owner @{PROC}/@{pid}/task/@{tid}/status r,
+
+  /dev/hidraw@{int} rw,
+  /dev/input/ r,
+  /dev/ptmx rw,
+  /dev/pts/ptmx rw,
+  /dev/tty rw,
+
+  include if exists <abstractions/common/app.d>
--- a/apparmor.d/abstractions/common/apt
+++ b/apparmor.d/abstractions/common/apt
@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/tupletable r,
+
+  /etc/apt/apt.conf r,
+  /etc/apt/apt.conf.d/{,*} r,
+
+  /etc/apt/preferences r,
+  /etc/apt/preferences.d/{,*} r,
+
+  /etc/apt/sources.list r,
+  /etc/apt/sources.list.d/ r,
+  /etc/apt/sources.list.d/*.{sources,list} r,
+
+  /var/lib/apt/lists/{,**} r,
+  /var/lib/apt/extended_states r,
+
+  /var/cache/apt/pkgcache.bin r,
+  /var/cache/apt/srcpkgcache.bin r,
+
+  /var/lib/dpkg/status r,
+  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
+
+  owner /tmp/#@{int} rw,
+  owner /tmp/clearsigned.message.* rw,
+
+  include if exists <abstractions/common/apt.d>
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for bwrap
+
+# A profile using this abstraction still needs to set:
+# - the attach_disconnected flag
+# - bwrap execution: '@{bin}/bwrap rix,'
+
+  # userns,
+
+  capability net_admin,
+  capability setpcap,
+  capability sys_admin,
+  capability sys_ptrace,
+
+  network netlink raw,
+
+  mount               options=(rw rbind)                 /tmp/newroot/ -> /tmp/newroot/,
+  mount               options=(rw rbind)                /oldroot/{,**} -> /newroot/{,**},
+  mount               options=(rw silent rprivate)                     -> /oldroot/,
+  mount               options=(rw silent rslave)                       -> /,
+  mount fstype=devpts options=(rw nosuid noexec)                devpts -> /newroot/dev/pts/,
+  mount fstype=proc   options=(rw nosuid nodev noexec)            proc -> /newroot/@{PROC}/,
+  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /newroot/{,**},
+  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /tmp/,
+
+  remount /newroot/{,**},
+
+  umount /,
+  umount /oldroot/,
+
+  pivot_root oldroot=/newroot/ /newroot/,
+  pivot_root oldroot=/tmp/oldroot/ /tmp/,
+
+  owner / r,
+  owner /newroot/{,**} w,
+
+  owner /tmp/newroot/ w,
+  owner /tmp/oldroot/ w,
+
+
+        @{PROC}/sys/kernel/overflowgid r,
+        @{PROC}/sys/kernel/overflowuid r,
+        @{PROC}/sys/user/max_user_namespaces r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/gid_map rw,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/uid_map rw,
+
+  include if exists <abstractions/common/bwrap.d>
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction is for chromium based application. Chromium based browsers
+# need to use abstractions/chromium instead.
+
+  # userns,
+
+  # Only needed when kernel.unprivileged_userns_clone is set to "1"
+  capability sys_admin,
+  capability sys_chroot,
+  capability setuid,
+  capability setgid,
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+
+  owner @{HOME}/.pki/ rw,
+  owner @{HOME}/.pki/nssdb/ rw,
+  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+
+        /tmp/ r,
+        /var/tmp/ r,
+  owner /tmp/.org.chromium.Chromium.* rw,
+  owner /tmp/.org.chromium.Chromium.*/{,**} rw,
+  owner /tmp/scoped_dir*/ rw,
+  owner /tmp/scoped_dir*/SingletonCookie w,
+  owner /tmp/scoped_dir*/SingletonSocket w,
+  owner /tmp/scoped_dir*/SS w,
+
+        /dev/shm/ r,
+  owner /dev/shm/.org.chromium.Chromium.* rw,
+
+  include if exists <abstractions/common/chromium.d>
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  ptrace (read) peer=@{systemd},
+
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
+
+        @{PROC}/1/cgroup r,
+        @{PROC}/1/environ r,
+        @{PROC}/1/sched r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/stat r,
+
+  /dev/kmsg w,
+
+  include if exists <abstractions/common/systemd.d>