From 3197f52a97e5c61ee8980cd7873567c9b311348d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 10:59:46 +0000
Subject: [PATCH 01/14] feat(aa-log): improve log to rule conversion.
---
 pkg/aa/profile.go | 25 +++++++++++++++----------
 pkg/aa/template.go | 1 +
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 0af3dede6..9b548306c 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -87,15 +87,16 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 case "net":
 p.Rules = append(p.Rules, NetworkFromLog(log))
 case "mount":
- p.Rules = append(p.Rules, MountFromLog(log))
- case "remount":
- p.Rules = append(p.Rules, RemountFromLog(log))
- case "umount":
- p.Rules = append(p.Rules, UmountFromLog(log))
- case "pivot_root":
- p.Rules = append(p.Rules, PivotRootFromLog(log))
- case "change_profile":
- p.Rules = append(p.Rules, RemountFromLog(log))
+ switch log["operation"] {
+ case "mount":
+ p.Rules = append(p.Rules, MountFromLog(log))
+ case "umount":
+ p.Rules = append(p.Rules, UmountFromLog(log))
+ case "remount":
+ p.Rules = append(p.Rules, RemountFromLog(log))
+ case "pivotroot":
+ p.Rules = append(p.Rules, PivotRootFromLog(log))
+ }
 case "mqueue":
 p.Rules = append(p.Rules, MqueueFromLog(log))
 case "signal":
@@ -107,7 +108,11 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 case "unix":
 p.Rules = append(p.Rules, UnixFromLog(log))
 case "file":
- p.Rules = append(p.Rules, FileFromLog(log))
+ if log["operation"] == "change_onexec" {
+ p.Rules = append(p.Rules, ChangeProfileFromLog(log))
+ } else {
+ p.Rules = append(p.Rules, FileFromLog(log))
+ }
 default:
 if strings.Contains(log["operation"], "dbus") {
 p.Rules = append(p.Rules, DbusFromLog(log))
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index e80ef52d7..b61366355 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
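Review bot: The new inner `switch log["operation"]` under `case "mount":` has no `default`, so a mount-class audit entry whose operation is not one of `mount`, `umount`, `remount` or `pivotroot` is silently dropped instead of producing a rule or a diagnostic, which is a regression from the previous flat switch where every listed class appended something. Add a `default:` arm that at least surfaces the unhandled operation, e.g. `default: // TODO: unhandled mount-class operation, see log["operation"]`, or route it to whatever the outer `default:` does for unknown classes (that branch is only partly visible here). The operation spelling also changed from `pivot_root` to `pivotroot`; a one-line comment stating that this matches the kernel's audit string would save the next reader from re-checking it. AddRule starts and ends outside this hunk.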
@@ -33,6 +33,7 @@ var ( // TODO: Should be a map of slice, not exhaustive yet maskToAccess = map[string]string{ "a": "w", + "ac": "w", "c": "w", "d": "w", "k": "k", From b79a1fcd31e9597a6734f9b0744cba9c5fd9edfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 11:08:35 +0000 Subject: [PATCH 02/14] feat(profile): general update. Also include some preparation for the systemd profile. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/children/child-open | 1 + apparmor.d/groups/freedesktop/colord | 9 +++---- apparmor.d/groups/freedesktop/polkitd | 4 ++-- .../freedesktop/update-desktop-database | 5 ++++ .../freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xorg | 6 +---- apparmor.d/groups/gnome/gdm-x-session | 5 ++-- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 ++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/ssh/sshfs | 24 +++++++++---------- apparmor.d/groups/systemd/systemd-homed | 2 ++ apparmor.d/groups/systemd/systemd-hostnamed | 10 +++++--- apparmor.d/groups/systemd/systemd-journald | 9 +++---- apparmor.d/groups/systemd/systemd-logind | 2 ++ .../groups/systemd/systemd-modules-load | 2 ++ apparmor.d/groups/systemd/systemd-networkd | 2 ++ apparmor.d/groups/systemd/systemd-resolved | 2 ++ apparmor.d/groups/systemd/systemd-timesyncd | 11 +++++---- apparmor.d/groups/systemd/systemd-udevd | 4 +++- .../groups/systemd/systemd-user-runtime-dir | 4 ++-- apparmor.d/groups/systemd/systemd-userdbd | 3 +++ apparmor.d/groups/systemd/systemd-userwork | 1 + apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/haveged | 4 ++-- apparmor.d/profiles-g-l/irqbalance | 2 +- apparmor.d/profiles-g-l/lvm | 1 + apparmor.d/profiles-m-r/packagekitd | 5 +++- apparmor.d/profiles-m-r/rngd | 3 ++- apparmor.d/profiles-s-z/sudo | 2 +- 31 files changed, 86 insertions(+), 48 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9f057e79d..bcec1d2f1 100644 
--- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/cache/apt/ r, + /var/cache/apt/ rw, /var/cache/apt/** rwk, /var/crash/{,*.@{uid}.crash} rw, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index f7ffc320f..406e6891e 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -69,6 +69,7 @@ profile child-open { @{bin}/engrampa rPx, @{bin}/eog rPUx, @{bin}/evince rPx, + @{bin}/extension-manager rPx, @{bin}/file-roller rPUx, @{bin}/filezilla rPx, @{bin}/flameshot rPx, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ab83a7ffc..0b490b8aa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/colord/colord-sane rPx, - @{lib}/colord-sane rPx, + @{lib}/{,colord/}colord-sane rPx, /etc/machine-id r, /etc/udev/hwdb.bin r, @@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, + @{run}/udev/data/+pci:* r, @{run}/udev/data/c81:@{int} r, # For video4linux @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 4126867ec..fb5b210fe 100644 --- a/apparmor.d/groups/freedesktop/polkitd 
+++ b/apparmor.d/groups/freedesktop/polkitd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,polkit-1/}polkitd -profile polkitd @{exec_path} { +profile polkitd @{exec_path} flags=(attach_disconnected) { include include include @@ -58,8 +58,8 @@ profile polkitd @{exec_path} { /usr/share/polkit-1/actions/*.policy r, /usr/share/polkit-1/actions/*.policy.choice r, - owner /var/lib/polkit{,-1}/.cache/ rw, /var/lib/polkit{,-1}/localauthority/{,**} r, + owner /var/lib/polkit{,-1}/.cache/ rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 46735b405..096c44a66 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, + owner @{user_share_dirs}/.mimeinfo.cache.* rw, + owner @{user_share_dirs}/{,**/} r, + owner @{user_share_dirs}/**.desktop r, + owner @{user_share_dirs}/mimeinfo.cache w, + # Inherit silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index a259bbe35..a7a684f8e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 9a2d133d9..3abee2900 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, capability ipc_owner, capability perfmon, @@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_rawio, - # These can be denied? - #audit capability dac_override, - #audit capability sys_nice, - #capability sys_tty_config, - signal (send) set=(usr1), signal (receive) peer=lightdm, diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session index db6a8d349..cd6d9eaf4 100644 --- a/apparmor.d/groups/gnome/gdm-x-session +++ b/apparmor.d/groups/gnome/gdm-x-session @@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/Xorg rPx, + @{bin}/dbus-daemon rPx, @{bin}/dbus-run-session rPx, - /etc/gdm{3,}/Xsession rPx, + @{bin}/Xorg rPx, /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Xsession rPx, /usr/share/gdm/gdm.schemas r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index c756b5fac..da4a54784 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.local/share/applications/{,**} r, - /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, + /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, /var/lib/gdm{3,}/.local/share/icc/{,*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 76db087c0..3979cbcc7 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings 
@@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} { @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm3/greeter-dconf-defaults r, owner @{user_cache_dirs}/mesa_shader_cache/index rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index acec19ade..6c73607ba 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -93,6 +93,8 @@ profile pacman @{exec_path} { @{bin}/perl rix, @{bin}/pkgfile rPUx, @{bin}/pkill rix, + @{bin}/mkdir rix, + @{bin}/setfacl rix, @{bin}/pwd rix, @{bin}/rm rix, @{bin}/rsync rix, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 7791871a4..b5ef540dd 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
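Review bot: The added `/var/lib/gdm3/greeter-dconf-defaults r,` hard-codes `gdm3` while the surrounding rules (and the existing gnome-shell rule for the same file, `/var/lib/gdm{3,}/greeter-dconf-defaults r,`, visible in this series) use the `gdm{3,}` alternation so that both the Debian `gdm3` and the plain `gdm` state directory match. As written, the rule will not apply on distributions where the directory is `/var/lib/gdm/`, and the access will still be denied there. Change it to `/var/lib/gdm{3,}/greeter-dconf-defaults r,`.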
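Review bot: The two new `rix` entries in the pacman profile are inserted between `pkill` and `pwd`, breaking the alphabetical ordering the rest of the list keeps (`perl`, `pkgfile`, `pkill`, `pwd`, `rm`, `rsync`). Move `@{bin}/mkdir rix,` up before `@{bin}/perl rix,` (or wherever `m` sorts in the part of the list outside this hunk) and `@{bin}/setfacl rix,` after `@{bin}/rsync rix,` so the ordering convention holds and duplicates stay easy to spot.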
@@ -10,41 +11,40 @@ include profile sshfs @{exec_path} flags=(complain) { include - @{exec_path} mr, + mount fstype=fuse.sshfs -> @{HOME}/*/, + mount fstype=fuse.sshfs -> @{HOME}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + @{exec_path} mr, + @{bin}/ssh rPx, @{bin}/fusermount{,3} rCx -> fusermount, - /dev/fuse rw, - - mount fstype=fuse.sshfs -> @{HOME}/*/, - mount fstype=fuse.sshfs -> @{HOME}/*/*/, - @{PROC}/sys/fs/pipe-max-size r, + /dev/fuse rw, profile fusermount flags=(complain) { include include - # To mount anything: capability sys_admin, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), @{bin}/fusermount{,3} mr, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, - /etc/fuse.conf r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 4c09badd1..130162662 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, + @{PROC}/pressure/* r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 490ab3caf..4c8609f99 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
@@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname + dbus bind bus=system name=org.freedesktop.hostname1, + + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=:*, label=systemd//&systemd-networkd), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName,GetConnectionUnixUser} @@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member=Set*Hostname peer=(name=:*, label=hostnamectl), - dbus bind bus=system - name=org.freedesktop.hostname[0-9], - @{exec_path} mr, @{etc_rw}/.#hostname* rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b168c5f4c..4899546ae 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/module/printk/parameters/time r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, /dev/kmsg rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a7d3fa06e..925ad73be 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/sleep.conf r, /etc/systemd/logind.conf.d/{,**} r, + / r, /boot/{,**} r, /swap/swapfile r, /swapfile r, 
@@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, + @{PROC}/pressure/* r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 6d8160834..07268038d 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 880077159..5b6499bfb 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4637e76a2..2cf7ecf28 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, owner @{run}/systemd/journal/socket w, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index d9324bdb4..f6e9dddab 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
@@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus bind bus=system name=org.freedesktop.timesync1, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus bind bus=system name=org.freedesktop.timesync1, - @{exec_path} mr, @{etc_rw}/adjtime r, @@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - owner @{run}/systemd/journal/socket w, - owner @{run}/systemd/timesync/synchronized rw, @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + owner @{run}/systemd/journal/socket w, + owner @{run}/systemd/timesync/synchronized rw, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 7ae92f1e5..0ac7717cb 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/** rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/devices r, @{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/*/information r, + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, /dev/ rw, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9037b9928..18166ec90 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir 
@@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 3ef93d22e..d4b2ddda8 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/userdb/{,**} rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index a3b5b1fad..3732f4255 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -17,6 +17,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/machine-id r, + /etc/shadow r, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index fcb9bc5aa..fad365165 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx@{int}.efi rw, - @{lib}/fwupd/efi/fwupdx@{int}.efi r, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index da4bc0a78..48d3dd08e 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged 
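Review bot: The new `/etc/shadow r,` in the systemd-userwork profile grants read access to password hashes without any comment explaining why this worker needs it, and a grant on that file is exactly the rule a later reader should not have to guess about. Presumably it serves userdb shadow-record lookups the worker performs on behalf of systemd-userdbd, but that is inferred, not visible in the hunk. Suggest a trailing comment such as `/etc/shadow r, # userdb shadow record lookups` (confirm the reason against the audit entry that motivated the rule).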
@@ -25,8 +25,8 @@ profile haveged @{exec_path} { @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, - @{sys}/devices/system/cpu/cpu*/cache/ r, - @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 37b888313..4c4d3374f 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/irqbalance -profile irqbalance @{exec_path} { +profile irqbalance @{exec_path} flags=(attach_disconnected) { include capability setpcap, diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index b6fdeced8..1760ae92c 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{etc_rw}/lvm/** rwkl, + @{run}/lock/ rw, @{run}/lock/lvm/ rw, @{run}/lock/lvm/* rwk, @{run}/lvm/** rwk, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 94949bdd1..9c4030e11 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/appstreamcli rPx, @{bin}/arch-audit rPx, # only: arch @{bin}/dpkg rPx -> child-dpkg, # only: dpkg + @{bin}/fc-cache rPx @{bin}/glib-compile-schemas rPx, + @{bin}/install-info rPx @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @{lib}/apt/methods/* rPx, # only: dpkg @{lib}/cnf-update-db rPx, @{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile - /usr/share/libalpm/scripts/* rPx, + /usr/share/libalpm/scripts/* rPx, # Install/update packages / r, 
@@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, + owner /tmp/alpm_*/{,**} rw, owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner /tmp/packagekit* rw, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 41de3f474..aa702237b 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -8,13 +8,14 @@ abi , include @{exec_path} = @{bin}/rngd -profile rngd @{exec_path} { +profile rngd @{exec_path} flags=(attach_disconnected) { include include include include capability dac_read_search, + capability net_admin, capability sys_admin, capability sys_nice, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index fefe8a10a..487cdf072 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -94,7 +94,7 @@ profile sudo @{exec_path} { @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, # interactive login - /dev/ptmx rw, + /dev/ptmx rwk, owner /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 2143fb03af3571be0fede9d949261985a714f14d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 11:13:40 +0000 Subject: [PATCH 03/14] feat(full): add new systemd variable. --- apparmor.d/groups/ssh/sshd | 6 ++++-- apparmor.d/groups/systemd/systemd-update-done | 2 +- apparmor.d/groups/systemd/systemd-userwork | 2 ++ apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/snapd | 2 +- apparmor.d/profiles-s-z/udisksd | 2 ++ apparmor.d/tunables/multiarch.d/apparmor.d | 3 +++ 7 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 648ac7329..071ad9147 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
@@ -44,14 +44,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) { # but will fall back to a non-privileged version if it fails. deny capability net_admin, - ptrace (read,trace) peer=unconfined, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal (receive) set=(hup) peer=@{systemd}, + + ptrace (read,trace) peer=@{systemd}, + dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession} diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e497a5544..bd9a0d077 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} { capability net_admin, - ptrace (read) peer=unconfined, + ptrace (read) peer=@{systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 3732f4255..4d2b26de7 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -14,6 +14,8 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { capability sys_resource, + signal (send) peer=@{systemd}, + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 46fdf3d77..4f7462b91 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -19,7 +19,7 @@ profile qemu-ga @{exec_path} { network inet6 stream, network netlink raw, - ptrace peer=unconfined, + ptrace (read) peer=@{systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 84d34247d..db5e33157 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
@@ -44,7 +44,7 @@ profile snapd @{exec_path} { umount /snap/*/*/, ptrace (read) peer=snap, - ptrace (read) peer=unconfined, + ptrace (read) peer=@{systemd}, dbus (send) bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index ab62573b1..8cbd08508 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -54,6 +54,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{run}/udisks2/temp-mount-*/, umount /media/cdrom[0-9]/, + signal (receive) set=(int) peer=@{systemd}, + dbus (send,receive) bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect, diff --git a/apparmor.d/tunables/multiarch.d/apparmor.d b/apparmor.d/tunables/multiarch.d/apparmor.d index 70e16dcc8..c9c8c5ad7 100644 --- a/apparmor.d/tunables/multiarch.d/apparmor.d +++ b/apparmor.d/tunables/multiarch.d/apparmor.d @@ -53,3 +53,6 @@ # Common places for binaries and libraries across distributions @{bin}=/{,usr/}{,s}bin @{lib}=/{,usr/}lib{,exec,32,64} + +# Name of the systemd profile: unconfined || systemd +@{systemd}=unconfined From 6dc990ac022748c98f185c26fa2fbdf0ba546c3e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 11:14:31 +0000 Subject: [PATCH 04/14] feat(full): set systemd profile name on build time. --- pkg/prebuild/prepare.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go index 289c873bd..2ed9e362d 100644 --- a/pkg/prebuild/prepare.go +++ b/pkg/prebuild/prepare.go 
@@ -176,12 +176,25 @@ func SetFlags() error { // Set AppArmor for (experimental) full system policy. // See https://apparmor.pujol.io/development/structure/#full-system-policy func SetFullSystemPolicy() error { + // Install full system policy profiles for _, name := range []string{"systemd", "systemd-user"} { err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name)) if err != nil { return err } } + + // Set systemd profile name + path := paths.New("apparmor.d/tunables/multiarch.d/apparmor.d") + content, err := path.ReadFile() + if err != nil { + return err + } + res := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1) + if err := path.WriteFile([]byte(res)); err != nil { + return err + } + logging.Success("Configure AppArmor for full system policy") return nil } From 88555a12d09bef4701b9da739585d4c076179297 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 11:19:24 +0000 Subject: [PATCH 05/14] feat(profiles): add initial userns rule. Require apparmor 4 to be enabled. --- apparmor.d/abstractions/chromium | 2 ++ apparmor.d/groups/virt/virtiofsd | 2 ++ apparmor.d/profiles-s-z/slirp4netns | 2 ++ apparmor.d/profiles-s-z/thunderbird | 2 ++ pkg/prebuild/build.go | 8 +++----- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index 083bb16c8..0507fd862 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -31,6 +31,8 @@ include include + # userns, + capability setgid, capability setuid, capability sys_admin, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 1eef05080..ac0ea5a4d 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -10,6 +10,8 @@ include profile virtiofsd @{exec_path} { include + # userns, + capability chown, capability dac_override, capability dac_read_search, 
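Review bot: The `strings.Replace` on the tunables file never verifies that `@{systemd}=unconfined` was actually present, so if that line is missing or has been edited the build still succeeds, `@{systemd}` keeps resolving to `unconfined`, and every `peer=@{systemd}` rule introduced in this series (sshd, snapd, qemu-ga, udisksd, systemd-userwork, systemd-update-done) silently retains the broader unconfined peer while `logging.Success` reports a full-system-policy build. Check for the marker before rewriting and fail otherwise, e.g. `if !strings.Contains(string(content), "@{systemd}=unconfined") { return fmt.Errorf("@{systemd} tunable not found in %s", path) }` (use whichever error constructor the file already imports), and `strings.ReplaceAll` reads better than the `-1` count. A doc comment on `SetFullSystemPolicy` stating that it rewrites `apparmor.d/tunables/multiarch.d/apparmor.d` in place would also help, since the function now mutates a source file rather than only copying. The function's start and end are both inside the hunk.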
diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 94dd1b3ed..46b559da0 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -10,6 +10,8 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include + # userns, + capability net_admin, capability setpcap, capability sys_admin, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 0a5cd08fc..511343b61 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -35,6 +35,8 @@ profile thunderbird @{exec_path} { include include + # userns, + capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go index add73dfc6..0cdb64c6f 100644 --- a/pkg/prebuild/build.go +++ b/pkg/prebuild/build.go @@ -22,11 +22,9 @@ var ( regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`) regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) regProfileHeader = regexp.MustCompile(` {`) - regAbi4To3 = util.ToRegexRepl([]string{ - `abi/4.0`, `abi/3.0`, - `(?m)^.*mqueue.*$`, ``, - `(?m)^.*userns.*$`, ``, - `(?m)^.*io_uring.*$`, ``, + regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4 + `abi/3.0`, `abi/4.0`, + `# userns,`, `userns,`, }) ) From d1c8471b1d58bdce4b72c09b61f1dfa2752e5a12 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 11:39:24 +0000 Subject: [PATCH 06/14] fix: rule compilation. --- apparmor.d/profiles-m-r/packagekitd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9c4030e11..c5b8b6de6 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd 
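Review bot: `regAbi4To3` now does the opposite of what its name says: the trailing comment reads `// Currently Abi3 -> Abi4` and the rules rewrite `abi/3.0` to `abi/4.0` and uncomment `# userns,`, so the identifier misleads at every call site (not visible here). Rename it, e.g. `regAbi3To4 = util.ToRegexRepl([]string{`, or if the name must stay, turn the inline remark into a doc comment above the declaration. That comment should also record that the former 4-to-3 downgrade (stripping `mqueue`, `userns` and `io_uring` lines) is gone, so building for an AppArmor 3 host is no longer supported, which matches the commit message's "Require apparmor 4". The enclosing `var (` block starts outside the hunk.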
@@ -101,9 +101,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/appstreamcli rPx, @{bin}/arch-audit rPx, # only: arch @{bin}/dpkg rPx -> child-dpkg, # only: dpkg - @{bin}/fc-cache rPx + @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/install-info rPx + @{bin}/install-info rPx, @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @{lib}/apt/methods/* rPx, # only: dpkg From f56434758066ca49d78d046f6c3e1bbcef838741 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 19 Nov 2023 14:20:14 +0000 Subject: [PATCH 07/14] refractor: move default systemd drop in files. --- cmd/prebuild/main.go | 2 ++ pkg/prebuild/prepare.go | 5 +++++ pkg/prebuild/tools.go | 3 +++ systemd/{ => default}/system/haveged.service | 0 systemd/{ => default}/system/multipathd.service | 0 systemd/{ => default}/system/pcscd.service | 0 systemd/{ => default}/system/systemd-journald.service | 0 systemd/{ => default}/system/systemd-networkd.service | 0 systemd/{ => default}/system/systemd-timesyncd.service | 0 systemd/default/system/systemd-userdbd.service | 2 ++ .../user/org.freedesktop.IBus.session.GNOME.service | 0 11 files changed, 12 insertions(+) rename systemd/{ => default}/system/haveged.service (100%) rename systemd/{ => default}/system/multipathd.service (100%) rename systemd/{ => default}/system/pcscd.service (100%) rename systemd/{ => default}/system/systemd-journald.service (100%) rename systemd/{ => default}/system/systemd-networkd.service (100%) rename systemd/{ => default}/system/systemd-timesyncd.service (100%) create mode 100644 systemd/default/system/systemd-userdbd.service rename systemd/{ => default}/user/org.freedesktop.IBus.session.GNOME.service (100%) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 2ebd2c222..f7767c63c 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
@@ -47,6 +47,8 @@ func aaPrebuild() error {
 
 	if full {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+	} else {
+		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
 	}
 	if complain {
 		prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 2ed9e362d..20c9d9be8 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -173,6 +173,11 @@ func SetFlags() error {
 	return nil
 }
 
+// Set systemd unit drop in files to ensure some service start after apparmor
+func SetDefaultSystemd() error {
+	return copyTo(paths.New("systemd/default/"), Root.Join("systemd"))
+}
+
 // Set AppArmor for (experimental) full system policy.
 // See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go
index 688788737..f0df64baa 100644
--- a/pkg/prebuild/tools.go
+++ b/pkg/prebuild/tools.go
@@ -71,6 +71,9 @@ func copyTo(src *paths.Path, dst *paths.Path) error {
 			return err
 		}
 		destination = dst.JoinPath(destination)
+		if err := destination.Parent().MkdirAll(); err != nil {
+			return err
+		}
 		if err := file.CopyTo(destination); err != nil {
 			return err
 		}
diff --git a/systemd/system/haveged.service b/systemd/default/system/haveged.service
similarity index 100%
rename from systemd/system/haveged.service
rename to systemd/default/system/haveged.service
diff --git a/systemd/system/multipathd.service b/systemd/default/system/multipathd.service
similarity index 100%
rename from systemd/system/multipathd.service
rename to systemd/default/system/multipathd.service
diff --git a/systemd/system/pcscd.service b/systemd/default/system/pcscd.service
similarity index 100%
rename from systemd/system/pcscd.service
rename to systemd/default/system/pcscd.service
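Review bot: The new `else` restricts the `systemd/default/` drop-ins (the `After=apparmor.service` ordering units and the only user-level one, `org.freedesktop.IBus.session.GNOME.service`) to non-full builds, and nothing says why a full build should do without them; if that is deliberate, a comment on the branch stating the reason (for example that a full build relies on early policy load) would record it, otherwise `SetDefaultSystemd` belongs in both branches. `aaPrebuild` starts before this hunk.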
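Review bot: The doc comment on the exported `SetDefaultSystemd` does not begin with the function name, contrary to Go doc-comment convention, and `drop in` is spelled `drop-in` elsewhere in this series; suggest `// SetDefaultSystemd copies the drop-in files under systemd/default/ into the build directory so that the services they cover are ordered after apparmor.service.` Unlike `SetFullSystemPolicy`, it logs nothing on success, which may be intentional for such a small step.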
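Review bot: The added `MkdirAll` error is returned without context, like the neighbouring `CopyTo` error, so a failed build cannot say which path could not be created; `return fmt.Errorf("creating %s: %w", destination.Parent(), err)` would fix that, provided `fmt` is imported in tools.go and `paths.Path` formats usefully with `%s` — neither is visible in this hunk. The mode `MkdirAll` applies is chosen by the library, so the build tree's directory permissions are whatever it defaults to. `copyTo` begins before this hunk and continues after it.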
diff --git a/systemd/system/systemd-journald.service b/systemd/default/system/systemd-journald.service
similarity index 100%
rename from systemd/system/systemd-journald.service
rename to systemd/default/system/systemd-journald.service
diff --git a/systemd/system/systemd-networkd.service b/systemd/default/system/systemd-networkd.service
similarity index 100%
rename from systemd/system/systemd-networkd.service
rename to systemd/default/system/systemd-networkd.service
diff --git a/systemd/system/systemd-timesyncd.service b/systemd/default/system/systemd-timesyncd.service
similarity index 100%
rename from systemd/system/systemd-timesyncd.service
rename to systemd/default/system/systemd-timesyncd.service
diff --git a/systemd/default/system/systemd-userdbd.service b/systemd/default/system/systemd-userdbd.service
new file mode 100644
index 000000000..cd2840571
--- /dev/null
+++ b/systemd/default/system/systemd-userdbd.service
@@ -0,0 +1,2 @@
+[Unit]
+After=apparmor.service
\ No newline at end of file
diff --git a/systemd/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
similarity index 100%
rename from systemd/user/org.freedesktop.IBus.session.GNOME.service
rename to systemd/default/user/org.freedesktop.IBus.session.GNOME.service
From 96ea9d17ae48e526564a7df77a42d2fd3e593165 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:32:57 +0000
Subject: [PATCH 08/14] feat(full): disable nnp flag on some services.

---
 pkg/prebuild/prepare.go | 5 +++++
 systemd/full/system/ModemManager.service | 2 ++
 systemd/full/system/e2scrub_reap.service | 2 ++
 systemd/full/system/fwupd-refresh.service | 3 +++
 systemd/full/system/irqbalance.service | 2 ++
 systemd/full/system/rngd.service | 2 ++
 systemd/full/system/systemd-homed.service | 2 ++
 systemd/full/system/systemd-hostnamed.service | 2 ++
 systemd/full/system/systemd-journald.service | 3 +++
 systemd/full/system/systemd-localed.service | 2 ++
 systemd/full/system/systemd-logind.service | 3 +++
 systemd/full/system/systemd-timedated.service | 2 ++
 systemd/full/system/systemd-userdbd.service | 2 ++
 systemd/full/system/upower.service | 2 ++
 systemd/full/system/user@.service | 3 +++
 15 files changed, 37 insertions(+)
 create mode 100644 systemd/full/system/ModemManager.service
 create mode 100644 systemd/full/system/e2scrub_reap.service
 create mode 100644 systemd/full/system/fwupd-refresh.service
 create mode 100644 systemd/full/system/irqbalance.service
 create mode 100644 systemd/full/system/rngd.service
 create mode 100644 systemd/full/system/systemd-homed.service
 create mode 100644 systemd/full/system/systemd-hostnamed.service
 create mode 100644 systemd/full/system/systemd-journald.service
 create mode 100644 systemd/full/system/systemd-localed.service
 create mode 100644 systemd/full/system/systemd-logind.service
 create mode 100644 systemd/full/system/systemd-timedated.service
 create mode 100644 systemd/full/system/systemd-userdbd.service
 create mode 100644 systemd/full/system/upower.service
 create mode 100644 systemd/full/system/user@.service

diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 20c9d9be8..23f862350 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -200,6 +200,11 @@ func SetFullSystemPolicy() error {
 		return err
 	}
 
+	// Set systemd unit drop-in files
+	if err := copyTo(paths.New("systemd/full/"), Root.Join("systemd")); err != nil {
+		return err
+	}
+
 	logging.Success("Configure AppArmor for full system policy")
 	return nil
 }
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/ModemManager.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/e2scrub_reap.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
new file mode 100644
index 000000000..b11945a16
--- /dev/null
+++ b/systemd/full/system/fwupd-refresh.service
@@ -0,0 +1,3 @@
+[Service]
+ProtectKernelModules=no
+RestrictRealtime=no
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/irqbalance.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/rngd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-homed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
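Review bot: The comment `// Set systemd unit drop-in files` hides that every file under `systemd/full/` relaxes a unit's sandbox (`NoNewPrivileges=no` and the like), which is exactly what a reader of `SetFullSystemPolicy` needs to know; something like `// Install drop-ins that relax NoNewPrivileges (and options implying it) so confined services can still transition profile; see docs/development/structure.md` says it. The `copyTo` error is returned bare, as in the rest of the function, so a failure will not name the source directory. `SetFullSystemPolicy` starts before this hunk.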
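Review bot: Each new drop-in — this one and, on the following lines, `e2scrub_reap`, `fwupd-refresh`, `irqbalance`, `rngd`, `systemd-homed`, `systemd-hostnamed`, `systemd-journald`, `systemd-localed`, `systemd-logind`, `systemd-timedated`, `systemd-userdbd` and `upower` — switches off a hardening option without saying which profile transition needs it, so nobody can later tell when it is safe to remove; a header line such as `# full system policy: NoNewPrivileges blocks the Px transition out of the systemd profile` records that. `fwupd-refresh` disables `ProtectKernelModules` and `RestrictRealtime`, and `systemd-journald`/`systemd-logind` additionally disable `ProtectClock`, which gives up more sandboxing than just clearing the no_new_privs flag those options imply; if that is the only purpose, the comment should say so as well. All of the files lack a trailing newline.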
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-journald.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-localed.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service
new file mode 100644
index 000000000..0316a67c8
--- /dev/null
+++ b/systemd/full/system/systemd-logind.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-timedated.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/systemd-userdbd.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/upower.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/user@.service b/systemd/full/system/user@.service
new file mode 100644
index 000000000..05023d01d
--- /dev/null
+++ b/systemd/full/system/user@.service
@@ -0,0 +1,3 @@
+# TODO: works as intended on server, does not work on desktop
+# [Service]
+# AppArmorProfile=systemd-user
\ No newline at end of file
From 5eb120cdbb3819639c91aa09a96ba4bafe29bec7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:34:42 +0000
Subject: [PATCH 09/14] build: new system origin path.

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 8575a9f38..ea9c30bcc 100644
--- a/Makefile
+++ b/Makefile
@@ -33,11 +33,11 @@ install:
 	@for file in ${PROFILES}; do \
 		install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
-	@for file in systemd/system/*; do \
+	@for file in ${BUILD}/systemd/system/*; do \
 		service="$$(basename "$$file")"; \
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
 	done;
-	@for file in systemd/user/*; do \
+	@for file in ${BUILD}/systemd/user/*; do \
 		service="$$(basename "$$file")"; \
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
 	done
From 9e04743156a160b409e316ee53329e8168b1bf82 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:47:55 +0000
Subject: [PATCH 10/14] build: do not use rsync to synchronise file anymore.

---
 debian/control | 1 -
 dists/apparmor.d.spec | 1 -
 docs/install.md | 1 -
 pkg/prebuild/prepare.go | 8 +++-----
 pkg/prebuild/tools.go | 2 +-
 5 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/debian/control b/debian/control
index 47f4f479f..46452332a 100644
--- a/debian/control
+++ b/debian/control
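Review bot: `${BUILD}/systemd/user/*` has no guard for a missing or empty directory: as far as this series shows, a full build only copies `systemd/full/system/` (and `SetDefaultSystemd` runs in the non-full branch alone), so after `make full` the unmatched glob is passed literally to `basename` and `install`, and `make install` fails; the system loop has the same weakness. Adding `[ -e "$$file" ] || continue; \` as the first statement of each loop body avoids it. If something outside this series populates the user directory in full builds, the point is moot.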
@@ -6,7 +6,6 @@ Build-Depends: debhelper (>= 13.4),
   debhelper-compat (= 13),
   golang-any,
   config-package-dev,
-  rsync,
 Homepage: https://github.com/roddhjav/apparmor.d
 Vcs-Browser: https://github.com/roddhjav/apparmor.d
 Vcs-Git: https://github.com/roddhjav/apparmor.d.git
diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec
index 7fcbf4a79..9c1b72679 100644
--- a/dists/apparmor.d.spec
+++ b/dists/apparmor.d.spec
@@ -16,7 +16,6 @@ Source0: %{name}-%{version}.tar.gz
 Requires: apparmor-profiles
 BuildRequires: distribution-release
 BuildRequires: golang-packaging
-BuildRequires: rsync
 
 %description
 AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
diff --git a/docs/install.md b/docs/install.md
index 0bec02c21..da2ea17ce 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -24,7 +24,6 @@ Please note that Wayland has a better support than Xorg.
 **Build dependencies**
 
 * Go >= 1.18
-* Rsync
 
 ## :material-arch: Archlinux
 
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 23f862350..207cf8e6f 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -7,7 +7,6 @@ package prebuild
 import (
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -28,15 +27,14 @@ type PrepareFunc func() error
 
 // Initialize a new clean apparmor.d build directory
 func Synchronise() error {
-	dirs := paths.PathList{RootApparmord, Root.Join("root")}
+	dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")}
 	for _, dir := range dirs {
 		if err := dir.RemoveAll(); err != nil {
 			return err
 		}
 	}
-	for _, path := range []string{"./apparmor.d", "./root"} {
-		cmd := exec.Command("rsync", "-a", path, Root.String())
-		if err := cmd.Run(); err != nil {
+	for _, name := range []string{"apparmor.d", "root"} {
+		if err := copyTo(paths.New(name), Root.Join(name)); err != nil {
 			return err
 		}
 	}
diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go
index f0df64baa..54b34ef49 100644
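Review bot: `copyTo` is not a drop-in replacement for `rsync -a`: it lists files only (`FilterOutDirectories`), so empty directories in `apparmor.d` and `root` are no longer recreated, and whether `file.CopyTo` preserves permission bits and symlinks is not visible here — for `root/`, whose files are installed as they are, that deserves a check before the dependency goes. A comment on the loop, e.g. `// copyTo copies regular files only; the source trees must not rely on empty directories or symlinks`, would record the assumption once confirmed. `Root.Join("systemd")` is now wiped here, so every build relies on a later prepare step repopulating it.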
--- a/pkg/prebuild/tools.go
+++ b/pkg/prebuild/tools.go
@@ -61,7 +61,7 @@ func getSupportedDistribution() string {
 }
 
 func copyTo(src *paths.Path, dst *paths.Path) error {
-	files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
+	files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md"))
 	if err != nil {
 		return err
 	}
From edab2be894ad0ff8cff6398cf34da2834de33c46 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:48:25 +0000
Subject: [PATCH 11/14] doc: add nnp section.

---
 docs/development/structure.md | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/development/structure.md b/docs/development/structure.md
index 0d1889016..0773962ae 100644
--- a/docs/development/structure.md
+++ b/docs/development/structure.md
@@ -69,9 +69,9 @@ It creates even more issues when we want to use this profile in other profiles.
 **What if I still want to protect these programs?**
 
-You do not protect this program. *Protect the usage you have of these tools*.
+You do not protect these programs. *Protect the usage you have of these programs*.
 In practice, it means that you should put your development's terminal in a
-sandbox managed with [Toolbox]
+sandbox managed with [Toolbox].
 
 !!! example "To sum up"
 
@@ -100,7 +100,7 @@ include
 
 ## Children profiles
 
-Usually, a child profile is in the [`children`][children] group. They have the following note:
+Usually, a child profile is in the [`children`][children] group. They have the following note:
 
 !!! quote
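Review bot: `FilterOutNames("README.md")` applies to every `copyTo` caller — `Synchronise`, `SetDefaultSystemd` and `SetFullSystemPolicy` — not only to the `apparmor.d` tree, and the line gives no reason; a comment such as `// README.md files document the source trees and must never reach the build directory` keeps the next reader from dropping it. If the exclusion was meant for one tree only, a filter argument on `copyTo` would be the cleaner shape. `copyTo` continues past this hunk.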
@@ -165,6 +165,17 @@ Special care must be given as sometimes udev numbers are allocated dynamically b
 [kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
 
+## No New Privileges
+
+[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly-started program to get more privileges that its parent. So it is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transition to other profile because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed).
+
+The possible solutions are:
+
+* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)).
+* Inherit the current confinement (`ix`)
+* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking)
+
+
 ## Full system policy
 
 !!! quote
From 185187b608decd72450209fd3ee7b3e8b73a7ae9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 14:49:08 +0000
Subject: [PATCH 12/14] doc: rewrite full system policy section.

---
 docs/development/structure.md | 60 ++++++++++++++++++++++++++++-------
 1 file changed, 49 insertions(+), 11 deletions(-)

diff --git a/docs/development/structure.md b/docs/development/structure.md
index 0773962ae..0e1c0659e 100644
--- a/docs/development/structure.md
+++ b/docs/development/structure.md
@@ -187,22 +187,60 @@ The possible solutions are: *Source: [AppArmor Wiki][apparmor-wiki]* -This feature is only enabled when the profiles are built with `make full`. The profiles for full system policies are maintained in the **[`_full`][full]** group. It consists of two extra main profiles: - -1. **`init`**: For systemd as PID 1 -2. **`systemd`**: For systemd as user - -All core required applications that need to be started by systemd (both as user or root) need to be present in these profiles. - -Early policy load should also be enabled. In `/etc/apparmor/parser.conf` -``` -cache-loc /etc/apparmor/earlypolicy/ -``` +### Enable !!! danger Full system policy is still under early development, do not run it outside a development VM! **You have been warned!!!** +This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load must be enabled, in `/etc/apparmor/parser.conf` ensure you have: +``` +write-cache +cache-loc /etc/apparmor/earlypolicy/ +``` + +### Structure + +The profiles for full system policies are maintained in the **[`_full`][full]** group. + +**systemd** + +In addition to systemd services (`systemd-*`) that have their own profiles, systemd itself, is confined using: + +- [x] **`systemd`**: For systemd as PID 1, designed such as: + - It allows internal systemd access, + - It allows starting all common root services. +- [ ] **`systemd-user`**: For `systemd --user`, designed such as: + - It allows internal systemd user access, + - It allows starting all common user services. + +These profiles are only intended to confine themselves. Any services started by systemd must have their corresponding profile. 
It means that for a given distribution, the following services must have profiles:
+
+- [ ] For `systemd`:
+```sh
+/usr/lib/systemd/system-generators/*
+/usr/lib/systemd/system-environment-generators/*
+/usr/lib/systemd/system/*.service
+```
+
+- [ ] For `systemd-user`
+```sh
+/usr/lib/systemd/user-environment-generators/*
+/usr/lib/systemd/user-generators/*
+/usr/lib/systemd/user/*.service
+```
+
+To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`:
+```
+  @{lib}/foo rPx -> systemd//&foo,
+  ...
+```
+
+**Fallback**
+
+!!! warning "Work in Progress"
+
+In addition to systemd profiles, a full system policy needs to ensure that no program run in an unconfined state at any time. When full policy mode is enabled, special fallback profiles `default` and `default-user` are used to ensure this. PAM rule can be used to configure it further.
 
 [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
 [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full
From 1b48e419f44ef63802fd6390191b3b18a38f3c73 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 15:38:36 +0000
Subject: [PATCH 13/14] build(suse): add systemd-userdbd drop in file.

---
 dists/apparmor.d.spec | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec
index 9c1b72679..4eae77d04 100644
--- a/dists/apparmor.d.spec
+++ b/dists/apparmor.d.spec
@@ -47,6 +47,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 %dir /usr/lib/systemd/system/systemd-journald.service.d
 %dir /usr/lib/systemd/system/systemd-networkd.service.d
 %dir /usr/lib/systemd/system/systemd-timesyncd.service.d
+%dir /usr/lib/systemd/system/systemd-userdbd.service.d
 %dir /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d
 %dir /usr/share/zsh
 %dir /usr/share/zsh/site-functions
@@ -57,6 +58,7 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 /usr/lib/systemd/system/systemd-journald.service.d/apparmor.conf
 /usr/lib/systemd/system/systemd-networkd.service.d/apparmor.conf
 /usr/lib/systemd/system/systemd-timesyncd.service.d/apparmor.conf
+/usr/lib/systemd/system/systemd-userdbd.service.d/apparmor.conf
 /usr/lib/systemd/user/org.freedesktop.IBus.session.GNOME.service.d/apparmor.conf
 /usr/share/bash-completion/completions/aa-log
 /usr/share/zsh/site-functions/_aa-log.zsh
From f0cdadbdafb949f60ecb4cea63cbd6820a988de0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 15:39:02 +0000
Subject: [PATCH 14/14] feat(abs): improve mesa abstraction.

---
 apparmor.d/abstractions/mesa.d/complete | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index d8b2f4a38..7c0394ca6 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -3,12 +3,12 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Extra Mesa rules for GDM
-  /var/lib/gdm/.cache/ w,
-  /var/lib/gdm/.cache/mesa_shader_cache/ rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/index rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
+  /var/lib/gdm{3,}/.cache/ w,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
 
 # Extra Mesa rules for SDDM
   /var/lib/sddm/.cache/ w,