From eeb990a934ea3a2ee90bd3559600ba55a52e6f6b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 6 May 2024 23:52:38 +0100
Subject: [PATCH] feat(profile): add some whonix specific profiles.
---
apparmor.d/groups/whonix/anondate | 47 +++++++++++++++++++++++
apparmor.d/groups/whonix/msgdispatcher-delete | 24 ++++++++++
apparmor.d/groups/whonix/tor-bootstrap-check | 23 +++++++++
.../groups/whonix/tor-consensus-valid-after | 25 ++++++++++
4 files changed, 119 insertions(+)
create mode 100644 apparmor.d/groups/whonix/anondate
create mode 100644 apparmor.d/groups/whonix/msgdispatcher-delete
create mode 100644 apparmor.d/groups/whonix/tor-bootstrap-check
create mode 100644 apparmor.d/groups/whonix/tor-consensus-valid-after
diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate
new file mode 100644
index 000000000..179e6c059
--- /dev/null
+++ b/apparmor.d/groups/whonix/anondate
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/anondate{,-get,-set}
+profile anondate @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{bin}/cat rix,
+ @{bin}/cp rix,
+ @{bin}/date rix,
+ @{bin}/grep rix,
+ @{bin}/minimum-unixtime-show rix,
+ @{bin}/rm rix,
+ @{bin}/systemd-cat rPx,
+ @{bin}/tee rix,
+ @{bin}/timeout rix,
+ @{bin}/tor-circuit-established-check rix,
+ @{bin}/touch rix,
+ @{bin}/whoami rix,
+
+ @{lib}/helper-scripts/{,**} r,
+ @{lib}/helper-scripts/tor_bootstrap_check.py rPx,
+ @{lib}/helper-scripts/tor_consensus_valid-after.py rPx,
+
+ /usr/share/timesanitycheck/{,**} r,
+
+ /var/lib/sdwdate/time-replay-protection-utc-unixtime r,
+
+ owner /tmp/tmp.@{rand10} rw,
+
+ @{run}/tor/control.authcookie r,
+ @{run}/tor/log r,
+ owner @{run}/sdwdate/* rw,
+
+ include if exists
+}
\ No newline at end of file
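Review bot: `@{bin}/date rix,` runs date inside this profile, yet no `capability sys_time,` is granted, so if the `-set` variant covered by `@{exec_path} = @{bin}/anondate{,-get,-set}` changes the clock through `date --set` (inferred from the name; confirm against the script) that call will be denied — add `capability sys_time,` above `@{exec_path} mrix,` if so, or better, give anondate-set its own profile so the read-only `anondate`/`anondate-get` never carry the capability. The `abi` and `include` targets are not visible in this rendering (`abi ,`, bare `include`), so whatever those abstractions supply (interpreter, network, dbus) cannot be audited from the hunk. Because `ix` children inherit the profile, every helper listed (`cat`, `grep`, `timeout`, …) also receives `@{run}/tor/control.authcookie r,`; that is tolerable for a single-purpose tool, but a why-comment naming which child actually needs the Tor control cookie would make the grant reviewable.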
diff --git a/apparmor.d/groups/whonix/msgdispatcher-delete b/apparmor.d/groups/whonix/msgdispatcher-delete
new file mode 100644
index 000000000..6a2c132b9
--- /dev/null
+++ b/apparmor.d/groups/whonix/msgdispatcher-delete
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/msgcollector/msgdispatcher_delete_wrapper
+profile msgdispatcher-delete @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/rm rix,
+
+ @{run}/msgcollector/user/* rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check
new file mode 100644
index 000000000..d93f3ee3c
--- /dev/null
+++ b/apparmor.d/groups/whonix/tor-bootstrap-check
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py
+profile tor-bootstrap-check @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{lib}/helper-scripts/{,**} r,
+
+ owner /tmp/tmp.@{rand10} rw,
+
+ @{run}/tor/control.authcookie r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/tor-consensus-valid-after b/apparmor.d/groups/whonix/tor-consensus-valid-after
new file mode 100644
index 000000000..06e2189af
--- /dev/null
+++ b/apparmor.d/groups/whonix/tor-consensus-valid-after
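Review bot: `capability dac_read_search,` is granted without a comment saying why a wrapper whose only actions are `@{sh_path} rix,` and `@{bin}/rm rix,` against `@{run}/msgcollector/user/* rw,` must bypass DAC read/search checks; the unqualified path rule (no `owner`) suggests it removes files belonging to other users, presumably when invoked through sudo, so state that above the capability, e.g. `# traverses other users' entries under @{run}/msgcollector/user/ when run as root`. Note that `dac_read_search` covers only directory traversal and reads: if the target directory is not writable by the invoking identity, the unlink would additionally need `dac_override`, which is rightly not granted here — keep it that way and add it only if an actual denial shows it is required.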
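Review bot: The profile grants `@{exec_path} mr,` for a Python script but shows no rule for a Python interpreter and no `network` rule, while `@{run}/tor/control.authcookie r,` only makes sense if the script then authenticates to the Tor control port; unless one of the `include` abstractions (targets stripped in this rendering) supplies them, the script will be denied at exec or at connect. Confirm against the script and add the interpreter rule (`@{bin}/python3.@{int} r,` with the python abstraction, in apparmor.d style) plus `network inet stream,` or a rule for the control socket path, whichever the script uses. `@{lib}/helper-scripts/{,**} r,` grants read on the entire helper directory; if the script only imports a sibling module, naming that file keeps the profile least-privilege, and otherwise a one-line comment on why the whole tree is needed would help.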
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/helper-scripts/tor_consensus_valid-after.py
+profile tor-consensus-valid-after @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{lib}/helper-scripts/{,**} r,
+
+ @{run}/tor/control.authcookie r,
+ owner @{run}/sdwdate/* rw,
+
+ owner /tmp/tmp.@{rand10} rw,
+
+ include if exists
+}
\ No newline at end of file
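Review bot: `owner @{run}/sdwdate/* rw,` lets `tor_consensus_valid-after.py` create and rewrite any file under the sdwdate runtime directory, whereas the sibling `tor-bootstrap-check` profile in this patch needs no sdwdate access at all; if this script writes a single status file, name it instead of `*` (and use `w` rather than `rw` if it never reads it back) and add a comment stating what is written there, e.g. `# publishes the consensus valid-after time for sdwdate` — inferred from the script name, verify before committing to that wording. As in `tor-bootstrap-check`, no interpreter or `network` rule is visible despite `@{run}/tor/control.authcookie r,`; the third `include` here (versus two in that profile) may cover one of them, but the include targets are stripped in this rendering, so confirm directly against the loaded profile.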