feat(profile): whonix: add sdwdate profiles.

2024-11-15 16:03:51 +01:00 · 2024-04-06 15:09:48 +01:00 · 2024-04-06 15:09:48 +01:00 · 279b8b40a6
commit 279b8b40a6
parent 9aa9f26507
5 changed files with 188 additions and 0 deletions
--- a/apparmor.d/groups/whonix/sdwdate
+++ b/apparmor.d/groups/whonix/sdwdate
@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/sdwdate/sdwdate
+profile sdwdate @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>
+  include <abstractions/ssl_certs>
+
+  capability sys_time,
+
+  network inet stream,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  @{bin}/cat                            rix,
+  @{bin}/date                           rix,
+  @{bin}/minimum-unixtime-show          rix,
+  @{bin}/sleep                          rix,
+  @{bin}/timeout                        rix,
+  @{bin}/timesanitycheck                rix,
+  @{bin}/tor-circuit-established-check  rix,
+  @{bin}/touch                          rix,
+  @{lib}/helper-scripts/*               rix,
+  @{bin}/url_to_unixtime                rix,
+  @{bin}/grep rix,
+
+  @{lib}/helper-scripts/ r,
+  @{lib}/sdwdate/ r,
+
+  /usr/share/timesanitycheck/* r,
+  /usr/share/tor/tor-service-defaults-torrc r,
+  /usr/share/translations/sdwdate.yaml r,
+  /usr/local/etc/torrc.d/{,**} r,
+
+  /etc/sdwdate.d/{,**} r,
+  /etc/tor/torrc r,
+  @{etc_ro}/torrc.d/{,**} r,
+
+  owner /var/lib/sdwdate/ rw,
+  owner /var/lib/sdwdate/* rw,
+
+        @{run}/tor/control.authcookie r,
+  owner @{run}/sdwdate/* rw,
+
+  /dev/tty rw,
+
+  include if exists <local/sdwdate>
+}
--- a/apparmor.d/groups/whonix/sdwdate-clock-jump
+++ b/apparmor.d/groups/whonix/sdwdate-clock-jump
@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/sdwdate-clock-jump
+profile sdwdate-clock-jump @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app/sudo>
+
+  @{exec_path} mr,
+
+  @{bin}/id rix,
+  @{bin}/rm rix,
+  @{bin}/systemctl rCx -> systemctl,
+  @{bin}/touch rix,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <local/sdwdate-clock-jump_systemctl>
+  }
+
+  include if exists <local/sdwdate-clock-jump>
+}
--- a/apparmor.d/groups/whonix/sdwdate-gui
+++ b/apparmor.d/groups/whonix/sdwdate-gui
@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path}  = @{bin}/sdwdate-gui
+@{exec_path} += @{lib}/sdwdate-gui/start-maybe @{lib}/sdwdate-gui/sdwdate-gui
+profile sdwdate-gui @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>
+
+  ptrace (read) peer=@{p_systemd},
+  ptrace (read) peer=xfce-panel,
+
+  @{exec_path} mrix,
+
+  @{sh_path}  rix,
+
+  @{bin}/sudo rCx -> root,
+  @{bin}/xfce4-terminal rix,
+  @{lib}/helper-scripts/terminal-wrapper rix,
+  @{lib}/sdwdate-gui/log-viewer rix,
+  @{lib}/helper-scripts/* rix,
+
+  @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw,
+
+  @{lib}/sdwdate-gui/ r,
+
+  /usr/share/sdwdate-gui/{,**} r,
+
+  /etc/sdwdate-gui.d/{,**} r,
+
+  /dev/tty rw,
+
+  @{run}/sdwdate/status r,
+
+  profile root {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    @{bin}/sdwdate-clock-jump rPx,
+
+    include if exists <local/sdwdate-gui_root>
+  }
+
+  include if exists <local/sdwdate-gui>
+}
--- a/apparmor.d/groups/whonix/sdwdate-start
+++ b/apparmor.d/groups/whonix/sdwdate-start
@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/sdwdate/sdwdate-start-anondate-set-file-watcher
+profile sdwdate-start @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{bin}/mkdir rix,
+  @{bin}/chown rix,
+  @{bin}/mktemp rix,
+  @{bin}/rm rix,
+  @{bin}/mkfifo  rix,
+  @{bin}/inotifywait  rix,
+
+  owner /tmp/tmp.@{rand10} rw,
+
+  owner @{run}/sdwdate/ rw,
+  owner @{run}/sdwdate/status rw,
+
+  /dev/tty rw,
+
+  include if exists <local/sdwdate-start>
+}
--- a/apparmor.d/groups/whonix/sdwdate-wrapper
+++ b/apparmor.d/groups/whonix/sdwdate-wrapper
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/sdwdate
+profile sdwdate-wrapper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app/sudo>
+
+  @{exec_path} mr,
+
+  @{lib}/sdwdate/sdwdate rPx,
+
+  include if exists <local/sdwdate-wrapper>
+}