feat(full): improve systemd profile.

See https://apparmor.pujol.io/development/structure/#full-system-policy
This commit is contained in:
Alexandre Pujol 2023-11-19 21:31:57 +00:00
parent d64ef39bd1
commit 59140f5411
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
2 changed files with 203 additions and 208 deletions


@ -1,235 +1,227 @@
# full-apparmor-policy
# Full System MAC Policy using AppArmor
#
# Copyright (c) 2023 monsieuremre <https://github.com/monsieuremre>
#
# This file is part of full-apparmor-policy. You can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2023 monsieuremre <https://github.com/monsieuremre>
# SPDX-License-Identifier: GPL-2.0-only
# Profile for systemd (PID 1), it does not specify an attachment path because
# it is directly loaded by systemd.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
# Distributions and other programs can add rules in the usr/systemd.d directory
# Note: A non negligible part of the rules are due to stacked profile and unified systemd/systemd-user
abi <abi/3.0>,
include <tunables/global>
profile systemd @{lib}/systemd/** flags=(attach_disconnected) {
profile systemd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/authentication>
include <abstractions/dbus-session>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/video>
include <abstractions/wutmp>
## Section 1 - Non-file related permissions
capability audit_read, # can be phased out?
# Needed by systemd
capability audit_read,
capability audit_write,
capability bpf,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability sys_admin,
# The following is needed by desktop environments
# If on gnome, these can be phased out because the DE components are already covered
# with profiles. For other desktops, these have to be allowed
capability sys_nice,
capability kill,
capability mknod,
capability perfmon,
capability sys_admin,
capability sys_tty_config,
capability sys_resource,
capability sys_chroot,
network netlink,
network inet,
network inet6,
network packet,
# network unix, # same as just allowing unix?
# network local, # a thing?
# Required by stacked profiles
capability net_admin,
capability net_bind_service,
capability net_raw,
capability setfcap,
capability setgid,
capability setpcap,
capability setuid,
capability sys_nice,
capability sys_ptrace,
capability sys_time,
unix (accept),
unix (connect),
unix (send),
unix (receive),
ptrace (read),
dbus (send),
dbus (receive),
dbus (bind),
signal (send),
signal (receive),
network inet dgram,
network inet raw,
network inet stream,
network inet6 dgram,
network inet6 raw,
network inet6 stream,
network netlink raw,
network packet dgram,
network packet raw,
# TODO: WIP
mount,
remount,
umount,
## Restrictions
#
## The following are implicitly denied with this profile. There are comments on
## what they might break without dedicated profilesand how to address these breakages.
#
## mostly won't break anything with the current set of profiles
# deny capability mknod,
# deny capability setpcap,
# deny capability checkpoint_restore,
# deny capability audit_control,
# deny capability net_bind_service,
# deny capability block_suspend,
# deny capability bpf,
# deny capability ipc_owner,
# deny capability sys_tty_config,
# deny capability mac_admin, # intentional to protect policy
# deny capability mac_override, # intentional to protect policy
# deny capability sys_module,
# deny capability linux_immutable,
# deny capability lease,
# deny capability net_broadcast,
# deny capability perfmon,
# deny capability sys_boot,
# deny capability sys_pacct,
# deny capability sys_time,
# deny capability wake_alarm,
# deny capability setfcap,
#
# deny pivot_root,
#
# deny unix (listen),
# deny unix (create),
# deny unix (getattr),
# deny unix (setattr),
# deny unix (setopt),
# deny unix (getopt),
#
# deny ptrace (trace),
# deny ptrace (tracedby),
# deny ptrace (readby),
#
# deny network bluetooth,
# deny network alg,
# deny network ash,
# deny network rose,
# deny network x25,
# deny network ax25,
# deny network ipx,
# deny network netrom,
# deny network appletalk,
# deny network econet,
# deny network qipcrtr,
# deny network bridge,
# deny network atmpvc,
# deny network netbeui,
# deny network security,
# deny network key,
# deny network atmsvc,
# deny network rds,
# deny network irda,
# deny network pppox,
# deny network wanpipe,
# deny network ib,
# deny network mpls,
# deny network can,
# deny network tipc,
# deny network rxrpc,
# deny network isdn,
# deny network phonet,
# deny network ieee802154,
# deny network caif,
# deny network vsock,
# deny network kcm,
# deny network smc,
# deny network xdp,
#
## will break firewalls with no profile, use firewalld as profile provided
# deny capability net_raw,
# deny capability net_admin,
#
## might break some desktop components without profile, won't brake on gnome or kde
# deny capability ipc_lock,
#
## might break if you use utilities that don't have profiles (unlikely)
# deny capability sys_rawio,
# deny capability fsetid,
#
## will break electron apps without profiles, which the most common ones have here
## might also break sandboxing utils if they don't have profiles, which the most common ones have here
# deny capability sys_resource,
# deny capability sys_chroot,
#
## most anything is covered with profiles, but some niche custom utils
## or replacements or rewrites or very specific things can (probably won't) break
## in that case it is worth making a profile request.
# deny capability setgid,
# deny capability setuid,
pivot_root @{run}/systemd/mount-rootfs/ -> @{run}/systemd/mount-rootfs/,
change_profile,
# -----
signal (receive) set=(term, hup, cont),
signal (send),
## Section 2 - File permissions
ptrace (read, readby),
## This is quite restrictive for a "general" profile.
## Can of course be further restricted. Probably by a lot.
unix (send) type=dgram,
dbus, # TODO: WIP
dbus bind bus=system name=org.freedesktop.systemd1,
@{bin}/{,u}mount rix,
@{bin}/ldconfig rPx -> ldconfig.service,
@{bin}/chgrp rPx -> dmesg.service,
@{bin}/chmod rPx -> dmesg.service,
@{bin}/savelog rPx -> dmesg.service,
audit @{lib}/** Pix,
audit @{bin}/** Pix,
audit /etc/init.d/* PUx,
@{bin}/pipewire rPx -> systemd//&pipewire,
@{bin}/pipewire-media-session rPx -> systemd//&pipewire-media-session,
@{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
@{bin}/pulseaudio rPx -> systemd//&pulseaudio,
@{bin}/wireplumber rPx -> systemd//&wireplumber,
@{lib}/{,polkit-1/}polkitd rPx -> systemd//&polkitd,
@{lib}/snapd/snapd-apparmor rPx,
# @{lib}/systemd/systemd rPx -> systemd-user, # FIXME: only works on server
@{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd,
@{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved,
@{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
/usr/share/apport/apport rPx,
/usr/share/gdm/generate-config rPx,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown rPx,
## The owner can read pretty much everything
## He can also write to the directories
## directly under root.
/ r,
owner / rwlk,
/boot/ r,
/boot/efi/ r,
/efi/ r,
/tmp/ r,
/usr/ r,
/var/lib/*/ r,
/var/tmp/ r,
@{lib}/ r,
## Everyone can see the home directories
## Only the owners allowed inside
/home r,
owner /home/** rwlkPix,
/usr/share/** r,
## Reserved for the owner 'root' only
owner /boot/** rwlk,
owner /root/** rwlk,
/etc/binfmt.d/{,**} r,
/etc/conf.d/{,**} r,
/etc/credstore.encrypted/{,**} r,
/etc/credstore/{,**} r,
/etc/default/** r,
/etc/environment r,
/etc/environment.d/{,**} r,
/etc/machine-id r,
/etc/modules-load.d/ r,
/etc/networkd-dispatcher/{,**} r,
/etc/pipewire/** r,
/etc/polkit*/** r,
/etc/systemd/{,**} r,
/etc/udev/hwdb.d/{,*} r,
## Running binaries is allowed in these places
## Modifying them requires ownership
@{lib}/** rPix,
owner @{lib}/** rwmlkPix,
/var/lib/gdm{3,}/.config/pulse/{,**} rw,
/var/lib/gdm{3,}/.config/pulse/cookie k,
/var/lib/gdm{3,}/.config/dconf/user r,
@{bin}/** rPix,
owner @{bin}/** rwmlkPix,
/var/lib/systemd/{,**} rw,
owner /var/tmp/systemd-private-*/{,**} rw,
/opt/** rPix,
owner /opt/** rwmlkPix,
@{user_config_dirs}/pulse/{,**} rw,
## Reading /usr allowed, writing requires ownership
/usr/** r,
owner /usr/** rwlk,
/tmp/namespace-dev-@{rand6}/{,**} rw,
/tmp/systemd-private-*/{,**} rw,
## Reading files in temp requires ownership
owner /{,var/}tmp/** rw,
@{run}/ r,
@{run}/credentials/{,**} rw,
@{run}/dbus/system_bus_socket rw,
@{run}/spice-vdagentd/spice-vdagent-sock rw,
@{run}/systemd/{,**} rw,
@{run}/udev/control rw,
@{run}/udev/data/* r,
@{run}/udev/tags/systemd/ r,
@{run}/user/@{uid}/{,**} rwlk,
owner @{run}/* rw,
owner @{run}/*/ rw,
owner @{run}/*/* rw,
## Reading /etc allowed, writing requires ownership
/{,usr/local/}etc/** r,
owner /{,usr/local/}etc/** rwmlk,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/sound/ r,
@{sys}/devices/@{pci}/** r,
@{sys}/devices/**/net/** r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/tty/console/active r,
@{sys}/fs/**/ r,
@{sys}/fs/cgroup/{,**} rw,
@{sys}/kernel/**/ r,
@{sys}/module/apparmor/parameters/enabled r,
## Can be restricted? Maybe
/dev/** rw,
@{PROC}/@{pid}/{uid_map,gid_map} r,
@{PROC}/@{pid}/attr/apparmor/exec w,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/comm r,
@{PROC}/@{pid}/coredump_filter r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/gid_map w,
@{PROC}/@{pid}/loginuid rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/setgroups rw,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/@{pid}/uid_map w,
@{PROC}/cmdline r,
@{PROC}/devices r,
@{PROC}/pressure/* r,
@{PROC}/swaps r,
@{PROC}/sys/fs/binfmt_misc/ r,
@{PROC}/sys/fs/nr_open r,
@{PROC}/sys/kernel/* r,
@{PROC}/sys/kernel/random/* rw,
@{PROC}/sys/net/ipv{4,6}/** rw,
owner @{PROC}/@{pid}/oom_score_adj rw,
## Owner can access his media and mount
owner @{MOUNTDIR}/** rw,
/dev/ r,
/dev/bus/usb/ r,
/dev/hwrng r,
/dev/rfkill rw,
/dev/shm/ rw,
/dev/tty rw,
/dev/tty@{int} rwk,
owner /dev/console rwk,
owner /dev/hugepages/ rw,
owner /dev/mqueue/ rw,
owner /dev/ttyS@{int} rwk,
## Many stuff run in /var. We deny executing tmp and log files.
/var/** rwmlkPix,
deny /var/log/** x,
deny /var/tmp/** x,
## Can be restricted
@{run}/** rw,
owner @{run}/** rwlk,
## Reading can be more restricted for subdirs
@{PROC}/** r,
owner @{PROC}/** rw,
## Can definetely be restricted further
@{sys}/** rw,
## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy
deny /dev/mem rw,
deny /dev/kmem rw,
deny /dev/port rw,
deny /dev/sd* rw,
deny /dev/vd* rw,
deny /dev/nvme* rw,
deny /dev/disk/** rw,
deny /dev/block/** rw,
include if exists <usr/full-policy.d>
include if exists <local/full-policy>
include if exists <usr/systemd.d>
include if exists <local/systemd>
}
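Review bot: `change_profile,` at L213 carries no target, so the confined PID 1 may switch itself into any loaded profile, including `unconfined`; if this is needed so that units with `AppArmorProfile=` can be started (`@{PROC}/@{pid}/attr/apparmor/exec w` at L334 points that way), a comment such as `# Unrestricted target: unit AppArmorProfile= may name any loaded profile` would stop the next reader from narrowing it. In the same spirit, the bare `dbus, # TODO: WIP` at L222 subsumes `dbus bind bus=system name=org.freedesktop.systemd1,` on the line below until the WIP is resolved, and `audit /etc/init.d/* PUx,` at L231 lets an init script with no profile run unconfined, which cuts against the full-system-policy goal stated in the header; `audit /etc/init.d/* Pix,` would instead fall back to inheriting this profile, where `@{bin}/** Pix` still hands daemons their own profiles. Since the rendered page has lost the +/- markers, which of these lines are new is inferred from comment style only; if one of them is inherited from the old file the point still applies to the resulting profile.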


@ -1,6 +1,9 @@
# Common profile flags definition for all distributions
# One profile by line using the format: '<profile> <flags>'
systemd attach_disconnected,complain
systemd-user attach_disconnected,complain
aa-load complain
acpid attach_disconnected,complain
agetty complain