From 595a27560fdb08880d167b6bc35ec6d5e301ece2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 21 Jul 2022 20:17:03 +0100
Subject: [PATCH] feat(profiles): add mullvad profiles.
---
 apparmor.d/groups/network/mullvad-daemon | 54 +++++++++++++++++
 apparmor.d/groups/network/mullvad-gui | 75 ++++++++++++++++++++++++
 dists/flags/main.flags | 2 +
 3 files changed, 131 insertions(+)
 create mode 100644 apparmor.d/groups/network/mullvad-daemon
 create mode 100644 apparmor.d/groups/network/mullvad-gui
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
new file mode 100644
index 00000000..4f7fe0cc
--- /dev/null
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
+profile mullvad-daemon @{exec_path} {
+ include
+ include
+
+ capability dac_override,
+ capability net_admin,
+ capability net_raw,
+ capability sys_admin,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet raw,
+ network inet6 raw,
+ network netlink raw,
+ network netlink dgram,
+
+ mount fstype=cgroup -> /sys/fs/cgroup/net_cls/,
+
+ @{exec_path} mr,
+
+ "/opt/Mullvad VPN/resources/*" r,
+
+ /etc/mullvad-vpn/{,*} r,
+ /etc/mullvad-vpn/*.json rw,
+ /etc/resolv.conf rw,
+ /etc/resolv.conf.mullvadbackup rw,
+
+ /var/cache/mullvad-vpn/{,*} rw,
+ /var/log/mullvad-vpn/{,*} rw,
+
+ @{run}/mullvad-vpn rw,
+ @{run}/NetworkManager/resolv.conf r,
+
+ @{sys}/fs/cgroup/net_cls/ w,
+ @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
+ @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
+
+ include if exists
+}
\ No newline at end of file
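Review bot: The `mount fstype=cgroup -> /sys/fs/cgroup/net_cls/,` rule constrains neither the mount source nor the mount options, so together with `capability sys_admin` it admits any cgroup-v1 mount at that path regardless of flags. If the daemon mounts it with the usual flags, `mount fstype=cgroup options=(rw,nosuid,nodev,noexec) cgroup -> /sys/fs/cgroup/net_cls/,` is the tighter form; confirm the exact options from the audit log before switching, as a mismatch simply turns into a denial. A why-comment on the capability would also help later reviewers, e.g. `# sys_admin: required for the net_cls cgroup mount below`. Note too that the profile lets the daemon create `net_cls/mullvad-exclusions/` and write `net_cls.classid` but grants nothing on `cgroup.procs` or `tasks` in that directory, which a process-exclusion mechanism would presumably need to move PIDs into the group — worth checking the denials before the `complain` flag is removed. The `abi` and `include` targets appear stripped in this rendering, so which abstractions the profile pulls in cannot be reviewed here.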
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
new file mode 100644
index 00000000..a602dbfe
--- /dev/null
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -0,0 +1,75 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = "/opt/Mullvad VPN/mullvad-gui"
+profile mullvad-gui @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability sys_chroot,
+ capability sys_ptrace,
+ capability sys_admin,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ "/opt/Mullvad VPN/*.so*" rm,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gsettings rix,
+ /{usr/,}bin/xdg-open rPx,
+
+ "/opt/Mullvad VPN/{,**}" r,
+ /usr/share/themes/{,**} r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /etc/libva.conf r,
+ /var/lib/dbus/machine-id r,
+
+ owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
+
+ owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+ @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
+
+ @{PROC}/ r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ owner @{PROC}/@{uid}/cmdline r,
+ owner @{PROC}/@{uid}/fd/ r,
+ owner @{PROC}/@{uid}/cgroup r,
+ owner @{PROC}/@{uid}/gid_map w,
+ owner @{PROC}/@{uid}/oom_score_adj w,
+ owner @{PROC}/@{uid}/setgroups w,
+ owner @{PROC}/@{uid}/stat r,
+ owner @{PROC}/@{uid}/statm r,
+ owner @{PROC}/@{uid}/task/ r,
+ owner @{PROC}/@{uid}/task/@{tid}/status r,
+ owner @{PROC}/@{uid}/uid_map w,
+
+ /dev/tty rw,
+
+ include if exists
+}
\ No newline at end of file
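Review bot: The eleven `owner @{PROC}/@{uid}/…` rules use `@{uid}` for the PID component of the path, while the `mullvad-daemon` profile in this same commit uses `@{pid}` (`owner @{PROC}/@{pid}/mounts r,`); if both variables currently expand to a bare numeric pattern the rules happen to work, but they read as user-id paths and will silently stop matching if `@{uid}` is ever narrowed to the uid range. The character class in `.mutter-Xwaylandauth.[a-zA-z0-9]*` also looks like a typo: `A-z` spans the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick), so `[a-zA-Z0-9]` is intended. The `sys_chroot`/`sys_ptrace`/`sys_admin` trio is presumably for the Chromium/Electron sandbox but is not documented; a comment such as `# Chromium sandbox (confirm against audit log)` above the capability block would explain why a GUI needs them. The rewritten rules are below.

```apparmor
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,
  # … unchanged: @{sys} and @{PROC}/sys rules …
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/oom_score_adj w,
  owner @{PROC}/@{pid}/setgroups w,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
  owner @{PROC}/@{pid}/uid_map w,
```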
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 0e115545..d4886101 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -95,6 +95,8 @@ mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
 mount complain
+mullvad-daemon complain
+mullvad-gui complain
 nautilus complain
 needrestart attach_disconnected,complain
 needrestart-iucode-scan-versions complain