From 3101d9e7b68e9cb867b3b37e6d16b1a1bbc488a3 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Tue, 14 Dec 2021 01:07:50 +0300
Subject: [PATCH 1/6] grc, ls , ss
---
 apparmor.d/profiles-g-l/grc | 62 +++++++++++++++++++++++++++++++++++++
 apparmor.d/profiles-g-l/ls | 22 +++++++++++++
 apparmor.d/profiles-s-z/ss | 39 +++++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 apparmor.d/profiles-g-l/grc
 create mode 100644 apparmor.d/profiles-g-l/ls
 create mode 100644 apparmor.d/profiles-s-z/ss
diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc
new file mode 100644
index 00000000..2040b132
--- /dev/null
+++ b/apparmor.d/profiles-g-l/grc
@@ -0,0 +1,62 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/share /usr/lib/systemd
+
+@{exec_path} = /{,usr/}bin/grc
+profile grc @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ # python-strict
+ /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
+ /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
+ /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
+ /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
+ /{,usr/}bin/python3.[0-9]{,[0-9]} r,
+
+ owner @{HOME}/.grc/** r,
+ /etc/grc.conf r,
+ /{,usr/}{,local/}share/grc/{,**} r,
+
+ /{,usr/}bin/grcat rix,
+ /{,usr/}bin/cat rix,
+ /{,usr/}bin/tail rix,
+ /{,usr/}bin/head rix,
+ /{,usr/}bin/{,g,m}awk rix,
+ /{,usr/}bin/{,e}grep rix,
+ /{,usr/}bin/sed rix,
+ /{,usr/}bin/less rix,
+
+ /{,usr/}bin/ping rPx,
+ /{,usr/}bin/traceroute rPx,
+ /{,usr/}bin/df rPx,
+ /{,usr/}bin/dfc rPx,
+ /{,usr/}bin/ss rPx,
+ /{,usr/}bin/ls rPx,
+ /{,usr/}bin/ps rPx,
+ /{,usr/}bin/ip rPx,
+ /{,usr/}bin/lsblk rPx,
+ /{,usr/}bin/diff rPx,
+ /{,usr/}sbin/blkid rPx,
+
+ @{GRC_PATHS_RO}/** r,
+ @{MOUNTS}/** r,
+
+ deny /var/log/{,**/}*.gz r,
+
+ # Extremely sensitive files
+ audit deny /etc/**.key mrwkl,
+ audit deny /etc/ssh/ssh_host_*_key mrwkl,
+
+ # Noise
+ deny /{,usr/}bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-g-l/ls b/apparmor.d/profiles-g-l/ls
new file mode 100644
index 00000000..26ce8724
--- /dev/null
+++ b/apparmor.d/profiles-g-l/ls
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/ls
+profile ls @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ capability dac_read_search,
+
+ # Directory traverse
+ / r,
+ /**/ r,
+
+ include if exists
+}
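Review bot: `@{GRC_PATHS_RO}/** r,` expands to an unrestricted read rule over all of `/etc`, `@{HOME}`, `/tmp` and `/var`, and the only carve-outs in the new profile are `deny /var/log/{,**/}*.gz r,` and the two `audit deny` lines for `*.key` and ssh host keys, so other root-readable secrets under `/etc` stay in scope whenever root runs grc. Since the `# Extremely sensitive files` block already takes that stance for ssh host keys, extending it is consistent, e.g. `audit deny /etc/{,g}shadow{,-} mrwkl,`. The `@{HOME}` and `/tmp` entries also cannot carry the `owner` qualifier that `owner @{HOME}/.grc/** r,` uses, because `owner` applies to a whole rule and not to part of a variable expansion. Separately, `/{,usr/}bin/less rix` runs the pager inside this profile, which grants no write access under `@{HOME}`; less's history file (`~/.lesshst`) is presumably denied on exit — confirm in the audit log and add `owner @{HOME}/.lesshst rw,` if so.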
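Review bot: The `profile ls @{exec_path}` attachment confines every `ls` on the system, not only the `Px` transition from grc, yet the rules grant only directory objects (`/ r,` and `/**/ r,`). AppArmor also mediates attribute reads on files (they can surface as `operation="getattr"` denials), so `ls -l` on regular files and symlink resolution are likely to be denied under this profile — confirm with a long listing of `/etc` in enforce mode before relying on it. If a system-wide ls profile is intended, a comment stating that scope, e.g. `# Attaches to every ls invocation, not only the grc -> ls transition`, would make the trade-off explicit.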
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
new file mode 100644
index 00000000..ff959b34
--- /dev/null
+++ b/apparmor.d/profiles-s-z/ss
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/ss
+profile ss @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ capability net_admin,
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ /etc/iproute2/{,**} r,
+
+ @{PROC} r,
+ @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/attr/current r,
+ @{PROC}/@{pid}/net/sockstat r,
+ @{PROC}/@{pid}/net/snmp r,
+
+ owner /tmp/*.ss rw,
+ owner @{HOME}/*.ss rw,
+
+ # [e]xtended
+ @{PROC}/@{pid}/mounts r,
+ @{sys}/fs/cgroup/{,**/} r,
+
+ include if exists
+}
From b6e4b4b743d6f6debec569adce16d8462bf97403 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 19 Dec 2021 00:40:26 +0300
Subject: [PATCH 2/6] fixes
---
 apparmor.d/profiles-g-l/grc | 17 ++++++++++++-----
 apparmor.d/profiles-g-l/ls | 22 ----------------------
 apparmor.d/profiles-s-z/ss | 31 +++++++++++++++++++------------
 3 files changed, 31 insertions(+), 39 deletions(-)
 delete mode 100644 apparmor.d/profiles-g-l/ls
diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc
index 2040b132..2dbf350e 100644
--- a/apparmor.d/profiles-g-l/grc
+++ b/apparmor.d/profiles-g-l/grc
@@ -1,4 +1,3 @@
-# vim:syntax=apparmor
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
 
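Review bot: The new ss profile has no `network` rule, so the sock_diag netlink socket that ss opens to query the kernel would be denied unless one of the includes (whose targets are not readable in this rendering) supplies it; the `@{PROC}/@{pid}/net/{sockstat,snmp}` reads only cover summary counters, not the per-socket tables ss would otherwise fall back to, so most invocations are likely to fail in enforce mode. `network netlink raw,` is the rule that usually closes this. `ptrace (read),` with no `peer=` applies to every domain, which `ss -p` needs together with `capability sys_ptrace,` in order to read `/proc/<pid>/fd` of arbitrary processes; a comment saying so, e.g. `# -p: needs PTRACE_MODE_READ on every process to map sockets to pids`, would keep the next maintainer from tightening it by mistake.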
@@ -14,6 +13,14 @@ profile grc @{exec_path} { include include + capability dac_read_search, + # No visible effect + deny capability dac_override, + + signal (send) set=(int) peer=ss, + signal (send) set=(int) peer=ping, + signal (send) set=(int) peer=traceroute, + # python-strict /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r, /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r, @@ -23,7 +30,7 @@ profile grc @{exec_path} { owner @{HOME}/.grc/** r, /etc/grc.conf r, - /{,usr/}{,local/}share/grc/{,**} r, + /usr/{,local/}share/grc/{,**} r, /{,usr/}bin/grcat rix, /{,usr/}bin/cat rix, @@ -33,18 +40,18 @@ profile grc @{exec_path} { /{,usr/}bin/{,e}grep rix, /{,usr/}bin/sed rix, /{,usr/}bin/less rix, + /{,usr/}bin/ls rix, /{,usr/}bin/ping rPx, - /{,usr/}bin/traceroute rPx, /{,usr/}bin/df rPx, /{,usr/}bin/dfc rPx, /{,usr/}bin/ss rPx, - /{,usr/}bin/ls rPx, /{,usr/}bin/ps rPx, /{,usr/}bin/ip rPx, /{,usr/}bin/lsblk rPx, /{,usr/}bin/diff rPx, /{,usr/}sbin/blkid rPx, + /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx, @{GRC_PATHS_RO}/** r, @{MOUNTS}/** r, @@ -56,7 +63,7 @@ profile grc @{exec_path} { audit deny /etc/ssh/ssh_host_*_key mrwkl, # Noise - deny /{,usr/}bin/ r, + deny /usr/bin/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/ls b/apparmor.d/profiles-g-l/ls deleted file mode 100644 index 26ce8724..00000000 --- a/apparmor.d/profiles-g-l/ls +++ /dev/null @@ -1,22 +0,0 @@ -# vim:syntax=apparmor -# apparmor.d - Full set of apparmor profiles -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}bin/ls -profile ls @{exec_path} { - @{exec_path} r, - include - include - - capability dac_read_search, - - # Directory traverse - / r, - /**/ r, - - include if exists -} diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index ff959b34..b23a92cb 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss 
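Review bot: `capability dac_read_search,` lets a root-run grc bypass DAC read and search checks on every path the profile already grants, and the existing `@{GRC_PATHS_RO}/** r,` covers `/etc`, `/var` and `@{HOME}` wholesale, so the `audit deny` list for `*.key` and ssh host keys becomes the only thing keeping protected files under `/etc` out of reach; extending it in the same change (e.g. `audit deny /etc/{,g}shadow{,-} mrwkl,`) would match the stance the profile already takes. `# No visible effect` above `deny capability dac_override,` does not say what was observed or why denying is safe; something like `# Requested at runtime but not needed for any tested invocation; deny rather than grant` (adjusted to what was actually seen) reads better. The three `signal (send) set=(int) peer=…` rules name profiles by label and silently stop matching if the `ss`, `ping` or `traceroute` profile is renamed or removed. The later hunk in this patch that widens the traceroute exec rule to `/usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx,` has the same dependency: `Px` requires a profile attaching to each of those paths, otherwise the exec is denied, so it is worth checking the traceroute profile's attachment covers `traceroute.db` and `linux-traceroute`.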
@@ -1,4 +1,3 @@ -# vim:syntax=apparmor # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only @@ -18,22 +17,30 @@ profile ss @{exec_path} { ptrace (read), + signal (receive) set=(int) peer=grc, + /etc/iproute2/{,**} r, - @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/net/sockstat r, - @{PROC}/@{pid}/net/snmp r, + @{PROC} r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/net/sockstat r, + owner @{PROC}/@{pid}/net/snmp r, + owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/net/raw r, + owner @{PROC}/@{pid}/net/tcp r, + owner @{PROC}/@{pid}/net/udp r, + + # [e]xtended + owner @{PROC}/@{pid}/mounts r, + @{sys}/fs/cgroup/{,**/} r, + + network netlink raw, owner /tmp/*.ss rw, owner @{HOME}/*.ss rw, - # [e]xtended - @{PROC}/@{pid}/mounts r, - @{sys}/fs/cgroup/{,**/} r, - include if exists } From 0fce337239544a4d6f2a4ba32f17d363bf9b8513 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 20 Dec 2021 15:54:20 +0000 Subject: [PATCH 3/6] Update grc --- apparmor.d/profiles-g-l/grc | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc index 2dbf350e..7fd83bbe 100644 --- a/apparmor.d/profiles-g-l/grc +++ b/apparmor.d/profiles-g-l/grc @@ -50,6 +50,7 @@ profile grc @{exec_path} { /{,usr/}bin/ip rPx, /{,usr/}bin/lsblk rPx, /{,usr/}bin/diff rPx, + /{,usr/}bin/mount rPx, /{,usr/}sbin/blkid rPx, /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx, From d6148c7b239f5c01dc378393f4d3673ad788fd5f Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 10 Jan 2022 21:49:01 +0000 Subject: [PATCH 4/6] Update grc - `mount` is too much, for now - expanding `ro` paths --- apparmor.d/profiles-g-l/grc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
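Review bot: `network netlink raw,` is what ss needs for sock_diag, but as far as the network rule syntax goes the netlink protocol number cannot be pinned, so the rule also permits raw sockets on every other netlink family (route, audit, uevent, …); that is inherent to the grant, and a comment recording it, e.g. `# sock_diag; AppArmor cannot restrict the netlink protocol, so this covers all netlink families`, would stop a later reader from assuming a tighter rule. The `ptrace (read),` context line carried over from the previous version still has no `peer=`, which is presumably deliberate because `ss -p` needs PTRACE_MODE_READ on every process; saying so in a comment next to the rule would document the intent. The profile's capability block starts outside this hunk.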
diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc index 7fd83bbe..ab02bb6a 100644 --- a/apparmor.d/profiles-g-l/grc +++ b/apparmor.d/profiles-g-l/grc @@ -5,7 +5,7 @@ abi , include -@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/share /usr/lib/systemd +@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/{,local/}share /{,usr/}lib/systemd @{exec_path} = /{,usr/}bin/grc profile grc @{exec_path} { @@ -50,7 +50,6 @@ profile grc @{exec_path} { /{,usr/}bin/ip rPx, /{,usr/}bin/lsblk rPx, /{,usr/}bin/diff rPx, - /{,usr/}bin/mount rPx, /{,usr/}sbin/blkid rPx, /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx, From 52aa210f701410f6b8697155629ca91f090afa7b Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sat, 15 Jan 2022 23:54:08 +0000 Subject: [PATCH 5/6] Delete grc --- apparmor.d/profiles-g-l/grc | 69 ------------------------------------- 1 file changed, 69 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/grc diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc deleted file mode 100644 index ab02bb6a..00000000 --- a/apparmor.d/profiles-g-l/grc +++ /dev/null 
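Review bot: Widening `@{GRC_PATHS_RO}` keeps `@{HOME}` and `/tmp` inside a single variable that is consumed as `@{GRC_PATHS_RO}/** r,` further down, so those user-writable trees cannot receive the `owner` qualifier the profile already uses for `@{HOME}/.grc`, and a root-run grc with `capability dac_read_search,` reads other users' files through it. Splitting them out as `owner @{HOME}/** r,` and `owner /tmp/** r,` while leaving `/etc`, `/srv`, `/var`, `/usr/{,local/}share` and `/{,usr/}lib/systemd` in the variable preserves the colourising use case and narrows that exposure; note `/var` still pulls in `/var/tmp`, which would need its own treatment. If this tree deliberately avoids `owner` on wrapper-style tools, a comment on the variable saying so would settle the question.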
@@ -1,69 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/{,local/}share /{,usr/}lib/systemd
-
-@{exec_path} = /{,usr/}bin/grc
-profile grc @{exec_path} {
- @{exec_path} r,
- include
- include
-
- capability dac_read_search,
- # No visible effect
- deny capability dac_override,
-
- signal (send) set=(int) peer=ss,
- signal (send) set=(int) peer=ping,
- signal (send) set=(int) peer=traceroute,
-
- # python-strict
- /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
- /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
- /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
- /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
- /{,usr/}bin/python3.[0-9]{,[0-9]} r,
-
- owner @{HOME}/.grc/** r,
- /etc/grc.conf r,
- /usr/{,local/}share/grc/{,**} r,
-
- /{,usr/}bin/grcat rix,
- /{,usr/}bin/cat rix,
- /{,usr/}bin/tail rix,
- /{,usr/}bin/head rix,
- /{,usr/}bin/{,g,m}awk rix,
- /{,usr/}bin/{,e}grep rix,
- /{,usr/}bin/sed rix,
- /{,usr/}bin/less rix,
- /{,usr/}bin/ls rix,
-
- /{,usr/}bin/ping rPx,
- /{,usr/}bin/df rPx,
- /{,usr/}bin/dfc rPx,
- /{,usr/}bin/ss rPx,
- /{,usr/}bin/ps rPx,
- /{,usr/}bin/ip rPx,
- /{,usr/}bin/lsblk rPx,
- /{,usr/}bin/diff rPx,
- /{,usr/}sbin/blkid rPx,
- /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx,
-
- @{GRC_PATHS_RO}/** r,
- @{MOUNTS}/** r,
-
- deny /var/log/{,**/}*.gz r,
-
- # Extremely sensitive files
- audit deny /etc/**.key mrwkl,
- audit deny /etc/ssh/ssh_host_*_key mrwkl,
-
- # Noise
- deny /usr/bin/ r,
-
- include if exists
-}
From 56f72ee8f9e70958e115be2c4f39feb0db1e5144 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 16 Jan 2022 00:07:33 +0000
Subject: [PATCH 6/6] Update ss
---
 apparmor.d/profiles-s-z/ss | 43 +++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index b23a92cb..ee4c8dea 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -7,7 +7,6 @@ include @{exec_path} = /{,usr/}bin/ss profile ss @{exec_path} { - @{exec_path} r, include include @@ -15,32 +14,32 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace (read), - - signal (receive) set=(int) peer=grc, - - /etc/iproute2/{,**} r, - - @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/attr/current r, - owner @{PROC}/@{pid}/net/sockstat r, - owner @{PROC}/@{pid}/net/snmp r, - owner @{PROC}/@{pid}/net/unix r, - owner @{PROC}/@{pid}/net/raw r, - owner @{PROC}/@{pid}/net/tcp r, - owner @{PROC}/@{pid}/net/udp r, - - # [e]xtended - owner @{PROC}/@{pid}/mounts r, - @{sys}/fs/cgroup/{,**/} r, + ptrace (read), # unconfined, TODO network netlink raw, + @{exec_path} r, + + /etc/iproute2/{,**} r, + owner /tmp/*.ss rw, owner @{HOME}/*.ss rw, + @{PROC} r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/net/sockstat r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/unix r, + owner @{PROC}/@{pids}/net/raw r, + owner @{PROC}/@{pids}/net/tcp r, + owner @{PROC}/@{pids}/net/udp r, + + # [e]xtended + owner @{PROC}/@{pids}/mounts r, + @{sys}/fs/cgroup/{,**/} r, + include if exists }
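Review bot: `ptrace (read), # unconfined, TODO` is the line in this hunk a reader most needs explained, and the trailing comment names neither what is unconfined (the missing `peer=`) nor what blocks tightening it; `# no peer=: ss -p must read /proc/<pid>/fd of every process regardless of its profile — TODO revisit` states both. The `@{pid}` → `@{pids}` rename on the `@{PROC}` rules presumably switches from a single-pid pattern to the any-pid pattern that `ss -p` needs for foreign processes; if `@{pid}` is own-pid in this tree's tunables, a one-line comment on the first `@{PROC}/@{pids}/` rule would save the next reader the lookup. The profile's `capability` block begins outside the hunk.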