Full-Policy integration for Whonix/Kicksecure - And also everyone else (#249)
* full-policy * change path * change * big fix * Delete apparmor.d/groups/_full/systemd * Update and rename full-policy to systemd
This commit is contained in:
parent
f0cdadbdaf
commit
83a2a1cbf9
@ -1,14 +1,235 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
# full-apparmor-policy
|
||||
# Full System MAC Policy using AppArmor
|
||||
#
|
||||
# Copyright (c) 2023 monsieuremre <https://github.com/monsieuremre>
|
||||
#
|
||||
# This file is part of full-apparmor-policy. You can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
|
||||
# Main profile for full system policy.
|
||||
abi <abi/3.0>,
|
||||
|
||||
# Profile for systemd (PID 1), it does not specify an attachment path because
|
||||
# it is direclty used by systemd.
|
||||
include <tunables/global>
|
||||
|
||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
|
||||
profile systemd @{lib}/systemd/** flags=(attach_disconnected) {
|
||||
|
||||
# Distributions and other programs can add rules in the usr/systemd.d directory
|
||||
## Section 1 - Non-file related permissions
|
||||
|
||||
capability audit_read, # can be phased out?
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability sys_admin,
|
||||
|
||||
# The following is needed by desktop environments
|
||||
# If on gnome, these can be phased out because the DE components are already covered
|
||||
# with profiles. For other desktops, these have to be allowed
|
||||
capability sys_nice,
|
||||
capability kill,
|
||||
|
||||
network netlink,
|
||||
network inet,
|
||||
network inet6,
|
||||
network packet,
|
||||
# network unix, # same as just allowing unix?
|
||||
# network local, # a thing?
|
||||
|
||||
unix (accept),
|
||||
unix (connect),
|
||||
unix (send),
|
||||
unix (receive),
|
||||
|
||||
ptrace (read),
|
||||
|
||||
dbus (send),
|
||||
dbus (receive),
|
||||
dbus (bind),
|
||||
|
||||
signal (send),
|
||||
signal (receive),
|
||||
|
||||
mount,
|
||||
remount,
|
||||
umount,
|
||||
|
||||
## Restrictions
|
||||
#
|
||||
## The following are implicitly denied with this profile. There are comments on
|
||||
## what they might break without dedicated profilesand how to address these breakages.
|
||||
#
|
||||
## mostly won't break anything with the current set of profiles
|
||||
# deny capability mknod,
|
||||
# deny capability setpcap,
|
||||
# deny capability checkpoint_restore,
|
||||
# deny capability audit_control,
|
||||
# deny capability net_bind_service,
|
||||
# deny capability block_suspend,
|
||||
# deny capability bpf,
|
||||
# deny capability ipc_owner,
|
||||
# deny capability sys_tty_config,
|
||||
# deny capability mac_admin, # intentional to protect policy
|
||||
# deny capability mac_override, # intentional to protect policy
|
||||
# deny capability sys_module,
|
||||
# deny capability linux_immutable,
|
||||
# deny capability lease,
|
||||
# deny capability net_broadcast,
|
||||
# deny capability perfmon,
|
||||
# deny capability sys_boot,
|
||||
# deny capability sys_pacct,
|
||||
# deny capability sys_time,
|
||||
# deny capability wake_alarm,
|
||||
# deny capability setfcap,
|
||||
#
|
||||
# deny pivot_root,
|
||||
#
|
||||
# deny unix (listen),
|
||||
# deny unix (create),
|
||||
# deny unix (getattr),
|
||||
# deny unix (setattr),
|
||||
# deny unix (setopt),
|
||||
# deny unix (getopt),
|
||||
#
|
||||
# deny ptrace (trace),
|
||||
# deny ptrace (tracedby),
|
||||
# deny ptrace (readby),
|
||||
#
|
||||
# deny network bluetooth,
|
||||
# deny network alg,
|
||||
# deny network ash,
|
||||
# deny network rose,
|
||||
# deny network x25,
|
||||
# deny network ax25,
|
||||
# deny network ipx,
|
||||
# deny network netrom,
|
||||
# deny network appletalk,
|
||||
# deny network econet,
|
||||
# deny network qipcrtr,
|
||||
# deny network bridge,
|
||||
# deny network atmpvc,
|
||||
# deny network netbeui,
|
||||
# deny network security,
|
||||
# deny network key,
|
||||
# deny network atmsvc,
|
||||
# deny network rds,
|
||||
# deny network irda,
|
||||
# deny network pppox,
|
||||
# deny network wanpipe,
|
||||
# deny network ib,
|
||||
# deny network mpls,
|
||||
# deny network can,
|
||||
# deny network tipc,
|
||||
# deny network rxrpc,
|
||||
# deny network isdn,
|
||||
# deny network phonet,
|
||||
# deny network ieee802154,
|
||||
# deny network caif,
|
||||
# deny network vsock,
|
||||
# deny network kcm,
|
||||
# deny network smc,
|
||||
# deny network xdp,
|
||||
#
|
||||
## will break firewalls with no profile, use firewalld as profile provided
|
||||
# deny capability net_raw,
|
||||
# deny capability net_admin,
|
||||
#
|
||||
## might break some desktop components without profile, won't brake on gnome or kde
|
||||
# deny capability ipc_lock,
|
||||
#
|
||||
## might break if you use utilities that don't have profiles (unlikely)
|
||||
# deny capability sys_rawio,
|
||||
# deny capability fsetid,
|
||||
#
|
||||
## will break electron apps without profiles, which the most common ones have here
|
||||
## might also break sandboxing utils if they don't have profiles, which the most common ones have here
|
||||
# deny capability sys_resource,
|
||||
# deny capability sys_chroot,
|
||||
#
|
||||
## most anything is covered with profiles, but some niche custom utils
|
||||
## or replacements or rewrites or very specific things can (probably won't) break
|
||||
## in that case it is worth making a profile request.
|
||||
# deny capability setgid,
|
||||
# deny capability setuid,
|
||||
|
||||
|
||||
# -----
|
||||
|
||||
## Section 2 - File permissions
|
||||
|
||||
## This is quite restrictive for a "general" profile.
|
||||
## Can of course be further restricted. Probably by a lot.
|
||||
|
||||
## The owner can read pretty much everything
|
||||
## He can also write to the directories
|
||||
## directly under root.
|
||||
/ r,
|
||||
owner / rwlk,
|
||||
|
||||
## Everyone can see the home directories
|
||||
## Only the owners allowed inside
|
||||
/home r,
|
||||
owner /home/** rwlkPix,
|
||||
|
||||
## Reserved for the owner 'root' only
|
||||
owner /boot/** rwlk,
|
||||
owner /root/** rwlk,
|
||||
|
||||
## Running binaries is allowed in these places
|
||||
## Modifying them requires ownership
|
||||
@{lib}/** rPix,
|
||||
owner @{lib}/** rwmlkPix,
|
||||
|
||||
@{bin}/** rPix,
|
||||
owner @{bin}/** rwmlkPix,
|
||||
|
||||
/opt/** rPix,
|
||||
owner /opt/** rwmlkPix,
|
||||
|
||||
## Reading /usr allowed, writing requires ownership
|
||||
/usr/** r,
|
||||
owner /usr/** rwlk,
|
||||
|
||||
## Reading files in temp requires ownership
|
||||
owner /{,var/}tmp/** rw,
|
||||
|
||||
## Reading /etc allowed, writing requires ownership
|
||||
/{,usr/local/}etc/** r,
|
||||
owner /{,usr/local/}etc/** rwmlk,
|
||||
|
||||
## Can be restricted? Maybe
|
||||
/dev/** rw,
|
||||
|
||||
## Owner can access his media and mount
|
||||
owner @{MOUNTDIR}/** rw,
|
||||
|
||||
## Many stuff run in /var. We deny executing tmp and log files.
|
||||
/var/** rwmlkPix,
|
||||
deny /var/log/** x,
|
||||
deny /var/tmp/** x,
|
||||
|
||||
## Can be restricted
|
||||
@{run}/** rw,
|
||||
owner @{run}/** rwlk,
|
||||
|
||||
## Reading can be more restricted for subdirs
|
||||
@{PROC}/** r,
|
||||
owner @{PROC}/** rw,
|
||||
|
||||
## Can definetely be restricted further
|
||||
@{sys}/** rw,
|
||||
|
||||
## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy
|
||||
deny /dev/mem rw,
|
||||
deny /dev/kmem rw,
|
||||
deny /dev/port rw,
|
||||
deny /dev/sd* rw,
|
||||
deny /dev/vd* rw,
|
||||
deny /dev/nvme* rw,
|
||||
deny /dev/disk/** rw,
|
||||
deny /dev/block/** rw,
|
||||
|
||||
include if exists <usr/full-policy.d>
|
||||
include if exists <local/full-policy>
|
||||
}
|
||||
|
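Review bot: The write-plus-execute rules `owner @{lib}/** rwmlkPix,`, `owner @{bin}/** rwmlkPix,`, `owner /opt/** rwmlkPix,` and `/var/** rwmlkPix,` let a confined process create a file and then execute it (only `/var/log/**` and `/var/tmp/**` are excluded by the two `deny ... x,` lines), which is the write-then-run pattern a full-system policy is meant to rule out; keeping `x`/`Pix` on the non-owner read rules and dropping it from the write rules, e.g. `owner @{lib}/** rwmlk,`, separates installing binaries from running them. The block-device restriction under `/dev/** rw,` is a denylist (`deny /dev/sd* rw,` and friends) and does not cover other block nodes such as /dev/mmcblk*, /dev/dm-*, /dev/loop* or /dev/md*, so an allowlist of the device nodes systemd actually needs would be more robust than a broad `/dev/** rw,` with exceptions. The comment near the top says drop-in rules belong in the `usr/systemd.d` directory, but the closing includes still reference `<usr/full-policy.d>` and `<local/full-policy>`; after the rename to `systemd` these presumably should read `include if exists <usr/systemd.d>` and `include if exists <local/systemd>`, otherwise local overrides are silently ignored.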