From 83a2a1cbf9e210b5f39afe1218e523785b794aed Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sun, 19 Nov 2023 20:54:09 +0000 Subject: [PATCH] Full-Policy integration for Whonix/Kicksecure - And also everyone else (#249) * full-policy * change path * change * big fix * Delete apparmor.d/groups/_full/systemd * Update and rename full-policy to systemd --- apparmor.d/groups/_full/systemd | 239 ++++++++++++++++++++++++++++++-- 1 file changed, 230 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index ddf859ad..948bd704 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -1,14 +1,235 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only +# full-apparmor-policy +# Full System MAC Policy using AppArmor +# +# Copyright (c) 2023 monsieuremre +# +# This file is part of full-apparmor-policy. You can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. -# Main profile for full system policy. +abi , -# Profile for systemd (PID 1), it does not specify an attachment path because -# it is direclty used by systemd. +include -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy. +profile systemd @{lib}/systemd/** flags=(attach_disconnected) { -# Distributions and other programs can add rules in the usr/systemd.d directory + ## Section 1 - Non-file related permissions + + capability audit_read, # can be phased out? + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability sys_admin, + # The following is needed by desktop environments + # If on gnome, these can be phased out because the DE components are already covered + # with profiles. For other desktops, these have to be allowed + capability sys_nice, + capability kill, + + network netlink, + network inet, + network inet6, + network packet, + # network unix, # same as just allowing unix? + # network local, # a thing? + + unix (accept), + unix (connect), + unix (send), + unix (receive), + + ptrace (read), + + dbus (send), + dbus (receive), + dbus (bind), + + signal (send), + signal (receive), + + mount, + remount, + umount, + + ## Restrictions + # + ## The following are implicitly denied with this profile. There are comments on + ## what they might break without dedicated profilesand how to address these breakages. + # + ## mostly won't break anything with the current set of profiles + # deny capability mknod, + # deny capability setpcap, + # deny capability checkpoint_restore, + # deny capability audit_control, + # deny capability net_bind_service, + # deny capability block_suspend, + # deny capability bpf, + # deny capability ipc_owner, + # deny capability sys_tty_config, + # deny capability mac_admin, # intentional to protect policy + # deny capability mac_override, # intentional to protect policy + # deny capability sys_module, + # deny capability linux_immutable, + # deny capability lease, + # deny capability net_broadcast, + # deny capability perfmon, + # deny capability sys_boot, + # deny capability sys_pacct, + # deny capability sys_time, + # deny capability wake_alarm, + # deny capability setfcap, + # + # deny pivot_root, + # + # deny unix (listen), + # deny unix (create), + # deny unix (getattr), + # deny unix (setattr), + # deny unix (setopt), + # deny unix (getopt), + # + # deny ptrace (trace), + # deny ptrace (tracedby), + # deny ptrace (readby), + # + # deny network bluetooth, + # deny network alg, + # deny network ash, + # deny network rose, + # deny network x25, + # deny network ax25, + # deny network ipx, + # deny network netrom, + # deny network appletalk, + # deny network econet, + # deny network qipcrtr, + # deny network bridge, + # deny network atmpvc, + # deny network netbeui, + # deny network security, + # deny network key, + # deny network atmsvc, + # deny network rds, + # deny network irda, + # deny network pppox, + # deny network wanpipe, + # deny network ib, + # deny network mpls, + # deny network can, + # deny network tipc, + # deny network rxrpc, + # deny network isdn, + # deny network phonet, + # deny network ieee802154, + # deny network caif, + # deny network vsock, + # deny network kcm, + # deny network smc, + # deny network xdp, + # + ## will break firewalls with no profile, use firewalld as profile provided + # deny capability net_raw, + # deny capability net_admin, + # + ## might break some desktop components without profile, won't brake on gnome or kde + # deny capability ipc_lock, + # + ## might break if you use utilities that don't have profiles (unlikely) + # deny capability sys_rawio, + # deny capability fsetid, + # + ## will break electron apps without profiles, which the most common ones have here + ## might also break sandboxing utils if they don't have profiles, which the most common ones have here + # deny capability sys_resource, + # deny capability sys_chroot, + # + ## most anything is covered with profiles, but some niche custom utils + ## or replacements or rewrites or very specific things can (probably won't) break + ## in that case it is worth making a profile request. + # deny capability setgid, + # deny capability setuid, + + + # ----- + + ## Section 2 - File permissions + + ## This is quite restrictive for a "general" profile. + ## Can of course be further restricted. Probably by a lot. + + ## The owner can read pretty much everything + ## He can also write to the directories + ## directly under root. + / r, + owner / rwlk, + + ## Everyone can see the home directories + ## Only the owners allowed inside + /home r, + owner /home/** rwlkPix, + + ## Reserved for the owner 'root' only + owner /boot/** rwlk, + owner /root/** rwlk, + + ## Running binaries is allowed in these places + ## Modifying them requires ownership + @{lib}/** rPix, + owner @{lib}/** rwmlkPix, + + @{bin}/** rPix, + owner @{bin}/** rwmlkPix, + + /opt/** rPix, + owner /opt/** rwmlkPix, + + ## Reading /usr allowed, writing requires ownership + /usr/** r, + owner /usr/** rwlk, + + ## Reading files in temp requires ownership + owner /{,var/}tmp/** rw, + + ## Reading /etc allowed, writing requires ownership + /{,usr/local/}etc/** r, + owner /{,usr/local/}etc/** rwmlk, + + ## Can be restricted? Maybe + /dev/** rw, + + ## Owner can access his media and mount + owner @{MOUNTDIR}/** rw, + + ## Many stuff run in /var. We deny executing tmp and log files. + /var/** rwmlkPix, + deny /var/log/** x, + deny /var/tmp/** x, + + ## Can be restricted + @{run}/** rw, + owner @{run}/** rwlk, + + ## Reading can be more restricted for subdirs + @{PROC}/** r, + owner @{PROC}/** rw, + + ## Can definetely be restricted further + @{sys}/** rw, + + ## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy + deny /dev/mem rw, + deny /dev/kmem rw, + deny /dev/port rw, + deny /dev/sd* rw, + deny /dev/vd* rw, + deny /dev/nvme* rw, + deny /dev/disk/** rw, + deny /dev/block/** rw, + + include if exists + include if exists +}