Full-Policy integration for Whonix/Kicksecure - And also everyone else (#249)

* full-policy

* change path

* change

* big fix

* Delete apparmor.d/groups/_full/systemd

* Update and rename full-policy to systemd
This commit is contained in:
monsieuremre 2023-11-19 20:54:09 +00:00 committed by GitHub
parent f0cdadbdaf
commit 83a2a1cbf9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,14 +1,235 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# full-apparmor-policy
# Full System MAC Policy using AppArmor
#
# Copyright (c) 2023 monsieuremre <https://github.com/monsieuremre>
#
# This file is part of full-apparmor-policy. You can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# Main profile for full system policy.
abi <abi/3.0>,
# Profile for systemd (PID 1), it does not specify an attachment path because
# it is direclty used by systemd.
include <tunables/global>
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
profile systemd @{lib}/systemd/** flags=(attach_disconnected) {
# Distributions and other programs can add rules in the usr/systemd.d directory
## Section 1 - Non-file related permissions
capability audit_read, # can be phased out?
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability sys_admin,
# The following is needed by desktop environments
# If on gnome, these can be phased out because the DE components are already covered
# with profiles. For other desktops, these have to be allowed
capability sys_nice,
capability kill,
network netlink,
network inet,
network inet6,
network packet,
# network unix, # same as just allowing unix?
# network local, # a thing?
unix (accept),
unix (connect),
unix (send),
unix (receive),
ptrace (read),
dbus (send),
dbus (receive),
dbus (bind),
signal (send),
signal (receive),
mount,
remount,
umount,
## Restrictions
#
## The following are implicitly denied with this profile. There are comments on
## what they might break without dedicated profilesand how to address these breakages.
#
## mostly won't break anything with the current set of profiles
# deny capability mknod,
# deny capability setpcap,
# deny capability checkpoint_restore,
# deny capability audit_control,
# deny capability net_bind_service,
# deny capability block_suspend,
# deny capability bpf,
# deny capability ipc_owner,
# deny capability sys_tty_config,
# deny capability mac_admin, # intentional to protect policy
# deny capability mac_override, # intentional to protect policy
# deny capability sys_module,
# deny capability linux_immutable,
# deny capability lease,
# deny capability net_broadcast,
# deny capability perfmon,
# deny capability sys_boot,
# deny capability sys_pacct,
# deny capability sys_time,
# deny capability wake_alarm,
# deny capability setfcap,
#
# deny pivot_root,
#
# deny unix (listen),
# deny unix (create),
# deny unix (getattr),
# deny unix (setattr),
# deny unix (setopt),
# deny unix (getopt),
#
# deny ptrace (trace),
# deny ptrace (tracedby),
# deny ptrace (readby),
#
# deny network bluetooth,
# deny network alg,
# deny network ash,
# deny network rose,
# deny network x25,
# deny network ax25,
# deny network ipx,
# deny network netrom,
# deny network appletalk,
# deny network econet,
# deny network qipcrtr,
# deny network bridge,
# deny network atmpvc,
# deny network netbeui,
# deny network security,
# deny network key,
# deny network atmsvc,
# deny network rds,
# deny network irda,
# deny network pppox,
# deny network wanpipe,
# deny network ib,
# deny network mpls,
# deny network can,
# deny network tipc,
# deny network rxrpc,
# deny network isdn,
# deny network phonet,
# deny network ieee802154,
# deny network caif,
# deny network vsock,
# deny network kcm,
# deny network smc,
# deny network xdp,
#
## will break firewalls with no profile, use firewalld as profile provided
# deny capability net_raw,
# deny capability net_admin,
#
## might break some desktop components without profile, won't brake on gnome or kde
# deny capability ipc_lock,
#
## might break if you use utilities that don't have profiles (unlikely)
# deny capability sys_rawio,
# deny capability fsetid,
#
## will break electron apps without profiles, which the most common ones have here
## might also break sandboxing utils if they don't have profiles, which the most common ones have here
# deny capability sys_resource,
# deny capability sys_chroot,
#
## most anything is covered with profiles, but some niche custom utils
## or replacements or rewrites or very specific things can (probably won't) break
## in that case it is worth making a profile request.
# deny capability setgid,
# deny capability setuid,
# -----
## Section 2 - File permissions
## This is quite restrictive for a "general" profile.
## Can of course be further restricted. Probably by a lot.
## The owner can read pretty much everything
## He can also write to the directories
## directly under root.
/ r,
owner / rwlk,
## Everyone can see the home directories
## Only the owners allowed inside
/home r,
owner /home/** rwlkPix,
## Reserved for the owner 'root' only
owner /boot/** rwlk,
owner /root/** rwlk,
## Running binaries is allowed in these places
## Modifying them requires ownership
@{lib}/** rPix,
owner @{lib}/** rwmlkPix,
@{bin}/** rPix,
owner @{bin}/** rwmlkPix,
/opt/** rPix,
owner /opt/** rwmlkPix,
## Reading /usr allowed, writing requires ownership
/usr/** r,
owner /usr/** rwlk,
## Reading files in temp requires ownership
owner /{,var/}tmp/** rw,
## Reading /etc allowed, writing requires ownership
/{,usr/local/}etc/** r,
owner /{,usr/local/}etc/** rwmlk,
## Can be restricted? Maybe
/dev/** rw,
## Owner can access his media and mount
owner @{MOUNTDIR}/** rw,
## Many stuff run in /var. We deny executing tmp and log files.
/var/** rwmlkPix,
deny /var/log/** x,
deny /var/tmp/** x,
## Can be restricted
@{run}/** rw,
owner @{run}/** rwlk,
## Reading can be more restricted for subdirs
@{PROC}/** r,
owner @{PROC}/** rw,
## Can definetely be restricted further
@{sys}/** rw,
## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy
deny /dev/mem rw,
deny /dev/kmem rw,
deny /dev/port rw,
deny /dev/sd* rw,
deny /dev/vd* rw,
deny /dev/nvme* rw,
deny /dev/disk/** rw,
deny /dev/block/** rw,
include if exists <usr/full-policy.d>
include if exists <local/full-policy>
}