Merge branch 'main' of github.com:roddhjav/apparmor.d

* 'main' of github.com:roddhjav/apparmor.d: Full-Policy integration for Whonix/Kicksecure - And also everyone else (#249)
2024-11-14 23:43:56 +01:00 · 2023-11-19 20:54:34 +00:00 · 2023-11-19 20:54:34 +00:00 · 8686cc458f
commit 8686cc458f
parent 3aa07e4d64 83a2a1cbf9
1 changed files with 230 additions and 9 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -1,14 +1,235 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
+# full-apparmor-policy
+# Full System MAC Policy using AppArmor
+#
+# Copyright (c) 2023 monsieuremre <https://github.com/monsieuremre>
+#  
+# This file is part of full-apparmor-policy. You can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.

-# Main profile for full system policy.
+abi <abi/3.0>,

-# Profile for systemd (PID 1), it does not specify an attachment path because
-# it is direclty used by systemd.
+include <tunables/global>

-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
+profile systemd @{lib}/systemd/** flags=(attach_disconnected) {

-# Distributions and other programs can add rules in the usr/systemd.d directory
+  ## Section 1 - Non-file related permissions
+  
+  capability audit_read, # can be phased out?
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability sys_admin,

+  # The following is needed by desktop environments
+  # If on gnome, these can be phased out because the DE components are already covered
+  # with profiles. For other desktops, these have to be allowed
+  capability sys_nice,
+  capability kill,
+  
+  network netlink,
+  network inet,
+  network inet6,
+  network packet,
+  # network unix, # same as just allowing unix?
+  # network local, # a thing?
+  
+  unix (accept),
+  unix (connect),
+  unix (send),
+  unix (receive),
+  
+  ptrace (read),
+  
+  dbus (send),
+  dbus (receive),
+  dbus (bind),
+    
+  signal (send),
+  signal (receive),
+  
+  mount,
+  remount,
+  umount,
+  
+  ## Restrictions
+  #
+  ## The following are implicitly denied with this profile. There are comments on
+  ## what they might break without dedicated profilesand how to address these breakages.
+  #
+  ## mostly won't break anything with the current set of profiles
+  # deny capability mknod,   
+  # deny capability setpcap,
+  # deny capability checkpoint_restore,
+  # deny capability audit_control,
+  # deny capability net_bind_service,
+  # deny capability block_suspend,
+  # deny capability bpf,
+  # deny capability ipc_owner,
+  # deny capability sys_tty_config,
+  # deny capability mac_admin, # intentional to protect policy
+  # deny capability mac_override, # intentional to protect policy
+  # deny capability sys_module,
+  # deny capability linux_immutable,
+  # deny capability lease,
+  # deny capability net_broadcast,
+  # deny capability perfmon,
+  # deny capability sys_boot,
+  # deny capability sys_pacct,
+  # deny capability sys_time,
+  # deny capability wake_alarm,
+  # deny capability setfcap,
+  #
+  # deny pivot_root, 
+  #
+  # deny unix (listen),
+  # deny unix (create),
+  # deny unix (getattr),
+  # deny unix (setattr),
+  # deny unix (setopt),
+  # deny unix (getopt),
+  #
+  # deny ptrace (trace),
+  # deny ptrace (tracedby),
+  # deny ptrace (readby),
+  #
+  # deny network bluetooth,
+  # deny network alg,
+  # deny network ash,
+  # deny network rose,
+  # deny network x25,
+  # deny network ax25,
+  # deny network ipx,
+  # deny network netrom,
+  # deny network appletalk,
+  # deny network econet,
+  # deny network qipcrtr,
+  # deny network bridge,
+  # deny network atmpvc,
+  # deny network netbeui,
+  # deny network security,
+  # deny network key,
+  # deny network atmsvc,
+  # deny network rds,
+  # deny network irda,
+  # deny network pppox,
+  # deny network wanpipe,
+  # deny network ib,
+  # deny network mpls,
+  # deny network can,
+  # deny network tipc,
+  # deny network rxrpc,
+  # deny network isdn,
+  # deny network phonet,
+  # deny network ieee802154,
+  # deny network caif,
+  # deny network vsock,
+  # deny network kcm,
+  # deny network smc,
+  # deny network xdp,
+  #
+  ## will break firewalls with no profile, use firewalld as profile provided
+  #  deny capability net_raw,
+  #  deny capability net_admin,
+  #
+  ## might break some desktop components without profile, won't brake on gnome or kde
+  # deny capability ipc_lock,
+  #
+  ## might break if you use utilities that don't have profiles (unlikely)
+  # deny capability sys_rawio,
+  # deny capability fsetid,
+  #
+  ## will break electron apps without profiles, which the most common ones have here
+  ## might also break sandboxing utils if they don't have profiles, which the most common ones have here
+  # deny capability sys_resource,
+  # deny capability sys_chroot,
+  #
+  ## most anything is covered with profiles, but some niche custom utils
+  ## or replacements or rewrites or very specific things can (probably won't) break
+  ## in that case it is worth making a profile request.
+  # deny capability setgid,
+  # deny capability setuid,
+
+
+  # -----
+  
+  ## Section 2 - File permissions
+  
+  ## This is quite restrictive for a "general" profile.
+  ## Can of course be further restricted. Probably by a lot.
+  
+  ## The owner can read pretty much everything
+  ## He can also write to the directories
+  ## directly under root.
+  / r,
+  owner / rwlk,
+
+  ## Everyone can see the home directories
+  ## Only the owners allowed inside
+  /home r,
+  owner /home/** rwlkPix,
+
+  ## Reserved for the owner 'root' only
+  owner /boot/** rwlk,
+  owner /root/** rwlk,
+
+  ## Running binaries is allowed in these places
+  ## Modifying them requires ownership
+  @{lib}/** rPix,
+  owner @{lib}/** rwmlkPix,
+
+  @{bin}/** rPix,
+  owner @{bin}/** rwmlkPix,
+
+  /opt/** rPix,
+  owner /opt/** rwmlkPix,
+  
+  ## Reading /usr allowed, writing requires ownership
+  /usr/** r,
+  owner /usr/** rwlk,
+
+  ## Reading files in temp requires ownership
+  owner /{,var/}tmp/** rw,
+ 
+  ## Reading /etc allowed, writing requires ownership
+  /{,usr/local/}etc/** r,
+  owner /{,usr/local/}etc/** rwmlk,
+
+  ## Can be restricted? Maybe
+  /dev/** rw,
+
+  ## Owner can access his media and mount
+  owner @{MOUNTDIR}/** rw,
+
+  ## Many stuff run in /var. We deny executing tmp and log files.
+  /var/** rwmlkPix,
+  deny /var/log/** x,
+  deny /var/tmp/** x,
+
+  ## Can be restricted
+  @{run}/** rw,
+  owner @{run}/** rwlk,
+
+  ## Reading can be more restricted for subdirs
+  @{PROC}/** r,
+  owner @{PROC}/** rw,
+  
+  ## Can definetely be restricted further
+  @{sys}/** rw,
+  
+  ## Explicitly deny access to memory, I/O ports and the disk in other ways to circumvent the policy
+  deny /dev/mem rw,
+  deny /dev/kmem rw,
+  deny /dev/port rw,
+  deny /dev/sd* rw,
+  deny /dev/vd* rw,
+  deny /dev/nvme* rw,
+  deny /dev/disk/** rw,
+  deny /dev/block/** rw,
+
+  include if exists <usr/full-policy.d>
+  include if exists <local/full-policy>
+}