feat(abs): add initial version of the bwrap abs.

- To be used by profile that runs bwrap directly. - Needs more rule when used alongside flatpak
2025-01-18 17:08:09 +01:00 · 2024-02-24 18:41:36 +00:00 · 2024-02-24 18:41:36 +00:00 · 99e4c4622d
commit 99e4c4622d
parent 975bbabf9c
1 changed files with 58 additions and 0 deletions
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for bwrap
+
+# A profile using this abstaction still needs to include: @{bin}/bwrap rix,
+
+  capability net_admin,
+  capability setpcap,
+  capability sys_admin,
+  capability sys_ptrace,
+
+  network netlink raw,
+
+  mount fstype=devpts options=(rw nosuid noexec)                devpts -> /newroot/dev/pts/,
+  mount fstype=proc options=(rw nosuid nodev noexec)              proc -> /newroot/@{PROC}/,
+  mount fstype=tmpfs options=(rw nosuid nodev)                   tmpfs -> /newroot/dev/,
+  mount fstype=tmpfs options=(rw nosuid nodev)                   tmpfs -> /newroot/tmp/,
+  mount fstype=tmpfs options=(rw nosuid nodev)                   tmpfs -> /tmp/,
+  mount options=(ro nosuid nodev noexec remount bind silent relatime)  -> /newroot/**/,
+  mount options=(ro nosuid nodev remount bind silent relatime)         -> /newroot/**/,
+  mount options=(rw nosuid nodev remount bind silent relatime)         -> /newroot/**/,
+  mount options=(rw rbind)                               /tmp/newroot/ -> /tmp/newroot/,
+  mount options=(rw rbind)                              /oldroot/dev/* -> /newroot/dev/*, 
+  mount options=(rw rbind)                             /oldroot/{,**/} -> /newroot/{,**/},
+  mount options=(rw silent rprivate)                                   -> /oldroot/,
+  mount options=(rw silent rslave)                                     -> /,
+
+  umount /,
+  umount /oldroot/,
+
+  pivot_root oldroot=/newroot/ /newroot/,
+  pivot_root oldroot=/tmp/oldroot/ /tmp/,
+
+  owner / r,
+  owner /newroot/**/ w,
+  owner /newroot/dev/* w,
+
+  owner /tmp/newroot/ w,
+  owner /tmp/oldroot/ w,
+
+  @{sys}/fs/cgroup/user.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+
+        @{PROC}/sys/kernel/overflowgid r,
+        @{PROC}/sys/kernel/overflowuid r,
+        @{PROC}/sys/user/max_user_namespaces r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/gid_map rw,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/uid_map rw,
+
+  include if exists <abstractions/bwrap.d>