From 99e4c4622d79edc5c5d23c6a7da3c7e14ac46ddb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 24 Feb 2024 18:41:36 +0000
Subject: [PATCH] feat(abs): add initial version of the bwrap abs.

- To be used by profile that runs bwrap directly.
- Needs more rule when used alongside flatpak
---
 apparmor.d/abstractions/bwrap | 58 +++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 apparmor.d/abstractions/bwrap

diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap
new file mode 100644
index 00000000..87fb68e4
--- /dev/null
+++ b/apparmor.d/abstractions/bwrap
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for bwrap
+
+# A profile using this abstaction still needs to include: @{bin}/bwrap rix,
+
+ capability net_admin,
+ capability setpcap,
+ capability sys_admin,
+ capability sys_ptrace,
+
+ network netlink raw,
+
+ mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
+ mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/tmp/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
+ mount options=(ro nosuid nodev noexec remount bind silent relatime) -> /newroot/**/,
+ mount options=(ro nosuid nodev remount bind silent relatime) -> /newroot/**/,
+ mount options=(rw nosuid nodev remount bind silent relatime) -> /newroot/**/,
+ mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
+ mount options=(rw rbind) /oldroot/dev/* -> /newroot/dev/*,
+ mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},
+ mount options=(rw silent rprivate) -> /oldroot/,
+ mount options=(rw silent rslave) -> /,
+
+ umount /,
+ umount /oldroot/,
+
+ pivot_root oldroot=/newroot/ /newroot/,
+ pivot_root oldroot=/tmp/oldroot/ /tmp/,
+
+ owner / r,
+ owner /newroot/**/ w,
+ owner /newroot/dev/* w,
+
+ owner /tmp/newroot/ w,
+ owner /tmp/oldroot/ w,
+
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/user/max_user_namespaces r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/gid_map rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/setgroups rw,
+ owner @{PROC}/@{pid}/uid_map rw,
+
+ include if exists
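Review bot: The header calls this a minimal rule set, but the four `capability` rules (net_admin, setpcap, sys_admin, sys_ptrace) carry no comment saying which bwrap step needs each one, and an AppArmor capability rule is not scoped to the user namespace bwrap creates, so every profile that includes this abstraction gains those capabilities for the whole confined process. A one-line comment per rule, e.g. `capability sys_admin,  # mount/pivot_root of the sandbox root`, would let a profile author judge whether to include the abstraction or carry only the rules they need; presumably sys_admin backs the mount/pivot_root rules below and net_admin the network setup, but confirm against bwrap before documenting it. Separately, `abstaction` in the note line should read `abstraction`, and the final `include if exists` line appears truncated in this copy — it should presumably end with the drop-in path `<abstractions/bwrap.d>`, matching the file name.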