diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
new file mode 100644
index 00000000..ec74ebab
--- /dev/null
+++ b/apparmor.d/groups/_full/default
@@ -0,0 +1,124 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for unconfined programs
+
+abi ,
+
+include
+
+@{exec_path} = /**
+profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+
+ signal (receive) set=(hup),
+
+ @{bin}/{,**} r,
+ @{bin}/bwrap rPx -> default-bwrap,
+ @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
+ @{bin}/pulseaudio rPx -> systemd//&pulseaudio,
+ @{bin}/su rPx -> default-sudo,
+ @{bin}/sudo rPx -> default-sudo,
+ @{bin}/systemctl rix,
+
+ @{bin}/less rPx -> child-pager,
+ @{bin}/more rPx -> child-pager,
+ @{bin}/pager rPx -> child-pager,
+
+ @{bin}/exo-open rPx -> child-open,
+ @{bin}/xdg-open rPx -> child-open,
+
+ audit @{bin}/** Pix,
+ audit @{lib}/** Pix,
+ audit /opt/*/** Pix,
+ audit /usr/share/*/* Pix,
+
+ /usr/share/** r,
+
+ /etc/xdg/** r,
+
+ # Full access to user's data
+ / r,
+ /*/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/** rwl,
+ owner @{HOME}/{,**} rwl,
+ owner @{run}/user/@{uid}/{,**} rw,
+ owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/**,
+ owner @{user_share_dirs}/** rwkl -> @{user_share_dirs}/**,
+ owner /tmp/{,**} rwk,
+
+ owner @{run}/user/@{uid}/{,**} rw,
+
+ @{run}/systemd/userdb/ r,
+ @{run}/motd.dynamic.new rw,
+
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/firmware/acpi/pm_profile r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
+
+ @{PROC}/@{pid}/loginuid r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/limits r,
+ owner @{PROC}/@{pid}/mem r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
+ owner @{PROC}/@{pids}/task/ r,
+
+ /dev/ r,
+ /dev/ptmx rwk,
+ /dev/tty rwk,
+ owner /dev/tty@{int} rw,
+
+ include if exists
+ include if exists
+}
diff --git a/apparmor.d/groups/_full/default-app b/apparmor.d/groups/_full/default-app
new file mode 100644
index 00000000..9b195ea9
--- /dev/null
+++ b/apparmor.d/groups/_full/default-app
@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for user sandboxed application
+
diff --git a/apparmor.d/groups/_full/default-bwrap b/apparmor.d/groups/_full/default-bwrap
new file mode 100644
index 00000000..0ecde79e
--- /dev/null
+++ b/apparmor.d/groups/_full/default-bwrap
@@ -0,0 +1,5 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for bwrap
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
new file mode 100644
index 00000000..09a34319
--- /dev/null
+++ b/apparmor.d/groups/_full/default-sudo
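Review bot: `owner @{run}/user/@{uid}/{,**} rw,` is granted twice in this profile — once inside the "Full access to user's data" list and again on its own a few lines below it; drop the second copy. Because this profile attaches to `/**` and therefore becomes the policy for every otherwise-unconfined program, the bare `capability dac_override,` and `capability dac_read_search,` lines deserve a comment naming which caller needed them, since they let any root process that lands in this catch-all bypass file-permission checks instead of being scoped to that program's own profile; e.g. `# TODO(review): document which caller needs dac_override/dac_read_search in the catch-all, or move them to its own profile`. Likewise `owner @{PROC}/@{pids}/environ r,` exposes the environment of every other same-uid process, which routinely carries tokens and passwords, so a one-line comment recording why a catch-all profile needs it would help the next reader. main.flags loads this profile in complain mode, so nothing here is enforced yet, but these are the rules that will be enforced once the flag is removed.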
@@ -0,0 +1,84 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile default-sudo @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability mknod,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_resource,
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ ptrace (read),
+
+ @{bin}/sudo mr,
+ @{bin}/su mr,
+ @{lib}/sudo/** mr,
+
+ @{bin}/** Px,
+ @{lib}/** Px,
+ /opt/*/** Px,
+
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,*} r,
+ /etc/default/locale r,
+ /etc/machine-id r,
+ /etc/sudo.conf r,
+ /etc/sudoers r,
+ /etc/sudoers.d/{,*} r,
+
+ /var/db/sudo/lectured/ r,
+ /var/lib/extrausers/shadow r,
+ /var/lib/sudo/lectured/ r,
+ /var/lib/sudo/ts/ rw,
+ /var/lib/sudo/ts/* rwk,
+ /var/log/sudo.log wk,
+ owner /var/db/sudo/lectured/@{uid} rw,
+ owner /var/lib/sudo/lectured/* rw,
+
+ owner @{HOME}/.sudo_as_admin_successful rw,
+ owner @{HOME}/.xsession-errors w,
+
+ @{run}/ r,
+ @{run}/faillock/{,*} rwk,
+ @{run}/systemd/sessions/* r,
+ owner @{run}/sudo/ rw,
+ owner @{run}/sudo/ts/ rw,
+ owner @{run}/sudo/ts/* rwk,
+
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/loginuid r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/1/limits r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+
+ /dev/ r, # interactive login
+ /dev/ptmx rwk,
+ /dev/tty rwk,
+ owner /dev/tty@{int} rw,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 4b939b11..144c24dc 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
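Review bot: `profile default-sudo @{exec_path} {` references `@{exec_path}`, but this file never declares it — the `@{exec_path} = /**` in the sibling `default` file is local to that file, and apparmor_parser treats a reference to an undeclared variable as an error, so as written this profile should fail to load. Since `default-sudo` is only entered through the explicit `rPx -> default-sudo` transitions for su and sudo in the `default` profile, the attachment can simply be dropped, `profile default-sudo {`; alternatively declare `@{exec_path} = @{bin}/{su,sudo}` above the profile line. Separately, `@{bin}/** Px,`, `@{lib}/** Px,` and `/opt/*/** Px,` carry no `i` fallback, so anything sudo runs that has no matching profile is refused rather than inherited — presumably intended because `default` attaches to `/**` in full-system-policy mode, but a one-line comment saying so would spare the next reader the hunt. The file also ends without a trailing newline.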
@@ -90,8 +90,8 @@ profile systemd-user flags=(attach_disconnected) {
 @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pids}/status r,
- include if exists
- include if exists
+ include if exists
+ include if exists
 }
 include if exists
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 5e64a76d..7a34ebbe 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -1,6 +1,10 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: ' '
+default attach_disconnected,mediate_deleted,complain
+default-app attach_disconnected,complain
+default-bwrap attach_disconnected,complain
+default-sudo complain
 systemd attach_disconnected,mediate_deleted,complain
 systemd-user attach_disconnected,complain
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 43ebb0d0..71927003 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -180,7 +180,11 @@ func SetDefaultSystemd() error {
 // See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
 // Install full system policy profiles
- for _, name := range []string{"systemd", "systemd-user"} {
+ profiles := []string{
+ "systemd", "systemd-user",
+ "default", "default-bwrap", "default-sudo", "default-app",
+ }
+ for _, name := range profiles {
 err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 if err != nil {
 return err
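Review bot: `return err` hands the caller a bare copy error with no indication of which of the six profiles failed; wrap it as `return fmt.Errorf("installing full-system-policy profile %q: %w", name, err)` (assuming fmt is already imported in prepare.go, which this hunk does not show). The new `profiles` list is also a second copy of the names that dists/flags/main.flags declares for the same profiles, so hoisting it to a package-level `var fullSystemPolicyProfiles = []string{...}` would keep the two in one place. Note that `default-app` and `default-bwrap` are copied in unconditionally even though in this commit they contain only a header comment and no `profile` block; whether the later flag-rewriting step tolerates a profile file without a `profile ... {` line cannot be seen from here. The for loop and the function end outside this hunk.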