feat(full): add default fallback profile.

See #252

apparmor.d/groups/_full/default

@@ -0,0 +1,124 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for unconfined programs
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /**
+profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/bash>
+  include <abstractions/consoles>
+  include <abstractions/dbus-session>
+  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gnome>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/video>
+  include <abstractions/vulkan>
+  include <abstractions/zsh>
+
+  capability dac_override,
+  capability dac_read_search,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink dgram,
+  network netlink raw,
+
+  signal (receive) set=(hup),
+
+  @{bin}/{,**} r,
+  @{bin}/bwrap           rPx -> default-bwrap,
+  @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
+  @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
+  @{bin}/su              rPx -> default-sudo,
+  @{bin}/sudo            rPx -> default-sudo,
+  @{bin}/systemctl       rix,
+
+  @{bin}/less            rPx -> child-pager,
+  @{bin}/more            rPx -> child-pager,
+  @{bin}/pager           rPx -> child-pager,
+
+  @{bin}/exo-open        rPx -> child-open,
+  @{bin}/xdg-open        rPx -> child-open,
+
+  audit @{bin}/**        Pix,
+  audit @{lib}/**        Pix,
+  audit /opt/*/**        Pix,
+  audit /usr/share/*/*   Pix,
+
+  /usr/share/** r,
+
+  /etc/xdg/** r,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rwl,
+  owner @{HOME}/{,**} rwl,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/**,
+  owner @{user_share_dirs}/** rwkl -> @{user_share_dirs}/**,
+  owner /tmp/{,**} rwk,
+
+  owner @{run}/user/@{uid}/{,**} rw,
+
+  @{run}/systemd/userdb/ r,
+  @{run}/motd.dynamic.new rw,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/input/ r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/firmware/acpi/pm_profile r,
+
+  @{sys}/devices/**/uevent r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
+
+        @{PROC}/@{pid}/loginuid r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/core_pattern r,
+        @{PROC}/sys/kernel/random/boot_id r,
+        @{PROC}/sys/kernel/seccomp/actions_avail r,
+        @{PROC}/zoneinfo r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/mem r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  owner @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pids}/environ r,
+  owner @{PROC}/@{pids}/task/ r,
+
+        /dev/ r,
+        /dev/ptmx rwk,
+        /dev/tty rwk,
+  owner /dev/tty@{int} rw,
+
+  include if exists <usr/default.d>
+  include if exists <local/default>
+}

apparmor.d/groups/_full/default-app

@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for user sandboxed application
+

apparmor.d/groups/_full/default-bwrap

@@ -0,0 +1,5 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for bwrap

apparmor.d/groups/_full/default-sudo

@@ -0,0 +1,84 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile default-sudo @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
+
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability mknod,
+  capability net_admin,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+  capability sys_resource,
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  ptrace (read),
+
+  @{bin}/sudo     mr,
+  @{bin}/su       mr,
+  @{lib}/sudo/**  mr,
+
+  @{bin}/**       Px,
+  @{lib}/**       Px,
+  /opt/*/**       Px,
+
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
+  /etc/default/locale r,
+  /etc/machine-id r,
+  /etc/sudo.conf r,
+  /etc/sudoers r,
+  /etc/sudoers.d/{,*} r,
+
+        /var/db/sudo/lectured/ r,
+        /var/lib/extrausers/shadow r,
+        /var/lib/sudo/lectured/ r,
+        /var/lib/sudo/ts/ rw,
+        /var/lib/sudo/ts/* rwk,
+        /var/log/sudo.log wk,
+  owner /var/db/sudo/lectured/@{uid} rw,
+  owner /var/lib/sudo/lectured/* rw,
+
+  owner @{HOME}/.sudo_as_admin_successful rw,
+  owner @{HOME}/.xsession-errors w,
+
+        @{run}/ r,
+        @{run}/faillock/{,*} rwk,
+        @{run}/systemd/sessions/* r,
+  owner @{run}/sudo/ rw,
+  owner @{run}/sudo/ts/ rw,
+  owner @{run}/sudo/ts/* rwk,
+
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/fd/ r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/1/limits r,
+  @{PROC}/sys/kernel/seccomp/actions_avail r,
+
+        /dev/ r,    # interactive login
+        /dev/ptmx rwk,
+        /dev/tty rwk,
+  owner /dev/tty@{int} rw,
+
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
+  include if exists <local/default-sudo>
+}

apparmor.d/groups/_full/systemd-user

@@ -90,8 +90,8 @@ profile systemd-user flags=(attach_disconnected) {
           @{PROC}/sys/kernel/osrelease r,
     owner @{PROC}/@{pids}/status r,
 
-    include if exists <usr/systemd_systemctl.d>
+    include if exists <usr/systemd-user_systemctl.d>
-    include if exists <local/systemd_systemctl>
+    include if exists <local/systemd-user_systemctl>
   }
 
   include if exists <usr/systemd-user.d>

dists/flags/main.flags

@@ -1,6 +1,10 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'
 
+default attach_disconnected,mediate_deleted,complain
+default-app attach_disconnected,complain
+default-bwrap attach_disconnected,complain
+default-sudo complain
 systemd attach_disconnected,mediate_deleted,complain
 systemd-user attach_disconnected,complain
 

pkg/prebuild/prepare.go

@@ -180,7 +180,11 @@ func SetDefaultSystemd() error {
 // See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
 	// Install full system policy profiles
-	for _, name := range []string{"systemd", "systemd-user"} {
+	profiles := []string{
+		"systemd", "systemd-user",
+		"default", "default-bwrap", "default-sudo", "default-app",
+	}
+	for _, name := range profiles {
 		err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 		if err != nil {
 			return err