From a9c864fe605e897320df7807f2c47bdcb448201e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 9 Dec 2023 11:25:38 +0000
Subject: [PATCH] feat(profile): initial support for whonix.
---
 apparmor.d/groups/bus/dbus-daemon | 2 +
 apparmor.d/groups/freedesktop/xrdb | 4 +-
 apparmor.d/groups/grub/update-grub | 2 +
 .../groups/systemd/systemd-generator-getty | 2 +
 apparmor.d/profiles-g-l/lightdm | 106 ++++++------------
 apparmor.d/profiles-g-l/lightdm-gtk-greeter | 45 ++------
 apparmor.d/profiles-s-z/x11-xsession | 38 +++++--
 dists/flags/main.flags | 1 +
 8 files changed, 84 insertions(+), 116 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 76969fca..1f10b6b0 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -60,6 +60,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
+ @{lib}/mate-notification-daemon/mate-notification-daemon rPUx,
+ @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js rPx,
 /etc/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 910f769b..27a77f8b 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -23,10 +23,10 @@ profile xrdb @{exec_path} {
 @{lib}/llvm-[0-9]*/bin/clang rix,
 /usr/include/stdc-predef.h r,
+ /usr/etc/X11/xdm/Xresources r,
- @{etc_ro}/X11/Xresources r,
- @{etc_ro}/X11/Xresources/x11-common r,
+ /etc/X11/Xresources/* r,
 # The location of the .Xresources file
 owner @{HOME}/.Xdefaults r,
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index c3db281b..0538002b 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
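Review bot: The new `@{lib}/mate-notification-daemon/mate-notification-daemon rPUx,` lets dbus-daemon start that binary unconfined whenever no profile of that name is loaded, which is the silent default on any system where such a profile is missing. If the project already ships a profile for it, `rPx` would make confinement mandatory and turn a missing profile into a visible denial instead of an unconfined child; if it does not, a short comment stating that the unconfined fallback is intentional would help the next reviewer. The dbus-daemon profile body continues outside the hunk.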
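Review bot: The replacement `/etc/X11/Xresources/* r,` is narrower than the two rules it removes: it no longer matches `/etc/X11/Xresources` itself, which the removed `@{etc_ro}/X11/Xresources r,` covered on systems where that path is a plain file rather than a directory, and it drops `@{etc_ro}`, so whatever alternate read-only etc location that variable expands to is no longer covered (only `/usr/etc/X11/xdm/Xresources` is added back). A single rule such as `@{etc_ro}/X11/Xresources{,/*} r,` would keep both cases. The xrdb profile body continues outside the hunk.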
@@ -11,6 +11,8 @@ profile update-grub @{exec_path} {
 include
 include
+ capability dac_read_search,
+ @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
 @{bin}/grub-mkconfig rPx,
diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty
index 56b4ac9a..7bc89310 100644
--- a/apparmor.d/groups/systemd/systemd-generator-getty
+++ b/apparmor.d/groups/systemd/systemd-generator-getty
@@ -21,5 +21,7 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/cgroup r,
+ owner /dev/ttyS@{int} rw,
+ include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/lightdm b/apparmor.d/profiles-g-l/lightdm
index c340c654..5f8a3e23 100644
--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/profiles-g-l/lightdm
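Review bot: `capability dac_read_search,` lets update-grub bypass read and search permission checks on every path its file rules already allow, so those rules become the only limit on what it can read, and the hunk gives no hint of which access triggered the grant. The lightdm profile in this same patch had (and removes) per-capability comments of the form `# To remove the following errors: ...`; a one-line comment here naming the denied path or the audit log line that motivated the capability, e.g. `# dac_read_search: [denied path from the audit log]`, would keep the grant auditable. The rest of the update-grub profile body lies outside the hunk.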
@@ -8,115 +8,79 @@ abi ,
 include
 @{exec_path} = @{bin}/lightdm
-profile lightdm @{exec_path} {
+profile lightdm @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
+ include
 include
+ include
 include
 include
- include
 include
+ include
- # To remove the following errors:
- # lightdm[]: Could not chown user data directory /var/lib/lightdm/data/lightdm: Error setting
- # owner: Operation not permitted
+ audit capability sys_nice,
+ capability audit_write,
 capability chown,
+ capability dac_read_search,
 capability fowner,
 capability fsetid,
-
- # To remove the following errors:
- # write(2, "Failed to initialize supplementary groups for lightdm:
- # Operation not permitted\n", 79) = 79
+ capability kill,
+ capability net_admin,
 capability setgid,
-
- # To remove the following errors:
- # write(1, "Bail out! ERROR:privileges.c:30:privileges_drop: assertion failed:
- # (setresuid (uid, uid, -1) == 0)\n", 99) = 99
 capability setuid,
-
- # To remove the following errors:
- # lightdm[]: Could not enumerate user data directory /var/lib/lightdm/data: Error opening
- # directory '/var/lib/lightdm/data': Permission denied
- capability dac_read_search,
-
- # To remove the following errors:
- # Error using VT_ACTIVATE 7 on /dev/tty0: Operation not permitted
+ capability sys_resource,
 capability sys_tty_config,
- # To be able to kill the X-server
- capability kill,
-
- # To remove the following errors:
- # pam_limits(su-l:session): Could not set limit for 'nofile' to soft=1024, hard=1048576:
- # Operation not permitted; uid=1000,euid=0
- # pam_limits(su-l:session): Could not set limit for 'memlock' to soft=1017930240,
- # hard=1017930240: Operation not permitted; uid=1000,euid=0
- capability sys_resource,
-
- # Needed?
- capability audit_write,
- deny capability sys_nice,
- deny capability net_admin,
+ network netlink raw,
 signal (send) set=(term, kill, usr1),
 signal (receive) set=(usr1) peer=xorg,
 @{exec_path} mrix,
- @{bin}/plymouth mrix,
+ @{bin}/rm rix,
 @{bin}/lightdm-gtk-greeter rPx,
 @{bin}/startx rPx,
 @{bin}/Xorg rPx,
+ @{bin}/plymouth rPx,
+ @{bin}/gnome-keyring-daemon rPx,
- /etc/X11/Xsession rPUx,
- @{bin}/gnome-keyring-daemon rPUx,
+ @{lib}/security-misc/* rPUx, # only: whonix
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
- @{bin}/rm rix,
+ /etc/X11/Xsession rPUx,
- # LightDM files
 /usr/share/lightdm/{,**} r,
- /usr/share/xgreeters/{,**} r,
- /var/lib/lightdm/{,**} rw,
-
- # List of graphical sessions
- # The X sessions are covered by abstractions/X
 /usr/share/wayland-sessions/{,*.desktop} r,
+ /usr/share/xgreeters/{,**} r,
- /tmp/.X[0-9]*-lock r,
-
- # LightDM config files
+ /etc/default/locale r,
+ /etc/environment r,
 /etc/lightdm/{,**} r,
+ /etc/security/limits.d/{,*} r,
- # LightDM logs
+ /var/cache/lightdm/dmrc/*.dmrc* rw,
+ /var/lib/lightdm/{,**} rw,
 /var/log/lightdm/{,**} rw,
- @{run}/lightdm/{,**} rw,
- @{run}/lightdm.pid rw,
+ owner @{HOME}/.dmrc r,
+ owner @{HOME}/.Xauthority rw,
+ owner @{HOME}/.xsession-errors{,.old} rw,
- @{PROC}/1/limits r,
- @{etc_ro}/security/limits.d/ r,
+ @{run}/faillock/ rw,
+ @{run}/faillock/user rwk,
+ @{run}/lightdm.pid rw,
+ @{run}/lightdm/{,**} rw,
+ owner @{run}/systemd/sessions/@{int}.ref rw,
- owner @{PROC}/@{pid}/uid_map r,
- owner @{PROC}/@{pid}/loginuid rw,
- owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/1/limits r,
 @{PROC}/cmdline r,
-
- @{etc_ro}/environment r,
- /etc/default/locale r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/uid_map r,
 /dev/tty@{int} r,
- # Xsession logs
- owner @{HOME}/.xsession-errors{,.old} rw,
-
- owner @{HOME}/.Xauthority rw,
-
- owner @{HOME}/.dmrc* rw,
- /var/cache/lightdm/dmrc/*.dmrc* rw,
-
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/lightdm-gtk-greeter b/apparmor.d/profiles-g-l/lightdm-gtk-greeter
index 0ec35e27..add639a6 100644
--- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter
+++ b/apparmor.d/profiles-g-l/lightdm-gtk-greeter
@@ -10,12 +10,12 @@ include
 @{exec_path} = @{bin}/lightdm-gtk-greeter
 profile lightdm-gtk-greeter @{exec_path} {
 include
- include
- include
- include
- include
 include
+ include
+ include
+ include
 include
+ include
 signal (receive) set=(term, kill) peer=lightdm,
@@ -24,53 +24,32 @@ profile lightdm-gtk-greeter @{exec_path} {
 @{bin}/locale rix,
 @{lib}/systemd/systemd rCx -> systemd,
+ @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
- # LightDM files
+ /usr/share/desktop-base/{,**} r,
 /usr/share/lightdm/{,**} r,
- /var/lib/lightdm/{,**} rw,
-
- # List of graphical sessions
- # The X sessions are covered by abstractions/X
 /usr/share/wayland-sessions/{,*.desktop} r,
- # Greeter theme
- /var/lib/AccountsService/{,**} r,
- /usr/share/desktop-base/{,**} r,
-
- # LightDM config files
 /etc/lightdm/{,**} r,
- # LightDM logs
+ /var/lib/AccountsService/{,**} r,
+ /var/lib/lightdm/{,**} rw,
 /var/log/lightdm/{,**} rw,
- owner @{HOME}/.face r,
- owner @{PROC}/@{pid}/fd/ r,
- # For account icons
- @{HOME}/.dmrc r,
- @{HOME}/.face r,
-
- @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
-
 profile systemd {
 include
+ include
+ include
 @{lib}/systemd/systemd mr,
 /etc/systemd/user.conf r,
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- # file_inherit
- /var/log/lightdm/seat[0-9]*-greeter.log w,
+ owner @{PROC}/@{pid}/oom_score_adj r,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
index c5defcf3..dab9ed3d 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
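Review bot: `@{lib}/security-misc/* rPUx, # only: whonix` is the broadest new rule in the lightdm profile: the wildcard matches every file that ever lands in that directory, and `PUx` runs each one unconfined whenever no matching profile is loaded, presumably with the display manager's root privileges and the capabilities granted higher in the hunk. Listing the helpers lightdm actually executes, or giving them a profile and using `rPx`, keeps the executable set explicit, and unless the build tooling acts on the `# only: whonix` marker the rule is active on every distribution. In the same hunk `capability net_admin,` and `network netlink raw,` replace the former `deny capability net_admin,` while the old per-capability error comments are dropped, so a one-line reason per grant in the style of the removed `# To remove the following errors:` comments would keep these reviewable.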
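Review bot: In the second lightdm-gtk-greeter hunk the removed `@{HOME}/.dmrc r,` and `@{HOME}/.face r,` (annotated `# For account icons`) and the removed `/var/log/lightdm/seat[0-9]*-greeter.log w,` in the `systemd` subprofile (annotated `# file_inherit`) have no visible replacement, and the hunk's `include` lines do not show which abstractions now apply. If those accesses are now covered by an abstraction, a short comment in place of the removed ones would say so; otherwise the greeter presumably loses user avatars and writes to the inherited greeter log descriptor will be denied. The first hunk of this file only reorders includes and raises nothing.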
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
-# Copyright (C) 2023 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,21 +11,27 @@ include
 profile x11-xsession @{exec_path} {
 include
 include
- include
+ include
 @{exec_path} r,
 @{bin}/{,ba,da}sh rix,
 @{bin}/{,e}grep rix,
 @{bin}/{m,g,}awk rix,
+ @{bin}/basename rix,
 @{bin}/cat rix,
 @{bin}/chmod rix,
+ @{bin}/cut rix,
 @{bin}/date rix,
 @{bin}/fold rix,
 @{bin}/head rix,
 @{bin}/id rix,
+ @{bin}/mktemp rix,
+ @{bin}/readlink rix,
 @{bin}/rm rix,
 @{bin}/sed rix,
+ @{bin}/sleep rix,
+ @{bin}/tail rix,
 @{bin}/tempfile rix,
 @{bin}/touch rix,
 @{bin}/which{,.debianutils} rix,
@@ -36,11 +42,13 @@ profile x11-xsession @{exec_path} {
 @{bin}/run-parts rCx -> run-parts,
 @{bin}/udevadm rCx -> udevadm,
- @{bin}/flatpak rPx,
- @{bin}/xrdb rPx,
- @{bin}/numlockx rPx,
- @{bin}/xhost rPx,
- @{bin}/glxinfo rPx,
+ @{bin}/flatpak rPx,
+ @{bin}/glxinfo rPx,
+ @{bin}/numlockx rPx,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/xhost rPx,
+ @{bin}/xrdb rPx,
+ @{bin}/xset rPx,
 # Allowed GUI sessions to start
 @{bin}/openbox-session rPx,
@@ -48,9 +56,17 @@ profile x11-xsession @{exec_path} {
 @{bin}/sway rPUx,
 @{bin}/ssh-agent rPx,
+ @{bin}/sudo rPx, # only: whonix
+ @{lib}/*/*.sh r,
+ /etc/default/{,*} r,
+ /etc/profile.d/*.sh r,
+ /etc/X11/{,**} r,
+
+ owner @{HOME}/.xsession-errors w,
 owner /tmp/file* rw,
+ owner /tmp/tmp.@{rand10} rw,
 profile run-parts {
 include
@@ -62,7 +78,6 @@ profile x11-xsession @{exec_path} {
 /etc/default/kexec.d/ r,
- # file_inherit
 owner @{HOME}/.xsession-errors w,
 include if exists
@@ -73,8 +88,11 @@ profile x11-xsession @{exec_path} {
 @{bin}/dbus-update-activation-environment mr,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
+ /var/lib/dbus/machine-id r,
+
+ owner @{HOME}/.xsession-errors rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
 }
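Review bot: `@{lib}/*/*.sh r,` in the `@@ -48,9 +56,17 @@` hunk grants the session script read access to every `.sh` file one directory below `@{lib}`, and since the profile already runs `@{bin}/{,ba,da}sh rix,`, read access is all that is needed to source any of them; the `# only: whonix` marker on the neighbouring `@{bin}/sudo rPx,` line suggests one specific helper directory is intended. Naming that directory keeps the sourced set explicit, e.g. `@{lib}/[helper directory]/*.sh r, # only: whonix` with the real path filled in. The `@{bin}/sudo rPx, # only: whonix` line also deserves a comment naming the command the session invokes through sudo, since an unexplained privilege-escalation path in a per-user session script is what a later reviewer will question first. The x11-xsession profile body continues outside this hunk.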
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 8f6d6f53..bc1e89a9 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -367,6 +367,7 @@ systemd-resolve complain
 systemd-resolved attach_disconnected,complain
 systemd-shutdown complain
 systemd-sleep complain
+systemd-socket-proxyd complain
 systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
 systemd-udevd attach_disconnected,complain