From c0e62f30bb9d0ed13dfe671360c0c7b34d773b43 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 10 Jul 2022 14:24:30 +0100
Subject: [PATCH] feat(profiles): add wireguard.

---
 apparmor.d/groups/network/wg       | 20 +++++++++++++
 apparmor.d/groups/network/wg-quick | 48 ++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 apparmor.d/groups/network/wg
 create mode 100644 apparmor.d/groups/network/wg-quick

diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
new file mode 100644
index 00000000..6f4bf4ea
--- /dev/null
+++ b/apparmor.d/groups/network/wg
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/wg
+profile wg @{exec_path} {
+  include <abstractions/base>
+
+  capability net_admin,
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  include if exists <local/wg>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
new file mode 100644
index 00000000..06ccb7d6
--- /dev/null
+++ b/apparmor.d/groups/network/wg-quick
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/wg-quick
+profile wg-quick @{exec_path} {
+  include <abstractions/base>
+
+  capability net_admin,
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}{s,}bin/nft            rix,
+  /{usr/,}{s,}bin/sysctl         rix,
+  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/cat                rix,
+  /{usr/,}bin/ip                 rPx,
+  /{usr/,}bin/readlink           rix,
+  /{usr/,}bin/resolvectl         rPx,
+  /{usr/,}bin/sort               rix,
+  /{usr/,}bin/stat               rix,
+  /{usr/,}bin/wg                 rPx,
+  /{usr/,}bin/xtables-nft-multi  rix,
+
+  /usr/share/terminfo/x/xterm-256color r,
+
+  /etc/iproute2/group  r,
+  /etc/iproute2/rt_realms r,
+  /etc/resolvconf/interface-order r,
+  /etc/wireguard/*.conf r,
+
+  @{sys}/module/wireguard r,
+
+  @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
+
+  /dev/tty rw,
+
+  # Force the use as root
+  deny /{usr/,}bin/sudo x,
+
+  include if exists <local/wg-quick>
+}
\ No newline at end of file