From ccf4b4df0675469989926d9c29b6e4c20a6c2808 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 9 Dec 2023 16:19:42 +0000
Subject: [PATCH] feat(profiles): add some whonix specific profiles.

Dev only, they may be moved into whonix repo later.
---
 apparmor.d/groups/whonix/msgdispatcher        | 34 +++++++++++++
 .../groups/whonix/open-link-confirmation      | 16 ++++++
 apparmor.d/groups/whonix/sensible-browser     | 23 +++++++++
 apparmor.d/groups/whonix/whonix-firewall-edit | 23 +++++++++
 .../groups/whonix/whonix-firewall-restarter   | 47 ++++++++++++++++++
 apparmor.d/groups/whonix/whonix-firewalld     | 49 +++++++++++++++++++
 apparmor.d/tunables/home.d/whonix             |  6 +++
 7 files changed, 198 insertions(+)
 create mode 100644 apparmor.d/groups/whonix/msgdispatcher
 create mode 100644 apparmor.d/groups/whonix/open-link-confirmation
 create mode 100644 apparmor.d/groups/whonix/sensible-browser
 create mode 100644 apparmor.d/groups/whonix/whonix-firewall-edit
 create mode 100644 apparmor.d/groups/whonix/whonix-firewall-restarter
 create mode 100644 apparmor.d/groups/whonix/whonix-firewalld
 create mode 100644 apparmor.d/tunables/home.d/whonix

diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher
new file mode 100644
index 00000000..37f9523f
--- /dev/null
+++ b/apparmor.d/groups/whonix/msgdispatcher
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/msgcollector/msgdispatcher
+profile msgdispatcher @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh           rix,
+  @{bin}/basename             rix,
+  @{bin}/flock                rix,
+  @{bin}/inotifywait          rix,
+  @{bin}/mkdir                rix,
+  @{bin}/mkfifo               rix,
+  @{bin}/rm                   rix,
+  @{bin}/sleep                rix,
+  @{bin}/touch                rix,
+  @{bin}/whoami               rix,
+
+  @{lib}/msgcollector/* r,
+
+        @{run}/msgcollector/ r,
+  owner @{run}/msgcollector/user/{,**} rwk,
+
+  include if exists <local/msgdispatcher>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation
new file mode 100644
index 00000000..0feefec1
--- /dev/null
+++ b/apparmor.d/groups/whonix/open-link-confirmation
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/open-link-confirmation/open-link-confirmation
+profile open-link-confirmation @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/open-link-confirmation>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser
new file mode 100644
index 00000000..63f6d230
--- /dev/null
+++ b/apparmor.d/groups/whonix/sensible-browser
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/sensible-browser
+profile sensible-browser @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh     rix,
+  @{bin}/whichbrowser   rix,
+  @{bin}/x-www-browser  rix,
+
+  @{bin}/torbrowser     rPx,
+
+  include if exists <local/sensible-browser>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/whonix/whonix-firewall-edit b/apparmor.d/groups/whonix/whonix-firewall-edit
new file mode 100644
index 00000000..1c71edd2
--- /dev/null
+++ b/apparmor.d/groups/whonix/whonix-firewall-edit
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/whonix-firewall/{firewall30default,firewall50user}
+profile whonix-firewall-edit @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh            rix,
+  @{bin}/gsudoedit             rix,
+
+  /etc/whonix_firewall.d/*.conf rw,
+
+  include if exists <local/whonix-firewall-edit>
+}
+
diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter
new file mode 100644
index 00000000..4d208326
--- /dev/null
+++ b/apparmor.d/groups/whonix/whonix-firewall-restarter
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/whonix-firewall/firewall-restarter
+profile whonix-firewall-restarter @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
+  include <abstractions/nameservice-strict>
+
+  capability chown,
+  capability net_admin,
+
+  ptrace read, # peer=,
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/chown              rix,
+  @{bin}/inotifywait        rix,
+  @{bin}/mkdir              rix,
+  @{bin}/mkfifo             rix,
+  @{bin}/mktemp             rix,
+  @{bin}/rm                 rix,
+  @{bin}/systemctl          rix,
+
+  /etc/machine-id r,
+
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/@{md5}/ r,
+  /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{md5}/system.journal* r,
+  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+
+ owner /tmp/tmp.@{rand10} rw,
+
+       @{run}/sdwdate/{,*} rw,
+ owner @{run}/updatesproxycheck/{,*} rw,
+
+  include if exists <local/whonix-firewall-restarter>
+}
+
diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld
new file mode 100644
index 00000000..835c679d
--- /dev/null
+++ b/apparmor.d/groups/whonix/whonix-firewalld
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall
+profile whonix-firewall @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability net_admin,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/date               rix,
+  @{bin}/id                 rix,
+  @{bin}/mkdir              rix,
+  @{bin}/rm                 rix,
+  @{bin}/touch              rix,
+  @{bin}/whonix-*-firewall  rix,
+  @{bin}/xtables-nft-multi  rix,
+
+  @{bin}/qubesdb-read      rPUx,
+  @{bin}/qubesdb-cmd       rPUx,
+
+  /etc/whonix_firewall.d/{,**} r,
+  /usr/local/etc/whonix_firewall.d/{,**} r,
+
+  /var/lib/whonix-firewall/{,**} rw,
+
+        @{run}/updatesproxycheck/ r,
+  owner @{run}/anon-firewall/{,**} rw,
+  owner @{run}/qubes-service/{,**} rw,
+  owner @{run}/updatesproxycheck/{,**} rw,
+  owner @{run}/whonix_firewall/{,**} rw,
+
+  include if exists <local/whonix-firewall>
+}
diff --git a/apparmor.d/tunables/home.d/whonix b/apparmor.d/tunables/home.d/whonix
new file mode 100644
index 00000000..08ba1336
--- /dev/null
+++ b/apparmor.d/tunables/home.d/whonix
@@ -0,0 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+alias /usr/bin/apt -> /usr/bin/apt.anondist,
+alias /usr/bin/apt -> /usr/bin/apt.anondist-orig,