diff --git a/profiles/apparmor.d/wg b/profiles/apparmor.d/wg
new file mode 100644
index 000000000..9698a7ac4
--- /dev/null
+++ b/profiles/apparmor.d/wg
@@ -0,0 +1,35 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi ,
+
+include
+
+profile wg /usr/bin/wg flags=(attach_disconnected){
+ include
+ include
+
+ capability net_admin,
+ capability net_bind_service,
+
+ # Network access rules
+ network netlink raw,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ # wireguard configuration and key files
+ file rw @{etc_rw}/wireguard/{,**},
+
+ file mr /usr/bin/wg,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/wg-quick b/profiles/apparmor.d/wg-quick
new file mode 100644
index 000000000..68b191c86
--- /dev/null
+++ b/profiles/apparmor.d/wg-quick
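Review bot: `file rw @{etc_rw}/wireguard/{,**}` in the wg profile grants write access that the wg binary does not appear to need: wg only reads configs and key files (`setconf`/`addconf`/`syncconf`, the `private-key`/`preshared-key` arguments), `showconf` and `genkey` print to stdout, and the actual save of a .conf is performed by wg-quick's shell (temp file, `sync`, `mv`) under the separate wg-quick profile. Least privilege suggests `file r @{etc_rw}/wireguard/{,**},` here; please confirm against the audit log of a `wg-quick save` run before tightening, since I am reasoning from wg's behaviour rather than from anything visible in this hunk. A one-line why-comment on `capability net_bind_service` would also help future maintainers, e.g. `# ListenPort below 1024: the kernel binds the UDP socket on wg's behalf (presumably)`, as nothing else in the profile explains that grant.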
@@ -0,0 +1,115 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi ,
+
+include
+
+profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) {
+ include
+ include
+
+ capability dac_read_search,
+ capability net_admin,
+
+ # Network access rules
+ network netlink raw,
+ network unix stream,
+
+ # use wg aa profile
+ file mrpx /usr/bin/wg -> wg,
+
+ # binaries called from within wg-quick
+ file mrix /usr/bin/readlink,
+ file mrix /usr/bin/stat,
+ file mrix /usr/bin/cat,
+ file mrix /usr/bin/rm,
+ file mrix /usr/bin/mv,
+ file mrix /usr/bin/sync,
+ file mrix /usr/bin/sort,
+ file mrix /usr/sbin/xtables-nft-multi,
+ file mrix /usr/bin/resolvectl,
+ file mrix /usr/sbin/resolvconf,
+
+ # dbus access
+ file rw @{run}/dbus/system_bus_socket,
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/resolve1
+ interface=org.freedesktop.resolve1.Manager
+ member="SetLink{DNSEx,Domains}"
+ peer=(name=org.freedesktop.resolve1, label=unconfined),
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member="Hello"
+ peer=(name=org.freedesktop.DBus, label=unconfined),
+
+ # Sub-profile for nft tool restrictions
+ file mrCx /usr/sbin/nft,
+ profile nft /usr/sbin/nft {
+ include
+
+ capability net_admin,
+
+ # Allow executable mapping and read for the binary
+ file mr /usr/sbin/nft,
+
+ # Network access rules
+ network netlink raw,
+
+ file r /usr/share/iproute2/rt_realms,
+ file r /usr/share/iproute2/group,
+ }
+
+ # Sub-profile for IP tool restrictions
+ file mrCx /usr/bin/ip,
+ profile ip /usr/bin/ip {
+ include
+
+ capability net_admin,
+ capability sys_module,
+
+ # Allow executable mapping and read
for the binary
+ file mr /usr/bin/ip,
+
+ # Network access rules
+ network netlink raw,
+
+ file r /usr/share/iproute2/group,
+ file r /usr/share/iproute2/rt_tables,
+ file r @{run}/netns/{,**},
+ }
+
+ # Sub-profile for sysctl tool restrictions
+ file mrCx /usr/sbin/sysctl,
+ profile sysctl /usr/sbin/sysctl {
+ include
+
+ # Allow executable mapping and read for the binary
+ file mr /usr/sbin/sysctl,
+
+ file w @{PROC}/sys/net/ipv4/conf/all/src_valid_mark,
+ }
+
+ # wireguard configuration and key files
+ file rw @{etc_rw}/wireguard/{,**},
+
+ # Allow executable mapping and read for the binary
+ file mr /usr/bin/wg-quick,
+
+ # Process-specific access
+ file r @{PROC}/@{pid}/net/ip_tables_names,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
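Review bot: The resolve1 rule's member list `SetLink{DNSEx,Domains}` looks incomplete for the teardown path: `wg-quick down` runs `resolvconf -d`, which in systemd's resolvconf compat mode is `resolvectl revert`, i.e. the `RevertLink` method, so bringing down a tunnel with `DNS=` set would presumably hit a D-Bus denial (resolvectl runs `ix` under this profile); worth confirming under audit and, if so, widening to `member="{SetLinkDNSEx,SetLinkDomains,RevertLink}"`. Separately, the Pre/PostUp and Pre/PostDown lines from a .conf are eval'd in a subshell of the wg-quick bash process and therefore run under this profile, so only the tools listed under `# binaries called from within wg-quick` (plus the nft/ip/sysctl child profiles) are reachable from a hook — a sensible default, but it should be stated next to that list, e.g. `# Config Pre/Post{Up,Down} hooks also run under this profile; add extra tools via local/wg-quick`. Note that `iptables` only resolves here if the nft alternative is selected; a legacy `xtables-legacy-multi` hook would be denied. Finally, `capability sys_module` in the `ip` child profile is a broad grant for a helper that otherwise only needs netlink; if it exists only to autoload the wireguard module on `ip link add`, the modprobe runs as a kernel usermode helper rather than in ip's context, so please verify from the audit log that it is actually required before keeping it.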