Merge profiles/apparmor.d: add wireguard profile

Add AA profiles for wireguard tools: `wg` and `wg-quick`. This profile has been tested on the latest oracular wireguard version `1.0.20210914-1.1ubuntu1` and the latest upstream version. In particular, this has been tested using the upstream tests in: - https://git.zx2c4.com/wireguard-linux-compat/tree/src/tests/netns.sh - https://git.zx2c4.com/wireguard-tools/tree/contrib/ncat-client-server - https://git.zx2c4.com/wireguard-tools/tree/contrib/json - https://git.zx2c4.com/wireguard-tools/tree/contrib/reresolve-dns Similarly to the MR !1319 for `socat`, Few CI tests are failing due to the inclusion of apparmor.d/abstractions/strict-nameservice. Signed-off-by: Evan Caville <evan.caville@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1323 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2025-02-07 07:34:53 +00:00 · 2025-02-07 07:34:53 +00:00 · 13caf52705
commit 13caf52705
parent da7288c710 4c79c382cf
2 changed files with 150 additions and 0 deletions
--- a/profiles/apparmor.d/wg
+++ b/profiles/apparmor.d/wg
@ -0,0 +1,35 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile wg /usr/bin/wg flags=(attach_disconnected){
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability net_admin,
+  capability net_bind_service,
+
+  # Network access rules
+  network netlink raw,
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  # wireguard configuration and key files
+  file rw @{etc_rw}/wireguard/{,**},
+
+  file mr /usr/bin/wg,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/wg>
+}
--- a/profiles/apparmor.d/wg-quick
+++ b/profiles/apparmor.d/wg-quick
@ -0,0 +1,115 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+  capability net_admin,
+
+  # Network access rules
+  network netlink raw,
+  network unix stream,
+
+  # use wg aa profile 
+  file mrpx /usr/bin/wg -> wg,
+
+  # binaries called from within wg-quick
+  file mrix /usr/bin/readlink,
+  file mrix /usr/bin/stat,
+  file mrix /usr/bin/cat,
+  file mrix /usr/bin/rm,
+  file mrix /usr/bin/mv,
+  file mrix /usr/bin/sync,
+  file mrix /usr/bin/sort,
+  file mrix /usr/sbin/xtables-nft-multi,
+  file mrix /usr/bin/resolvectl,
+  file mrix /usr/sbin/resolvconf,
+
+  # dbus access
+  file rw @{run}/dbus/system_bus_socket,
+
+  dbus (send)
+      bus=system
+      path=/org/freedesktop/resolve1
+      interface=org.freedesktop.resolve1.Manager
+      member="SetLink{DNSEx,Domains}"
+      peer=(name=org.freedesktop.resolve1, label=unconfined),
+
+  dbus (send)
+      bus=system
+      path=/org/freedesktop/DBus
+      interface=org.freedesktop.DBus
+      member="Hello"
+      peer=(name=org.freedesktop.DBus, label=unconfined),
+
+  # Sub-profile for nft tool restrictions
+  file mrCx /usr/sbin/nft,
+  profile nft /usr/sbin/nft {
+    include <abstractions/base> 
+
+    capability net_admin,
+
+    # Allow executable mapping and read for the binary
+    file mr /usr/sbin/nft,
+
+    # Network access rules
+    network netlink raw,
+
+    file r /usr/share/iproute2/rt_realms,
+    file r /usr/share/iproute2/group,
+  }
+
+  # Sub-profile for IP tool restrictions
+  file mrCx /usr/bin/ip,
+  profile ip /usr/bin/ip {
+    include <abstractions/base>
+
+    capability net_admin,
+    capability sys_module,
+
+    # Allow executable mapping and read for the binary
+    file mr /usr/bin/ip,
+
+    # Network access rules
+    network netlink raw,
+
+    file r /usr/share/iproute2/group,
+    file r /usr/share/iproute2/rt_tables,
+    file r @{run}/netns/{,**},
+  }
+  
+  # Sub-profile for sysctl tool restrictions
+  file mrCx /usr/sbin/sysctl,
+  profile sysctl /usr/sbin/sysctl {
+    include <abstractions/base> 
+    
+    # Allow executable mapping and read for the binary
+    file mr /usr/sbin/sysctl,
+ 
+    file w @{PROC}/sys/net/ipv4/conf/all/src_valid_mark,
+  }
+
+  # wireguard configuration and key files
+  file rw @{etc_rw}/wireguard/{,**},
+
+  # Allow executable mapping and read for the binary
+  file mr /usr/bin/wg-quick,
+
+  # Process-specific access
+  file r @{PROC}/@{pid}/net/ip_tables_names,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/wg-quick>
+}