├── README.rst
├── profiles
│   ├── abstractions
│   │   ├── X
│   │   ├── abi
│   │   ├── audio
│   │   ├── base
│   │   ├── bash
│   │   ├── consoles
│   │   ├── dconf
│   │   ├── fonts
│   │   ├── freedesktop.org
│   │   ├── gnome
│   │   ├── nameservice
│   │   ├── openssl
│   │   ├── pulse
│   │   ├── pulse-deny
│   │   ├── site
│   │   │   ├── base
│   │   │   └── de
│   │   ├── ssl-certs
│   │   ├── user-download
│   │   ├── user-tmp
│   │   └── xdg-desktop
│   ├── brave
│   ├── chrome
│   ├── electricsheep
│   ├── pulseaudio
│   ├── skypeforlinux
│   ├── tunables
│   │   └── global
│   └── waterfox
├── scripts
│   ├── apparmor_init
│   ├── enabled.conf
│   └── parse-logs
└── server
    ├── abstractions
    ├── cgit
    ├── innd
    ├── ndppd
    ├── nginx
    ├── rsyslog
    ├── rsyslog-sink
    ├── transmission
    └── tunables

--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
apparmor-profiles
=================

AppArmor profiles I use for binary or potentially complex/dangerous/exposed apps
like browsers, random electron and wine stuff, proprietary things, etc.

Repository URLs:

- https://github.com/mk-fg/apparmor-profiles
- https://codeberg.org/mk-fg/apparmor-profiles
- https://fraggod.net/code/git/apparmor-profiles

On the desktop, even when confined to the user's uid, such apps still get unwanted
access to a lot of things in $HOME and can read a lot of poorly-secured files on
the system (like /etc/passwd or some config without restrictive permissions),
which is obviously undesirable, and which AppArmor can help to fix.

Some profiles and abstractions are reused from upstreams like Ubuntu, SUSE and
various other repos, but I often found them too lax or bloated for a specific
system (currently Arch Linux), allowing stuff like ``@{HOME}/** r``, so I prefer to
use them just for reference, copying only obvious and safe access lines from there,
and getting (or confirming) the rest from audit logs.
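As an added illustration of the audit-log workflow described above (this is not the repository's own ``scripts/parse-logs``, and the log lines in it are constructed, not captured from a real system), here is a small Python script that turns ``DENIED`` (and complain-mode ``ALLOWED``) audit events into candidate rules: it merges the denied masks per path, swaps user- and pid-specific prefixes for ``@{HOME}``, ``/run/user/*`` and ``@{PROC}/@{pid}``, adds ``owner`` where fsuid matches ouid, and leaves denials on well-known sensitive files (an assumed short list) as review comments instead of allow rules, since the point of the exercise is to confirm access, not to whitelist whatever the app asked for.

```python
"""Turn AppArmor DENIED audit-log lines into candidate profile rules.

Added example, not the repository's scripts/parse-logs. The sample log
below is constructed for illustration; its field names follow the kernel's
key="value" audit record format.
"""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample input (not captured from a real system).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="open" profile="brave" name="/etc/shadow" pid=4242 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" profile="brave" name="/home/alice/.cache/BraveSoftware/Brave-Browser/Cache/data_0" pid=4242 comm="brave" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="brave" name="/home/alice/.cache/BraveSoftware/Brave-Browser/Cache/data_0" pid=4242 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="open" profile="brave" name="/proc/4242/fd/" pid=4242 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.005:105): apparmor="DENIED" operation="create" profile="brave" pid=4242 comm="brave" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1700000000.006:106): apparmor="DENIED" operation="capable" profile="brave" pid=4242 comm="brave" capability=21 capname="sys_admin"
audit: type=1400 audit(1700000000.007:107): apparmor="AUDIT" operation="open" profile="brave" name="/tmp/ssh-XXXXXX/agent.1" pid=4242 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Kernel mask letters -> profile permission letters: create/delete are
# write access in a rule, 'x' needs an exec qualifier (added in perm_string).
MASK_MAP = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
            'm': 'm', 'k': 'k', 'l': 'l', 'x': 'x'}

# Assumed short list of paths a denial should never be auto-converted into
# an allow rule for; extend it for the system at hand.
SENSITIVE_GLOBS = ('/etc/shadow', '/etc/gshadow', '/etc/ssh/*', '/root/*',
                   '/home/*/.ssh/*', '/home/*/.gnupg/*')


def generalize(path, pid=None):
    """Replace user- and process-specific prefixes with AppArmor variables."""
    path = re.sub(r'^/home/[^/]+(?=/|$)', '@{HOME}', path)
    path = re.sub(r'^/run/user/\d+(?=/|$)', '/run/user/*', path)
    if pid:  # only the process's own /proc entry becomes @{pid}
        path = re.sub(rf'^/proc/{re.escape(pid)}(?=/|$)', '@{PROC}/@{pid}', path)
    return path


def perm_string(letters):
    """Render a set of permission letters in the usual profile order."""
    if 'w' in letters:
        letters = letters - {'a'}  # 'w' already covers append
    perms = ''.join(c for c in 'rwamkl' if c in letters)
    if 'x' in letters:
        perms += 'ix'  # assumed inherit-exec; px/Cx/ux may be the right call
    return perms


def rules_from_log(text):
    """Map each profile name to a sorted list of candidate rules."""
    files = defaultdict(set)   # (profile, owner, path, sensitive) -> letters
    other = defaultdict(set)   # profile -> capability/network rules
    for line in text.splitlines():
        ev = {k: q or u for k, q, u in FIELD_RE.findall(line)}
        # AUDIT/STATUS records describe allowed or informational events
        if ev.get('apparmor') not in ('DENIED', 'ALLOWED'):
            continue
        profile = ev.get('profile')
        if not profile:
            continue
        if 'capname' in ev:
            other[profile].add(f'capability {ev["capname"]},')
        elif 'family' in ev and 'sock_type' in ev:
            other[profile].add(f'network {ev["family"]} {ev["sock_type"]},')
        elif 'name' in ev:
            mask = ev.get('denied_mask') or ev.get('requested_mask') or ''
            letters = {MASK_MAP[c] for c in mask if c in MASK_MAP}
            if not letters:
                continue
            owner = 'fsuid' in ev and ev['fsuid'] == ev.get('ouid')
            sensitive = any(fnmatchcase(ev['name'], g) for g in SENSITIVE_GLOBS)
            key = (profile, owner, generalize(ev['name'], ev.get('pid')), sensitive)
            files[key] |= letters
    out = defaultdict(list)
    for (profile, owner, path, sensitive), letters in files.items():
        rule = f'{"owner " if owner else ""}{path} {perm_string(letters)},'
        if sensitive:
            rule = '# REVIEW (sensitive path, do not allow blindly): ' + rule
        out[profile].append(rule)
    for profile, rules in other.items():
        out[profile].extend(rules)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == '__main__':
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for profile, rules in rules_from_log(text).items():
        print(f'# candidate rules for profile "{profile}"')
        print('\n'.join(rules))
```

Feed it ``dmesg``/``journalctl -k`` output (or ``/var/log/audit/audit.log`` when auditd is running); exec denials come out with an assumed ``ix`` qualifier that should be changed to ``px``/``Cx`` when the child should get its own profile, and every emitted line is still a suggestion to check against what the app actually needs.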

Main doc on rule syntax:
https://gitlab.com/apparmor/apparmor/wikis/AppArmor_Core_Policy_Reference

I use the apparmor_init_ script (under the "scripts" dir) to load these profiles
with some caching and the "--override-policy-abi" option, to avoid needing abi
boilerplate in every file - they are intended to always work together anyway
(in AppArmor 3.x, policy without an abi line is compiled against a pinned legacy
feature set rather than the running kernel's, so the override also decides which
rule classes actually get enforced).

.. _apparmor_init: scripts/apparmor_init

Important note
--------------

This is more of a "my configuration" repository, and profiles here are mostly
written in an ad-hoc fashion for my system, not to be a generic fit for any linux
(or even app usage scenario) out there.

Plus I'm no security expert, so I can - and do - miss some things, only making
sure that the most obvious bad things can't happen (or will trigger a warning),
not trying to build a super-secure system or anything, thinking of it more like
basic hygiene than hardening against a dedicated attacker.

Therefore it might be wise to only use these profiles for reference
(e.g. to get the general idea where an app needs access), and not as a drop-in config.

Some paths in profiles like @{HOME\_GIT} and @{SYS\_GIT} are specific to my
systems (configuration git repos), and can/should be removed or updated to some
other local paths.

See also
--------

- Flatpak, Snap, AppImage, Docker/Podman - one of the goals of these containers
  is security and isolation too, though usually not the primary one,
  but LSMs like AppArmor/SELinux can be added there too, to help with that.

- `Landlock LSM`_ - relatively new (2021) unprivileged-sandboxing LSM, kinda like
  AppArmor except you load the profile in a wrapper or when starting the app itself,
  without needing uid=root or any fancy capabilities for it.

.. _Landlock LSM: https://landlock.io/

--------------------------------------------------------------------------------
/profiles/abstractions/X:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner /run/user/*/ICEauthority r,

# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{HOME}/.local/share/sddm/.Xauthority r,
owner /{,var/}run/gdm{,3}/*/database r,
owner /{,var/}run/lightdm/authority/[0-9]* r,
owner /{,var/}run/lightdm/*/xauthority r,
owner /{,var/}run/user/*/gdm/Xauthority r,
owner /{,var/}run/user/*/X11/Xauthority r,

# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
     type=stream
     peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
     type=stream
     peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

/usr/include/X11/ r,
/usr/include/X11/** r,

# The X tree changes and is large -- grant read access to the whole thing
/usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,

# EGL
/usr/lib/egl/*.so* mr,
/usr/share/glvnd/** r,

# DRI
/usr/lib/dri/** mr,
/usr/lib/fglrx/dri/** mr,
/usr/lib/xorg/modules/dri/*.so* mr,
/dev/dri/ r,
/dev/dri/** mrw,
/etc/drirc r,
/usr/share/drirc.d/ r,
/usr/share/drirc.d/* r,
owner @{HOME}/.drirc r,

# libva
/etc/libva.conf r,
/usr/share/libdrm/* r,

# Xcompose
owner @{HOME}/.XCompose r,
/var/cache/libx11/compose/* r,
deny /var/cache/libx11/compose/* wlk,

# mouse themes
/etc/X11/cursors/ r,
/etc/X11/cursors/** r,

--------------------------------------------------------------------------------
/profiles/abstractions/abi:
--------------------------------------------------------------------------------
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

--------------------------------------------------------------------------------
/profiles/abstractions/audio:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------


/dev/admmidi* rw,
/dev/adsp* rw,
/dev/aload* rw,
/dev/amidi* rw,
/dev/audio* rw,
/dev/dmfm* rw,
/dev/dmmidi* rw,
/dev/dsp* rw,
/dev/midi* rw,
/dev/mixer* rw,
/dev/mpu401data rw,
/dev/mpu401stat rw,
/dev/patmgr* rw,
/dev/phone* rw,
/dev/radio* rw,
/dev/rmidi* rw,
/dev/sequencer rw,
/dev/sequencer2 rw,
/dev/smpte* rw,

/dev/snd/* rw,
/dev/sound/* rw,

@{PROC}/asound/** rw,

/usr/share/sounds/** r,
/usr/share/alsa/** r,
/usr/share/alsa-card-profile/** r,

owner @{HOME}/.esd_auth r,
owner @{HOME}/.asoundrc r,
/etc/esound/esd.conf r,

# libcanberra
owner @{HOME}/.cache/event-sound-cache.* rwk,

# pulse
/etc/pulse/ r,
/etc/pulse/** r,
/{run,dev}/shm/ r,
owner /{run,dev}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner /{,var/}run/user/*/pulse/ rw,
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,

# libgnome2
/etc/sound/ r,
/etc/sound/** r,

# openal
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
/usr/{,local/}share/openal/hrtf/{,**} r,
owner @{HOME}/.local/share/openal/hrtf/{,**} r,

# wildmidi
/etc/wildmidi/wildmidi.cfg r,

# pipewire
/usr/share/pipewire/client.conf r,

--------------------------------------------------------------------------------
/profiles/abstractions/base:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------


# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)

# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo{,-icu}/ r,
/usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
/run/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
/run/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
/run/systemd/journal/stdout rw,

/usr/lib/locale/** mr,
/usr/lib/gconv/*.so mr,
/usr/lib/gconv/gconv-modules* mr,

# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,

# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
/etc/ld.so.conf r,
/etc/ld.so.conf.d/{,*.conf} r,
/etc/ld.so.preload r,
/etc/ld-musl-*.path r,

# we might as well allow everything to use common libraries
/usr/lib/** r,
/usr/lib/*.so* mr,
/usr/lib/**/*.so* mr,

# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,

# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,

# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/online r,
/sys/devices/system/cpu/possible r,

# transparent hugepage support
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,

# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,

# some applications will display license information
/usr/share/common-licenses/** r,

# glibc statvfs
@{PROC}/filesystems r,

# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,

# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,

# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
#   deny ptrace (readby) ...
ptrace (readby),

# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
#   deny ptrace (tracedby) ...
ptrace (tracedby),

# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},

# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,

# Allow us to signal ourselves
signal peer=@{profile_name},

# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),

# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),

# Allow unconfined processes to send to us via unix sockets
unix (receive) peer=(label=unconfined),

# Allow us to create abstract and anonymous sockets
unix (create),

# Allow us to getattr, getopt, setopt and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),

--------------------------------------------------------------------------------
/profiles/abstractions/bash:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,
@{HOME}/.profile r,
@{HOME}/.bash_profile r,
@{HOME}/.bash_history rw,

# system-wide bash configuration
/etc/profile.dos r,
/etc/profile r,
/etc/profile.d/ r,
/etc/profile.d/* r,
/etc/bashrc r,
/etc/bash.bashrc r,
/etc/bash.bashrc.local r,
/etc/bash_completion r,
/etc/bash_completion.d/ r,
/etc/bash_completion.d/* r,

# bash relies on system-wide readline configuration
/etc/inputrc r,

# bash inspects filesystems at startup
/etc/mtab r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,

# probably readline wants to know terminal capabilities
/usr/share/terminfo/** r,

# run out of /etc/bash.bashrc
/etc/DIR_COLORS r,
/{usr/,}bin/ls mix,
/usr/bin/dircolors mix,

--------------------------------------------------------------------------------
/profiles/abstractions/consoles:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------


# there are three common ways to refer to consoles
/dev/console rw,
/dev/tty rw,
# this next entry is a tad unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/[0-9]* rw,
/dev/pts/ r,

--------------------------------------------------------------------------------
/profiles/abstractions/dconf:
--------------------------------------------------------------------------------
# vim:syntax=apparmor

# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.

/etc/dconf/** r,
owner /{,var/}run/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,

--------------------------------------------------------------------------------
/profiles/abstractions/fonts:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

/usr/share/AbiSuite/fonts/** r,

/usr/lib/xorg/modules/fonts/**.so* mr,

/usr/share/fonts/ r,
/usr/share/fonts/** mr,

/etc/fonts/** mr,
/usr/share/fontconfig/conf.avail/ r,
/usr/share/fontconfig/conf.avail/** mr,
/usr/share/fontconfig/conf.avail.*/ r,
/usr/share/fontconfig/conf.avail.*/** mr,

/var/cache/fonts/** mr,
/var/cache/fontconfig/** mr,
/var/lib/defoma/** mr,

/usr/share/a2ps/fonts/** mr,
/usr/share/xfce/fonts/** mr,
/usr/share/ghostscript/fonts/** mr,
/usr/share/javascript/*/fonts/** mr,
/usr/share/texmf/{,*/}fonts/** mr,
/usr/share/texlive/texmf-dist/fonts/** mr,
/var/lib/ghostscript/** mr,

owner @{HOME}/.fonts.conf r,
owner @{HOME}/.fonts/ r,
owner @{HOME}/.fonts/** mr,
owner @{HOME}/.local/share/fonts/ mr,
owner @{HOME}/.local/share/fonts/** mr,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ r,
owner @{HOME}/.{,cache/}fontconfig/** mrl,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** mr,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** mr,
owner @{HOME}/.Fontmatrix/Activated/ r,
owner @{HOME}/.Fontmatrix/Activated/** r,

/usr/local/share/fonts/ r,
/usr/local/share/fonts/** mr,

# poppler CMap tables
/usr/share/poppler/cMap/** r,

# data files for LibThai
/usr/share/libthai/thbrk.tri r,

deny @{HOME}/.cache/fontconfig/ w,
deny @{HOME}/.cache/fontconfig/** w,
deny /var/cache/fontconfig/ w,
deny /var/cache/fontconfig/** w,
deny /usr/share/fonts/** w,

--------------------------------------------------------------------------------
/profiles/abstractions/freedesktop.org:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# system configuration
/usr/share/applications/ r,
/usr/share/applications/defaults.list mr,
/usr/share/applications/mimeinfo.cache mr,
/usr/share/applications/*.desktop mr,
/usr/share/icons/ r,
/usr/share/icons/** mr,
/usr/share/pixmaps/ r,
/usr/share/pixmaps/** mr,
/usr/local/share/icons/ r,
/usr/local/share/icons/** mr,
/usr/local/share/pixmaps/ r,
/usr/local/share/pixmaps/** mr,

# this should probably go elsewhere
/usr/share/mime/** mr,

# per-user configurations
owner @{HOME}/.icons/{,**} mr,
owner @{HOME}/.recently-used.xbel* mrw,
owner @{HOME}/.local/share/recently-used.xbel* rmw,
owner @{HOME}/.config/user-dirs.dirs mr,
owner @{HOME}/.config/mimeapps.list mr,
owner @{HOME}/.local/share/applications/ r,
owner @{HOME}/.local/share/applications/*.desktop mr,
owner @{HOME}/.local/share/applications/defaults.list mr,
owner @{HOME}/.local/share/applications/mimeapps.list mr,
owner @{HOME}/.local/share/applications/mimeinfo.cache mr,
owner @{HOME}/.local/share/icons/{,**} mr,
owner @{HOME}/.local/share/mime/{,**} mr,

# xorg caches and mesa stuff
owner @{HOME}/.cache/thumbnails/{,**} rw,
owner @{HOME}/.cache/mesa{,_shader_cache,_shader_cache_db}/ rw,
owner @{HOME}/.cache/mesa{,_shader_cache,_shader_cache_db}/** mrkw,
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
/usr/share/vulkan/icd.d/{,*} r,

--------------------------------------------------------------------------------
/profiles/abstractions/gnome:
--------------------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include
#include
#include
#include
#include
#include

# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib/gtk/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,

# for gnome 1 applications
/etc/orbitrc r,

# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib/pango/** mr,
/usr/lib/gtk-*/** mr,
/usr/lib/gdk-pixbuf-*/** mr,

# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/* r,
owner @{HOME}/.gnome/Gnome r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,

# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/** r,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,

# from evolution-mail
owner @{HOME}/.gconfd/lock/* r,
owner @{HOME}/.gnome/application-info r,

# per-user font business
owner @{HOME}/.fonts.cache-* rwl,

# icon caches
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,

# GLib schemas
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
/usr/{local/,}share/glib-[0-9]*/schemas/** r,

# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,

# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,

# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,

# holds MIT-MAGIC-COOKIE for gnome
owner /{,var/}run/gdm/auth*/database r,

# mime-types
/etc/gnome/defaults.list r,
/etc/xdg/*-mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,

# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
unix (send, receive, connect)
     type=stream
     peer=(addr="@/dbus-vfs-daemon/socket-*"),

--------------------------------------------------------------------------------
/profiles/abstractions/nameservice:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
/etc/protocols r,

/etc/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/{,var/}run/systemd/resolve/stub-resolv.conf r,

/etc/samba/lmhosts r,
/etc/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
/{,var/}run/.nscd_socket rw,
/{,var/}run/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in its operation that clients will
# have open
/{,var/}run/nscd/db* rmix,

# systemd-245
/run/systemd/userdb/ rw,
/run/systemd/userdb/* rw,

# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/usr/lib/libnss_*.so* mr,
/etc/default/nss r,

# avahi-daemon is used for mdns4 resolution
/{,var/}run/avahi-daemon/socket rw,

# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
/etc/libnl-*/classid r,

# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,

# getaddrinfo uses this for iface addrs, not sure why
network netlink raw,

# interface details
@{PROC}/@{pid}/net/route r,

--------------------------------------------------------------------------------
/profiles/abstractions/openssl:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
/etc/ssl/{engdef,engines}.d/ r,
/etc/ssl/{engdef,engines}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,

--------------------------------------------------------------------------------
/profiles/abstractions/pulse:
--------------------------------------------------------------------------------
#include

# Started on-demand
/usr/bin/pulseaudio pxrm,

## Site-local symlinks
@{SYS_GIT}/sys/pulse/* r,
@{SYS_GIT}/sys/asound.conf r,
@{SYS_GIT}/sys/secure/pulse.cookie rk,

/tmp/orcexec.* m,
owner /run/user/*/orcexec.* rwkm,
deny owner @{HOME}/orcexec.* m,

--------------------------------------------------------------------------------
/profiles/abstractions/pulse-deny:
--------------------------------------------------------------------------------
deny /usr/bin/pulseaudio xrm,

deny /dev/shm/ r,
deny /run/user/*/pulse/ rw,
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/* rw,

deny /tmp/orcexec.* m,
deny /run/user/*/orcexec.* rwkm,
deny @{HOME}/orcexec.* m,

## Site-local symlinks
deny @{SYS_GIT}/sys/pulse/* r,
deny @{SYS_GIT}/sys/asound.conf r,
deny @{SYS_GIT}/sys/secure/pulse.cookie r,

--------------------------------------------------------------------------------
/profiles/abstractions/site/base:
--------------------------------------------------------------------------------
/etc/machine-id r,

/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,

owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cmdline r,

# compatibility .so files from old packages
/opt/compat/*.so* mr,

# Blacklist here shouldn't be relied upon for actual deny, only for audit;
# private-tmp in wrapper scripts is the proper solution for not sharing stuff there
audit deny /tmp/{ssh,gpg}-*/** rwlkmx,
audit deny /tmp/{u,}screens/** rwlkmx,
audit deny /tmp/tmux-*/** rwlkmx,
audit deny /tmp/emacs*/** rwlkmx,
audit deny /tmp/systemd-*/** rwlkmx,
audit deny /tmp/claws-mail-*/** rwlkmx,
audit deny /tmp/efreetd_* rwlkmx,

--------------------------------------------------------------------------------
/profiles/abstractions/site/de:
--------------------------------------------------------------------------------
/etc/pango/*/pango.modules r,
/etc/mailcap r,
@{SYS_GIT}/app/X/drirc r,

owner @{HOME_GIT}/fonts.conf r,
owner @{HOME_GIT}/app_defaults.list r,
owner @{HOME_GIT}/gtkrc-2.0 r,
owner @{HOME_GIT}/gtkrc-3.0 r,
owner @{HOME_GIT}/gtk-bookmarks-2.0 r,
owner @{HOME_GIT}/gtk-bookmarks-3.0 r,
owner @{HOME_GIT}/gtk-3.0.css r,
/usr/share/gtk-2.0/gtkrc r,
/usr/share/gtk-3.0/settings.ini r,

# Custom GTK3 theme/icon dirs
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,
owner @{HOME}/.icons/ r,
owner @{HOME}/.icons/** r,

# Custom xdg icon path, specs and such stuff
owner @{HOME}/.xdg/** r,
owner @{HOME_GIT}/xdg/** r,

--------------------------------------------------------------------------------
/profiles/abstractions/ssl-certs:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
5 | # 6 | # This program is free software; you can redistribute it and/or 7 | # modify it under the terms of version 2 of the GNU General Public 8 | # License published by the Free Software Foundation. 9 | # 10 | # ------------------------------------------------------------------ 11 | 12 | /etc/ssl/ r, 13 | /etc/ssl/certs/{,**} mr, 14 | /etc/pki/trust/{,**} mr, 15 | /etc/pki/trust/anchors/{,**} mr, 16 | /etc/ca-certificates/{,**} mr, 17 | /usr/share/ca-certificates/{,**} mr, 18 | /usr/share/ssl/certs/ca-bundle.crt mr, 19 | /var/lib/ca-certificates/{,**} mr, 20 | -------------------------------------------------------------------------------- /profiles/abstractions/user-download: -------------------------------------------------------------------------------- 1 | owner @{HOME}/[dD]ownload{,s}/ r, 2 | owner @{HOME}/[dD]ownload{,s}/** rwl, 3 | owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, 4 | owner @{HOME}/@{XDG_DESKTOP_DIR}/* rwl, 5 | owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, 6 | owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl, 7 | -------------------------------------------------------------------------------- /profiles/abstractions/user-tmp: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------ 2 | # 3 | # Copyright (C) 2002-2009 Novell/SUSE 4 | # Copyright (C) 2009-2010 Canonical Ltd. 5 | # 6 | # This program is free software; you can redistribute it and/or 7 | # modify it under the terms of version 2 of the GNU General Public 8 | # License published by the Free Software Foundation. 
9 | # 10 | # ------------------------------------------------------------------ 11 | 12 | # per-user tmp directories 13 | owner @{HOME}/tmp/** rwkl, 14 | owner @{HOME}/tmp/ rw, 15 | 16 | # global tmp directories 17 | owner /var/tmp/** rwkl, 18 | /var/tmp/ rw, 19 | owner /tmp/** rwkl, 20 | /tmp/ rw, 21 | -------------------------------------------------------------------------------- /profiles/abstractions/xdg-desktop: -------------------------------------------------------------------------------- 1 | owner @{HOME}/.cache/ rw, 2 | 3 | owner @{HOME}/.config/ rw, 4 | 5 | owner @{HOME}/.local/ rw, 6 | owner @{HOME}/.local/share/ rw, 7 | 8 | # fallbacks 9 | /usr/share/ r, 10 | /usr/local/share/ r, 11 | -------------------------------------------------------------------------------- /profiles/brave: -------------------------------------------------------------------------------- 1 | # For component build of brave in particular 2 | 3 | #include 4 | 5 | profile brave /usr/lib/brave/brave { 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | 20 | ### Main binary and sandboxing setup 21 | 22 | /usr/lib/brave/brave ix, 23 | /usr/lib/brave/** mr, 24 | /usr/lib/brave/brave mr, 25 | deny /usr/bin/xdg-{settings,desktop-menu} x, # "default browser" stuff 26 | 27 | # sandbox/linux/services/namespace_sandbox.cc credentials.cc 28 | capability sys_admin sys_chroot sys_ptrace, 29 | signal (receive) peer=unconfined, 30 | deny signal (send) peer=unconfined, 31 | /proc/sys/kernel/yama/ptrace_scope r, 32 | deny ptrace, # triggers on xdg handlers 33 | 34 | 35 | ### Main profile dirs, shm and various fs caches 36 | 37 | deny /etc/opt/ rw, # tries to create it 38 | 39 | /etc/chromium/** rk, # policies/managed and such 40 | owner @{HOME}/.pki/nssdb/** rwk, 41 | owner @{HOME}/.cache/thumbnails/** rw, 42 | owner @{HOME}/.{config,cache}/BraveSoftware/ rwk, 43 | owner 
@{HOME}/.{config,cache}/BraveSoftware/** rwk, 44 | 45 | deny /usr/lib/brave/extensions/ rw, 46 | 47 | # Chromium fills these paths with gigs of trash fast, not sure if Brave does too 48 | deny @{HOME}/.config/BraveSoftware/BrowserMetrics/ rw, 49 | deny @{HOME}/.config/BraveSoftware/BrowserMetrics/** rw, 50 | deny @{HOME}/.config/BraveSoftware/BrowserMetrics* rw, 51 | 52 | # Site-local stuff 53 | @{SYS_GIT}/app/X/vdpau_wrapper.cfg r, 54 | 55 | /{run,dev}/shm/.org.chromium.Chromium.* rwkm, 56 | /{run,dev}/shm/org.chromium.Chromium.shmem.* rwkm, 57 | 58 | 59 | ### Misc optional access 60 | 61 | # File selection dialogs 62 | deny @{HOME} r, 63 | /etc/fstab r, 64 | /run/mount/utab r, 65 | /proc/@{pid}/mountinfo r, 66 | /usr/share/glib-*/schemas/gschemas.compiled r, 67 | deny /{,var/}run/user/*/dconf/user w, 68 | 69 | # Platform stats/fingerprinting 70 | deny /etc/os-release r, 71 | deny /sys/devices/virtual/dmi/id/* r, 72 | 73 | # Imports from other browsers/apps 74 | deny @{HOME}/.config/chromium/** rw, 75 | 76 | # StorageMonitorLinux for Media Gallery API - http://crbug.com/141229 77 | deny /run/udev/data/** r, 78 | deny /sys/devices/virtual/tty/tty*/active r, 79 | deny /sys/class/*/ r, 80 | 81 | # V4L2 video API 82 | deny /dev/video* r, 83 | 84 | 85 | ### /proc and /dev 86 | 87 | /proc/ r, 88 | owner /proc/@{pid}/fd/ r, 89 | /proc/vmstat r, 90 | /proc/sys/fs/inotify/max_user_watches r, 91 | /proc/@{pid}/{stat,status} r, 92 | owner /proc/@{pid}/setgroups w, 93 | owner /proc/@{pid}/gid_map w, 94 | owner /proc/@{pid}/uid_map w, 95 | owner /proc/@{pid}/{mem,stat,statm} r, 96 | owner /proc/@{pid}/clear_refs w, 97 | owner /proc/@{pid}/task/ r, 98 | owner /proc/@{pid}/task/@{pid}/{stat,status} r, 99 | 100 | deny /sys/devices/virtual/tty/tty*/active r, 101 | deny /proc/@{pid}/oom_{,score_}adj rw, 102 | 103 | # Device access stuff - should allow for GPU, but nothing else, ideally 104 | /dev/ r, 105 | /etc/udev/udev.conf r, 106 | /sys/{bus,class}/ r, 107 | 
/sys/bus/pci/devices/ r, 108 | /sys/devices/pci[0-9:.]*/**/{uevent,resource,irq,vendor,device,class} r, 109 | /sys/devices/pci[0-9:.]*/**/{subsystem_vendor,subsystem_device,config} r, 110 | /sys/devices/pci[0-9:.]*/**/drm/ r, 111 | 112 | # Wildcard rule doesn't work here, as it overrides "/sys/bus/pci/devices/ r" 113 | deny /sys/bus/{clockevents,dax,platform,pci_express,serio,event_source}/devices/ r, 114 | deny /sys/bus/{machinecheck,cpu,hdaudio,scsi,clocksource,hid,edac}/devices/ r, 115 | deny /sys/bus/{pnp,usb,workqueue,virtio,container,acpi,i2c,snd_seq,mipi-dsi}/devices/ r, 116 | deny /sys/bus/{mdio_bus,nvmem,wmi,usb-serial}/devices/ r, 117 | 118 | 119 | ### Network 120 | 121 | network tcp, 122 | network udp, 123 | 124 | } 125 | -------------------------------------------------------------------------------- /profiles/chrome: -------------------------------------------------------------------------------- 1 | # For https://github.com/Eloston/ungoogled-chromium variant of chromium 2 | 3 | # NOTE: assumes kernel support for ns-sandbox, and not suid-sandbox 4 | # modern chromium uses ns-sandbox if it can, with suid as a fallback 5 | # see also: https://bugs.chromium.org/p/chromium/issues/detail?id=312380 6 | 7 | #include 8 | 9 | profile chromium-wrapper /usr/bin/chromium { 10 | #include 11 | #include 12 | 13 | /usr/lib/chromium/chromium cx -> chromium, 14 | 15 | profile chromium { 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | 30 | ### Main binary and sandboxing setup 31 | 32 | /usr/lib/chromium/chromium ix, 33 | /usr/lib/chromium/** mr, 34 | /usr/lib/chromium/chromium mr, 35 | deny /usr/bin/xdg-{settings,desktop-menu} x, # "default browser" stuff 36 | 37 | # sandbox/linux/services/namespace_sandbox.cc credentials.cc 38 | capability sys_admin sys_chroot sys_ptrace, 39 | signal (receive) peer=unconfined, 40 | deny signal (send) 
peer=unconfined, 41 | /proc/sys/kernel/yama/ptrace_scope r, 42 | deny ptrace, # triggers on xdg handlers 43 | 44 | 45 | ### Main profile dirs, shm and various fs caches 46 | 47 | /etc/chromium/** rk, # policies/managed and such 48 | /etc/gnutls/config r, # still uses gnutls, it seems 49 | deny @{HOME}/.pki/ w, 50 | owner @{HOME}/.pki/nssdb/{,**} rwk, 51 | owner @{HOME}/.cache/thumbnails/{,**} rw, 52 | owner @{HOME}/.{config,cache}/chromium/ rwk, 53 | owner @{HOME}/.{config,cache}/chromium/** rwk, 54 | 55 | # Keep dedicated extension dir read-only, never use system-wide ones 56 | audit deny @{HOME}/.config/chromium/Extensions/** w, 57 | deny /usr/lib/chromium/extensions/ rw, 58 | 59 | # Fills these paths with gigs of trash fast otherwise 60 | deny @{HOME}/.config/chromium/BrowserMetrics/{,**} rw, 61 | deny @{HOME}/.config/chromium/BrowserMetrics* rw, 62 | 63 | # Site-local stuff 64 | @{SYS_GIT}/app/X/vdpau_wrapper.cfg r, 65 | owner @{HOME}/.config/chromium/Extensions/_bin/xdg-open cUx, # dispatcher for magnet: and such 66 | 67 | @{HOME}/.local/share/.org.chromium.Chromium.* rwkm, # not sure what these are for, also shm? 
68 | /{run,dev}/shm/.org.chromium.Chromium.* rwkm, 69 | /{run,dev}/shm/org.chromium.Chromium.shmem.* rwkm, 70 | 71 | 72 | ### Misc optional access 73 | 74 | # File selection dialogs 75 | deny @{HOME} r, 76 | /etc/fstab r, 77 | /run/mount/utab r, 78 | /proc/@{pid}/mountinfo r, 79 | /usr/share/glib-*/schemas/gschemas.compiled r, 80 | deny /{,var/}run/user/*/dconf/user w, 81 | 82 | # Platform stats/fingerprinting 83 | deny /etc/os-release r, 84 | deny /sys/devices/virtual/dmi/id/{,*} r, 85 | 86 | # Imports from other browsers/apps 87 | deny @{HOME}/.mozilla/firefox/{,**} rw, 88 | 89 | # Weird mmap probes 90 | deny @{HOME}/#[0-9]* m, 91 | /tmp/#[0-9]* m, 92 | 93 | 94 | ### /proc and /dev 95 | 96 | /proc/ r, 97 | /proc/vmstat r, 98 | /proc/sys/fs/inotify/max_user_watches r, 99 | /proc/@{pid}/{stat,statm,status} r, 100 | /proc/pressure/* r, 101 | owner /proc/@{pid}/mem r, 102 | owner /proc/@{pid}/{setgroups,uid_map,gid_map,clear_refs} w, 103 | owner /proc/@{pid}/{fd,task}/ r, 104 | 105 | deny /proc/@{pid}/task/*/status r, # hard to restrict to its own pids 106 | deny /sys/devices/virtual/tty/tty*/active r, 107 | deny /proc/@{pid}/oom_{,score_}adj rw, 108 | 109 | # Device access stuff - to allow at least enumeration and GPU access 110 | /dev/ r, 111 | /etc/udev/udev.conf r, 112 | /sys/{bus,class}/ r, 113 | /sys/class/*/ r, 114 | /sys/bus/*/devices/ r, 115 | /sys/devices/pci[0-9:.]*/**/{uevent,resource,irq,vendor,device,class,revision} r, 116 | /sys/devices/pci[0-9:.]*/**/{subsystem_vendor,subsystem_device,config} r, 117 | /sys/devices/pci[0-9:.]*/**/drm/ r, 118 | 119 | # U2F token, can be tested via https://webauthn.io/ 120 | /run/udev/data/* r, 121 | /sys/devices/pci*/*/usb*/ r, 122 | /sys/devices/pci**/usb*/**/{uevent,report_descriptor} r, 123 | /sys/class/hidraw/hidraw* r, 124 | /dev/hidraw* rw, 125 | 126 | # Things that I don't want chrome to use here anyway 127 | deny /dev/video* r, 128 | deny /sys/devices/system/node/** r, 129 | deny 
/sys/devices/pci[0-9:.]*/**/descriptors r, # block any further android-debug checks 130 | 131 | ### Network 132 | 133 | network tcp, 134 | network udp, 135 | network netlink raw, # tracks local netwok configuration 136 | 137 | } 138 | 139 | } 140 | -------------------------------------------------------------------------------- /profiles/electricsheep: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | profile electricsheep /usr/bin/electricsheep { 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | /usr/bin/bash ix, 13 | /usr/bin/xset ix, 14 | /usr/bin/which ix, 15 | 16 | /usr/share/electricsheep/ r, 17 | /usr/share/electricsheep/** r, 18 | @{HOME}/.electricsheep/ rwk, 19 | @{HOME}/.electricsheep/** rwk, 20 | 21 | network tcp, 22 | network udp, 23 | } 24 | -------------------------------------------------------------------------------- /profiles/pulseaudio: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | profile pulseaudio /usr/bin/pulseaudio { 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | /usr/lib/pulse-*/modules/* m, 13 | /usr/share/pulseaudio/** r, 14 | 15 | /etc/udev/udev.conf r, 16 | /run/udev/data/* r, 17 | 18 | /tmp/pulse-* k, 19 | /tmp/pulse-*/* k, 20 | /run/udev/queue.bin r, 21 | /run/systemd/users/* r, 22 | 23 | owner /run/user/*/pulse/* rwk, 24 | 25 | owner @{HOME}/.config/pulse/ rwk, 26 | owner @{HOME}/.config/pulse/** rwk, 27 | owner @{HOME}/.esd_auth r, 28 | 29 | owner /proc/@{pid}/fd/ r, 30 | owner /proc/@{pid}/fd/* r, 31 | owner /proc/@{pid}/mountinfo r, 32 | 33 | /proc/cmdline r, 34 | /proc/sys/kernel/osrelease r, 35 | 36 | /sys/bus/ r, 37 | /sys/class/ r, 38 | /sys/class/sound/ r, 39 | /sys/devices/virtual/dmi/id/*_vendor r, 40 | /sys/devices/**/sound/** r, 41 | /dev/ r, 42 | /dev/input/event* r, # module-mmkbd-evdev 43 | 44 | network tcp, 
45 | network udp, 46 | network bluetooth, 47 | network netlink raw, 48 | 49 | ## Site-local symlinks 50 | /etc/alsa/conf.d/{,*} r, 51 | @{SYS_GIT}/sys/pulse/* r, 52 | @{SYS_GIT}/sys/asound.conf r, 53 | @{SYS_GIT}/sys/secure/pulse.cookie rk, 54 | # No need to ever write new cookies there: 55 | deny /etc/pulse/auth.tcp.cookie w, 56 | deny @{SYS_GIT}/sys/secure/pulse.cookie w, 57 | 58 | ## Gstreamer and TLS is checked from bluez rtp module, not needed here 59 | deny /usr/lib/gstreamer-*/gst-plugin-scanner x, 60 | deny @{HOME}/.cache/gstreamer-*/** rw, 61 | deny /etc/ssl/** r, 62 | deny /etc/gnutls/** r, 63 | } 64 | -------------------------------------------------------------------------------- /profiles/skypeforlinux: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | profile skypeforlinux /usr/share/skypeforlinux/skypeforlinux { 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | /usr/share/skypeforlinux/** kmr, 17 | /usr/share/skypeforlinux/skypeforlinux ix, 18 | 19 | owner @{HOME}/.config/skypeforlinux/ rw, 20 | owner @{HOME}/.config/skypeforlinux/** krwm, 21 | owner @{HOME}/[dD]ownload{,s}/** k, 22 | 23 | capability sys_admin sys_chroot sys_ptrace, 24 | signal (receive) peer=unconfined, 25 | deny signal (send) peer=unconfined, 26 | 27 | /proc/ r, 28 | /proc/vmstat r, 29 | /proc/sys/fs/inotify/max_user_watches r, 30 | /proc/@{pid}/stat r, 31 | owner /proc/@{pid}/fd/ r, 32 | owner /proc/@{pid}/setgroups w, 33 | owner /proc/@{pid}/gid_map w, 34 | owner /proc/@{pid}/uid_map w, 35 | owner /proc/@{pid}/{mem,stat,statm} r, 36 | owner /proc/@{pid}/clear_refs w, 37 | owner /proc/@{pid}/task/ r, 38 | owner /proc/@{pid}/task/@{pid}/stat r, 39 | owner /proc/@{pid}/task/@{pid}/status r, 40 | 41 | /dev/shm/shm-* rwkm, # required for screen sharing 42 | /tmp/.org.chromium.Chromium.*/ rw, 43 | /tmp/.org.chromium.Chromium.*/** rwmk, 
44 | /{run,dev}/shm/.org.chromium.Chromium.* rwkm, 45 | /{run,dev}/shm/org.chromium.Chromium.shmem.* rwkm, 46 | 47 | /dev/ r, 48 | /sys/bus/pci/devices/ r, 49 | /sys/devices/pci[0-9:.]*/**//net/*/speed r, 50 | 51 | deny /dev/video* r, 52 | 53 | deny /etc/passwd rm, 54 | deny /proc/sys/kernel/yama/ptrace_scope r, 55 | deny @{HOME}/.config/autostart/** w, # autostart 56 | deny @{HOME}/.pki/** rw, 57 | deny @{HOME}/.rnd r, 58 | deny /tmp/skypeforlinux*/ rwkm, # crash dumps 59 | deny /tmp/skype-*/ rwkm, # probably locks, doesn't clean these up 60 | 61 | # Platform stats and fingerprinting on startup 62 | # None of these seem to be necessary in any way 63 | deny /dev/pts/* rw, 64 | deny /sys/devices/virtual/tty/tty*/active r, 65 | deny /etc/os-release r, 66 | deny /proc/sys/kernel/random/boot_id r, 67 | deny /usr/bin/locale x, 68 | deny /proc/sys/kernel/ostype r, 69 | deny /proc/sys/kernel/osrelease r, 70 | deny /proc/version r, 71 | deny /sys/devices/pci[0-9:.]*/**/{resource,irq} r, 72 | deny /sys/devices/virtual/dmi/id/board_vendor r, 73 | deny /sys/devices/virtual/dmi/id/product_name r, 74 | deny /etc/issue r, 75 | deny /etc/hostname r, 76 | deny /dev/disk/by-id/ r, 77 | deny /sys/class/net/ r, 78 | deny /sys/devices/virtual/net/** r, 79 | 80 | network tcp, 81 | network udp, 82 | 83 | } 84 | -------------------------------------------------------------------------------- /profiles/tunables/global: -------------------------------------------------------------------------------- 1 | ## Relevant global tunables used in upstream profiles 2 | 3 | @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9]} 4 | @{tid}=@{pid} 5 | @{PROC}=/proc/ 6 | @{HOMEDIRS}=/home/ 7 | @{HOME}=@{HOMEDIRS}/*/ /root/ 8 | 9 | @{XDG_DESKTOP_DIR}="Desktop" 10 | @{XDG_DOWNLOAD_DIR}="Downloads" 11 | @{XDG_TEMPLATES_DIR}="Templates" 12 | @{XDG_PUBLICSHARE_DIR}="Public" 13 | 
@{XDG_DOCUMENTS_DIR}="Documents" 14 | @{XDG_MUSIC_DIR}="Music" 15 | @{XDG_PICTURES_DIR}="Pictures" 16 | @{XDG_VIDEOS_DIR}="Videos" 17 | 18 | 19 | ## Site-local tunables 20 | 21 | # "dotfiles" git repo 22 | @{HOME_GIT}=@{HOME}/hatch/cFG/ 23 | 24 | # Have ~/bin path symlinked to a git repo, hence the abstraction 25 | @{HOME_BIN}=@{HOME}/bin/ @{HOME_GIT}/bin/ 26 | 27 | # "system-wide configs" git repo 28 | @{SYS_GIT}=/etc/core/ 29 | -------------------------------------------------------------------------------- /profiles/waterfox: -------------------------------------------------------------------------------- 1 | # For waterfox-current 2 | # See also https://github.com/mk-fg/waterfox 3 | 4 | #include 5 | 6 | profile waterfox /usr/lib/waterfox/waterfox { 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | /usr/lib/waterfox/waterfox cix, # tabs 22 | @{HOME}/.waterfox/url-handler cUx, # dispatcher for magnet: and such 23 | 24 | / r, 25 | /usr/lib/waterfox/** rm, 26 | 27 | /etc/mime.types r, 28 | /usr/share/glib-2.0/schemas/gschemas.compiled r, 29 | /usr/share/applications/screensavers/ r, 30 | 31 | # Special binary used with browser.runtime.sendNativeMessage API from new-tab ext 32 | @{HOME}/.waterfox/fs-access-check cix, 33 | deny /etc/motd r, # common file used for fs-access-check, should be silent-denied 34 | 35 | deny capability sys_admin, 36 | deny capability sys_chroot, 37 | deny capability sys_ptrace, 38 | deny /etc/os-release r, # probably just to display somewhere 39 | 40 | signal (receive) peer=unconfined, 41 | deny signal (send) peer=unconfined, 42 | 43 | owner @{HOME}/.waterfox/{,**} rwkm, 44 | 45 | # Tries to import/use chromium "Local State" and "Top Sites" db 46 | deny @{HOME}/.config/chromium/** rw, 47 | deny @{HOME}/.mozilla/{,**} rw, 48 | 49 | owner @{HOME}/.cache/waterfox/{,**} rwkm, 50 | 51 | owner /proc/@{pid}/fd/ r, 52 | 
owner /proc/@{pid}/{cgroup,mountinfo,statm,smaps} r, 53 | owner /proc/@{pid}/task/@{pid}/stat r, 54 | /proc/@{pid}/net/arp r, 55 | /proc/@{pid}/{setgroups,uid_map,gid_map} rw, 56 | deny /proc/[0-9]*/oom_{,score_}adj rw, 57 | 58 | owner /run/user/[0-9]*/dconf/user rw, 59 | 60 | /dev/ r, 61 | /dev/shm/org.chromium.* rwkm, 62 | /dev/shm/org.mozilla.ipc.* rwkm, 63 | 64 | # Must use TMPDIR=/tmp/waterfox/ env to have it store all its stuff there 65 | # Otherwise it creates a lot of different non-descriptive files/dirs in /tmp root 66 | /tmp/waterfox/{,**} rwk, 67 | /tmp/BrowserWorks*-cachePurge-* rwk, # might be waterfox-specific bug 68 | 69 | # GPU identification 70 | /sys/bus/pci/devices/ r, 71 | /sys/devices/pci[0-9:.]*/[0-9:.]*/** r, 72 | 73 | # fido2 usb device access, can be tested via https://webauthn.io/ 74 | /sys/devices/system/cpu/present r, 75 | /run/udev/data/* r, 76 | /sys/devices/pci*/ r, 77 | /sys/devices/pci*/*/ r, 78 | /sys/devices/pci*/*/usb*/ r, 79 | /sys/devices/pci*/*/usb*/**/uevent r, 80 | /sys/{bus,class,class/hidraw}/ r, 81 | /sys/class/hidraw/hidraw* r, 82 | /dev/hidraw* rw, 83 | 84 | # File selection dialogs 85 | deny @{HOME} r, 86 | deny @{HOME}/.local/share/gvfs-metadata/** r, 87 | deny /usr/share/gvfs/** r, 88 | /etc/fstab r, 89 | /run/mount/utab r, 90 | 91 | # TCP/UDP should be enough 92 | network tcp, 93 | network udp, 94 | 95 | # Unnecessary/undesirable access 96 | deny /usr/lib/waterfox/plugin-container x, 97 | deny /dev/video* r, 98 | 99 | 100 | ### Runs glxtest/vaapitest/etc to check GPU APIs 101 | 102 | /usr/lib/waterfox/glxtest cx -> glxtest, 103 | profile glxtest { 104 | #include 105 | #include 106 | #include 107 | #include 108 | 109 | # Inherited lock-fds, might be just leaks 110 | @{HOME}/.waterfox/*/.parentlock w, 111 | /tmp/waterfox/*/.parentlock w, 112 | 113 | /sys/bus/pci/devices/ r, 114 | /sys/devices/pci[0-9:.]*/[0-9:.]*/** r, 115 | 116 | /etc/passwd r, 117 | /etc/nsswitch.conf r, 118 | owner 
@{HOME}/.cache/mesa_shader_cache/{,**} rwk, 119 | owner @{HOME}/.cache/mesa_shader_cache_db/{,**} rwk, 120 | /proc/sys/dev/i915/perf_stream_paranoid r, 121 | } 122 | 123 | /usr/lib/waterfox/vaapitest cx -> vaapitest, 124 | profile vaapitest { 125 | #include 126 | #include 127 | 128 | # Inherited lock-fds, might be just leaks 129 | @{HOME}/.waterfox/*/.parentlock w, 130 | /tmp/waterfox/*/.parentlock w, 131 | 132 | /sys/devices/pci[0-9:.]*/[0-9:.]*/** r, 133 | network netlink raw, # not sure what for here 134 | 135 | owner @{HOME}/.cache/waterfox/{,**} rwkm, 136 | } 137 | 138 | } 139 | -------------------------------------------------------------------------------- /scripts/apparmor_init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | enabled_conf=/etc/apparmor/enabled.conf 4 | profiles_dir=/etc/apparmor.d 5 | profiles_dir_local=/etc/apparmor.local 6 | profiles_sysfs=/sys/kernel/security/apparmor/profiles 7 | cache_dir=/var/lib/apparmor 8 | err=0 9 | 10 | mkdir -p -m700 "$cache_dir" 11 | chown root: "$cache_dir" 12 | chmod 700 "$cache_dir" 13 | cache=( --cache-loc "$cache_dir" --write-cache ) 14 | abi=( --override-policy-abi "$profiles_dir"/abstractions/abi ) 15 | 16 | while read p; do 17 | [[ -e "$profiles_dir_local"/"$p" ]] \ 18 | && cd "$profiles_dir_local" || cd "$profiles_dir" 19 | apparmor_parser "${cache[@]}" "${abi[@]}" -r "$p" >&2 || err=1 20 | done < "$enabled_conf" 21 | 22 | if [[ -e "$profiles_sysfs" ]]; then 23 | enforce=() 24 | while read bin 25 | do enforce=( ${enforce[@]} $(bash -c "ls -1d $bin" 2>/dev/null) ) # bash is for wildcards 26 | done < <(awk '!/\s+\(enforce\)$/ {print $1}' "$profiles_sysfs") 27 | for p in "${enforce[@]}"; do aa-enforce "$p" >/dev/null; done 28 | 29 | awk '!/\s+\(enforce\)$/ {exit 1}' "$profiles_sysfs" \ 30 | || { echo >&2 "ERROR: non-enforced profiles are detected"; exit 1; } 31 | fi 32 | 33 | exit $err 34 | 
-------------------------------------------------------------------------------- /scripts/enabled.conf: -------------------------------------------------------------------------------- 1 | pulseaudio 2 | skype 3 | firefox 4 | wine 5 | -------------------------------------------------------------------------------- /scripts/parse-logs: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os, sys, re, pathlib as pl 4 | 5 | def iter_log_lines(files): 6 | if not files: yield from sys.stdin; return 7 | for p in files: 8 | with pl.Path(p).open() as src: yield from src 9 | 10 | def match_attr(name, line): 11 | if m := re.search(name + r'="([^"]+)"', line): return m[1] 12 | 13 | def main(argv=None): 14 | import argparse, textwrap 15 | dd = lambda text: re.sub( r' \t+', ' ', 16 | textwrap.dedent(text).strip('\n') + '\n' ).replace('\t', ' ') 17 | parser = argparse.ArgumentParser( 18 | formatter_class=argparse.RawTextHelpFormatter, 19 | usage='%(prog)s [opts] [[--] file...]', 20 | description='Parse apparmor audit log lines' 21 | ' to something readable and suitable for "sort -u".') 22 | parser.add_argument('log_file', nargs='*', 23 | help='File(s) with apparmor logging to process. 
None - use stdin.') 24 | opts = parser.parse_args(sys.argv[1:] if argv is None else argv) 25 | 26 | for line in iter_log_lines(opts.log_file): 27 | # 2024-02-03T20:25:22.438729+05:00 kern.notice kernel[-]: [538406.040879] 28 | # audit: type=1400 audit(1706973922.437:997): apparmor="AUDIT" operation="getattr" 29 | # class="file" profile="chromium-wrapper//chromium" name="/sys/devices/virtual/dmi/id/" 30 | # pid=564554 comm="ThreadPoolForeg" requested_mask="r" fsuid=1000 ouid=0 31 | if not ((m := re.search( 32 | r'(?:^|\s)\[[ \d]+\.\d+\] audit: (.*)', line )) and (line := m[1])): continue 33 | print(' '.join( (match_attr(k, line) or '-') for k in 34 | 'profile class operation name requested_mask'.split() )) 35 | 36 | if __name__ == '__main__': 37 | try: sys.exit(main()) 38 | except BrokenPipeError: # stdout pipe closed 39 | os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno()) 40 | sys.exit(1) 41 | -------------------------------------------------------------------------------- /server/abstractions: -------------------------------------------------------------------------------- 1 | ../profiles/abstractions -------------------------------------------------------------------------------- /server/cgit: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | profile cgit /usr/lib/cgit/cgit.cgi { 4 | /usr/lib/** rm, 5 | /etc/ld.so.* r, 6 | /dev/null rw, 7 | /usr/share/webapps/cgit/** r, 8 | /usr/share/zoneinfo/** r, 9 | 10 | /etc/cgitrc r, 11 | /srv/scm/git/repositories/** r, 12 | /usr/lib/cgit/filters/about-formatting.sh Ux, 13 | /etc/cgit.banner.html r, 14 | 15 | network unix, 16 | 17 | signal (receive) peer=unconfined, 18 | 19 | /usr/bin/zstd cx -> packer, 20 | /usr/bin/gzip cx -> packer, 21 | profile packer { 22 | /usr/bin/{gzip,zstd} rm, 23 | /usr/lib/** rm, 24 | /etc/ld.so.* r, 25 | /sys/devices/system/cpu/online r, 26 | } 27 | } 28 | 
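The audit-line format quoted in the parse-logs comment above, taken one step further as an added example (not code from the apparmor-profiles repo): it keeps every key=value attribute, skips apparmor="AUDIT" records (already permitted by an audited rule), and merges the requested_mask bits of repeated DENIED/ALLOWED records into candidate rule lines per profile. The sample log lines and the file/capability/network mapping are constructed for this example; profile names and paths match those used in the repo's profiles.

```python
"""Turn AppArmor kernel audit lines into candidate profile rules.

Added example, not part of the apparmor-profiles repo. Records with
apparmor="DENIED" (enforce mode) and apparmor="ALLOWED" (complain mode)
both describe access the profile does not grant; explicit "deny" rules
in a profile also log DENIED, so every candidate line still needs review.
"""
import re
from collections import defaultdict

# Same prefix match that scripts/parse-logs uses for the kernel audit payload.
AUDIT_RE = re.compile(r'(?:^|\s)\[[ \d]+\.\d+\] audit: (.*)')
# key="quoted value" or key=bare_value; quoted values may contain spaces.
ATTR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# File-mask letter order used by the rules in this repo (e.g. "rwlkmx").
MASK_ORDER = 'rwlkmx'

# Constructed sample lines in the syslog format shown in parse-logs.
SAMPLE_LOG = [
    # Two denials of the same file with different masks, merged below into "rw"
    'kernel: [538406.040879] audit: type=1400 audit(1706973922.437:997): apparmor="DENIED" operation="open" class="file" profile="chromium-wrapper//chromium" name="/sys/devices/virtual/dmi/id/product_name" pid=564554 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: [538406.040901] audit: type=1400 audit(1706973922.437:998): apparmor="DENIED" operation="open" class="file" profile="chromium-wrapper//chromium" name="/sys/devices/virtual/dmi/id/product_name" pid=564554 comm="chromium" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    # Access already granted by an "audit" rule: logged, but nothing to add
    'kernel: [538406.040910] audit: type=1400 audit(1706973922.437:999): apparmor="AUDIT" operation="getattr" class="file" profile="chromium-wrapper//chromium" name="/sys/devices/virtual/dmi/id/" pid=564554 comm="ThreadPoolForeg" requested_mask="r" fsuid=1000 ouid=0',
    # Denied capability use (CAP_SYS_PTRACE is 19)
    'kernel: [538410.100000] audit: type=1400 audit(1706973926.100:1000): apparmor="DENIED" operation="capable" class="cap" profile="skypeforlinux" pid=570001 comm="skypeforlinux" capability=19 capname="sys_ptrace"',
    # Complain-mode profile: access was allowed but logged
    'kernel: [538420.200000] audit: type=1400 audit(1706973936.200:1001): apparmor="ALLOWED" operation="open" class="file" profile="waterfox" name="/etc/os-release" pid=580002 comm="waterfox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Denied socket creation; note the quoted comm value containing a space
    'kernel: [538420.300000] audit: type=1400 audit(1706973936.300:1002): apparmor="DENIED" operation="create" class="net" profile="waterfox" pid=580002 comm="Socket Thread" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"',
    # Denied exec, which an explicit "deny ... x" rule in the profile produces too
    'kernel: [538430.400000] audit: type=1400 audit(1706973946.400:1003): apparmor="DENIED" operation="exec" class="file" profile="brave" name="/usr/bin/xdg-settings" pid=590003 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # Unrelated kernel line, ignored
    'kernel: [538440.500000] usb 1-1: new full-speed USB device number 5 using xhci_hcd',
]


def parse_audit_line(line):
    """Return a dict of audit attributes, or None for non-AppArmor lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    attrs = {}
    for a in ATTR_RE.finditer(m[1]):
        attrs[a[1]] = a[2] if a[2] is not None else a[3]
    if attrs.get('type') != '1400' or 'apparmor' not in attrs:
        return None
    return attrs


def rule_key(rec):
    """Map a record to (kind, subject, mask); None for classes not handled here."""
    cls = rec.get('class')
    if cls == 'file' and 'name' in rec:
        return 'file', rec['name'], rec.get('requested_mask', '')
    if cls == 'cap' and 'capname' in rec:
        return 'capability', rec['capname'], ''
    if cls == 'net' and 'family' in rec:
        return 'network', f"{rec['family']} {rec.get('sock_type', '')}".strip(), ''
    return None


def collect_rules(lines):
    """Return ({profile: {(kind, subject): set(mask chars)}}, {status: count})."""
    rules = defaultdict(lambda: defaultdict(set))
    counts = defaultdict(int)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        status = rec['apparmor']
        counts[status] += 1
        if status == 'AUDIT':  # permitted already, only logged because of "audit"
            continue
        key = rule_key(rec)
        if key is None:
            continue
        kind, subject, mask = key
        rules[rec['profile']][(kind, subject)].update(mask)
    return rules, dict(counts)


def fmt_mask(mask):
    """Order mask letters like the repo's rules; unknown letters go last."""
    known = ''.join(c for c in MASK_ORDER if c in mask)
    return known + ''.join(sorted(set(mask) - set(MASK_ORDER)))


def render_rules(rules):
    """Render candidate rule lines grouped by profile (tab-indented like the profiles)."""
    out = []
    for profile in sorted(rules):
        out.append(f'profile {profile}:')
        for (kind, subject), mask in sorted(rules[profile].items()):
            if kind == 'file':
                out.append(f'\t{subject} {fmt_mask(mask)},')
            else:
                out.append(f'\t{kind} {subject},')
    return out


if __name__ == '__main__':
    rules, counts = collect_rules(SAMPLE_LOG)
    print('records by status:', counts)
    print('\n'.join(render_rules(rules)))
```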
--------------------------------------------------------------------------------
/server/innd:
--------------------------------------------------------------------------------
#include

profile innd /usr/local/bin/exec-innd {
	/usr/local/bin/exec-innd rm,

	/usr/bin/innernet-server ix,
	/usr/bin/innernet-server rm,
	/etc/innernet-server/ rw,
	/etc/innernet-server/* rw,
	/var/lib/innernet-server/ rw,
	/var/lib/innernet-server/* rwlk,

	# Runs within same profile to work with NoNewPrivileges=yes
	/usr/bin/ip ix,
	/usr/bin/ip rm,

	/usr/lib/** rm,
	/etc/ld.so.* r,
	/dev/urandom r,
	/dev/null rw,
	owner /proc/@{pid}/{maps,cgroup,mountinfo} r,

	network inet,
	network inet6,
	network netlink raw,
	network netlink dgram,
	network unix, # systemd journal stdout/stderr

	capability net_admin,
	signal (receive) peer=unconfined,
}
--------------------------------------------------------------------------------
/server/ndppd:
--------------------------------------------------------------------------------
#include

profile ndppd /usr/bin/ndppd {
	/usr/bin/ndppd rm,
	/etc/ndppd.conf r,

	/usr/lib/** rm,
	/etc/ld.so.* r,
	/proc/@{pid}/net/ipv6_route r,

	network inet6 raw,
	network inet6 dgram,
	network packet raw,
	network unix, # systemd journal stdout/stderr

	capability net_raw net_admin,
	signal (receive) peer=unconfined,
}
--------------------------------------------------------------------------------
/server/nginx:
--------------------------------------------------------------------------------
#include

profile nginx /usr/bin/nginx {
	#include
	#include

	/etc/nginx/** r,
	/etc/ssl/** r,
	/etc/core/** r, # site-local config dir

	/run/nginx.pid rwk,
	/var/{log,lib,cache}/nginx/** rwmk,
	/run/uwsgi/** rw,

	/usr/share/nginx/html r,
	/usr/share/nginx/html/** r,
	/srv/www/{,**} r,
	/var/empty/{,**} r,

	# Checks for lot of capabilities on start, fails if check is denied
	capability dac_read_search dac_override net_bind_service setuid setgid,
	/proc/sys/kernel/random/boot_id r,

	# systemd modules in nsswitch.conf
	deny /proc/sys/kernel/osrelease r,
	deny /proc/1/environ r,
	deny /proc/cmdline r,

	network tcp,
	network udp,
	network icmp,
}
--------------------------------------------------------------------------------
/server/rsyslog:
--------------------------------------------------------------------------------
#include

profile rsyslog /usr/bin/rsyslogd {
	/usr/bin/rsyslogd rm,
	/usr/bin/rsyslogd ix,

	/etc/{,core/sys/watch/}rsyslog*.conf r,
	/var/spool/rsyslog/* rwk,
	/var/log/{syslog,processing}/** rwk,
	signal peer=rsyslog,

	# Client-side syslog access
	capability syslog sys_admin,
	capability dac_read_search dac_override, # checks on start
	/proc/kmsg r,

	# PrivDropToUserID / PrivDropToGroupID
	capability setuid setgid,
	/etc/{passwd,group} r,
	/run/systemd/userdb/ r,
	/proc/sys/kernel/osrelease r,
	/proc/sys/vm/overcommit_memory r,
	/proc/sys/net/ipv6/conf/all/disable_ipv6 r,
	/proc/{,1/}cmdline r,
	/proc/sys/kernel/random/boot_id r,
	deny /proc/1/environ r, # systemd in nsswitch

	/etc/{ld.so.*,hosts} r,
	/etc/{nsswitch,resolv,host,gai}.conf r,
	/etc/dns{,.resolv}/* r,
	/etc/gnutls/config r,
	/usr/share/zoneinfo/** r,
	/usr/lib/** rm,

	/dev/urandom r,
	/run/host/container-manager r,
	owner /proc/@{pid}/status r,

	signal (receive) peer=unconfined,
	network inet tcp, network inet udp,
	network inet6 tcp, network inet6 udp,
	network unix, # systemd journal stdout/stderr
}
--------------------------------------------------------------------------------
/server/rsyslog-sink:
--------------------------------------------------------------------------------
#include

profile rsyslog-sink /usr/local/bin/exec-rsyslog-sink {
	/usr/local/bin/exec-rsyslog-sink rm,

	/usr/bin/rsyslogd rm,
	/usr/bin/rsyslogd ix,

	/etc/rsyslog.sink.conf r,
	/etc/gnutls/config r,
	/var/spool/rsyslog-sink/* rwk,
	/srv/log-sink/** rwk,
	signal peer=rsyslog-sink,

	deny network netlink, # routes for getaddrinfo()

	/etc/{ld.so.*,hosts} r,
	/etc/{nsswitch,resolv,host,gai}.conf r,
	/etc/dns{,.resolv}/* r,
	/etc/gnutls/config r,
	/usr/share/zoneinfo/** r,
	/usr/lib/** rm,

	/dev/urandom r,
	/run/host/container-manager r,
	owner /proc/@{pid}/status r,

	signal (receive) peer=unconfined,
	network inet tcp, network inet udp,
	network inet6 tcp, network inet6 udp,
	network unix, # systemd journal stdout/stderr
}
--------------------------------------------------------------------------------
/server/transmission:
--------------------------------------------------------------------------------
#include

profile transmission /usr/bin/transmission-daemon {
	#include
	#include
	#include
	#include

	/srv/p2p/bt rwkm,
	/srv/p2p/bt/** rwkm,
	/srv/p2p/scripts/transmission-*.sh Ux,
	/tmp/tr_session_id_* rwk,

	owner /proc/@{pid}/mounts r,
	/proc/sys/net/ipv6/conf/all/disable_ipv6 r,

	network inet tcp, network inet udp,
	network inet6 tcp, network inet6 udp,
}
--------------------------------------------------------------------------------
/server/tunables:
--------------------------------------------------------------------------------
../profiles/tunables
--------------------------------------------------------------------------------