commit: 14fe01d46bc886a61cf62d84c3be8c5b84a1ffaa
parent 4ab737502cffb1b426a36655f669f06ba4cb1c6c
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 15 Apr 2020 13:32:36 +0200
Start adding own files
Diffstat:
12 files changed, 353 insertions(+), 0 deletions(-)
diff --git a/bin.dmesg b/bin.dmesg
@@ -0,0 +1,17 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/bin/dmesg {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+
+ /bin/dmesg mr,
+
+ capability syslog,
+
+ /etc/terminfo/** r,
+
+ /dev/kmsg r,
+}
diff --git a/bin.su b/bin.su
@@ -0,0 +1,26 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/bin/su {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/authentication>
+
+ audit deny network,
+
+ /bin/su mr,
+
+ /{usr/,}bin/*sh rmpx,
+ /usr/bin/xauth rmpx,
+
+ /etc/environment r,
+ /etc/shells r,
+ /run/utmp rk,
+
+ capability setuid,
+ capability setgid,
+
+ @{PROC}/@{pid}/loginuid r,
+}
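Review bot: `/usr/bin/xauth rmpx,` requires a profile attached to /usr/bin/xauth, and none is added in this commit; because this profile carries no complain flag, a `px` whose target profile does not exist makes the exec fail outright instead of falling back. If xauth has no profile yet, `/usr/bin/xauth rix,` (or `rpux,` to fall back to unconfined) keeps su usable until one is written. The `m` in `rmpx` on both exec lines is also unusual next to `px`: it lets su itself map the target with PROT_EXEC, which a profile transition does not need, so `rpx` is presumably what was meant — confirm from the complain-mode log.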
diff --git a/global b/global
@@ -0,0 +1,20 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile global /** (complain) {
+ #include <abstractions/private-files-strict>
+
+ / rwlk,
+ /** rwlkmpux,
+
+ mount,
+
+ # AppArmor 3.0 TODO: Deny listen
+ network,
+
+ dbus,
+
+ ptrace,
+}
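Review bot: A header comment stating what this profile is for is missing: with `/**` as attachment it is picked up by every executable that has no more specific profile, `/** rwlkmpux,` grants full filesystem access with unconfined fallback on exec (`pux`), and `mount,`, `network,`, `dbus,` and `ptrace,` are unrestricted, so it only makes sense as a complain-mode discovery net and grants everything the moment it is switched to enforce. Suggested comment above the profile line: `# Catch-all for unprofiled executables, complain-mode only: logs accesses, grants everything.` The flag spelling also differs across the new files — `(complain)` here and in sbin.apparmor_parser, `flags=(complain)` in shell and usr.bin.gpg; both parse, but one form should be used throughout.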
diff --git a/header.txt b/header.txt
@@ -0,0 +1,3 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
diff --git a/lib.rc.sh.openrc-run.sh b/lib.rc.sh.openrc-run.sh
@@ -0,0 +1,19 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/{lib/rc/sh/openrc-run.sh,sbin/openrc-run} {
+ / rwlk,
+ /** rwlkmpux,
+
+ audit deny network,
+
+ audit deny @{HOME}/{,**} mrwkl,
+
+ signal receive,
+ signal send,
+
+ capability mac_admin,
+ capability dac_override,
+}
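Review bot: `capability mac_admin,` together with `/** rwlkmpux,` (which covers `rw` on /sys/kernel/security/apparmor/) lets anything running directly under this profile load or replace AppArmor policy, so the reason it is needed should be recorded on that line. If it is only there for the apparmor service's `apparmor_parser` call, that binary transitions via `pux` to its own profile added in this commit, which already carries `mac_admin`, and the capability can presumably be dropped here — confirm against the init scripts. `signal send,` without a peer is likewise unrestricted; acceptable for the service runner, but worth a comment. This is also the only profile in the commit without `#include <abstractions/base>`, probably intentional given `/** rwlkmpux,`, but a one-line comment would spare the next reader the question.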
diff --git a/sbin.apparmor_parser b/sbin.apparmor_parser
@@ -0,0 +1,24 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /sbin/apparmor_parser (complain) {
+ #include <abstractions/base>
+
+ /sbin/apparmor_parser mr,
+
+ capability mac_admin,
+
+ allow /etc/apparmor/ r,
+ allow /etc/apparmor/** r,
+ allow /etc/apparmor.d/ r,
+ allow /etc/apparmor.d/** r,
+
+ allow /sys/kernel/security/apparmor/ rw,
+ allow /sys/kernel/security/apparmor/** rw,
+
+ allow /proc/sys/kernel/osrelease r,
+
+ allow @{PROC}/@{pid}/mounts r,
+}
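Review bot: `allow /proc/sys/kernel/osrelease r,` hard-codes /proc while the line below uses `@{PROC}/@{pid}/mounts`; write it as `allow @{PROC}/sys/kernel/osrelease r,` for consistency with the tunable, as the other profiles do. The first rule, `/sbin/apparmor_parser mr,`, is also the only one here without the explicit `allow` prefix the rest of the profile uses. Note that the parser writes a binary policy cache when caching is enabled (location set in the parser configuration); nothing here grants that write, so expect denials in the log before this profile leaves complain mode — confirm against the installed cache settings.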
diff --git a/shell b/shell
@@ -0,0 +1,34 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile shell /{,usr/}bin/*sh flags=(complain) {
+ / rwlk,
+ /** rwlkmpux,
+
+ audit deny network,
+
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/{,**} mrwkl,
+ audit deny @{HOME}/.mutt** mrwkl,
+ audit deny @{HOME}/.viminfo** mrwkl,
+
+ allow @{HOME}/.ssh/agent.pid r,
+
+ allow @{HOME}/.*shrc rwlkmpux,
+ allow @{HOME}/.*profile rwlkmpux,
+ allow @{HOME}/.*log{in,out} rwlkmpux,
+ allow @{HOME}/.*history rwlkmpux,
+
+ # bash
+ allow @{HOME}/.inputrc mrk,
+ allow @{HOME}/.bash* mrk,
+
+ # zsh
+ allow @{HOME}/.zshenv rwlkmpux,
+
+ signal receive,
+}
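Review bot: `allow @{HOME}/.ssh/agent.pid r,` is never effective because `audit deny @{HOME}/.ssh/{,**} mrwkl,` above it matches the same path, and AppArmor gives deny rules precedence over allow rules regardless of order. The remaining `allow` lines for rc/profile/history files are also redundant with `/** rwlkmpux,` at the top, which already grants those permissions, so they act as documentation at best. If agent.pid really must stay readable, the `.ssh` deny has to be narrowed so it no longer matches that file — an allow cannot carve a hole out of a deny. A comment such as `# /** above already grants everything; the allow lines below only document expected accesses` would make the intent clear.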
diff --git a/usr.bin.badwolf b/usr.bin.badwolf
@@ -0,0 +1,84 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+# BadWolf: Minimalist and privacy-oriented WebKitGTK+ browser
+# Copyright © 2019-2020 Badwolf Authors <https://hacktivis.me/projects/badwolf>
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Made on Gentoo Linux with PREFIX=/usr
+#include <tunables/global>
+
+/usr/bin/badwolf {
+ #include <abstractions/enchant>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ # #include <abstractions/uim>
+ #include <abstractions/private-files-strict>
+
+ /usr/bin/badwolf mr,
+ /usr/bin/bwrap Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess Cx,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner @{HOME}/.local/share/badwolf/ r,
+ owner @{HOME}/.local/share/badwolf/** r,
+
+ deny @{HOME}/.local/share/webkitgtk/** rwmlk,
+
+ / r,
+ /** r,
+
+ # #include <local/usr.bin.badwolf>
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess mr,
+ /** r,
+ owner /** w,
+ }
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitWebProcess {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ # #include <abstractions/gstreamer>
+ #include <abstractions/audio>
+ #include <abstractions/mesa>
+ #include <abstractions/dri-common>
+ #include <abstractions/dri-enumerate>
+
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess mr,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/passwd r,
+ /etc/group r,
+ /etc/nsswitch.conf r,
+ /dev/ r,
+
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/ r,
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/** mr,
+ }
+
+ profile /usr/bin/bwrap {
+ #include <abstractions/base>
+
+ deny capability sys_admin,
+
+ /usr/bin/bwrap mr,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/kernel/overflowgid r,
+ owner @{PROC}/@{pid}/fd/ r,
+ }
+}
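Review bot: The `/usr/bin/bwrap` child profile (last block of the hunk) has no exec rule, and the parent reaches it via `Cx` with no `i` fallback, so under enforcement bwrap runs with nothing but `/usr/bin/bwrap mr,` and every execve it attempts is denied. bwrap's sole purpose is to exec something inside a sandbox; if WebKitGTK's bubblewrap sandbox is enabled on this build it launches the Web/Network processes through bwrap and those launches will fail — confirm whether the sandbox is active, and if so add named transitions from the bwrap child to the two WebKit child profiles (`px -> profile` syntax), since they are not reachable by a plain `px`. If the sandbox is disabled, a comment on the child such as `# bwrap is not expected to exec anything: WebKit sandbox disabled` records that. Separately, the WebKitNetworkProcess child's `/** r,` plus `owner /** w,` make it the most permissive process in the set despite handling all remote traffic; only the private-files-strict denies narrow it, which deserves a comment.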
diff --git a/usr.bin.gpg b/usr.bin.gpg
@@ -0,0 +1,62 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/bin/gpg{,2} flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+
+ /{,**} rw,
+
+ /usr/bin/gpg{,2} mr,
+ /dev/tty rw,
+
+ /usr/bin/gpg-agent mrix,
+ /usr/libexec/scdaemon mrcx,
+ /usr/bin/pinentry-qt mrcx,
+
+ @{HOME}/.gnupg/{,**} mrwkl,
+
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/{,**} mrwkl,
+ audit deny @{HOME}/.mutt** mrwkl,
+ audit deny @{HOME}/.viminfo** mrwkl,
+
+ signal receive peer=/usr/bin/gpg{,2}///usr/libexec/scdaemon,
+
+ network,
+
+ profile /usr/libexec/scdaemon {
+ #include <abstractions/base>
+
+ /usr/libexec/scdaemon mr,
+
+ @{HOME}/.gnupg/S.scdaemon mrwk,
+ @{HOME}/.gnupg/reader_*.status mrwk,
+
+ signal send peer=/usr/bin/gpg{,2},
+
+ @{PROC}/@{pid}/task/** rw,
+ @{PROC}/@{pid}/mountinfo rw,
+
+ /dev/ r,
+ /dev/bus/usb/{,**} rw,
+ /sys/bus/ r,
+ /sys/bus/usb/{,**} rw,
+ /sys/devices/{,**} r,
+ /etc/udev/udev.conf r,
+ /run/udev/data/** r,
+ /sys/class/ r,
+ }
+
+ profile /usr/bin/pinentry-qt {
+ #include <abstractions/base>
+ #include <abstractions/X>
+ #include <abstractions/mesa>
+ #include <abstractions/qt5>
+
+ /usr/bin/pinentry-qt mr,
+ }
+}
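Review bot: In the scdaemon child, `@{PROC}/@{pid}/mountinfo rw,` grants write on a proc file the kernel exposes read-only, and `/sys/bus/usb/{,**} rw,` grants write access to the sysfs USB tree (driver bind/unbind, device authorization), which a smart-card daemon should not need — `r` on both is presumably what is actually exercised; verify from the complain-mode log before enforcing. `/{,**} rw,` in the parent already grants read/write everywhere, so the more specific rules under it only matter as documentation, while the `.ssh`/`.mozilla`/`.config` denies still win because deny takes precedence. `network,` in the parent is unrestricted; modern gpg presumably reaches keyservers through dirmngr rather than directly, so a comment stating why the full grant is kept would help.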
diff --git a/usr.bin.redshift b/usr.bin.redshift
@@ -0,0 +1,30 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+/usr/bin/redshift {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/X>
+
+ owner @{HOME}/.config/redshift.conf r,
+}
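Review bot: The new two-line header declares the file as GPLv2, but the retained original header from Cameron Norman licenses it under GPL version 3 or later; those terms appear inconsistent, so either the top lines should match the upstream licence or the upstream header should be dropped if the profile was rewritten from scratch. Unlike the other files, there is no blank line between `#include <tunables/global>` and the profile header. The profile grants only `owner @{HOME}/.config/redshift.conf r,` beyond the abstractions; newer redshift releases also look for `@{HOME}/.config/redshift/redshift.conf` and a system-wide config, so check the log for denials on those paths — confirm against the packaged version.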
diff --git a/usr.bin.ssh b/usr.bin.ssh
@@ -0,0 +1,19 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/bin/ssh {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/consoles>
+
+ /usr/bin/ssh mr,
+
+ @{HOME}/.ssh/{,**} mrl,
+ /etc/ssh/** mr,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ network,
+}
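Review bot: `@{HOME}/.ssh/{,**} mrl,` gives no write access, and this profile has no complain flag, so ssh is denied when it appends a newly seen host key to known_hosts (and when it rewrites the file for `UpdateHostKeys`), leaving the user re-prompted on every connection; add `owner @{HOME}/.ssh/known_hosts{,.old} rw,` and keep the rest of `.ssh` at `r` — `m` and `l` on key files are not something ssh needs. There is also no exec rule, so `ProxyCommand`, `Match exec` and askpass helpers will fail under enforcement; either add them deliberately or document that they are unsupported. `network,` could be narrowed to `network inet stream,` and `network inet6 stream,` once the log confirms nothing else is used.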
diff --git a/usr.sbin.mtr b/usr.sbin.mtr
@@ -0,0 +1,15 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/sbin/mtr {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability net_raw,
+ network inet raw,
+ network inet6 raw,
+
+ /etc/terminfo/** r,
+}
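Review bot: Since mtr 0.88 the raw-socket work is delegated to a separate `mtr-packet` helper that mtr execs at startup; this profile has no exec rule, so on such a build mtr is denied when spawning the helper and cannot send probes — confirm which version is packaged, and if it uses the helper add an exec rule for it (path per your install, e.g. `/usr/sbin/mtr-packet ix,`, or a `px` to its own profile carrying `capability net_raw,`). `capability net_raw,` is only exercised if the binary (or helper) is setuid or has the file capability; otherwise raw sockets fail anyway, so a comment recording which it is would help. The curses UI needs the tty: `/etc/terminfo/** r,` is here but `#include <abstractions/consoles>`, used for dmesg and gpg in this commit, is not — check the log for /dev/tty or /dev/pts denials.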