commit: d201816fcafc1acccf22ff63c73cd0a779ee15f1
parent a076f713bc866d7fdf6f30b075a2794a1987703b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Mon, 19 Oct 2020 10:13:30 +0200
Fixup badwolf and WebKit, consider bwrap as enough
Diffstat:
3 files changed, 55 insertions(+), 52 deletions(-)
diff --git a/WebKitNetworkProcess b/WebKitNetworkProcess
@@ -0,0 +1,19 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile WebKitNetworkProcess /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess mr,
+ /** r,
+ owner /** w,
+}
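Review bot: `/** r,` together with `owner /** w,` on lines 26–27 gives the network process — the component that terminates untrusted TLS and HTTP connections — read access to the entire filesystem and write access to every file the user owns; `abstractions/private-files-strict` only subtracts a fixed list of well-known sensitive paths, so the rest of the user's data and configuration stays writable from this profile. These two rules were carried over verbatim from the old child profile and were never narrowed, even though a network process normally needs little beyond its cache/data directories and the sockets it opens. Replace `owner /** w,` with a scoped rule along the lines of `owner @{HOME}/.cache/BADWOLF_CACHE_DIR/** rw,` (BADWOLF_CACHE_DIR is a placeholder — confirm the real path, e.g. from `aa-logprof` output) and trim `/** r,` to the reads that actually appear in the log.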
diff --git a/WebKitWebProcess b/WebKitWebProcess
@@ -0,0 +1,29 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/libexec/webkit2gtk-4.0/WebKitWebProcess {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ # #include <abstractions/gstreamer>
+ #include <abstractions/audio>
+ #include <abstractions/mesa>
+ #include <abstractions/dri-common>
+ #include <abstractions/dri-enumerate>
+
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess mr,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/passwd r,
+ /etc/group r,
+ /etc/nsswitch.conf r,
+ /dev/ r,
+
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/ r,
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/** mr,
+}
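Review bot: Unlike usr.bin.badwolf and WebKitNetworkProcess, this profile does not include `abstractions/private-files-strict`, although the web process is the one that parses untrusted page content; adding `#include <abstractions/private-files-strict>` after line 37 keeps the three profiles consistent and denies the same sensitive home files here. The commented-out `# #include <abstractions/gstreamer>` on line 41 gives no reason, so a maintainer cannot tell whether it is a TODO or deliberate; a one-line comment stating why it is disabled would settle that. The profile is also declared as an unnamed path profile while WebKitNetworkProcess uses a named profile with an attachment path; both forms work with the `Px` rules in usr.bin.badwolf, but one style across the repository would be easier to audit.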
diff --git a/usr.bin.badwolf b/usr.bin.badwolf
@@ -9,6 +9,8 @@
#include <tunables/global>
/usr/bin/badwolf {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
#include <abstractions/enchant>
#include <abstractions/gnome>
#include <abstractions/ibus>
@@ -16,9 +18,11 @@
#include <abstractions/private-files-strict>
/usr/bin/badwolf mr,
- /usr/bin/bwrap Cx,
- /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess Cx,
- /usr/libexec/webkit2gtk-4.0/WebKitWebProcess Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess Px,
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess Px,
+
+ # Consider that the bwrap sandbox on itself is enough
+ /usr/bin/bwrap Ux,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
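Review bot: `/usr/bin/bwrap Ux,` on line 79 lets the confined badwolf process run bwrap — a general-purpose launcher that executes whatever command line it is given — fully unconfined, so the restrictions of the badwolf profile end at that exec; anything bwrap then runs is mediated only if a profile attaches to its path, which for `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess` additionally depends on that path being visible unchanged inside bwrap's mount namespace. The comment on line 78 says the bwrap sandbox is considered enough, but bwrap and AppArmor limit different things (namespace/mount isolation vs. file and capability mediation), and the `Px` rule for WebKitWebProcess on line 76 is presumably only exercised when WebKit launches the process without bwrap. If the removed child profile was dropped because its `deny capability sys_admin` broke bwrap, a standalone bwrap profile reached via `/usr/bin/bwrap Px,` that grants what bwrap actually needs and transitions the WebKit binaries with `Px` would keep the whole chain mediated. At minimum, expand the comment to record that `Ux` intentionally ends the browser's own confinement at bwrap, so the trade-off is visible to whoever next edits this profile.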
@@ -32,53 +36,4 @@
/** r,
# #include <local/usr.bin.badwolf>
-
- profile /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess {
- #include <abstractions/base>
- #include <abstractions/nameservice>
- #include <abstractions/ssl_certs>
- #include <abstractions/private-files-strict>
-
- network inet stream,
- network inet6 stream,
-
- /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess mr,
- /** r,
- owner /** w,
- }
-
- profile /usr/libexec/webkit2gtk-4.0/WebKitWebProcess {
- #include <abstractions/base>
- #include <abstractions/fonts>
- #include <abstractions/gnome>
- # #include <abstractions/gstreamer>
- #include <abstractions/audio>
- #include <abstractions/mesa>
- #include <abstractions/dri-common>
- #include <abstractions/dri-enumerate>
-
- /usr/libexec/webkit2gtk-4.0/WebKitWebProcess mr,
-
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/fd/ r,
-
- /etc/passwd r,
- /etc/group r,
- /etc/nsswitch.conf r,
- /dev/ r,
-
- owner @{HOME}/.local/share/badwolf/webkit-web-extension/ r,
- owner @{HOME}/.local/share/badwolf/webkit-web-extension/** mr,
- }
-
- profile /usr/bin/bwrap {
- #include <abstractions/base>
-
- deny capability sys_admin,
-
- /usr/bin/bwrap mr,
- @{PROC}/sys/kernel/overflowuid r,
- @{PROC}/sys/kernel/overflowgid r,
- owner @{PROC}/@{pid}/fd/ r,
- }
}