
badwolf

Minimalist and privacy-oriented WebKitGTK+ browser
commit: b67d402a1b1fefe3b89a2319fea231eeab8ac49a
parent: 2e4298b105fab04e1ac092c99ce5d44dc90823af
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun, 15 Dec 2019 17:58:09 +0100

usr.bin.badwolf: Add AppArmor example file

Diffstat:

MREADME.md2+-
Ausr.bin.badwolf81+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md @@ -36,7 +36,7 @@ Dependencies are: - POSIX make (works with GNU or BSD) - A pkg-config implementation (pkg-config and pkgconf are supported) -Compilation is done with `make`, install with `make install`. +Compilation is done with `make`, install with `make install`. An example AppArmor profile is provided at `usr.bin.badwolf`, please do runtime checks before deploying. ## Notes Most of the privacy/security stuff will be done with patches against WebKit as quite a lot isn’t into [WebKitSettings](https://webkitgtk.org/reference/webkit2gtk/stable/WebKitSettings.html) and with a generic WebKit extension that should be resuseable. diff --git a/usr.bin.badwolf b/usr.bin.badwolf 
@@ -0,0 +1,81 @@
+# BadWolf: Minimalist and privacy-oriented WebKitGTK+ browser
+# Copyright © 2019 Haelwenn (lanodan) Monnier <contact@hacktivis.me>
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Made on Gentoo Linux with PREFIX=/usr
+#include <tunables/global>
+
+/usr/bin/badwolf {
+ #include <abstractions/enchant>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/uim>
+ #include <abstractions/private-files-strict>
+
+ /usr/bin/badwolf mr,
+ /usr/bin/bwrap Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess Cx,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner @{HOME}/.local/share/badwolf/ r,
+ owner @{HOME}/.local/share/badwolf/** r,
+
+ deny @{HOME}/.local/share/webkitgtk/** rwmlk,
+
+ / r,
+ /** r,
+
+ #include <local/usr.bin.badwolf>
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess mr,
+ /** r,
+ owner /** w,
+ }
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitWebProcess {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ #include <abstractions/gstreamer>
+ #include <abstractions/audio>
+ #include <abstractions/mesa>
+ #include <abstractions/dri-common>
+ #include <abstractions/dri-enumerate>
+
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess mr,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/passwd r,
+ /etc/group r,
+ /etc/nsswitch.conf r,
+ /dev/ r,
+
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/ r,
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/** mr,
+ }
+
+ profile /usr/bin/bwrap {
+ #include <abstractions/base>
+
+ deny capability sys_admin,
+
+ /usr/bin/bwrap mr,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/kernel/overflowgid r,
+ owner @{PROC}/@{pid}/fd/ r,
+ }
+}
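Review bot: `owner /** w,` in the WebKitNetworkProcess sub-profile lets the process that handles network traffic write to any file the user owns, apart from whatever `abstractions/private-files-strict` denies. That includes `@{HOME}/.local/share/badwolf/webkit-web-extension/**`, which the WebKitWebProcess sub-profile maps with `mr`, so the two confined processes are joined by a write-then-map path. I would replace the blanket rule with write rules for only the directories that the runtime checks mentioned in the README show the network process using. I would also add `deny @{HOME}/.local/share/badwolf/webkit-web-extension/** w,` to that sub-profile so the extension directory stays read-only to it. The `/** r,` rules in the main profile and the network sub-profile are similarly broad and deserve at least a comment explaining why they are needed.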