feat(full): add default bwrap profiles.

On full system policy, use the new bwrap profile (and bwrap-app) to confine sandboxed application. It is not enabled by default as the sandbox profile is quite large. Also integrate with the gnome app that use bwrap as sandbox manager. Update other related profiles See Full system policy #252
roddhjav · Nov 26, 2023 · e41779f · e41779f
1 parent 3da0ad2
commit e41779f
Show file tree

Hide file tree

Showing 8 changed files with 146 additions and 26 deletions.
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for bwrap.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/bwrap
+profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+  include <abstractions/dbus>
+  include <abstractions/fontconfig-cache-write>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability setpcap,
+  capability sys_admin,
+  capability sys_ptrace,
+  capability sys_resource,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  mount,
+  umount,
+
+  pivot_root oldroot=/newroot/ -> /newroot/,
+  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
+
+  ptrace peer=bwrap//&bwrap-app,
+
+  signal peer=bwrap//&bwrap-app,
+  signal (receive) set=(kill),
+
+  @{bin}/**                         rm,
+  @{lib}/**                         rm,
+  /opt/*/**                         rm,
+  /usr/share/*/*                    rm,
+
+  @{bin}/**                         Px -> bwrap//&bwrap-app,
+  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
+  @{lib}/**                         Px -> bwrap//&bwrap-app,
+  /opt/*/**                         Px -> bwrap//&bwrap-app,
+  /usr/share/*/*                    Px -> bwrap//&bwrap-app,
+
+  /usr/.ref rk,
+
+  /bindfile@{rand6} rw,
+  /newroot/{,**} rw,
+  /tmp/newroot/ w,
+  /tmp/oldroot/ w,
+
+  owner /var/cache/ w,
+
+  owner @{run}/ld-so-cache-dir/* rw,
+
+        @{PROC}/sys/kernel/overflowgid r,
+        @{PROC}/sys/kernel/overflowuid r,
+        @{PROC}/sys/user/max_user_namespaces w,
+  owner @{PROC}/@{pid}/gid_map rw,
+  owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/uid_map rw,
+
+  include if exists <usr/bwrap.d>
+  include if exists <local/bwrap>
+}
diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for user sandboxed application
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+  include <abstractions/fontconfig-cache-write>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  ptrace peer=bwrap//&bwrap-app,
+
+  signal peer=bwrap//&bwrap-app,
+
+  @{bin}/**                       rmix,
+  @{lib}/**                       rmix,
+  /opt/*/**                       rmix,
+  /usr/share/*/*                  rmix,
+
+  owner /var/cache/ w,
+
+  include if exists <usr/bwrap-app.d>
+  include if exists <local/bwrap-app>
+}
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
@@ -16,15 +16,18 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/consoles>
   include <abstractions/dbus-session>
   include <abstractions/dconf-write>
-  include <abstractions/deny-sensitive-home>
+  include <abstractions/devices-usb>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
   include <abstractions/gnome>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/opencl-mesa>
+  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
+  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
   include <abstractions/video>
   include <abstractions/vulkan>
   include <abstractions/zsh>
@@ -41,8 +44,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   signal (receive) set=(hup),
 
-  @{bin}/{,**} r,
-  @{bin}/bwrap           rPx -> default-bwrap,
+  @{bin}/bwrap           rPx -> bwrap,
   @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
   @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
   @{bin}/su              rPx -> default-sudo,
@@ -55,26 +57,30 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{bin}/exo-open        rPx -> child-open,
   @{bin}/xdg-open        rPx -> child-open,
+  @{lib}/gio-launch-desktop rPx -> child-open,
 
   audit @{bin}/**        Pix,
   audit @{lib}/**        Pix,
   audit /opt/*/**        Pix,
   audit /usr/share/*/*   Pix,
 
+  @{bin}/{,**} r,
+  @{lib}/{,**} r,
   /usr/share/** r,
 
   /etc/xdg/** r,
+  /etc/gnutls/config r,
 
   # Full access to user's data
   / r,
   /*/ r,
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rwl,
-  owner @{HOME}/{,**} rwl,
+  owner @{HOME}/{,**} rwlk,
   owner @{run}/user/@{uid}/{,**} rw,
-  owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/**,
-  owner @{user_share_dirs}/** rwkl -> @{user_share_dirs}/**,
+  owner @{user_config_dirs}/** rwkl,
+  owner @{user_share_dirs}/** rwkl,
   owner /tmp/{,**} rwk,
 
   owner @{run}/user/@{uid}/{,**} rw,
@@ -86,16 +92,22 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
+  @{sys}/ r,
   @{sys}/bus/ r,
+  @{sys}/bus/pci/devices/ r,
   @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/class/hidraw/ r,
   @{sys}/class/input/ r,
+  @{sys}/class/power_supply/ r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+  @{sys}/devices/**/input/input@{int}/ r,
+  @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/firmware/acpi/pm_profile r,
-
-  @{sys}/devices/**/uevent r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 
-        @{PROC}/@{pid}/loginuid r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/core_pattern r,
         @{PROC}/sys/kernel/random/boot_id r,
@@ -104,6 +116,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/mem r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

diff --git a/apparmor.d/groups/_full/default-app b/apparmor.d/groups/_full/default-app
diff --git a/apparmor.d/groups/_full/default-bwrap b/apparmor.d/groups/_full/default-bwrap
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
@@ -31,6 +31,15 @@ profile default-sudo @{exec_path} {
 
   ptrace (read),
 
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.logi1.Manager
+       member=CreateSession
+       peer=(name=org.freedesktop.login1),
+
+  dbus (send receive) bus=session path=/org/freedesktop/systemd1
+         interface=org.freedesktop.systemd.Manager
+         member={JobRemoved,StartTransientUnit},
+
   @{bin}/sudo     mr,
   @{bin}/su       mr,
   @{lib}/sudo/**  mr,

diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
@@ -16,7 +16,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd
-profile systemd-user flags=(attach_disconnected) {
+profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>

diff --git a/dists/flags/main.flags b/dists/flags/main.flags
@@ -1,12 +1,12 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'
 
+bwrap attach_disconnected,mediate_deleted,complain
+bwrap-app attach_disconnected,mediate_deleted,complain
 default attach_disconnected,mediate_deleted,complain
-default-app attach_disconnected,complain
-default-bwrap attach_disconnected,complain
 default-sudo complain
 systemd attach_disconnected,mediate_deleted,complain
-systemd-user attach_disconnected,complain
+systemd-user attach_disconnected,mediate_deleted,complain
 
 aa-load complain
 acpid attach_disconnected,complain