From e41779f576b680d0de18bf54af882bf6f6f45797 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Nov 2023 23:12:35 +0000 Subject: [PATCH] feat(full): add default bwrap profiles. On full system policy, use the new bwrap profile (and bwrap-app) to confine sandboxed applications. It is not enabled by default as the sandbox profile is quite large. Also integrate with the GNOME apps that use bwrap as their sandbox manager. Update other related profiles. See Full system policy #252 --- apparmor.d/groups/_full/bwrap | 74 +++++++++++++++++++++++++++ apparmor.d/groups/_full/bwrap-app | 35 +++++++++++++ apparmor.d/groups/_full/default | 35 +++++++++---- apparmor.d/groups/_full/default-app | 6 --- apparmor.d/groups/_full/default-bwrap | 5 -- apparmor.d/groups/_full/default-sudo | 9 ++++ apparmor.d/groups/_full/systemd-user | 2 +- dists/flags/main.flags | 6 +-- 8 files changed, 146 insertions(+), 26 deletions(-) create mode 100644 apparmor.d/groups/_full/bwrap create mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default-app delete mode 100644 apparmor.d/groups/_full/default-bwrap diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap new file mode 100644 index 000000000..0efe0a6bf --- /dev/null +++ b/apparmor.d/groups/_full/bwrap 
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for bwrap. + +abi , + +include + +@{exec_path} = @{bin}/bwrap +profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setpcap, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount, + umount, + + pivot_root oldroot=/newroot/ -> /newroot/, + pivot_root oldroot=/tmp/oldroot/ -> /tmp/, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + signal (receive) set=(kill), + + @{bin}/** rm, + @{lib}/** rm, + /opt/*/** rm, + /usr/share/*/* rm, + + @{bin}/** Px -> bwrap//&bwrap-app, + @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, + @{lib}/** Px -> bwrap//&bwrap-app, + /opt/*/** Px -> bwrap//&bwrap-app, + /usr/share/*/* Px -> bwrap//&bwrap-app, + + /usr/.ref rk, + + /bindfile@{rand6} rw, + /newroot/{,**} rw, + /tmp/newroot/ w, + /tmp/oldroot/ w, + + owner /var/cache/ w, + + owner @{run}/ld-so-cache-dir/* rw, + + @{PROC}/sys/kernel/overflowgid r, + @{PROC}/sys/kernel/overflowuid r, + @{PROC}/sys/user/max_user_namespaces w, + owner @{PROC}/@{pid}/gid_map rw, + owner @{PROC}/@{pid}/setgroups rw, + owner @{PROC}/@{pid}/uid_map rw, + + include if exists + include if exists +} diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app new file mode 100644 index 000000000..8895c8941 --- /dev/null +++ b/apparmor.d/groups/_full/bwrap-app 
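Review bot: The bare `mount,` and `umount,` rules, together with `capability sys_admin,`, let anything running under the `bwrap` label perform any mount operation on any path, so the profile itself places no bound on what gets bind-mounted into `/newroot/`. For an unprivileged bwrap the user namespace is what actually limits this, but on a system where bwrap is installed setuid root the rule is a full mount grant with no AppArmor restriction on top. A comment recording that assumption would help the next reader, e.g. `# mount is unrestricted: sandbox contents are bounded by the user namespace, not by this rule`. If the set of mount calls bwrap makes is known, narrowing these two rules by `fstype=` and `options=(bind)` would keep the same functionality with a smaller grant; I have not verified that set from this hunk.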
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for user sandboxed application + +abi , + +include + +profile bwrap-app flags=(attach_disconnected,mediate_deleted) { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + + @{bin}/** rmix, + @{lib}/** rmix, + /opt/*/** rmix, + /usr/share/*/* rmix, + + owner /var/cache/ w, + + include if exists + include if exists +} diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index ec74ebab9..027dc15fe 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -16,15 +16,18 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include - include - include include include include + include + include + include include + include + include include include include @@ -41,8 +44,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(hup), - @{bin}/{,**} r, - @{bin}/bwrap rPx -> default-bwrap, + @{bin}/bwrap rPx -> bwrap, @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, @{bin}/pulseaudio rPx -> systemd//&pulseaudio, @{bin}/su rPx -> default-sudo, @@ -55,15 +57,19 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/exo-open rPx -> child-open, @{bin}/xdg-open rPx -> child-open, + @{lib}/gio-launch-desktop rPx -> child-open, audit @{bin}/** Pix, audit @{lib}/** Pix, audit /opt/*/** Pix, audit /usr/share/*/* Pix, + @{bin}/{,**} r, + @{lib}/{,**} r, /usr/share/** r, /etc/xdg/** r, + /etc/gnutls/config r, # Full access to user's data / r, 
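Review bot: Every application started through bwrap lands under the single stacked label `bwrap//&bwrap-app`, so `ptrace peer=bwrap//&bwrap-app,` and `signal peer=bwrap//&bwrap-app,` allow any sandboxed application to trace and signal any other sandboxed application; AppArmor draws no line between two different sandboxes, and whether they can reach each other is then decided only by bwrap's PID namespace, which a caller may not request. The unconditional `network inet/inet6 stream/dgram` and `network netlink raw` rules likewise leave network isolation entirely to the sandbox manager. That is a defensible design for a fallback profile, but it should be stated in the header, e.g. `# All sandboxed apps share this label: isolation between sandboxes comes from bwrap's namespaces, not from the ptrace/signal/network rules below`, and `ptrace (read) peer=bwrap//&bwrap-app,` may be enough for the default case since nothing here shows a sandboxed app needing to attach a tracer.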
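Review bot: `@{bin}/bwrap rPx -> bwrap,` moves the process out of `default` into the `bwrap` profile, and from there its children into the `bwrap//&bwrap-app` stack, whose mode is set separately in `dists/flags/main.flags`; with `bwrap` and `bwrap-app` in complain there, switching `default` to enforce enforces nothing that is started through bwrap. The commit message presents this as the intended opt-in, but nothing in the profile says so, and the previous `rPx -> default-bwrap` target pointed at a file with no profile definition, so the behaviour at this transition changes from exec failure to an unenforced stack. A comment at the rule would make the coupling visible to whoever flips the flags, e.g. `# sandboxed apps end up in bwrap//&bwrap-app; enforce both of those profiles together with this one`. `profile default` continues outside the hunk.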
@@ -71,10 +77,10 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwl, + owner @{HOME}/{,**} rwlk, owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/**, - owner @{user_share_dirs}/** rwkl -> @{user_share_dirs}/**, + owner @{user_config_dirs}/** rwkl, + owner @{user_share_dirs}/** rwkl, owner /tmp/{,**} rwk, owner @{run}/user/@{uid}/{,**} rw, @@ -86,16 +92,22 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/class/hidraw/ r, @{sys}/class/input/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, - - @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - @{PROC}/@{pid}/loginuid r, @{PROC}/cmdline r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, @@ -104,6 +116,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/_full/default-app b/apparmor.d/groups/_full/default-app deleted file mode 100644 index 9b195ea90..000000000 --- a/apparmor.d/groups/_full/default-app +++ /dev/null 
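Review bot: After this hunk, `owner @{run}/user/@{uid}/{,**} rw,` appears twice in the same rule block (once after the `@{HOME}` rule and again after the `/tmp` rule); since the hunk already rewrites the neighbouring `@{HOME}` and `@{user_config_dirs}` lines, the duplicate could be dropped in the same change. The new `owner @{user_config_dirs}/** rwkl,` and `owner @{user_share_dirs}/** rwkl,` are also fully covered by `owner @{HOME}/{,**} rwlk,` if those variables resolve under `@{HOME}`, which is not visible here; if they do, a short comment such as `# subsumed by the @{HOME} rule above, kept for readability` would stop a later reader from trying to tighten them. `profile default` continues past both ends of the hunk.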
@@ -1,6 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - diff --git a/apparmor.d/groups/_full/default-bwrap b/apparmor.d/groups/_full/default-bwrap deleted file mode 100644 index 0ecde79e8..000000000 --- a/apparmor.d/groups/_full/default-bwrap +++ /dev/null @@ -1,5 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo index 09a343191..84213813f 100644 --- a/apparmor.d/groups/_full/default-sudo +++ b/apparmor.d/groups/_full/default-sudo @@ -31,6 +31,15 @@ profile default-sudo @{exec_path} { ptrace (read), + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.logi1.Manager + member=CreateSession + peer=(name=org.freedesktop.login1), + + dbus (send receive) bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd.Manager + member={JobRemoved,StartTransientUnit}, + @{bin}/sudo mr, @{bin}/su mr, @{lib}/sudo/** mr, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 144c24dc9..9cdc29ee3 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -16,7 +16,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected) { +profile systemd-user flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 64518e807..71b18da30 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
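Review bot: The interface names in both new dbus rules in `default-sudo` do not match the services the rules target: `interface=org.freedesktop.logi1.Manager` is missing the `n` while the same rule's peer is `org.freedesktop.login1`, and `interface=org.freedesktop.systemd.Manager` does not match the `/org/freedesktop/systemd1` path on that rule (the manager interface is `org.freedesktop.systemd1.Manager`), so neither rule ever matches and the `CreateSession`/`StartTransientUnit` traffic is still denied once the profile leaves complain mode. The second rule also carries no `peer=`, so once corrected it would allow `StartTransientUnit` to any session-bus peer exposing that interface; `peer=(name=org.freedesktop.systemd1)` would match the first rule's style. `profile default-sudo` continues outside the hunk.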
@@ -1,12 +1,12 @@ # Common profile flags definition for all distributions # One profile by line using the format: ' ' +bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,mediate_deleted,complain default attach_disconnected,mediate_deleted,complain -default-app attach_disconnected,complain -default-bwrap attach_disconnected,complain default-sudo complain systemd attach_disconnected,mediate_deleted,complain -systemd-user attach_disconnected,complain +systemd-user attach_disconnected,mediate_deleted,complain aa-load complain acpid attach_disconnected,complain