Merge pull request #43 from madaidan/fixes

Fixes
Kicksecure · Mar 4, 2020 · 1c23b45 · 1c23b45
2 parents 20a6c9f + 0e19bcc
commit 1c23b45
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/etc/apparmor.d/abstractions/dangerous-files b/etc/apparmor.d/abstractions/dangerous-files
@@ -141,8 +141,13 @@
   audit deny /dev/disk/** rw,
   audit deny /dev/block/ rw,
   audit deny /dev/block/* rw,
+  audit deny /sys/devices/pci**/block/vda/dev rw,
 
   ## Deny access to /proc/kcore and /dev/core. /proc/kcore represents all
   ## physical memory of the system and /dev/core is a symlink to it.
   audit deny /proc/kcore rw,
   audit deny /dev/core rw,
+
+  ## CAP_NET_ADMIN allows modifying the firewall which we don't want as it
+  ## allows root on the gateway to leak the user's IP.
+  audit deny capability net_admin,
diff --git a/etc/apparmor.d/apt-get b/etc/apparmor.d/apt-get
@@ -27,6 +27,10 @@ profile /usr/bin/rapt flags=(attach_disconnected) {
   capability sys_tty_config,
   capability sys_resource,
 
+  ## Allow rapt to send itself SIGINT signals.
+  signal send set=int peer=/usr/bin/rapt,
+  signal receive set=int peer=/usr/bin/rapt,
+
   ## Network access.
   ##
   ## Only IPv4 TCP traffic is allowed as Whonix
@@ -104,7 +108,7 @@ profile /usr/bin/rapt flags=(attach_disconnected) {
   owner /proc/*/{,environ,sched,mountinfo,mounts,loginuid} r,
   owner /proc/{,cmdline,modules,swaps,devices} r,
   owner /proc/sys/kernel/random/boot_id r,
-  owner /proc/sys/kernel/osrelease r,
+  owner /proc/sys/kernel/{,osrelease,ngroups_max} r,
 
   ## Tmpfs access.
   ##