From b0bcbff0297b0eddbed7ee59d7bfb025363d7752 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 3 Mar 2020 20:57:38 +0000
Subject: [PATCH 1/2] Rapt fixes
---
 etc/apparmor.d/apt-get | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/etc/apparmor.d/apt-get b/etc/apparmor.d/apt-get
index 817ed18..6e18272 100644
--- a/etc/apparmor.d/apt-get
+++ b/etc/apparmor.d/apt-get
@@ -27,6 +27,10 @@ profile /usr/bin/rapt flags=(attach_disconnected) {
   capability sys_tty_config,
   capability sys_resource,
 
+  ## Allow rapt to send itself SIGINT signals.
+  signal send set=int peer=/usr/bin/rapt,
+  signal receive set=int peer=/usr/bin/rapt,
+
   ## Network access.
   ##
   ## Only IPv4 TCP traffic is allowed as Whonix
@@ -104,7 +108,7 @@ profile /usr/bin/rapt flags=(attach_disconnected) {
   owner /proc/*/{,environ,sched,mountinfo,mounts,loginuid} r,
   owner /proc/{,cmdline,modules,swaps,devices} r,
   owner /proc/sys/kernel/random/boot_id r,
-  owner /proc/sys/kernel/osrelease r,
+  owner /proc/sys/kernel/{,osrelease,ngroups_max} r,
 
   ## Tmpfs access.
   ##
From 0e19bcc441b6efa5d6079134c8b134a3d8b80608 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 3 Mar 2020 21:01:18 +0000
Subject: [PATCH 2/2] Deny CAP_NET_ADMIN and sysfs hard drive files
---
 etc/apparmor.d/abstractions/dangerous-files | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/apparmor.d/abstractions/dangerous-files b/etc/apparmor.d/abstractions/dangerous-files
index 2459d4e..0e90dc2 100644
--- a/etc/apparmor.d/abstractions/dangerous-files
+++ b/etc/apparmor.d/abstractions/dangerous-files
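Review bot: The two new `signal` rules hard-code the attachment path as `peer=/usr/bin/rapt`, so a later rename of the profile or a change of its attachment would silently stop matching without any parse error. AppArmor's `@{profile_name}` variable expresses the same "signal myself" intent without duplicating the path; if the apparmor version in use supports it, the pair collapses to `signal (send, receive) set=int peer=@{profile_name},`. The comment "Allow rapt to send itself SIGINT signals" is accurate for the pair as written, though a word on which code path needs it (e.g. interrupt handling of a child) would help whoever next tightens this profile. The profile body continues outside the hunk.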
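Review bot: The rewritten `owner /proc/sys/kernel/{,osrelease,ngroups_max} r,` also grants reading the `/proc/sys/kernel/` directory itself, which the replaced `osrelease` line did not; that follows the `/proc/{,cmdline,...}` idiom two lines up, but neither the rule nor the "Rapt fixes" subject says whether the listing is needed or only `ngroups_max` is. If only the file is read, `owner /proc/sys/kernel/{osrelease,ngroups_max} r,` keeps the grant minimal; either way a one-line comment naming what reads `ngroups_max` would record why it was added. Note also that `owner` on root-owned `/proc/sys/kernel/*` entries only matches when rapt itself runs as root, which is presumably the normal case but mirrors a pre-existing pattern rather than a choice made here. The profile body continues outside the hunk.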
@@ -141,8 +141,13 @@ audit deny /dev/disk/** rw, audit deny /dev/block/ rw, audit deny /dev/block/* rw, + audit deny /sys/devices/pci**/block/vda/dev rw, ## Deny access to /proc/kcore and /dev/core. /proc/kcore represents all ## physical memory of the system and /dev/core is a symlink to it. audit deny /proc/kcore rw, audit deny /dev/core rw, + + ## CAP_NET_ADMIN allows modifying the firewall which we don't want as it + ## allows root on the gateway to leak the user's IP. + audit deny capability net_admin,
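Review bot: The new `audit deny /sys/devices/pci**/block/vda/dev rw,` only covers the first virtio disk on a PCI bus; a second disk (`vdb`), a SCSI/SATA/NVMe device name, a non-PCI attachment, or the sibling attributes next to `dev` all fall outside it, and `vda` is a property of the VM configuration rather than of the policy. A path deny is only worth having if it is not trivially sidestepped, so consider `audit deny /sys/devices/**/block/** rw,` (and, if they are exposed separately, `/sys/block/**` and `/sys/class/block/**`), unless something that includes this abstraction legitimately needs sysfs block attributes. The rule also lacks the explanatory comment its neighbours carry; something like `## Deny sysfs block device attributes so a confined program cannot enumerate or resolve disks.` would record the intent. For the `capability net_admin` deny, it is worth adding to its comment that AppArmor deny rules take precedence over any allow, so a profile that includes this abstraction and also grants `capability net_admin,` will lose it silently by design rather than by mistake.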