Kicksecure · adrelanos · Dec 20, 2019 · Dec 12, 2019 · Dec 14, 2019
diff --git a/etc/apparmor.d/abstractions/init-systemd b/etc/apparmor.d/abstractions/init-systemd
@@ -0,0 +1,292 @@
+  ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+  ## See the file COPYING for copying conditions.
+
+  #include <abstractions/gnome>
+  #include <abstractions/dangerous-files>
+
+  ## TODO: Further restict these. Use extended capability rules.
+  ## TODO: Create sdwdate AppArmor profile and remove sys_time.
+  ## TODO: Create systemd-modules-load profile and remove sys_module.
+  ## TODO: Create whonix-firewall profile and remove net_admin.
+  ## TODO: Create auditd(/journald?) profile and remove audit_*.
+  ## TODO: Create journald profile and remove syslog.
+  ## TODO: Create logind profile and remove sys_tty_config.
+  capability audit_control,
+  capability audit_read,
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability ipc_owner,
+  capability ipc_lock,
+  capability kill,
+  capability mknod,
+  capability net_admin,
+  capability setgid,
+  capability setpcap,
+  capability setuid,
+  capability sys_admin,
+  capability sys_boot,
+  capability sys_chroot,
+  capability sys_module,
+  capability sys_nice,
+  capability sys_ptrace,
+  capability sys_resource,
+  capability sys_time,
+  capability sys_tty_config,
+  capability syslog,
+
+  ## Allow us to send ourselves signals.
+  ## TODO: Restrict.
+  signal,
+
+  ## Allow us to ptrace processes.
+  ## TODO: Restrict.
+  ptrace (read, readby, tracedby),
+
+  ## TODO: Restrict if possible.
+  unix,
+
+  ## Network access.
+  ##
+  ## Only IPv4 TCP traffic is allowed as Whonix
+  ## disables IPv6 and Tor only supports TCP.
+  network inet tcp,
+
+  ## Allow DBus.
+  ## TODO: Restrict access.
+  dbus,
+
+  ## Allow mounting, unmounting and remounting.
+  ## TODO: Restrict access.
+  mount,
+  umount,
+  remount,
+  / r,
+
+  ## Home directory access.
+  ##
+  ## Only executing the Tor Browser is allowed.
+  ## TODO: Restrict access.
+  /home/ r,
+  owner /home/** rwlk,
+
+  ## Only "start-tor-browser" and "firefox" is executable as the
+  ## Tor Browser AppArmor profile will handle the rest.
+  owner /home/*/.tb/tor-browser/Browser/{,start-tor-browser,firefox} rpix,
+
+  ## Prevents any malicious modifications to the Tor Browser.
+  ## Updates will be handled by the Tor Browser's profile.
+  deny /home/*/.tb/tor-browser/** wlkm,
+
+  owner /root/ r,
+  owner /root/** rwlk,
+
+  ## Programs and libraries.
+  ##
+  ## All programs and libraries except ones in /opt are read-only to prevent malware from
+  ## compromising a specific program. Updates will be handled by APT.
+  ##
+  ## /opt is read-write (for the owner) so the user can place their own custom
+  ## programs in there.
+  /usr/ r,
+  /{,usr/,usr/local/}{,s}bin/ r,
+  /{,usr/,usr/local/}{,s}bin/** rpix,
+  /usr/{,local/}games/ r,
+  /usr/{,local/}games/** rpix,
+  /{,usr/,usr/local/}lib{,32,64}/ r,
+  /{,usr/,usr/local/}lib{,32,64}/** rmpix,
+  /usr/{,local/}share/ r,
+  /usr/{,local/}share/** rpix,
+  /usr/{,local/}include/ r,
+  /usr/{,local/}include/** rpix,
+  owner /usr/lib/python3/dist-packages/*/__pycache__/ rwm,
+  owner /usr/lib/python3/dist-packages/*/__pycache__/** rwm,
+  /opt/ r,
+  /opt/** rpix,
+  owner /opt/** rwmpix,
+
+  ## Sysfs access.
+  /sys/ r,
+  /sys/devices/ r,
+  /sys/devices/**/{,uevent,config} r,
+  owner /sys/devices/**/{,name,id,type,online,sw,phys,ev,abs,bustype,rel,key,properties} r,
+  /sys/devices/pci[0-9]*/**/ r,
+  /sys/devices/pci[0-9]*/**/{,resource,boot_vga,class,vendor,device,irq,revision,subsystem_vendor,port_no} r,
+  owner /sys/devices/pci[0-9]*/**/{,subsystem_device,removable,size,rotational,ro} r,
+  owner /sys/devices/pci[0-9]*/**/sas_port/*/num_phys r,
+  owner /sys/devices/pci[0-9]*/**/block/sda/dev r,
+  owner /sys/devices/pci[0-9]*/**/block/sda/sda[0-9]*/{,partition,start} r,
+  /sys/devices/pci[0-9]*/**/drm/**/{,enabled,status} r,
+  /sys/devices/pci[0-9]*/**/sound/**/pcm_class r,
+  /sys/devices/pci[0-9]*/**/backlight/**/* rw,
+  /sys/devices/virtual/tty/tty[0-9]*/active r,
+  /sys/devices/virtual/tty/console/active r,
+  /sys/devices/virtual/dmi/id/{,sys,board,bios}_vendor r,
+  owner /sys/devices/virtual/dmi/id/{,modalias,product_name} r,
+  owner /sys/devices/virtual/net/lo/address r,
+  owner /sys/devices/virtual/block/loop[0-9]*/{,removable,size,ro,removable} r,
+  owner /sys/devices/virtual/block/loop[0-9]*/loop/{,backing_file,autoclear} r,
+  owner /sys/devices/virtual/block/dm-0/dm/uuid r,
+  owner /sys/devices/virtual/block/dm-0/{,removable,size,ro} r,
+  owner /sys/devices/virtual/bdi/[0-9]*:[0-9]*/read_ahead_kb r,
+  /sys/devices/system/node/node[0-9]*/meminfo r,
+  /sys/devices/system/cpu/present r,
+  /sys/devices/system/cpu/cpu[0-9]*/cache/index2/size r,
+  owner /sys/devices/platform/rtc_cmos/rtc/rtc[0-9]*/hctosys r,
+  /sys/class/ r,
+  /sys/class/{,tty,input,drm,sound}/ r,
+  owner /sys/class/{,leds,power_supply,block}/ r,
+  /sys/bus/ r,
+  /sys/bus/pci/devices/ r,
+  owner /sys/bus/*/drivers/*/uevent r,
+  /sys/fs/cgroup/** rwm,
+  owner /sys/kernel/debug/ r,
+  /sys/kernel/kexec_loaded r,
+  owner /sys/module/*/ r,
+  owner /sys/module/printk/parameters/time r,
+  owner /sys/module/vt/parameters/default_utf8 r,
+  owner /sys/module/*/{,refcnt,coresize,uevent,initstate} r,
+  owner /sys/module/*/holders/ r,
+  owner /sys/firmware/dmi/tables/{,DMI,smbios_entry_point} r,
+  owner /sys/kernel/security/apparmor/ r,
+  owner /sys/kernel/security/apparmor/.{,access,remove,replace} rw,
+  owner /sys/kernel/security/apparmor/profiles r,
+  /sys/module/apparmor/parameters/enabled r,
+
+  ## TODO: Verify use. Probably not needed.
+  deny /sys/fs/ r,
+  deny /sys/fs/fuse/connections/ r,
+
+  ## Procfs access.
+  ## TODO: Make systemd-sysctl profile and prevent writing to /proc/sys.
+  owner /proc/ r,
+  owner /proc/*/{,environ,limits,mountinfo,mounts,uid_map,gid_map,setgroups} r,
+  owner /proc/*/fdinfo/* r,
+  owner /proc/*/oom_score_adj rw,
+  /proc/*/{,cgroup,cmdline,comm,sessionid,mounts,stat,status,sched,maps,auxv} r,
+  /proc/*/attr/current r,
+  /proc/*/attr/exec rw,
+  /proc/*/loginuid rw,
+  /proc/*/fd/ r,
+  /proc/*/task/*/stat r,
+  /proc/*/net/ r,
+  /proc/*/net/dev r,
+  /proc/{,stat,cpuinfo,filesystems,meminfo,swaps,cmdline,uptime} r,
+  /proc/sys/** r,
+  /proc/asound/card[0-9]*/ r,
+  /proc/asound/card[0-9]*/pcm[0-9]*/ r,
+  /proc/asound/card[0-9]*/pcm[0-9]*/sub[0-9]*/status r,
+  owner /proc/sys/** rw,
+  owner /proc/mtrr rw,
+  owner /proc/*/{,setgroups,gid_map,uid_map} w,
+  owner /proc/{,kmsg,devices,modules} r,
+  owner /proc/tty/drivers r,
+
+  ## Tmpfs access.
+  ##
+  ## Read-only access is given to files the user is not an owner of
+  ## and read-write access is given to files the user is owner of.
+  /{,var/}tmp/ r,
+  /{,var/}tmp/** rpix,
+  owner /{,var/}tmp/ rw,
+  owner /{,var/}tmp/** rwmpixl,
+
+  ## Systemd's PrivateTmp option requires rw access to tmp directories
+  ## they aren't owner of. Rather than giving rw access to all of /tmp,
+  ## just give rw access to all systemd private tmps.
+  /tmp/systemd-private-*-*.service-*/tmp/tmp.*/ rw,
+  /tmp/systemd-private-*-*.service-*/tmp/tmp.*/** rw,
+
+  ## Config files.
+  ## TODO: Restrict access.
+  /{,usr/local/}etc/ r,
+  /{,usr/local/}etc/** rpix,
+  owner /{,usr/local/}etc/** rwmlkpix,
+
+  ## Device access.
+  ## TODO: autofs can automount filesystems which might be dangerous.
+  ## TODO: Swap is disabled yet access to /dev/mapper/swapfile is needed - https://github.com/Whonix/swap-file-creator
+  ## TODO: Remove write permission where it's not needed.
+  /dev/ r,
+  /dev/console rw,
+  /dev/random rw,
+  /dev/urandom rw,
+  /dev/null rw,
+  /dev/zero rw,
+  /dev/full rw,
+  /dev/core r,
+  /dev/stdin rw,
+  /dev/stdout r,
+  /dev/stderr rw,
+  /dev/tty rw,
+  /dev/tty[0-9]* rw,
+  /dev/ptmx rw,
+  /dev/pts/ r,
+  /dev/pts/* rw,
+  /dev/input/ r,
+  /dev/input/** rw,
+  /dev/uinput rw,
+  /dev/vbox{,user,guest,sf} rw,
+  /dev/kvm rw,
+  owner /dev/sr0 rwk,
+  /dev/log rw,
+  owner /dev/sd* rwmk,
+  owner /dev/kmsg rw,
+  owner /dev/fb0 rw,
+  owner /dev/vga_arbiter rw,
+  /dev/dri/ r,
+  owner /dev/snd/ r,
+  /dev/snd/* rw,
+  owner /dev/mqueue/ rw,
+  /dev/shm/ r,
+  owner /dev/shm/** rwm,
+  owner /dev/autofs rw,
+  owner /dev/vcs{,a,u} w,
+  owner /dev/vcs{,a,u}[0-9]* w,
+  owner /dev/char/ r,
+  owner /dev/char/[0-9]*:[0-9]* w,
+  owner /dev/sg[0-9]* rwmk,
+  owner /dev/ttyS[0-9]* rw,
+  owner /dev/disk/ r,
+  owner /dev/disk/by-path/pci-*-sas-phy[0-9]-lun-[0-9] w,
+  owner /dev/disk/by-path/pci-*-sas-phy[0-9]-lun-[0-9]-part[0-9] w,
+  owner /dev/disk/by-partuuid/[0-9]*-[0-9]* w,
+  owner /dev/bsg/ r,
+  owner /dev/block/ r,
+  owner /dev/hugepages/ rw,
+  owner /dev/net/ r,
+  owner /dev/mapper/ r,
+  owner /dev/vfio/ r,
+  owner /dev/btrfs-control w,
+  owner /dev/loop-control rw,
+  owner /dev/loop[0-9]* rw,
+  owner /dev/mapper/control rw,
+  owner /dev/dm-0 rw,
+  owner /dev/mapper/swapfile w,
+  owner /dev/vport2p1 rw,
+
+  ## Removable media.
+  owner /media/ r,
+  owner /media/** rw,
+
+  ## /var and /run access.
+  /var/ r,
+  /var/{,cache,lib,log,spool}/ r,
+  /var/cache/** r,
+  /var/cache/man/*/*[0-9]/ rw,
+  /var/{,lib,log}/** rw,
+  /var/lib/dpkg/info/** rpix,
+  owner /var/{,cache,lib,db}/** rwkl,
+  owner /var/log/wtmp rwk,
+  owner /var/spool/cron/crontabs/ r,
+  /{,var/}run/ r,
+  /{,var/}run/** rw,
+  /{,var/}run/shm/** rwl,
+  owner /{,var/}run/** rwk,
+  owner /var/swapfile rw,
+  owner /var/backups/apt.extended_states w,
+
+  /srv/ r,