| 1 | +# AppArmor profile for /usr/bin/arbor-daemon |
| 2 | +# |
| 3 | +# *** UNTESTED *** |
| 4 | +# |
| 5 | +# This profile is provided as a starting point for hardening Arbor's |
| 6 | +# privilege daemon under AppArmor on Gentoo (USE flag apparmor on |
| 7 | +# sys-apps/apparmor and a kernel built with CONFIG_SECURITY_APPARMOR). |
| 8 | +# It has *not* been validated against a full emerge workflow yet. |
| 9 | +# Treat it as a draft and iterate against real installs on a test box. |
| 10 | +# |
| 11 | +# To activate (manual, opt-in): |
| 12 | +# sudo cp apparmor/usr.bin.arbor-daemon /etc/apparmor.d/ |
| 13 | +# sudo apparmor_parser -r /etc/apparmor.d/usr.bin.arbor-daemon |
| 14 | +# sudo rc-service arbor-daemon restart # or systemctl restart arbor-daemon |
| 15 | +# |
| 16 | +# To run in complain-mode while iterating: |
| 17 | +# sudo aa-complain /etc/apparmor.d/usr.bin.arbor-daemon |
| 18 | +# When happy: |
| 19 | +# sudo aa-enforce /etc/apparmor.d/usr.bin.arbor-daemon |
| 20 | + |
| 21 | +#include <tunables/global> |
| 22 | + |
| 23 | +profile arbor-daemon /usr/bin/arbor-daemon { |
| 24 | + #include <abstractions/base> |
| 25 | + #include <abstractions/python> |
| 26 | + #include <abstractions/openssl> |
| 27 | + |
| 28 | + # ---- capabilities ---- |
| 29 | + capability chown, |
| 30 | + capability dac_override, |
| 31 | + capability dac_read_search, |
| 32 | + capability fowner, |
| 33 | + capability fsetid, |
| 34 | + capability setgid, |
| 35 | + capability setuid, |
| 36 | + capability sys_chroot, |
| 37 | + capability mknod, |
| 38 | + capability kill, |
| 39 | + capability sys_admin, |
| 40 | + capability sys_ptrace, |
| 41 | + capability setpcap, |
| 42 | + capability sys_resource, |
| 43 | + |
| 44 | + # Explicitly deny what setpriv / CapabilityBoundingSet would also drop. |
| 45 | + audit deny capability net_raw, |
| 46 | + audit deny capability net_admin, |
| 47 | + audit deny capability sys_module, |
| 48 | + audit deny capability sys_boot, |
| 49 | + audit deny capability sys_time, |
| 50 | + audit deny capability syslog, |
| 51 | + audit deny capability bpf, |
| 52 | + audit deny capability perfmon, |
| 53 | + |
| 54 | + # ---- network ---- |
| 55 | + # Daemon only listens on /run/arbor/daemon.sock; no inet sockets. |
| 56 | + network unix, |
| 57 | + audit deny network inet, |
| 58 | + audit deny network inet6, |
| 59 | + audit deny network netlink, |
| 60 | + audit deny network raw, |
| 61 | + |
| 62 | + # ---- arbor own state ---- |
| 63 | + /usr/bin/arbor-daemon mr, |
| 64 | + /usr/bin/setpriv ix, |
| 65 | + /usr/lib/arbor/** mr, |
| 66 | + /etc/arbor/ r, |
| 67 | + /etc/arbor/arbor.env r, |
| 68 | + /etc/arbor/ipc.key r, |
| 69 | + /etc/arbor/totp.secret r, |
| 70 | + /var/lib/arbor/ rw, |
| 71 | + /var/lib/arbor/** rwk, |
| 72 | + /var/log/arbor/ rw, |
| 73 | + /var/log/arbor/** rw, |
| 74 | + /run/arbor/ rw, |
| 75 | + /run/arbor/** rwk, |
| 76 | + |
| 77 | + # ---- Portage paths ---- |
| 78 | + /etc/portage/ r, |
| 79 | + /etc/portage/** rw, |
| 80 | + /var/db/pkg/ rw, |
| 81 | + /var/db/pkg/** rwk, |
| 82 | + /var/db/repos/ r, |
| 83 | + /var/db/repos/** r, |
| 84 | + /var/cache/distfiles/ rw, |
| 85 | + /var/cache/distfiles/** rwk, |
| 86 | + /var/cache/binpkgs/ rw, |
| 87 | + /var/cache/binpkgs/** rwk, |
| 88 | + /var/cache/edb/ rw, |
| 89 | + /var/cache/edb/** rwk, |
| 90 | + /var/tmp/portage/ rw, |
| 91 | + /var/tmp/portage/** rwklmix, |
| 92 | + /var/lib/portage/ rw, |
| 93 | + /var/lib/portage/** rwk, |
| 94 | + |
| 95 | + # ---- emerge tools the daemon execs ---- |
| 96 | + /usr/bin/emerge ix, |
| 97 | + /usr/bin/portageq ix, |
| 98 | + /usr/bin/eselect ix, |
| 99 | + /usr/bin/ebuild ix, |
| 100 | + /usr/bin/eclean ix, |
| 101 | + /usr/bin/equery ix, |
| 102 | + /usr/sbin/etc-update ix, |
| 103 | + /usr/sbin/dispatch-conf ix, |
| 104 | + /usr/bin/python3* ix, |
| 105 | + /usr/bin/find ix, |
| 106 | + /bin/sh ix, |
| 107 | + /bin/bash ix, |
| 108 | + |
| 109 | + # ---- system bits emerge needs ---- |
| 110 | + /proc/ r, |
| 111 | + /proc/sys/kernel/random/uuid r, |
| 112 | + /proc/[0-9]*/ r, |
| 113 | + /proc/[0-9]*/status r, |
| 114 | + /proc/[0-9]*/cmdline r, |
| 115 | + /proc/[0-9]*/stat r, |
| 116 | + /sys/devices/system/cpu/ r, |
| 117 | + /sys/devices/system/cpu/** r, |
| 118 | + /dev/null rw, |
| 119 | + /dev/zero rw, |
| 120 | + /dev/urandom r, |
| 121 | + /dev/random r, |
| 122 | + /dev/tty rw, |
| 123 | + /tmp/ r, |
| 124 | + /tmp/** rw, |
| 125 | + |
| 126 | + # ---- explicit deny on sensitive paths ---- |
| 127 | + audit deny /home/** rwklx, |
| 128 | + audit deny /root/** rwklx, |
| 129 | + audit deny /etc/shadow* rwklx, |
| 130 | + audit deny /etc/sudoers* rwklx, |
| 131 | + audit deny /etc/ssh/ssh_host_*_key rwklx, |
| 132 | + audit deny /proc/sys/kernel/core_pattern w, |
| 133 | + audit deny /proc/sys/kernel/modprobe w, |
| 134 | + audit deny /sys/kernel/security/** w, |
| 135 | +} |
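Review bot: Every helper in the exec list (profile lines 96–107) is marked `ix`, so emerge, `/bin/sh`, `/bin/bash` and `python3*` run under this same profile and inherit read access to `/etc/arbor/ipc.key` and `/etc/arbor/totp.secret` (lines 68–69) together with the daemon's `sys_admin`/`sys_ptrace`/`dac_override` capabilities, which hands the IPC and TOTP secrets to every ebuild phase the daemon drives. The Portage tool chain belongs in a child profile reached via `cx -> arbor-portage`, where those two files are explicitly denied and where its own, narrower rules live. That child is presumably also where the build tools and fetch traffic have to be granted, because the present profile gives exec rights to no compiler or `make` and denies inet/inet6 at lines 57–58, so enforce mode would likely stop builds unless fetching and compiling happen outside the daemon — worth confirming on the test box the header mentions. A sketch follows; the Portage, /proc, /dev and /tmp path rules would need to be repeated inside the child since nested profiles do not inherit the parent's rules.
```apparmor
  # ---- emerge tools the daemon execs ----
  # Run the Portage tool chain in a child profile so it cannot inherit the
  # daemon's credentials or its capability set.
  /usr/bin/emerge         cx -> arbor-portage,
  /usr/bin/portageq       cx -> arbor-portage,
  /usr/bin/ebuild         cx -> arbor-portage,
  # … unchanged pattern for eselect, eclean, equery, etc-update, dispatch-conf, find …
  /usr/bin/python3*       cx -> arbor-portage,
  /bin/sh                 cx -> arbor-portage,
  /bin/bash               cx -> arbor-portage,

  profile arbor-portage {
    #include <abstractions/base>
    #include <abstractions/python>

    # The tool chain never needs the daemon's credentials.
    audit deny /etc/arbor/ipc.key r,
    audit deny /etc/arbor/totp.secret r,

    # Interpreters emerge and ebuild.sh spawn stay inside this child.
    /usr/bin/python3*     ix,
    /bin/sh               ix,
    /bin/bash             ix,

    # … Portage, /proc, /dev and /tmp path rules from the parent repeated here …
    # … only the capabilities emerge itself needs (chown, fowner, fsetid, …),
    #    the build tools with ix, and — if distfiles are fetched here —
    #    network inet stream / network inet6 stream …
  }
```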