diff --git a/.gitmodules b/.gitmodules
index a6452efb7..3c4c1dc89 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "subprojects/python-xlib"]
 path = subprojects/python-xlib
 url = https://github.com/python-xlib/python-xlib.git
+[submodule "subprojects/apparmor"]
+ path = subprojects/apparmor
+ url = https://gitlab.com/apparmor/apparmor.git
diff --git a/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu b/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
deleted file mode 120000
index 9c2d83eec..000000000
--- a/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/apparmor/extra-profiles/bwrap-userns-restrict
\ No newline at end of file
diff --git a/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu b/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
new file mode 100644
index 000000000..9de2afc63
--- /dev/null
+++ b/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
@@ -0,0 +1,85 @@
+# This profile allows almost everything and only exists to allow bwrap
+# to work on a system with user namespace restrictions being enforced.
+# bwrap is allowed access to user namespaces and capabilities within
+# the user namespace, but its children do not have capabilities,
+# blocking bwrap from being able to be used to arbitrarily by-pass the
+# user namespace restrictions.
+
+# Note: the bwrap child is stacked against the bwrap profile due to
+# bwraps use of no-new-privs.
+
+abi ,
+
+include
+
+profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
+ allow capability,
+ # not allow all, to allow for pix stack on systems that don't support
+ # rule priority.
+ #
+ # sadly we have to allow 'm' every where to allow children to work under
+ # profile stacking atm.
+ allow file rwlkm /{**,},
+ allow network,
+ allow unix,
+ allow ptrace,
+ allow signal,
+ allow mqueue,
+ allow io_uring,
+ allow userns,
+ allow mount,
+ allow umount,
+ allow pivot_root,
+ allow dbus,
+
+ # stacked like this due to no-new-privs restriction
+ # this will stack a target profile against bwrap and unpriv_bwrap
+ # Ideally
+ # - there would be a transition at userns creation first. This would allow
+ # for the bwrap profile to be tighter, and looser within the user
+ # ns. bwrap will still have to fairly loose until a transition at
+ # namespacing in general (not just user ns) is available.
+ # - there would be an independent second target as fallback
+ # This would allow for select target profiles to be used, and not
+ # necessarily stack the unpriv_bwrap in cases where this is desired
+ #
+ # the ix works here because stack will apply to ix fallback
+ # Ideally we would sanitize the environment across a privilege boundry
+ # (leaving bwarp into application) but flatpak etc use environment glibc
+ # sanitized environment variables as part of the sandbox setup.
+ allow pix /** -> &bwrap//&unpriv_bwrap,
+
+ # the local include should not be used without understanding the userns
+ # restriction.
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
+# The unpriv_bwrap profile is used to strip capabilities within the userns
+profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
+ # not allow all, to allow for pix stack
+ allow file rwlkm /{**,},
+ allow network,
+ allow unix,
+ allow ptrace,
+ allow signal,
+ allow mqueue,
+ allow io_uring,
+ allow userns,
+ allow mount,
+ allow umount,
+ allow pivot_root,
+ allow dbus,
+
+ # bwrap profile does stacking against itself this will keep the target
+ # profile from having elevated privileges in the container.
+ # If done recursively the stack will remove any duplicate
+ allow pix /** -> &unpriv_bwrap,
+
+ audit deny capability,
+
+ # the local include should not be used without understanding the userns
+ # restriction.
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/subprojects/apparmor b/subprojects/apparmor
new file mode 160000
index 000000000..8e431ebcd
--- /dev/null
+++ b/subprojects/apparmor
@@ -0,0 +1 @@
+Subproject commit 8e431ebcd915216a03ebc8d01e72b1741bb2f855
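Review bot: The new file in this hunk is a copy of the profile the removed symlink pointed at, but nothing in it records where it came from or which upstream revision it matches, so it will silently drift from the `subprojects/apparmor` submodule added in the same commit; a header such as `# Vendored copy of /usr/share/apparmor/extra-profiles/bwrap-userns-restrict from the apparmor submodule (commit 8e431ebcd); re-sync when the submodule is bumped.` at the top of the file would make the pairing auditable. The `abi ,`, `include` and `include if exists` lines carry no `<...>` target as shown here; if that is the file's real content rather than a rendering loss, apparmor_parser will reject the profile, so confirm the targets survived the copy. The copy keeps the upstream profile name `bwrap` attached to `/usr/bin/bwrap`; on a host that also loads the stock `bwrap-userns-restrict` shipped by the apparmor package, two profiles with the same name and attachment would conflict at load time, which the old symlink could not cause — worth checking how the Debian packaging handles that case.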