package apparmor
import (
"text/template"
)
// forkproxyProfileSrc is the text/template source of the AppArmor profile
// used to confine the forkproxy process. The template reads these fields
// from its data:
//
//	.name        - profile name, inserted verbatim into the quoted header
//	.logPath     - directory tree granted rw for forkproxy log output
//	.exePath     - executable path granted map/read (mr) for fork sub-commands
//	.sockets     - optional list of socket paths, each granted rw
//	.libraryPath - optional list of LD_LIBRARY_PATH entries, each granted mr
//
// NOTE(review): text/template performs no escaping, so .name lands unquoted-
// safe only if the caller validates it before rendering — confirm at the
// call site. The profile also grants "/ rw", "@{PROC}/** rw", capability
// sys_admin and ptrace, which are broad; re-check them whenever forkproxy's
// duties change.
const forkproxyProfileSrc = `#include <tunables/global>
profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
# Capabilities
capability chown,
capability dac_read_search,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
# Network access
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network unix stream,
# Forkproxy operation
{{ .logPath }}/** rw,
@{PROC}/** rw,
/ rw,
ptrace (read),
ptrace (trace),
/etc/machine-id r,
/run/systemd/resolve/stub-resolv.conf r,
/run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
/usr/lib/systemd/resolv.conf r,
# Allow /dev/shm and /dev/dri access (for X11/Wayland)
/dev/dri/** rwkl,
/dev/shm/** rwkl,
# Needed for the fork sub-commands
{{ .exePath }} mr,
@{PROC}/@{pid}/cmdline r,
/{etc,lib,usr/lib}/os-release r,
{{if .sockets -}}
{{range $index, $element := .sockets}}
{{$element}} rw,
{{- end }}
{{- end }}
# Things that we definitely don't need
deny @{PROC}/@{pid}/cgroup r,
deny /sys/module/apparmor/parameters/enabled r,
deny /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
deny /sys/devices/virtual/dmi/id/product_uuid r,
{{if .libraryPath }}
# Entries from LD_LIBRARY_PATH
{{range $index, $element := .libraryPath}}
{{$element}}/** mr,
{{- end }}
{{- end }}
}
`

// forkproxyProfileTpl is the parsed forkproxy AppArmor profile template.
// template.Must panics during package initialisation if the source does
// not parse, so a malformed template is caught at startup rather than at
// render time.
var forkproxyProfileTpl = template.Must(template.New("forkproxyProfile").Parse(forkproxyProfileSrc))