Merge pull request #35 from madaidan/apparmor

Apparmor profiles

debian/control

@@ -5,7 +5,7 @@ Source: security-misc
 Section: misc
 Priority: optional
 Maintainer: Patrick Schleizer <adrelanos@riseup.net>
-Build-Depends: debhelper (>= 12), genmkfile, config-package-dev
+Build-Depends: debhelper (>= 12), genmkfile, config-package-dev, dh-apparmor
 Homepage: https://github.com/Whonix/security-misc
 Vcs-Browser: https://github.com/Whonix/security-misc
 Vcs-Git: https://github.com/Whonix/security-misc.git

debian/rules

@@ -10,3 +10,8 @@
 
 override_dh_installchangelogs:
 	dh_installchangelogs changelog.upstream upstream
+	
+override_dh_install:
+	dh_apparmor --profile-name='usr.lib.security-misc.pam_tally2-info'
+	dh_apparmor --profile-name='usr.lib.security-misc.permission-lockdown'
+	dh_install

etc/apparmor.d/usr.lib.security-misc.pam_tally2-info

@@ -0,0 +1,36 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+#include <tunables/global>
+
+/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) {
+  #include <abstractions/bash>
+
+  capability dac_override,
+  capability dac_read_search,
+
+  /bin/bash ix,
+  /bin/cat mrix,
+  /bin/grep mrix,
+  /usr/bin/cut mrix,
+  /usr/bin/tail mrix,
+  /sbin/pam_tally2 mrix,
+  /usr/lib/security-misc/pam_tally2-info r,
+
+  /etc/ld.so.cache r,
+  /etc/locale.alias r,
+
+  /{usr/,}lib{,32,64}/** mr,
+
+  owner /etc/nsswitch.conf r,
+  owner /etc/pam.d/* r,
+  owner /etc/passwd r,
+
+  owner /usr/share/zoneinfo/** r,
+  owner /var/log/tallylog rw,
+
+  /dev/tty rw,
+  owner /dev/pts/[0-9]* rw,
+  
+  #include <local/usr.lib.security-misc.pam_tally2-info>
+}

etc/apparmor.d/usr.lib.security-misc.permission-lockdown

@@ -0,0 +1,38 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+#include <tunables/global>
+
+/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) {
+  #include <abstractions/bash>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+
+  /bin/bash ix,
+  /bin/chmod mrix,
+  /bin/echo mrix,
+  /bin/mkdir mrix,
+  /bin/touch mrix,
+  /usr/bin/basename mrix,
+  /usr/bin/touch mrix,
+  /usr/lib/security-misc/permission-lockdown r,
+
+  /home/*/ w,
+
+  /{usr/,}lib{,32,64}/** mr,
+
+  /etc/ld.so.cache r,
+  owner /etc/locale.alias r,
+  owner /etc/nsswitch.conf r,
+  owner /etc/passwd r,
+
+  owner /var/cache/security-misc/state-files/ rw,
+  owner /var/cache/security-misc/state-files/* rw,
+
+  /dev/tty rw,
+  
+  #include <local/usr.lib.security-misc.permission-lockdown>
+}