apparmor profile for wordpress
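# AppArmor profile fragment for a containerised WordPress / php-fpm install.
# Layout: a docker-default-style preamble (network, capabilities and files
# allowed wholesale, /proc and /sys locked down with deny rules), followed by
# WordPress-specific deny rules rooted at @{base_path}.
# NOTE(review): the profile header, its includes and the closing "}" are not
# active in this file (the lines below are comments), and @{PROC} is only
# defined by tunables/global, so as written this is a fragment that must be
# assembled into a full profile before apparmor_parser will accept it --
# confirm how it is consumed.
# include <tunables/global>
# profile wparmor flags=(attach_disconnected,mediate_deleted) {
# include <../abstractions/base>
# Blanket allows: anything not explicitly denied further down is permitted.
# "file," grants every file permission, so the @{base_path} allow rules later
# in this file are redundant; the deny rules are what actually confine the
# process, and "capability," is equally broad.
network,
capability,
file,
# /proc hardening: block writes to the process-global parts of /proc while
# leaving /proc/<pid>/** and /proc/sys/kernel/shm* writable.
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
# Interfaces that expose or alter kernel memory / trigger sysrq: no access at all.
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny umount,
# /sys hardening: writes, locks, links and exec denied everywhere under /sys
# except the /sys/fs/cgroup tree; EFI variables and securityfs fully denied.
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
# deny @{base_path}/*/public/* wlx,
# deny @{base_path}/*/public/wp-admin/** wlx,
# deny @{base_path}/*/public/wp-includes/** wlx,
# deny @{base_path}/*/public/wp-content/* wlx,
# ***YOUR WORK HERE***
# Add additional rules to deny writing/executing every /var/www/html/wp-content directory except uploads
# You can test your work by spinning up the wordpress docker-compose instance,
# but you'll need to ensure you include the wparmor security option in the compose file as well
# Variables. AppArmor only accepts variable definitions outside a profile
# block, so these belong with the tunables when the fragment is assembled.
# @{php_version} is not referenced anywhere in this file.
@{base_path}="/opt/bitnami/wordpress"
@{php_version}="7.4"
# Explicit allows for the web root (already covered by "file," above; kept so
# the intended read-only baseline survives if that blanket rule is removed).
@{base_path}/*/public/** r,
@{base_path}/*/public/**.php r,
@{base_path}/*/public/**.js r,
# Wordfence's WAF bootstrap is writable; "audit" logs every access to it.
audit @{base_path}/*/public/wordfence-waf.php rw,
@{base_path}/*/log/php-fpm.log w,
# WordPress
# NOTE(review): "ixw" lets the confined process both rewrite and execute these
# plugin/comment files; a compromised worker could persist changes in them.
# Accesses are audited, but confirm the write permission is actually needed.
audit @{base_path}/*/public/wp-content/plugins/sitepress-multilingual-cms/sitepress.* ixw,
audit @{base_path}/*/public/wp-*/**/*comments.php ixw,
# audit deny @{base_path}/*/public/*.php w,
# Top-level PHP files: no write, mmap, link or exec (deny wins over "file,").
audit deny @{base_path}/*/public/*.php wmlx,
# File names in the web root that a stock install does not use; denying read
# as well stops php-fpm from including a dropped file under these names.
deny @{base_path}/*/public/template*.php rw,
audit deny @{base_path}/*/public/**/favicon_*.* rwx,
deny @{base_path}/*/public/reflect.php rwx,
# PHP files must not appear in static-asset directories (css/images/js/fonts).
deny @{base_path}/*/public/wp-admin/css/**/*.php rwx,
deny @{base_path}/*/public/wp-admin/images/**/*.php rwx,
deny @{base_path}/*/public/wp-admin/js/**/*.php rwx,
# Legacy Flash player bundled with older WordPress releases.
deny @{base_path}/*/public/wp-includes/js/mediaelement/flashmediaelement.swf rwx,
deny @{base_path}/*/public/wp-includes/certificates/*.php rwx,
deny @{base_path}/*/public/wp-includes/css/*.php rwx,
deny @{base_path}/*/public/wp-includes/fonts/*.php rwx,
deny @{base_path}/*/public/wp-includes/images/*.php rwx,
deny @{base_path}/*/public/wp-includes/images/**/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/crop/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/imgareaselect/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/jquery/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/jquery/**/*.php rwx,
# Directory names corrected ("mediaemlement" -> "mediaelement", "plubload" ->
# "plupload"); the misspelt originals matched nothing, so these two rules
# were silently ineffective.
deny @{base_path}/*/public/wp-includes/js/mediaelement/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/plupload/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/swfupload/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/swfupload/**/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/thickbox/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/tinymce/*/**/*.php rwx,
deny @{base_path}/*/public/wp-includes/js/tinymce/wp-tinymce.php wx,
# Allow-list by first letter: everything in these directories is denied
# except names beginning with the one character excluded from the class.
deny @{base_path}/*/public/wp-includes/widgets/[^c]* rw,
deny @{base_path}/*/public/wp-includes/SimplePie/Content/Type/[^S]* rw,
deny @{base_path}/*/public/wp-includes/SimplePie/HTTP/[^P]* rw,
deny @{base_path}/*/public/wp-includes/Requests/Auth/[^B]* rw,
deny @{base_path}/*/public/wp-includes/Requests/Exception/Transport/[^c]* rw,
deny @{base_path}/*/public/wp-content/themes/twenty*/assets/css/**/*.php rwx,
deny @{base_path}/*/public/wp-content/themes/twenty*/assets/images/**/*.php rwx,
deny @{base_path}/*/public/wp-content/themes/twenty*/assets/js/**/*.php rwx,
# Uploads must never contain PHP: denying read too means php-fpm cannot even
# include such a file if one is planted there.
deny @{base_path}/*/public/wp-content/uploads/*.php rw,
deny @{base_path}/*/public/wp-content/uploads/**/*.php rw,
deny @{base_path}/*/public/wp-content/themes/Divi/js/*.php rw,
deny @{base_path}/*/public/wp-content/themes/twenty*/assets/*.php rw,
deny @{base_path}/*/public/wp-content/cache/*.php rw,
deny @{base_path}/*/public/wp-content/cache/et/**/*.php rw,
deny @{base_path}/*/public/wp-content/cache/wpml/twig/*.php rw,
deny @{base_path}/*/public/wp-content/plugins/shortcodes-ultimate/assets/**/*.php rw,
deny @{base_path}/*/public/wp-content/plugins/tiled-gallery-carousel-without-jetpack/math/[^c]* rwxl,
deny @{base_path}/*/public/wp-content/plugins/*/images/*.php rw,
deny @{base_path}/*/public/wp-content/plugins/*/images/**/*.php rw,
deny @{base_path}/*/public/wp-content/themes/Divi/et-pagebuilder/[^e]* rw,
deny @{base_path}/*/public/wp-content/themes/Divi/epanel/google-fonts/**/*.php rw,
# page-templates: the original pair of rules ("[^c]*" and "[^f]*") together
# matched every name, since no file starts with both letters, so the whole
# directory was denied. A single class keeps names starting with c or f.
deny @{base_path}/*/public/wp-content/themes/twenty*/page-templates/[^cf]* rw,
# .user.ini would let a dropped file override php-fpm settings per directory.
deny @{base_path}/*/public/.user.ini rw,
# Wordfence
# @{base_path}/*/public/wp-content/wflogs/* rwk,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
ptrace (trace,read) peer=/usr/sbin/php-fpm,
# docker daemon confinement requires explict allow rule for signal
signal (receive) set=(kill,term) peer=/usr/bin/docker,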