apparmor profile for wordpress
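# AppArmor profile "wparmor" for a Bitnami WordPress container.
#
# Shape of the policy: the three blanket rules (network, capability, file)
# allow everything, and the deny rules below carve exceptions out of that.
# A deny rule always wins over an allow rule, so a path that matches no deny
# rule is reachable through the unrestricted `file,` rule. Review edits to
# this file as "what did I just stop denying", not "what did I allow".
#
# Fixes relative to the earlier revision: the include and profile header were
# commented out (and "include" was misspelled), so the rules had no enclosing
# profile and @{PROC} was never defined; the closing brace was missing; the
# variables are now assigned before the profile that uses them; two WordPress
# directory names were misspelled, so their deny rules matched nothing; and the
# two page-templates rules jointly denied every file (see that rule).

#include <tunables/global>

# Variable assignments live at file scope and must precede the profile that
# references them. @{PROC} is supplied by tunables/global.
@{base_path}="/opt/bitnami/wordpress"
# Not referenced by any rule below.
@{php_version}="7.4"

profile wparmor flags=(attach_disconnected,mediate_deleted) {
  # Standard base abstraction (the earlier revision pointed at
  # <../abstractions/base>, one directory above the normal include root).
  #include <abstractions/base>

  # Blanket grants: all network access, every capability, unrestricted file
  # access. Everything after this point is a restriction on these three.
  network,
  capability,
  file,

  # /proc hardening.
  deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny mount,
  deny umount,

  # /sys hardening: the five negated-class rules leave only /sys/fs/cgroup
  # writable; EFI variables and securityfs are denied outright.
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # Commented-out rules left by the author:
  # deny @{base_path}/*/public/* wlx,
  # deny @{base_path}/*/public/wp-admin/** wlx,
  # deny @{base_path}/*/public/wp-includes/** wlx,
  # deny @{base_path}/*/public/wp-content/* wlx,
  # ***YOUR WORK HERE***
  # Add additional rules to deny writing/executing every /var/www/html/wp-content directory except uploads
  # (note: @{base_path} above is /opt/bitnami/wordpress, not /var/www/html)
  # You can test your work by spinning up the wordpress docker-compose instance,
  # but you'll need to ensure you include the wparmor security option in the compose file as well

  # Document root: read access to the whole tree. The .php and .js rules are
  # already covered by the ** rule and are kept only for readability.
  @{base_path}/*/public/** r,
  @{base_path}/*/public/**.php r,
  @{base_path}/*/public/**.js r,
  # Every access to the Wordfence WAF loader is logged.
  audit @{base_path}/*/public/wordfence-waf.php rw,
  @{base_path}/*/log/php-fpm.log w,

  # WordPress
  # Write plus inherit-execute on the WPML entry points and on every
  # *comments.php under wp-*; each use is logged. Check whether write and
  # execute are both really needed here: together they let the confined
  # process modify code it is then allowed to run.
  audit @{base_path}/*/public/wp-content/plugins/sitepress-multilingual-cms/sitepress.* ixw,
  audit @{base_path}/*/public/wp-*/**/*comments.php ixw,
  # audit deny @{base_path}/*/public/*.php w,
  # Top-level PHP files are never writable, mappable, linkable or executable.
  audit deny @{base_path}/*/public/*.php wmlx,
  deny @{base_path}/*/public/template*.php rw,
  audit deny @{base_path}/*/public/**/favicon_*.* rwx,
  deny @{base_path}/*/public/reflect.php rwx,
  # PHP must never appear under asset directories (css/images/js/fonts); a
  # file there is a dropped payload, not WordPress.
  deny @{base_path}/*/public/wp-admin/css/**/*.php rwx,
  deny @{base_path}/*/public/wp-admin/images/**/*.php rwx,
  deny @{base_path}/*/public/wp-admin/js/**/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/mediaelement/flashmediaelement.swf rwx,
  deny @{base_path}/*/public/wp-includes/certificates/*.php rwx,
  deny @{base_path}/*/public/wp-includes/css/*.php rwx,
  deny @{base_path}/*/public/wp-includes/fonts/*.php rwx,
  deny @{base_path}/*/public/wp-includes/images/*.php rwx,
  deny @{base_path}/*/public/wp-includes/images/**/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/crop/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/imgareaselect/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/jquery/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/jquery/**/*.php rwx,
  # Directory names corrected ("mediaemlement", "plubload" matched nothing).
  deny @{base_path}/*/public/wp-includes/js/mediaelement/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/plupload/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/swfupload/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/swfupload/**/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/thickbox/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/tinymce/*/**/*.php rwx,
  deny @{base_path}/*/public/wp-includes/js/tinymce/wp-tinymce.php wx,
  # Negated-class rules: deny everything in the directory except names that
  # start with the listed letter (the legitimate WordPress files there).
  deny @{base_path}/*/public/wp-includes/widgets/[^c]* rw,
  deny @{base_path}/*/public/wp-includes/SimplePie/Content/Type/[^S]* rw,
  deny @{base_path}/*/public/wp-includes/SimplePie/HTTP/[^P]* rw,
  deny @{base_path}/*/public/wp-includes/Requests/Auth/[^B]* rw,
  deny @{base_path}/*/public/wp-includes/Requests/Exception/Transport/[^c]* rw,
  deny @{base_path}/*/public/wp-content/themes/twenty*/assets/css/**/*.php rwx,
  deny @{base_path}/*/public/wp-content/themes/twenty*/assets/images/**/*.php rwx,
  deny @{base_path}/*/public/wp-content/themes/twenty*/assets/js/**/*.php rwx,
  # uploads stays writable for media, but PHP there is never legitimate.
  deny @{base_path}/*/public/wp-content/uploads/*.php rw,
  deny @{base_path}/*/public/wp-content/uploads/**/*.php rw,
  deny @{base_path}/*/public/wp-content/themes/Divi/js/*.php rw,
  deny @{base_path}/*/public/wp-content/themes/twenty*/assets/*.php rw,
  deny @{base_path}/*/public/wp-content/cache/*.php rw,
  deny @{base_path}/*/public/wp-content/cache/et/**/*.php rw,
  deny @{base_path}/*/public/wp-content/cache/wpml/twig/*.php rw,
  deny @{base_path}/*/public/wp-content/plugins/shortcodes-ultimate/assets/**/*.php rw,
  deny @{base_path}/*/public/wp-content/plugins/tiled-gallery-carousel-without-jetpack/math/[^c]* rwxl,
  deny @{base_path}/*/public/wp-content/plugins/*/images/*.php rw,
  deny @{base_path}/*/public/wp-content/plugins/*/images/**/*.php rw,
  deny @{base_path}/*/public/wp-content/themes/Divi/et-pagebuilder/[^e]* rw,
  deny @{base_path}/*/public/wp-content/themes/Divi/epanel/google-fonts/**/*.php rw,
  # The earlier pair of rules `[^c]*` and `[^f]*` together matched every name
  # (a name cannot start with both letters), so the theme's own templates were
  # denied too. One class keeps names starting with c or f readable.
  deny @{base_path}/*/public/wp-content/themes/twenty*/page-templates/[^cf]* rw,
  deny @{base_path}/*/public/.user.ini rw,

  # Wordfence
  # @{base_path}/*/public/wp-content/wflogs/* rwk,

  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer=docker-default,
  ptrace (trace,read) peer=/usr/sbin/php-fpm,

  # docker daemon confinement requires explicit allow rule for signal
  signal (receive) set=(kill,term) peer=/usr/bin/docker,
}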