Last active
May 22, 2019 05:57
-
-
Save gdahlm/2bf2f6a0a36fe8643c773595f83fcbda to your computer and use it in GitHub Desktop.
Apparmor profile for Keybase.io to prevent insecure and multi-user unfriendly use of /keybase; will prevent start unless run_keybase is modified.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <tunables/global> | |
| # At the time of writing requires changing /usr/bin/run_keybase | |
| # Partial diff, which may or may not work for your needs. | |
| # | |
| # - if fusermount -uz /keybase &> /dev/null ; then | |
| # + if fusermount -uz $HOME/Keybase &> /dev/null ; then | |
| # | |
| # - kbfsfuse -debug -log-to-file /keybase &>> "$logdir/keybase.start.log" & | |
| # + kbfsfuse -debug -log-to-file $HOME/Keybase &>> "$logdir/keybase.start.log" & | |
| # | |
| # Copy this file to /etc/apparmor.d/usr.bin.run_keybase and run: | |
| # | |
| # $ sudo aa-enforce usr.bin.run_keybase | |
| # Setting /etc/apparmor.d/usr.bin.run_keybase to enforce mode. | |
| /usr/bin/run_keybase { | |
| #include <abstractions/base> | |
| network, | |
| capability, | |
| file, | |
| umount, | |
| deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) | |
| # deny write to files not in /proc/<number>/** or /proc/sys/** | |
| deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, | |
| deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) | |
| deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ | |
| deny @{PROC}/sysrq-trigger rwklx, | |
| deny @{PROC}/mem rwklx, | |
| deny @{PROC}/kmem rwklx, | |
| deny @{PROC}/kcore rwklx, | |
| deny mount, | |
| deny /sys/[^f]*/** wklx, | |
| deny /sys/f[^s]*/** wklx, | |
| deny /sys/fs/[^c]*/** wklx, | |
| deny /sys/fs/c[^g]*/** wklx, | |
| deny /sys/fs/cg[^r]*/** wklx, | |
| deny /sys/firmware/efi/efivars/** rwklx, | |
| deny /sys/kernel/security/** rwklx, | |
| # deny access to keybase directory created in root. | |
| deny /keybase/** rwklx, | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment