# Last Modified: Thu Jun 8 22:06:17 2023
# Global tunables (@{HOME}, @{pid}, @{uid}, ...) used by the rules below.
include <tunables/global>
# vim:syntax=apparmor
# AppArmor policy for main.sh
# ###AUTHOR### The Fight Against Malware
# ###COPYRIGHT### MIT License
# ###COPYRIGHT### Copyright (c) 2022 thefightagainstmalware on github.com
# ###COPYRIGHT### Permission is hereby granted, free of charge, to any person obtaining a copy
# ###COPYRIGHT### of this software and associated documentation files (the "Software"), to deal
# ###COPYRIGHT### in the Software without restriction, including without limitation the rights
# ###COPYRIGHT### to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# ###COPYRIGHT### copies of the Software, and to permit persons to whom the Software is
# ###COPYRIGHT### furnished to do so, subject to the following conditions:
# ###COPYRIGHT### The above copyright notice and this permission notice shall be included in all
# ###COPYRIGHT### copies or substantial portions of the Software.
# ###COPYRIGHT### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# ###COPYRIGHT### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# ###COPYRIGHT### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# ###COPYRIGHT### AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# ###COPYRIGHT### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# ###COPYRIGHT### OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# ###COPYRIGHT### SOFTWARE.
# ###COMMENT### Minecraft server AppArmor rules. Report bugs at https://github.com/thefightagainstmalware/SandboxGame
# No template variables specified
# Directory the server is allowed to write to (see the `owner @{SERVER_DIR}` rules in the
# profile). @{HOME} is whatever tunables/global defines it as, so this does not pin the
# rule to one user; the profile name below, however, is hard-coded to one home directory.
@{SERVER_DIR} = @{HOME}/paper/
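# Profile for the server launcher. Every program main.sh executes through the
# `ix` rules below (bash, java, the hardware-probing helpers) inherits this
# profile, so the whole server process tree shares one policy. Writes are
# limited to the server directory, JVM/native-library scratch files and a few
# per-user caches; everything else is read-only.
/home/pandaninjas/paper/main.sh {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/consoles>
  include <abstractions/X>

  # Sockets. `network inet,` covers every inet socket type (raw included);
  # NOTE(review): if the server only needs TCP/UDP, `network inet stream,`
  # and `network inet dgram,` would be tighter -- confirm against audit logs.
  network tcp,
  network udp,
  network unix,
  network inet,

  # Read-only host/JVM/font configuration.
  /dev/ r,
  /etc/fonts/** r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/java-*/jvm-*.cfg r,
  /etc/java-*/** r,
  /etc/ld.so.cache r,
  /etc/ld.so.preload r,
  /etc/lsb-release r,
  /etc/modprobe.d/ r,
  /etc/modprobe.d/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/timezone r,

  # Per-user caches. The JNA temp directory needs `m` because native
  # libraries are unpacked there and then mmap-executed.
  @{HOME}/.cache/fontconfig/* rw,
  @{HOME}/.cache/JNA/temp/* mrw,
  @{HOME}/.cache/JNA/temp/ r,

  # The only writable tree the server itself owns. Deliberately no `m`/`x`:
  # nothing under the server directory may be executed or mapped executable.
  owner @{SERVER_DIR} rwk,
  owner @{SERVER_DIR}/** rwk,

  # /proc entries the process reads about itself.
  owner /proc/@{pid}/cgroup r,
  owner /proc/@{pid}/coredump_filter rw,
  owner /proc/@{pid}/fd/ r,
  owner /proc/@{pid}/mountinfo r,
  /proc/cgroups r,
  /proc/cmdline r,
  /proc/devices r,
  # NOTE(review): @{pid} from the tunables is a pattern matching any pid
  # number, so this rule reads every process's /proc tree and makes the four
  # `owner` rules above redundant. `owner /proc/@{pid}/** r,` would keep the
  # self-only intent -- confirm none of the helpers below needs other
  # processes' entries before tightening.
  /proc/@{pid}/** r,
  /proc/scsi/ r,
  /proc/scsi/sg/ r,
  /run/systemd/resolve/stub-resolv.conf r,

  # Hardware enumeration (read-only sysfs) for the lshw/lspci/dmidecode
  # helpers. `/sys/devices/** r` already covers the cpu subtree listed after it.
  /sys/bus/cpu/devices/ r,
  /sys/bus/memory/devices/ r,
  /sys/bus/pci/devices/ r,
  /sys/bus/pci/slots/*/address r,
  /sys/bus/pci/slots/ r,
  /sys/bus/pnp/devices/ r,
  /sys/bus/ r,
  /sys/bus/virtio/devices/ r,
  /sys/class/mmc_host/ r,
  /sys/class/nvme/ r,
  /sys/class/ r,
  /sys/class/sound/ r,
  /sys/devices/** r,
  /sys/devices/system/cpu/** r,
  owner /sys/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*/memory.max r,

  # Native libraries the JVM unpacks into /tmp and mmap-executes (presumably a
  # Java native-library loader; which one is not recorded here). /tmp is
  # world-writable, so without `owner` a .so placed there by any other local
  # user would satisfy this rule; `owner` limits the match to files created by
  # this uid. This does not constrain code already running inside the JVM --
  # pointing the loader at @{HOME}/.cache/JNA/temp/ (allowed above) would let
  # both /tmp/*.so rules be removed.
  /tmp/ r,
  owner /tmp/*.so.lck rw,
  owner /tmp/*.so mrw,
  # JVM performance-data directory.
  owner /tmp/hsperfdata_*/ rw,
  owner /tmp/hsperfdata_*/** rw,

  # Programs main.sh may run; `ix` keeps them inside this profile.
  /usr/bin/bash ix,
  /usr/bin/java ix,
  /usr/bin/lshw ix,
  /usr/bin/lspci ix,
  /usr/bin/stty ix,
  /usr/bin/tty ix,
  /usr/bin/uname ix,
  /usr/lib64/ r,
  /usr/lib/jvm/*/bin/java ix,
  /usr/lib/jvm/*/lib/jspawnhelper ix,
  /usr/lib/ r,
  /usr/local/share/fonts/** r,
  /usr/sbin/dmidecode ix,
  /usr/sbin/ldconfig ixr,
  /usr/sbin/ldconfig.real ix,

  # Shared read-only data (fonts, icons, hardware id tables, system jars).
  /usr/share/fontconfig/** r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/icons/** r,
  /usr/share/java/* r,
  /usr/share/misc/pci.ids r,
  /var/cache/fontconfig/* r,
}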
# Template copy of the profile above: $MC_SERVER_DIR and $USER_HOME are filled in
# by the generator before the result is handed to apparmor_parser.
# Global tunables (@{HOME}, @{pid}, @{uid}, ...) used by the rules below.
include <tunables/global>
# vim:syntax=apparmor
# AppArmor policy for main.sh
# ###AUTHOR### The Fight Against Malware
# ###COPYRIGHT### MIT License
# ###COPYRIGHT### Copyright (c) 2022 thefightagainstmalware on github.com
# ###COPYRIGHT### Permission is hereby granted, free of charge, to any person obtaining a copy
# ###COPYRIGHT### of this software and associated documentation files (the "Software"), to deal
# ###COPYRIGHT### in the Software without restriction, including without limitation the rights
# ###COPYRIGHT### to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# ###COPYRIGHT### copies of the Software, and to permit persons to whom the Software is
# ###COPYRIGHT### furnished to do so, subject to the following conditions:
# ###COPYRIGHT### The above copyright notice and this permission notice shall be included in all
# ###COPYRIGHT### copies or substantial portions of the Software.
# ###COPYRIGHT### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# ###COPYRIGHT### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# ###COPYRIGHT### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# ###COPYRIGHT### AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# ###COPYRIGHT### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# ###COPYRIGHT### OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# ###COPYRIGHT### SOFTWARE.
# ###COMMENT### Minecraft server AppArmor rules. Report bugs at https://github.com/thefightagainstmalware/SandboxGame
# The only tree the server may write to (see the `owner @{SERVER_DIR}` rules).
@{SERVER_DIR} = $MC_SERVER_DIR
# Narrowing @{HOME} to the one user's home pins the cache rules to that user.
# NOTE(review): tunables/global (included above) already defines @{HOME}, and
# apparmor_parser, as far as I recall, rejects a second `=` definition of an
# existing variable (`+=` is the append form) -- verify the generated file
# actually loads, or define the narrower value under a new variable name.
@{HOME} = $USER_HOME # @{HOME} from tunables/global is too broad, we can do better
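# Profile for the server launcher. Every program main.sh executes through the
# `ix` rules below (bash, java, the hardware-probing helpers) inherits this
# profile, so the whole server process tree shares one policy. Writes are
# limited to the server directory, JVM/native-library scratch files and a few
# per-user caches; everything else is read-only.
$MC_SERVER_DIR/main.sh {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/consoles>
  include <abstractions/X>

  # Sockets. `network inet,` covers every inet socket type (raw included);
  # NOTE(review): if the server only needs TCP/UDP, `network inet stream,`
  # and `network inet dgram,` would be tighter -- confirm against audit logs.
  network tcp,
  network udp,
  network unix,
  network inet,

  # Read-only host/JVM/font configuration.
  /dev/ r,
  /etc/fonts/** r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/java-*/jvm-*.cfg r,
  /etc/java-*/** r,
  /etc/ld.so.cache r,
  /etc/ld.so.preload r,
  /etc/lsb-release r,
  /etc/modprobe.d/ r,
  /etc/modprobe.d/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/timezone r,

  # Per-user caches. The JNA temp directory needs `m` because native
  # libraries are unpacked there and then mmap-executed.
  @{HOME}/.cache/fontconfig/* rw,
  @{HOME}/.cache/JNA/temp/* mrw,
  @{HOME}/.cache/JNA/temp/ r,

  # The only writable tree the server itself owns. Deliberately no `m`/`x`:
  # nothing under the server directory may be executed or mapped executable.
  owner @{SERVER_DIR} rwk,
  owner @{SERVER_DIR}/** rwk,

  # /proc entries the process reads about itself.
  owner /proc/@{pid}/cgroup r,
  owner /proc/@{pid}/coredump_filter rw,
  owner /proc/@{pid}/fd/ r,
  owner /proc/@{pid}/mountinfo r,
  /proc/cgroups r,
  /proc/cmdline r,
  /proc/devices r,
  # NOTE(review): @{pid} from the tunables is a pattern matching any pid
  # number, so this rule reads every process's /proc tree and makes the four
  # `owner` rules above redundant. `owner /proc/@{pid}/** r,` would keep the
  # self-only intent -- confirm none of the helpers below needs other
  # processes' entries before tightening.
  /proc/@{pid}/** r,
  /proc/scsi/ r,
  /proc/scsi/sg/ r,
  /run/systemd/resolve/stub-resolv.conf r,

  # Hardware enumeration (read-only sysfs) for the lshw/lspci/dmidecode
  # helpers. `/sys/devices/** r` already covers the cpu subtree listed after it.
  /sys/bus/cpu/devices/ r,
  /sys/bus/memory/devices/ r,
  /sys/bus/pci/devices/ r,
  /sys/bus/pci/slots/*/address r,
  /sys/bus/pci/slots/ r,
  /sys/bus/pnp/devices/ r,
  /sys/bus/ r,
  /sys/bus/virtio/devices/ r,
  /sys/class/mmc_host/ r,
  /sys/class/nvme/ r,
  /sys/class/ r,
  /sys/class/sound/ r,
  /sys/devices/** r,
  /sys/devices/system/cpu/** r,
  owner /sys/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*/memory.max r,

  # Native libraries the JVM unpacks into /tmp and mmap-executes (presumably a
  # Java native-library loader; which one is not recorded here). /tmp is
  # world-writable, so without `owner` a .so placed there by any other local
  # user would satisfy this rule; `owner` limits the match to files created by
  # this uid. This does not constrain code already running inside the JVM --
  # pointing the loader at @{HOME}/.cache/JNA/temp/ (allowed above) would let
  # both /tmp/*.so rules be removed.
  /tmp/ r,
  owner /tmp/*.so.lck rw,
  owner /tmp/*.so mrw,
  # JVM performance-data directory.
  owner /tmp/hsperfdata_*/ rw,
  owner /tmp/hsperfdata_*/** rw,

  # Programs main.sh may run; `ix` keeps them inside this profile.
  /usr/bin/bash ix,
  /usr/bin/java ix,
  /usr/bin/lshw ix,
  /usr/bin/lspci ix,
  /usr/bin/stty ix,
  /usr/bin/tty ix,
  /usr/bin/uname ix,
  /usr/lib64/ r,
  /usr/lib/jvm/*/bin/java ix,
  /usr/lib/jvm/*/lib/jspawnhelper ix,
  /usr/lib/ r,
  /usr/local/share/fonts/** r,
  /usr/sbin/dmidecode ix,
  /usr/sbin/ldconfig ixr,
  /usr/sbin/ldconfig.real ix,

  # Shared read-only data (fonts, icons, hardware id tables, system jars).
  /usr/share/fontconfig/** r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/icons/** r,
  /usr/share/java/* r,
  /usr/share/misc/pci.ids r,
  /var/cache/fontconfig/* r,
}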
thegu5 commented Jun 9, 2023

!!
