diff --git a/global/v4.0/baremetal/bootactions/apparmor-profiles.yaml b/global/v4.0/baremetal/bootactions/apparmor-profiles.yaml
new file mode 100644
index 000000000..2ab2bbc8c
--- /dev/null
+++ b/global/v4.0/baremetal/bootactions/apparmor-profiles.yaml
@@ -0,0 +1,47 @@
+---
+schema: 'drydock/BootAction/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: apparmor-profiles
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: global
+ substitutions:
+ - src:
+ schema: pegleg/AppArmorProfile/v1
+ name: airship-default
+ path: .savePath
+ dest:
+ path: .assets[0].path
+ - src:
+ schema: pegleg/AppArmorProfile/v1
+ name: airship-default
+ path: .content
+ dest:
+ path: .assets[0].data
+ - src:
+ schema: pegleg/AppArmorProfile/v1
+ name: airship-apparmor-loader
+ path: .savePath
+ dest:
+ path: .assets[1].path
+ - src:
+ schema: pegleg/AppArmorProfile/v1
+ name: airship-apparmor-loader
+ path: .content
+ dest:
+ path: .assets[1].data
+
+data:
+ signaling: false
+ assets:
+ - type: file
+ permissions: '600'
+ data_pipeline:
+ - utf8_decode
+ - type: file
+ permissions: '600'
+ data_pipeline:
+ - utf8_decode
+...
diff --git a/global/v4.0/profiles/security/apparmor_loader.yaml b/global/v4.0/profiles/security/apparmor_loader.yaml
new file mode 100644
index 000000000..9b764f750
--- /dev/null
+++ b/global/v4.0/profiles/security/apparmor_loader.yaml
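Review bot: The substitutions address `.assets[0]` and `.assets[1]` positionally, but nothing in `data.assets` says which profile lands in which slot, so reordering either list silently swaps a path with the other profile's content. A comment on the assets list would pin this, e.g. `# assets[0] <- airship-default, assets[1] <- airship-apparmor-loader (both filled via metadata.substitutions)`. This bootaction only writes the two profile files; if the kernel load is done by a separate loader workload, as the `airship-apparmor-loader` profile name suggests, a one-line comment stating that here would save the next reader from checking.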
@@ -0,0 +1,80 @@
+---
+schema: 'pegleg/AppArmorProfile/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: airship-apparmor-loader
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: global
+data:
+ savePath: /etc/apparmor.d/profile_airship_loader
+ content: |
+ #include
+
+ profile airship-apparmor-loader flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ network inet tcp,
+ network inet udp,
+ network inet icmp,
+
+ deny network raw,
+
+ deny network packet,
+
+ file,
+ umount,
+
+ deny /bin/** wl,
+ deny /boot/** wl,
+ deny /dev/** wl,
+ deny /etc/** wl,
+ deny /home/** wl,
+ deny /lib/** wl,
+ deny /lib64/** wl,
+ deny /media/** wl,
+ deny /mnt/** wl,
+ deny /opt/** wl,
+ deny /proc/** wl,
+ deny /root/** wl,
+ deny /sbin/** wl,
+ deny /srv/** wl,
+ deny /tmp/** wl,
+ deny /sys/** wl,
+ deny /usr/** wl,
+ audit /etc/apparmor.d/airship_* rwl,
+
+ audit /** w,
+
+ deny /bin/dash mrwklx,
+ deny /bin/sh mrwklx,
+ deny /usr/bin/top mrwklx,
+
+ capability chown,
+ # Allow Apparmor profiles to be loaded
+ capability mac_admin,
+ capability dac_override,
+ capability setuid,
+ capability setgid,
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc//** or /proc/sys/**
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+ }
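Review bot: The `audit /etc/apparmor.d/airship_* rwl,` rule is shadowed for `w` and `l` by the earlier `deny /etc/** wl,`, because AppArmor gives explicit deny rules precedence over allow rules regardless of order; as written the loader can only read under that path. If the loader is meant to write profiles there, the `/etc/**` deny has to be rewritten to exclude `/etc/apparmor.d/`, and note that the glob `airship_*` does not match the `profile_airship_*` names the bootaction saves under, so even the read side may not cover the intended files. The same shadowing makes the fine-grained `@{PROC}` and `/sys/...` write denies here and in default_apparmor.yaml redundant with `deny /proc/** wl,` and `deny /sys/** wl,`, so the comments promising an exception for `/proc/sys/kernel/shm*` describe behaviour the profile does not actually have. The two bare `#include` lines look like a rendering artefact that dropped the `<...>` target; worth confirming the committed file still carries it, since apparmor_parser rejects an `#include` without one.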
diff --git a/global/v4.0/profiles/security/default_apparmor.yaml b/global/v4.0/profiles/security/default_apparmor.yaml
new file mode 100644
index 000000000..2b07923eb
--- /dev/null
+++ b/global/v4.0/profiles/security/default_apparmor.yaml
@@ -0,0 +1,78 @@
+---
+schema: 'pegleg/AppArmorProfile/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: airship-default
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: global
+data:
+ savePath: /etc/apparmor.d/profile_airship_default
+ content: |
+ #include
+
+ profile airship-default flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ network inet tcp,
+ network inet udp,
+ network inet icmp,
+
+ deny network raw,
+
+ deny network packet,
+
+ file,
+ umount,
+
+ deny /bin/** wl,
+ deny /boot/** wl,
+ deny /dev/** wl,
+ deny /etc/** wl,
+ deny /home/** wl,
+ deny /lib/** wl,
+ deny /lib64/** wl,
+ deny /media/** wl,
+ deny /mnt/** wl,
+ deny /opt/** wl,
+ deny /proc/** wl,
+ deny /root/** wl,
+ deny /sbin/** wl,
+ deny /srv/** wl,
+ deny /tmp/** wl,
+ deny /sys/** wl,
+ deny /usr/** wl,
+
+ audit /** w,
+
+ deny /bin/dash mrwklx,
+ deny /bin/sh mrwklx,
+ deny /usr/bin/top mrwklx,
+
+ capability chown,
+ capability dac_override,
+ capability setuid,
+ capability setgid,
+ capability net_bind_service,
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc//** or /proc/sys/**
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+ }
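Review bot: The profile body has no header comment stating the model it implements — `file,` grants all file access and the deny rules narrow it, with deny taking precedence — so a reader meets `deny /etc/** wl,` after `file,` and has to know the precedence rule to predict the outcome. A two-line comment right after the `profile airship-default ... {` line would carry that: `# Model: 'file,' allows everything; the deny rules below take precedence and remove` / `# write/lock on system paths. A later allow rule cannot override a deny.` The body is otherwise the same as airship-apparmor-loader apart from the name and the capability set (`net_bind_service` here, `mac_admin` there); a comment naming that intended difference would make it less likely that a fix applied to one profile drifts from the other.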
diff --git a/global/v4.0/schemas/pegleg/AppArmorProfile/v1.yaml b/global/v4.0/schemas/pegleg/AppArmorProfile/v1.yaml
new file mode 100644
index 000000000..29fa070c3
--- /dev/null
+++ b/global/v4.0/schemas/pegleg/AppArmorProfile/v1.yaml
@@ -0,0 +1,17 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+ schema: metadata/Control/v1
+ name: pegleg/AppArmorProfile/v1
+ labels:
+ application: pegleg
+data:
+ $schema: 'http://json-schema.org/schema#'
+ type: 'object'
+ additionalProperties: false
+ properties:
+ savePath:
+ type: 'string'
+ content:
+ type: 'string'
+ required: ['savePath', 'content']
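Review bot: `savePath` is constrained only to `type: 'string'`, yet the bootaction in this patch substitutes it straight into a `type: file` asset path, so any document that validates against this schema can direct profile content to an arbitrary location on the node. Adding `minLength: 1` and a `pattern` that anchors the value under `/etc/apparmor.d/` (for example `pattern: '^/etc/apparmor\.d/[A-Za-z0-9_.-]+$'`, a constructed value to adjust to the naming actually used) lets validation reject that before deployment; `content` should likewise get `minLength: 1` so an empty profile is caught before apparmor_parser sees it. Minor: `metadata.schema: metadata/Control/v1` is the only unquoted schema value in the patch; quoting it as `'metadata/Control/v1'` matches the other documents.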