utils: Add AppArmor profiles

Add AppArmor profiles to lock down daemon and cli wallet.
4 years ago · a3c9befbb5
parent 08a0e737f9
commit a3c9befbb5
2 changed files with 42 additions and 0 deletions
--- a/utils/apparmor/usr.bin.wownero-wallet-cli
+++ b/utils/apparmor/usr.bin.wownero-wallet-cli
@ -0,0 +1,23 @@
+#include <tunables/global>
+
+# Change to wherever you store your wallet files and start wallet from.
+@{WALLET_DIR} = /home/*/Documents/Wownero
+
+profile wownero-wallet-cli /usr/{,local/}bin/wownero-wallet-cli {
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+
+  # TODO: Use <abstractions/nameservice> when it is fixed.
+  /etc/gai.conf r,
+  /etc/host.conf r,
+  /etc/hosts r,
+  /etc/nsswitch.conf r,
+  /etc/resolv.conf r,
+
+  /etc/inputrc r,
+  /etc/terminfo/** r,
+
+  owner /home/*/.wow-shared-ringdb/* rwk,
+  owner @{WALLET_DIR}/* rwk,
+
+}
--- a/utils/apparmor/usr.bin.wownerod
+++ b/utils/apparmor/usr.bin.wownerod
@ -0,0 +1,19 @@
+#include <tunables/global>
+
+profile wownerod /usr/{,local/}bin/wownerod {
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+
+  /etc/inputrc r,
+  /etc/terminfo/** r,
+
+  /sys/devices/**/rotational r,
+
+  owner /home/*/.wownero/{,/testnet/,/stagenet/} w,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}lmdb/ w,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}lmdb/* rwk,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}p2pstate.bin rw,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}wownero.conf r,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}wownero.log w,
+
+}