From 9cc1a1ad4817fadb1f82cb1119a1088c1e76c82a Mon Sep 17 00:00:00 2001
From: Matt Smith <matt@offtopica.uk>
Date: Wed, 22 Jul 2020 22:05:07 +0100
Subject: [PATCH] utils: Add AppArmor profiles

Add AppArmor profiles to lock down daemon and cli wallet.
---
 utils/apparmor/usr.bin.wownero-wallet-cli | 23 +++++++++++++++++++++++
 utils/apparmor/usr.bin.wownerod           | 19 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 utils/apparmor/usr.bin.wownero-wallet-cli
 create mode 100644 utils/apparmor/usr.bin.wownerod

diff --git a/utils/apparmor/usr.bin.wownero-wallet-cli b/utils/apparmor/usr.bin.wownero-wallet-cli
new file mode 100644
index 000000000..2650e70cb
--- /dev/null
+++ b/utils/apparmor/usr.bin.wownero-wallet-cli
@@ -0,0 +1,23 @@
+#include <tunables/global>
+
+# Change to wherever you store your wallet files and start wallet from.
+@{WALLET_DIR} = /home/*/Documents/Wownero
+
+profile wownero-wallet-cli /usr/{,local/}bin/wownero-wallet-cli {
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+
+  # TODO: Use <abstractions/nameservice> when it is fixed.
+  /etc/gai.conf r,
+  /etc/host.conf r,
+  /etc/hosts r,
+  /etc/nsswitch.conf r,
+  /etc/resolv.conf r,
+
+  /etc/inputrc r,
+  /etc/terminfo/** r,
+
+  owner /home/*/.wow-shared-ringdb/* rwk,
+  owner @{WALLET_DIR}/* rwk,
+
+}
diff --git a/utils/apparmor/usr.bin.wownerod b/utils/apparmor/usr.bin.wownerod
new file mode 100644
index 000000000..a01fa9d2d
--- /dev/null
+++ b/utils/apparmor/usr.bin.wownerod
@@ -0,0 +1,19 @@
+#include <tunables/global>
+
+profile wownerod /usr/{,local/}bin/wownerod {
+  #include <abstractions/base>
+  #include <abstractions/openssl>
+
+  /etc/inputrc r,
+  /etc/terminfo/** r,
+
+  /sys/devices/**/rotational r,
+
+  owner /home/*/.wownero/{,/testnet/,/stagenet/} w,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}lmdb/ w,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}lmdb/* rwk,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}p2pstate.bin rw,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}wownero.conf r,
+  owner /home/*/.wownero/{,/testnet/,/stagenet/}wownero.log w,
+
+}