Merge pull request #38 from mdegat01/add-apparmor

Add custom apparmor profile
mdegat01 · Apr 10, 2021 · 03a34d3 · 03a34d3
2 parents efc1c41 + cc15fb5
commit 03a34d3
Show file tree

Hide file tree

Showing 5 changed files with 140 additions and 5 deletions.
diff --git a/loki/Dockerfile b/loki/Dockerfile
@@ -41,9 +41,13 @@ RUN set -eux; \
     nginx -v; \
     rm -f -r /etc/nginx; \
     mkdir -p \
+        /var/lib/nginx/tmp/client_body \
+        /var/lib/nginx/tmp/fastcgi \
+        /var/lib/nginx/tmp/proxy \
+        /var/lib/nginx/tmp/scgi \
+        /var/lib/nginx/tmp/uwsgi \
         /var/log/nginx \
-        /var/lib/nginx \
-        /var/tmp/nginx \
+        /run/nginx \
         ; \
     touch /var/log/nginx/error.log;
 

diff --git a/loki/apparmor.txt b/loki/apparmor.txt
@@ -0,0 +1,128 @@
+include <tunables/global>
+
+# Nginx data dirs
+@{nginx_data}=/usr/lib/nginx/ /usr/share/nginx/ /var/lib/nginx/
+
+profile loki flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+
+  # Send signals to children
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # Capabilities
+  capability kill,
+  capability dac_override,
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability setuid,
+  capability setgid,
+
+  # S6-Overlay
+  /init                           rix,
+  /bin/**                         rix,
+  /usr/bin/**                     rix,
+  @{etc_ro}/s6/**                 rix,
+  @{etc_rw}/services.d/{,**}      rwix,
+  @{etc_rw}/cont-init.d/{,**}     rwix,
+  @{etc_rw}/cont-finish.d/{,**}   rwix,
+  @{etc_rw}/fix-attrs.d/{,**}     rw,
+  @{run}/s6/**                    rwix,
+  @{run}/**                       rwk,
+  /dev/tty                        rw,
+  @{etc_ro}/group                 r,
+  @{etc_ro}/passwd                r,
+  @{etc_ro}/hosts                 r,
+  @{etc_ro}/ssl/openssl.cnf       r,
+  /dev/null                       k,
+
+  # Bashio
+  /usr/lib/bashio/**              ix,
+  /tmp/**                         rw,
+
+  # Options.json & addon data
+  /data/**                        rw,
+
+  # Needed for setup
+  @{etc_rw}/loki/**               rw,
+  @{etc_rw}/nginx/{,**}           rw,
+  @{nginx_data}/{,**}             rw,
+  /var/log/nginx/{,**}            rw,
+  /ssl/**                         r,
+
+  # Programs
+  /usr/bin/loki                   cx,
+  /usr/sbin/nginx                 Cx,
+
+  # Shell access
+  owner @{HOME}/*                 rw,
+
+  profile /usr/bin/loki flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+
+    # Receive signals from S6-Overlay & ourselves
+    signal receive,
+    signal peer=@{profile_name},
+
+    # Send & receive tcp traffic
+    network tcp,
+
+    # Executables
+    /bin/**                         rix,
+    /usr/bin/**                     rix,
+
+    # Addon data
+    /data/**                        r,
+    /data/loki/**                   rw,
+
+    # Config
+    @{etc_ro}loki/*                 r,
+    /share/**                       r,
+
+    # Runtime usage
+    @{etc_ro}/hosts                 r,
+    @{etc_ro}/resolv.conf           r,
+    @{etc_ro}/nsswitch.conf         r,
+    @{PROC}/sys/net/core/somaxconn  r,
+    @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  }
+
+  profile /usr/sbin/nginx flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+
+    # Receive signals from S6-Overlay & ourselves
+    signal receive peer=*_loki,
+    signal peer=@{profile_name},
+
+    # Send & receive tcp traffic
+    network tcp,
+
+    # Capabilities
+    capability dac_override,
+    capability mknod,
+    capability setuid,
+    capability setgid,
+    ptrace (read) peer=*_loki,
+
+    # Executables
+    /bin/**                     rix,
+    /usr/bin/**                 rix,
+
+    # Config files
+    @{etc_ro}/nginx/**          r,
+    /ssl/**                     r,
+
+    # Service data
+    @{nginx_data}/**            r,
+    /var/lib/nginx/tmp/**       rw,
+    /var/log/nginx/*            w,
+
+    # Runtime usage
+    /usr/sbin/nginx             rm,
+    @{etc_ro}/group             r,
+    @{etc_ro}/passwd            r,
+    @{etc_ro}/ssl/openssl.cnf   r,
+    @{run}/nginx.pid            rw,
+    @{PROC}/1/fd/1              w,
+  }
+}
diff --git a/loki/rootfs/etc/fix-attrs.d/permissions b/loki/rootfs/etc/fix-attrs.d/permissions
@@ -1,3 +1,6 @@
 /data/loki true abc 0755 0755
+/etc/nginx true abc 0755 0755
 /var/lib/nginx true abc 0755 0755
-/var/tmp/nginx true abc 0755 0755
+/var/log/nginx true abc 0755 0755
+/usr/lib/nginx true abc 0755 0755
+/usr/share/nginx true abc 0755 0755
diff --git a/loki/rootfs/etc/services.d/loki/run b/loki/rootfs/etc/services.d/loki/run
@@ -50,4 +50,4 @@ fi
 
 bashio::log.info "Handing over control to Loki..."
 exec s6-setuidgid abc \
-    loki "${loki_args[@]}"
+    /usr/bin/loki "${loki_args[@]}"
diff --git a/loki/rootfs/etc/services.d/nginx/run b/loki/rootfs/etc/services.d/nginx/run
@@ -7,4 +7,4 @@
 bashio::net.wait_for 8080
 bashio::log.info "Starting NGinx..."
 
-exec nginx
+exec /usr/sbin/nginx