# veilor-os AppArmor profile — veilor-power
#
# Scope:
#   Confine /usr/local/bin/veilor-power, the power profile switcher. The
#   script is small but invokes sudo to talk to tuned-adm; we want a tight
#   surface so a compromised user shell cannot abuse the sudoers entry to
#   pivot beyond profile switching.
#
# Mode:
#   enforce — this binary is ours, the surface is small, no need for a
#   complain runway. Rules were verified against the script at write time.
#
# Manual enable:
#   sudo install -m 0644 scripts/apparmor/usr.bin.veilor-power /etc/apparmor.d/
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.veilor-power
#   sudo aa-enforce /etc/apparmor.d/usr.bin.veilor-power
#
# To debug:
#   sudo aa-complain /etc/apparmor.d/usr.bin.veilor-power
#
# NOT enabled in kickstart by default. v0.5 work.

# NOTE(review): the targets of every #include below are missing in this copy
# (the angle-bracketed names appear to have been stripped on extraction).
# The @{HOME} variable used in the deny rules is only defined once the global
# tunables are included, so restore the targets before loading this file.
#include

# Attach by path; `enforce` is also the parser default when no mode flag is
# given, so the explicit flag documents intent rather than changing behaviour.
profile veilor-power /usr/local/bin/veilor-power flags=(enforce) {
  #include
  #include
  #include

  # ---- the script itself + bash ----
  # ix: the interpreter and helpers inherit this profile rather than
  # transitioning, so they stay under the same deny rules below.
  /usr/local/bin/veilor-power r,
  /usr/bin/bash ix,
  /usr/bin/awk ix,
  /usr/bin/cat ix,

  # ---- read CPU + ASUS sysfs for status ----
  # Read-only: status reporting never writes to sysfs from this profile.
  /sys/devices/system/cpu/cpufreq/ r,
  /sys/devices/system/cpu/cpufreq/** r,
  /sys/devices/system/cpu/cpu*/cpufreq/ r,
  /sys/devices/system/cpu/cpu*/cpufreq/** r,
  /sys/devices/platform/asus-nb-wmi/ r,
  /sys/devices/platform/asus-nb-wmi/** r,

  # ---- sudo handoff to tuned-adm ----
  # Cx: sudo transitions into the local child profile `sudo_tuned` defined
  # below, so the privileged process is confined by that narrower rule set
  # instead of inheriting this profile.
  /usr/bin/sudo Cx -> sudo_tuned,
  # Pix: use tuned-adm's own profile if one is loaded, otherwise inherit
  # this one. NOTE(review): the Scope comment says tuned-adm is reached via
  # sudo; if the script never execs tuned-adm directly, this rule is unused
  # and can be dropped to keep the surface minimal — confirm against the script.
  /usr/bin/tuned-adm Pix,

  # ---- forbidden ----
  # Explicit deny rules take precedence over any allow rule, including
  # those pulled in by the abstractions above, so these hold even if an
  # included abstraction is broader than expected. They also keep the
  # audit log quiet for expected refusals.
  deny network,
  deny ptrace,
  deny capability sys_ptrace,
  deny capability sys_module,
  deny capability sys_rawio,
  deny /dev/kmem rwk,
  deny /dev/mem rwk,
  deny /etc/shadow r,
  # The sudoers entry is the pivot point named in Scope; a confined script
  # must not be able to widen its own grant.
  deny /etc/sudoers w,
  deny /etc/sudoers.d/** w,
  # Requires @{HOME} from the global tunables include.
  deny @{HOME}/.ssh/** rwk,
  deny @{HOME}/.gnupg/** rwk,

  # ---- child profile for the sudo subprocess ----
  # Entered via the Cx rule above. Only sudo itself and the single
  # tuned-adm target are executable here, which is what actually bounds
  # the sudoers entry to profile switching.
  profile sudo_tuned {
    #include
    #include
    #include

    /usr/bin/sudo mr,
    /etc/sudoers r,
    /etc/sudoers.d/ r,
    # Drop-in that grants this script its tuned-adm entry.
    /etc/sudoers.d/veilor-power r,
    # The only exec allowed out of sudo. Pix: tuned-adm's own profile if
    # loaded, else it inherits sudo_tuned.
    /usr/bin/tuned-adm Pix,
    # NOTE(review): log and timestamp paths vary by distro and sudo build;
    # presumably /var/log/sudo* is the sudo log and /var/db/sudo is the
    # timestamp directory on this system — verify in complain mode.
    /var/log/sudo* w,
    /var/db/sudo/** rwk,
    # Privilege change and audit record emission by sudo; no sys_* caps.
    capability setuid,
    capability setgid,
    capability audit_write,
    # NOTE(review): when tuned-adm inherits this profile (no dedicated
    # profile loaded), it typically reaches tuned over a local socket;
    # whether `deny network` blocks that depends on the kernel's socket
    # mediation — confirm in complain mode before relying on enforce.
    deny network,
  }
}