veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
veilor-os/scripts/apparmor/usr.bin.veilor-power
s8n 3cbffaf714 sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) 
Co-authored-by: veilor-org <admin@veilor.org>
2026-05-02 04:39:39 +01:00

78 lines
3.2 KiB
Text
Raw Blame History

# veilor-os AppArmor profile — veilor-power
#
# Scope:
# Confine /usr/local/bin/veilor-power, the power profile switcher. The
# script is small but invokes sudo to talk to tuned-adm; we want a tight
# surface so a compromised user shell cannot abuse the sudoers entry to
# pivot beyond profile switching.
#
# Mode:
# enforce — this binary is ours, the surface is small, no need for a
# complain runway. Verified rules at write time.
#
# Manual enable:
# sudo install -m 0644 scripts/apparmor/usr.bin.veilor-power /etc/apparmor.d/
# sudo apparmor_parser -r /etc/apparmor.d/usr.bin.veilor-power
# sudo aa-enforce /etc/apparmor.d/usr.bin.veilor-power
# # to debug:
# sudo aa-complain /etc/apparmor.d/usr.bin.veilor-power
#
# NOT enabled in kickstart by default. v0.5 work.
#include <tunables/global>
profile veilor-power /usr/local/bin/veilor-power flags=(enforce) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
# ---- the script itself + bash ----
/usr/local/bin/veilor-power r,
/usr/bin/bash ix,
/usr/bin/awk ix,
/usr/bin/cat ix,
# ---- read CPU + ASUS sysfs for status ----
/sys/devices/system/cpu/cpufreq/ r,
/sys/devices/system/cpu/cpufreq/** r,
/sys/devices/system/cpu/cpu*/cpufreq/ r,
/sys/devices/system/cpu/cpu*/cpufreq/** r,
/sys/devices/platform/asus-nb-wmi/ r,
/sys/devices/platform/asus-nb-wmi/** r,
# ---- sudo handoff to tuned-adm ----
/usr/bin/sudo Cx -> sudo_tuned,
/usr/bin/tuned-adm Pix,
# ---- forbidden ----
deny network,
deny ptrace,
deny capability sys_ptrace,
deny capability sys_module,
deny capability sys_rawio,
deny /dev/kmem rwk,
deny /dev/mem rwk,
deny /etc/shadow r,
deny /etc/sudoers w,
deny /etc/sudoers.d/** w,
deny @{HOME}/.ssh/** rwk,
deny @{HOME}/.gnupg/** rwk,
# ---- child profile for the sudo subprocess ----
profile sudo_tuned {
#include <abstractions/base>
#include <abstractions/authentication>
#include <abstractions/nameservice>
/usr/bin/sudo mr,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/veilor-power r,
/usr/bin/tuned-adm Pix,
/var/log/sudo* w,
/var/db/sudo/** rwk,
capability setuid,
capability setgid,
capability audit_write,
deny network,
}
}
Reference in a new issue View git blame Copy permalink