A restrictive AppArmor profile to help enforce Tor usage

agl · Feb 17, 2013 · 9edd852 · cboltz · Jun 20, 2014 · 9edd852
1 parent f68247f
commit 9edd852
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/xmpp-client.apparmor b/xmpp-client.apparmor
@@ -0,0 +1,48 @@
+#
+#    AppArmor xmpp-client profile for Ubuntu 11.04 and later
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+
+#include <tunables/global>
+/usr/bin/xmpp-client {
+  #include <abstractions/consoles>
+  #include <abstractions/ssl_certs>
+
+  # IPv4 TCP
+  network inet stream,
+  # We disable the following to enforce Tor usage
+  # IPv4 UDP for DNS resolution
+  #network inet dgram,
+
+  # Allow reading of /etc/xmpp-client/
+  /etc/xmpp-client/*/** r,
+
+  # Allow reading/writing of xmpp-client dot files
+  /home/*/.xmpp-client rw,
+  /home/*/.xmpp-client* rw,
+
+  # Allow reading of libs and /tmp
+  /etc/ld.so.cache r,
+
+  # Random number generation requires these two
+  /dev/random r,
+  /dev/urandom r,
+
+  # Various xmpp-client denials that make life easier
+  /etc/ssl/certs/ca-certificates.crt r,
+  /proc/sys/net/core/somaxconn r,
+  /etc/localtime r,
+
+  # Allow mapping of shared libraries
+  /lib/* rm,
+  /lib32/* rm,
+  /lib64/* rm,
+  /usr/lib/* rm,
+  /lib/x86_64-linux-gnu/* rm,
+
+  # We'll allow xmpp-client to write debug logs
+  /tmp/xmpp-client*.log rw,
+}