I have created a small AppArmor profile for theonionbox. Copy it to /etc/apparmor.d with a nice name and load it with "apparmor_parser -r [fullpath]".
#include <tunables/global>

/opt/theonionbox/theonionbox.py {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/python>
  #include <abstractions/user-tmp>

  # Set to where tob is installed; the profile header (the ".py" line above
  # the includes) must point at the same location.
  /opt/theonionbox/ r,
  /opt/theonionbox/** r,
  /opt/theonionbox/theonionbox.py ixr,
  # If owned by root, the user cannot write these anyway. So remove the noise.
  deny /opt/theonionbox/tob/*.pyc mrwxkl,

  /bin/{da,ba,z,a,k}sh ixr,
  /bin/uname ixr,
  /etc/network/resolv.conf* r,
  /etc/timezone r,

  # Process and system information read from /proc (psutil)
  @{PROC}/uptime r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/mounts r,

  /sbin/ldconfig{,.real} ixr,
  /sys/{devices/virtual,class}/thermal/** r,
  /usr/bin/python{2.[4-7]*,3.[0-9]*} ixr,

  # Log files written by theonionbox
  /var/log/theonionbox/ r,
  /var/log/theonionbox/* rw,
}
Due to some outdated Python libs (psutil, for example) I do not know if some rules are missing. My profile works quite well. For me ;)
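To find rules the profile still lacks (the psutil concern above), run it in complain mode (aa-complain, then apparmor_parser -r) and turn the kernel's AppArmor audit lines into candidate rules. The script below is an added example, not part of the original post; the log lines are constructed and `suggest_rules` is an assumed helper name.

```shell
#!/bin/sh
# Added example: derive candidate AppArmor rules for the theonionbox profile
# from kernel audit lines. In complain mode violations are logged as
# apparmor="ALLOWED", in enforce mode as apparmor="DENIED"; both mean a rule
# is missing, so both are collected. Events from other profiles are ignored.

PROFILE_NAME="/opt/theonionbox/theonionbox.py"

# Constructed sample of what `journalctl -k` / dmesg shows (not real output).
SAMPLE_LOG='audit: type=1400 audit(1.1:10): apparmor="DENIED" operation="open" profile="/opt/theonionbox/theonionbox.py" name="/etc/ssl/certs/ca-certificates.crt" pid=100 comm="python" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1.2:11): apparmor="ALLOWED" operation="open" profile="/opt/theonionbox/theonionbox.py" name="/proc/loadavg" pid=100 comm="python" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1.3:12): apparmor="DENIED" operation="exec" profile="/opt/theonionbox/theonionbox.py" name="/bin/ps" pid=101 comm="sh" requested_mask="x" denied_mask="x"
audit: type=1400 audit(1.4:13): apparmor="DENIED" operation="open" profile="/usr/sbin/tor" name="/etc/tor/torrc" pid=200 comm="tor" requested_mask="r" denied_mask="r"'

# suggest_rules: reads audit lines on stdin, prints one candidate rule per
# distinct path/mask for $PROFILE_NAME. Review each line before adding it;
# an exec denial is turned into "ixr" so the child stays confined by the
# same profile, matching the style used in the profile above.
suggest_rules() {
  grep -E 'apparmor="(DENIED|ALLOWED)"' |
  grep -F "profile=\"$PROFILE_NAME\"" |
  sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
  while read -r path mask; do
    case "$mask" in
      *x*) echo "$path ixr," ;;
      *)   echo "$path $mask," ;;
    esac
  done | sort -u
}

# Stand-alone demo on the constructed sample; on a real host pipe in
# `journalctl -k` or `dmesg` instead.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```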