Home Explore Help
Sign In
fphammerle
/
systemctl-mqtt
mirror of https://github.com/fphammerle/systemctl-mqtt
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

added apparmor profile

Fabian Peter Hammerle 4 years ago
parent
be2191e2ad
commit
dd143746c7
3 changed files with 65 additions and 5 deletions
Unified View Show Diff Stats
  1. 3 1
      README.md
  2. 52 0
      apparmor-profile
  3. 10 4
      docker-compose.yml

+ 3 - 1
README.md
View File 

@@ -54,7 +54,9 @@ homeassistant:
 
 
 
 1. Clone this repository.
 
 1. Clone this repository.
 
 2. Edit `docker-compose.yml`.
 
 2. Edit `docker-compose.yml`.
 
-3. `docker-compose up --build`
 
+3. Load [AppArmor](https://en.wikipedia.org/wiki/AppArmor) profile:
 
+   `sudo apparmor_parser ./apparmor-profile`
 
+4. `sudo docker-compose up --build`
 
 
 
 ## MQTT Authentication
 
 ## MQTT Authentication

+ 52 - 0
apparmor-profile
View File 

@@ -0,0 +1,52 @@
 
+# systemctl-mqtt - MQTT client triggering shutdown on systemd-based systems
 
+#
 
+# Copyright (C) 2020 Fabian Peter Hammerle <fabian@hammerle.me>
 
+#
 
+# This program is free software: you can redistribute it and/or modify
 
+# it under the terms of the GNU General Public License as published by
 
+# the Free Software Foundation, either version 3 of the License, or
 
+# any later version.
 
+#
 
+# This program is distributed in the hope that it will be useful,
 
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
+# GNU General Public License for more details.
 
+#
 
+# You should have received a copy of the GNU General Public License
 
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
+
 
+#include <tunables/global>
 
+
 
+profile systemctl-mqtt flags=(attach_disconnected) {
 
+  #include <abstractions/base>
 
+
 
+  network inet,
 
+
 
+  # https://jlk.fjfi.cvut.cz/arch/manpages/man/apparmor.d.5#Access_Modes
 
+  /systemctl-mqtt/ r,
 
+  /systemctl-mqtt/** r,
 
+  /systemctl-mqtt/.venv/lib/python3.8/site-packages/_dbus_bindings.so m,
 
+  # https://presentations.nordisch.org/apparmor/#/25
 
+  /systemctl-mqtt/.venv/bin/systemctl-mqtt rix,
 
+  /etc/** r,
 
+  /usr/lib/** rm,
 
+  /var/** r,
 
+  deny /bin/** rwklx,
 
+  deny @{PROC}/** rwklx,
 
+  deny /sys/** rwklx,
 
+
 
+  # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorDBus
 
+  #include <abstractions/dbus-strict>
 
+  dbus (send, receive)
 
+       bus=system
 
+       path=/org/freedesktop/login1
 
+       interface=org.freedesktop.DBus.Introspectable
 
+       member=Introspect
 
+       peer=(label=unconfined),
 
+  dbus (send)
 
+       bus=system
 
+       path=/org/freedesktop/login1
 
+       interface=org.freedesktop.login1.Manager
 
+       member=ScheduleShutdown
 
+       peer=(label=unconfined),
 
+}

+ 10 - 4
docker-compose.yml
View File 

@@ -15,12 +15,18 @@ services:
 
       --mqtt-username raspberrypi
 
       --mqtt-username raspberrypi
 
       --mqtt-password-file /etc/systemctl-mqtt/mqtt-password
 
       --mqtt-password-file /etc/systemctl-mqtt/mqtt-password
 
     hostname: raspberrypi
 
     hostname: raspberrypi
 
-    network_mode: host # TODO verify required
 
-    userns_mode: host # required for host network mode
 
-    user: root # TODO
 
+    network_mode: host # TODO verify if required
 
+    userns_mode: host
 
+    # prefering explicit user specification over "USER 0" in Dockerfile
 
+    # to avoid accidental container startup without
 
+    # secure apparmor profile and dropped capabilities
 
+    user: '0'
 
+    read_only: true
 
+    cap_drop: [all]
 
     security_opt:
 
     security_opt:
 
     - no-new-privileges
 
     - no-new-privileges
 
-    - apparmor=unconfined # TODO
 
+    # $ sudo apparmor_parser --replace ./apparmor-profile
 
+    - apparmor=systemctl-mqtt
 
     # docker-compose >=2.2,<3
 
     # docker-compose >=2.2,<3
 
     cpus: 0.4
 
     cpus: 0.4
 
     mem_limit: 32M
 
     mem_limit: 32M