Created
September 17, 2025 15:32
Limit data exfiltration by malicious package dependencies: use AppArmor
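# Don't forget to define the project-directory variable the rules below use, e.g.
# @{js_project_dirs} = {foo,bar,...}   # relative to @{HOME} (used as @{HOME}/@{js_project_dirs})
# inside some /etc/apparmor.d/tunables/home.d/*.conf file
abi <abi/4.0>,
include <tunables/global>
# my-ssh is the profile /usr/bin/ssh transitions to (Px -> my-ssh) from the profiles below
include <local/my-ssh>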
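profile node /usr/{local/,}bin/{node,deno} {
  # Confines node/deno and everything they exec with `ix`, so a malicious
  # dependency can only reach what is listed here. Anything else is denied and
  # logged; when something legitimate breaks, add that one path rather than
  # widening a glob or switching an exec rule to an unconfined transition.
  deny capability sys_admin,
  /usr/{local/,}bin/{node,deno} ixr,

  # read anything within defined projects directories
  @{HOME}/@{js_project_dirs}{,/**} r,
  # (more restrictive option: only some specific files are allowed to be read;
  #  it only takes effect once the broad rule above is commented out, since
  #  that rule already covers every path listed here)
  @{HOME}/@{js_project_dirs}/{webpack.config.js,esbuild.config.mjs,.npmrc,.browserslistrc,.stylelintrc,.eslintignore,pnpm-workspace.yaml,jest.config.json,*_spec.js,tsconfig.json,tailwind.config.js,vite.config.mts,next.config.ts,next-env.d.ts} r,
  # specific extensions are writable
  @{HOME}/@{js_project_dirs}/**.{js,mjs,jsx,ts,json,html,css,map} rwk,
  # specific lock/state writable files
  @{HOME}/@{js_project_dirs}/{pnpm-lock.yaml,yarn.lock,size-plugin.json,package.json,package-lock.json,{report,stats,meta{,data}}.{json,html}} rwk,
  # specific cache writable directories
  @{HOME}/@{js_project_dirs}/{.next,node_modules,.parcel-cache,parcel-bundle-reports}/{,**} rwkl,
  # common build writable directories
  @{HOME}/@{js_project_dirs}/{**/,}{dist,build,public*,}{,/**} rwk,
  @{HOME}/@{js_project_dirs}/{logs,dist,build}{,/**} rwkl,
  include if exists <local/node>

  # Access to basic OS functions (`include` and the legacy `#include` spelling are the same directive)
  include <abstractions/base>
  # Communicate with terminals
  include <abstractions/consoles>

  # Access network. A bare `network,` allows sockets of every family and type;
  # for a profile whose purpose is limiting exfiltration this is the rule that
  # matters most, so narrow it to the families actually observed in the audit
  # log (inet/inet6 stream and dgram are the usual minimum for node) once confirmed.
  network,
  # Read DNS resolver parameters
  /run/systemd/resolve/stub-resolv.conf r,
  /run/systemd/resolve/resolv.conf r,
  /etc/resolv.conf r,
  # Read procfs
  # /proc/{,**} r,
  # Read OS configuration (single rule; the former duplicate in the git section is merged here)
  /etc/{passwd,nsswitch.conf,services,hosts,host.conf,gitconfig,gai.conf} r,
  /run/systemd/userdb/* r,
  # Execute OS binaries (ix: they stay confined by this profile)
  /usr/bin/{sh,cat,tee,tail,dash,ldd,pkgconf,getconf,which.debianutils} ix,
  /usr/bin/ssh rmPx -> my-ssh,
  /usr/bin/ldd r,
  /etc/ld.so.cache r,
  @{HOME}/.npm/_npx/*/node_modules/@modelcontextprotocol/server-filesystem/dist/index.js rix,
  @{HOME}/.npm/_npx/*/node_modules/create-vite/index.js rix,
  /usr/lib/node_modules/npm/bin/npm-cli.js ixr,
  /usr/lib/node_modules/npm/bin/npx-cli.js ixr,
  /usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp ixr,
  # audit /usr/lib/node_modules/** rwkl,
  # audit /usr/bin/** rwkl,

  # git hooks (npm run) or git downloads
  /usr/bin/git ix,
  /usr/lib/git-core/git ix,
  /usr/lib/git-core/git-submodule ix,
  /usr/lib/git-core/git-remote-http ix,
  /usr/share/git-core/templates/{,**} r,
  /etc/ssl/certs/{,*} r,
  /etc/ssh/ssh_config r,
  /etc/ssh/ssh_config.d/* r,
  /usr/share/ca-certificates/{,**} r,
  # NOTE(review): presumably the keyring's ssh-agent socket. ssh itself runs
  # under my-ssh (Px above), so node-side code should not normally need it and
  # the rule likely belongs in that profile instead; the literal uid 1000 also
  # ties it to a single user.
  /run/user/1000/keyring/ssh rw,
  # NOTE(review): the @{HOME}/** rules below reach every repository anywhere
  # under the home directory, not only @{js_project_dirs}.
  @{HOME}/**/.git/{config,HEAD,index,packed-refs} r,
  @{HOME}/**/.git/{refs,info,objects}/{,**} r,
  @{HOME}/.git{config,attributes} r,
  @{HOME}/**/.{gitconfig,git-diff-filter,gitconfig_local} r,
  # stylelint / eslint
  @{HOME}/**/{*.css,*.html,*.config.js,package.json} r,
  # ts
  @{HOME}/.cache/typescript{,/**} rwkl,
  # prisma
  @{HOME}/.cache/prisma-nodejs/{,**} rwk,
  @{HOME}/.cache/checkpoint-nodejs/{,**} rwk,
  @{HOME}/**/prisma/{,**} rwk,
  @{HOME}/**/@prisma/engines/schema-engine-debian-openssl-3.0.x ix,

  ### node-gyp horror
  /usr/bin/python3.[0-9]* ix,
  /usr/bin/uname ix,
  /usr/bin/touch ix,
  /usr/bin/make ix,
  /usr/bin/x86_64-linux-gnu-g++-13 ix,
  /usr/bin/x86_64-linux-gnu-as ix,
  /usr/libexec/gcc/x86_64-linux-gnu/13/cc1plus ix,
  # protoc used to be `Ux` (run unconfined). It is started by packages in
  # node_modules and can be told on its command line to spawn helper programs,
  # so an unconfined transition would let any dependency leave this profile
  # entirely. Keep it confined; if it then needs a path this profile lacks, add
  # that path instead of reverting to Ux.
  /usr/bin/protoc ix,
  /usr/lib/gcc/x86_64-linux-gnu/{,**} r,
  /usr/lib/x86_64-linux-gnu/{,**} r,
  /usr/include/{,**} r,
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
  include <abstractions/python>
  @{HOME}/@{js_project_dirs}/node_modules/**/binding.node m,
  @{HOME}/@{js_project_dirs}/node_modules/**/{hooks,interactivity}_tmp_*/{,**} lm,
  @{HOME}/@{js_project_dirs}/node_modules/.bin/* ix,
  @{HOME}/@{js_project_dirs}/node_modules/**/bin/*.{mjs,js} ix,
  @{HOME}/@{js_project_dirs}/node_modules/**/{cli,index}.{mjs,js} ix,
  @{HOME}/@{js_project_dirs}/node_modules/next/dist/bin/next ix,
  @{HOME}/@{js_project_dirs}/node_modules/sass-embedded-linux-x64/dart-sass/src/dart ix,
  @{HOME}/@{js_project_dirs}/node_modules/sass-embedded-linux-x64/dart-sass/src/*.snapshot rm,
  @{HOME}/@{js_project_dirs}/node_modules/{@parcel,@rollup,@next,@img,@lmdb,@tailwindcss,@msgpackr-extract,lightningcss*}/{**/,}*.node rmix,
  @{HOME}/@{js_project_dirs}/node_modules/{msgpackr-extract,parcel,prebuild-install,node-gyp*}/{,lib/}bin.js rix,
  @{HOME}/@{js_project_dirs}/node_modules/node-gyp*/build-test.js rix,
  @{HOME}/@{js_project_dirs}/node_modules/@mapbox/node-pre-gyp/bin/node-pre-gyp rix,
  @{HOME}/@{js_project_dirs}/node_modules/@protobuf-ts/protoc/protoc.js rix,
  # esbuild
  @{HOME}/@{js_project_dirs}/node_modules/esbuild/bin/esbuild rPx -> esbuild,
  @{HOME}/@{js_project_dirs}/node_modules/@swc/core-linux-x64-gnu/swc.linux-x64-gnu.node rm,
  @{HOME}/@{js_project_dirs}/node_modules/@esbuild/{linux-x64/,}bin/esbuild ix,
  # others
  @{HOME}/@{js_project_dirs}/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node rm,
  @{HOME}/@{js_project_dirs}/node_modules/bufferutil/prebuilds/linux-x64/node.napi.node rm,

  # Work with history in CLI mode (was `/home/*/...`, which also matched other users' homes)
  owner @{HOME}/.node_repl_history rw,
  @{HOME}/.cache/deno/{,**} r,
  # Work with pnpm, npm and yarn
  @{HOME}/{.cache,.local/share}/pnpm/{,**} rwkl,
  @{HOME}/{.config,.local/state}/pnpm/* rwkl,
  @{HOME}/.config/nextjs-nodejs/** rw,
  @{HOME}/{.npm,.yarn,.cache/yarn}/{,**} rwl,
  @{HOME}/.npm/_npx/**/cli.js ix,
  @{HOME}/.cache/node-gyp/{,**} rwkl,
  @{HOME}/{.npmrc,.yarnrc} rw,
  # Work with tmp files: the directory is listable, but only the user's own
  # entries are writable (the old `/tmp/{,**} rw,` also reached other users' files)
  /tmp/ r,
  owner /tmp/** rw,
  # Cypress
  @{HOME}/.cache/Cypress/{,**} rwk,
  # Work with module configuration stored in user directory
  @{HOME}/.config/configstore/{,**} rw,
  /usr/share/nodejs/{,**} r,
  /usr/share/nodejs/npm/bin/* ix,
  /usr/local/lib/node_modules/{,**} r,
  owner @{PROC}/@{pid}/{stat,cgroup} r,
  @{PROC}/version_signature r,
  deny @{PROC}/version r,
  # log every read of the mysql client credentials file
  audit owner @{HOME}/.my.cnf r,
  /dev/ptmx rw,
  deny /sys/fs/cgroup/{,**} r,
  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/{scaling_cur_freq,cpuinfo_max_freq} r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,

  # Run wp-cli from node. php_cli is declared as a top-level profile in this
  # file, and `cx` only targets a child profile nested inside this one, so the
  # transition is `px` (a top-level profile transition).
  /usr/local/bin/wp rpx -> php_cli,
  @{HOME}/comp/sources/wp-cli/bin/wp rpx -> php_cli,
  /usr/bin/php8* rpx -> php_cli,
  /usr/bin/{mkdir,env} rix,
  # radare2
  owner @{HOME}/.local/share/radare2/{,**} r,
  # vscode
  owner @{HOME}/.config/VSCodium/logs/** rwk,
  /usr/share/codium/v8_context_snapshot.bin r,
}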
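# Profile wp-cli / php runs under when started from the node profile.
# attach_disconnected is needed for the mysql socket rule at the end.
profile php_cli flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/php>
  include <local/abstractions/wp-cli>
  /usr/{local/,}bin/wp rix,
  /usr/bin/ssh rmPx -> my-ssh,
  unix (connect, send, receive, create) type=stream,
  # php processes in this profile may signal each other. The original rule
  # named `peer=php-cli`, which matches no profile in this file (this one is
  # spelled php_cli); assumed to be a typo for the profile's own name.
  signal (send,receive) peer=php_cli,
  /dev/pts/[0-9]* rw,
  /usr/bin/php8.* rix,
  /etc/php*/{,**} r,
  /usr/bin/env rix,
  /etc/ld.so.cache r,
  owner @{PROC}/@{pid}/{maps,mountinfo} r,
  /usr/lib/locale/{,**} r,
  /etc/gnutls/config r,
  /etc/ssl/openssl.cnf r,
  @{etc_ro}/host.conf r,
  @{etc_ro}/hosts r,
  @{etc_ro}/nsswitch.conf r,
  @{etc_ro}/resolv.conf r,
  # mysql, needs attach_disconnected flag
  unix (connect, send, receive) addr="@{,/}run/mysqld/mysqld.sock",
  /run/mysqld/mysqld.sock rw,
}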