AppArmor profile for Ubuntu 14.04

I’ve recently been looking into securing my system with AppArmor (which I think should be spelt AppArmour, but anyway…). I thought that it wouldn’t be too hard to make one for Syncthing/Pulse, in the event that an exploit is discovered and someone tries to do something nasty. So, here is my profile:

# This profile assumes that Syncthing is being run by the
# user who owns the files and folders being synchronised and that
# only files in ~/Documents, ~/Downloads, ~/Pictures, ~/Public, 
# or ~/Videos are being synced. Access is denied to all other folders. 
# It also assumes the install directory of the Syncthing binary is
# in /opt/syncthing/<username>/, and that the binary is called "syncthing". 


#include <tunables/global>

/opt/syncthing/*/syncthing {
  #include <abstractions/base>

  # Obviously needs Internet access to work.
  network inet,
  network inet6,

  # Wants read access to SOMAXCONN
  /proc/sys/net/core/somaxconn r,
  
  # Allow memory-map access to binary location.
  # Write access is given so that auto-updates work, although
  # this could be more secure if auto-update was disabled.
  /opt/syncthing/ r,
  /opt/syncthing/** rw,
  /opt/syncthing/*/syncthing mrw,

  # Needs to be able to read these to work properly
  /run/resolvconf/resolv.conf r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/ssl/certs/** r,

  # Allow full access to config directory.
  owner @{HOME}/.config/syncthing/ rw,
  owner @{HOME}/.config/syncthing/** rwk,
  # Allow read/write to these user locations.
  # These should probably be covered by abstractions instead (?)
  owner @{HOME}/Documents/ rw,
  owner @{HOME}/Documents/** rw,

  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  owner @{HOME}/Pictures/ rw,
  owner @{HOME}/Pictures/** rw,

  owner @{HOME}/Public/ rw,
  owner @{HOME}/Public/** rw,

  owner @{HOME}/Videos/ rw,
  owner @{HOME}/Videos/** rw,

}

I’m running Ubuntu 14.04. In my case, the Syncthing binary is run by my own user, and is located at /opt/syncthing/sean/. I use an Upstart script to launch it at boot. The profile gives write access to /opt/syncthing so that auto-updates work as intended. It also gives access to some of the folders in my home directory, but limits access to just about everything else. No execute permissions are given. Of course, in the event of an exploit being used, Syncthing will have access to my documents - because I use it to sync them. But at least it won’t have access to my SSH and GPG keys, or Firefox data, etc., thus (slightly) reducing the damage that could be caused.

This is one of my first profiles for AppArmor, but I’ve tested all the functionality I can think how to test (sync, add folders, update) and it works.

Save it into /etc/apparmor.d/opt.syncthing.syncthing and set it to enforce mode, then restart AppArmor, and finally restart Syncthing. More information about AppArmor can be found on its wiki: http://wiki.apparmor.net/index.php/Documentation

(P.S: When Syncthing is renamed to Pulse, this script will need to be changed)

1 Like
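The script below is an added example and is not part of the post above or of Syncthing itself. It loads the profile with the standard AppArmor tools and then turns the kernel's DENIED records into candidate rules, which is the check worth running after the "sync, add folders, update" tests: it shows both what the profile is correctly blocking and what a newly added sync folder would need. It assumes the file name the post suggests (/etc/apparmor.d/opt.syncthing.syncthing) and that audit messages go to /var/log/kern.log (Ubuntu 14.04 without auditd); the log lines it processes are a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not part of the original post: load the Syncthing profile,
# then turn AppArmor denial records into candidate profile rules.
# Assumptions (not stated on the page): the profile was saved as
# /etc/apparmor.d/opt.syncthing.syncthing, and kernel audit messages are
# written to /var/log/kern.log (Ubuntu 14.04 without auditd installed).

PROFILE_FILE="/etc/apparmor.d/opt.syncthing.syncthing"
PROFILE_NAME='/opt/syncthing/*/syncthing'
KERN_LOG="/var/log/kern.log"

# Load (or reload) the profile and put it in enforce mode. Run as root.
load_profile() {
    apparmor_parser --replace "$PROFILE_FILE" || return 1
    aa-enforce "$PROFILE_FILE" || return 1
    # Confirm the kernel now lists the profile.
    aa-status | grep -F "$PROFILE_NAME"
}

# Read kernel audit lines on stdin; print one "path mask," line per unique
# (path, denied_mask) pair that AppArmor denied for the Syncthing profile.
# Only DENIED records count: in complain mode AppArmor logs ALLOWED records
# with the same fields, and records from other profiles are irrelevant here.
suggest_rules() {
    grep -F 'apparmor="DENIED"' |
    grep -F "profile=\"$PROFILE_NAME\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    LC_ALL=C sort -u |
    while read -r path mask; do
        printf '  %s %s,\n' "$path" "$mask"
    done
}

# Constructed sample of kern.log after a run in enforce mode (made up for
# this example; the field layout is the kernel's type=1400 audit record).
SAMPLE_LOG=$(cat <<'EOF'
Nov  5 10:12:01 pc kernel: [ 1234.567890] type=1400 audit(1415182321.123:45): apparmor="DENIED" operation="open" profile="/opt/syncthing/*/syncthing" name="/home/sean/.ssh/id_rsa" pid=2345 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  5 10:12:02 pc kernel: [ 1235.000001] type=1400 audit(1415182322.001:46): apparmor="DENIED" operation="open" profile="/opt/syncthing/*/syncthing" name="/home/sean/Music/a.mp3" pid=2345 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  5 10:12:02 pc kernel: [ 1235.000002] type=1400 audit(1415182322.002:47): apparmor="DENIED" operation="open" profile="/opt/syncthing/*/syncthing" name="/home/sean/Music/a.mp3" pid=2345 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  5 10:12:03 pc kernel: [ 1236.000000] type=1400 audit(1415182323.000:48): apparmor="DENIED" operation="mknod" profile="/opt/syncthing/*/syncthing" name="/home/sean/Music/.syncthing.tmp" pid=2345 comm="syncthing" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov  5 10:12:04 pc kernel: [ 1237.000000] type=1400 audit(1415182324.000:49): apparmor="ALLOWED" operation="open" profile="/opt/syncthing/*/syncthing" name="/home/sean/Documents/notes.txt" pid=2345 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  5 10:12:05 pc kernel: [ 1238.000000] type=1400 audit(1415182325.000:50): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
)

# Run the suggestion step over the constructed sample (offline demo).
demo_suggestions() {
    printf '%s\n' "$SAMPLE_LOG" | suggest_rules
}

case "${1:-demo}" in
    load)    load_profile ;;
    suggest) suggest_rules < "$KERN_LOG" ;;
    *)       demo_suggestions ;;
esac
```

Run it as `sudo sh aa-syncthing.sh load` after saving the profile, exercise Syncthing, then `sudo sh aa-syncthing.sh suggest`. Read the output as a review list, not as lines to paste in: the sample's `/home/sean/.ssh/id_rsa r,` is the profile doing exactly what the post wants, while the two `/home/sean/Music/...` lines are what appears when a folder outside Documents/Downloads/Pictures/Public/Videos is added to Syncthing, and those would become `owner @{HOME}/Music/ rw,` and `owner @{HOME}/Music/** rw,` rules in the same style as the rest of the profile. The ALLOWED record and the cupsd record are filtered out on purpose.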