Hardening (systemd apparmor) for anonsurf

Parrot’s anonsurf is a systemd unit now, so we should use its apparmor settings to create our own profiles.

We can sandbox the units with the systemd built-in sandbox feature. I’m working on an anonsurf sandbox, but it needs some more work as the CapabilityBoundingSet, mostly, breaks iptables.

I would like to have read + write only for some specific paths and prevent anonsurf + tor from reading files and folders in /home/ and /root.

That can be achieved with the ReadWritePaths= directive. More here: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
My anonsurfd init has this for hardening:

PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
ProtectKernelLogs=true
ProtectKernelModules=true
PrivateMounts=true
PrivateTmp=yes
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallArchitectures=native
CapabilityBoundingSet=~CAP_SYS_ADMIN

The last directive (CapabilityBoundingSet=) cannot be set to disable all capabilities, as some don’t allow iptables to start.
Above settings need testing and they are not finished.
Most of them can of course be set for all services.
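Putting the directives from the post above together with ReadWritePaths= and an allow-list for capabilities, as an added example (this is not anonsurf’s own unit file; the unit name, the drop-in path, the writable directories and the capability list are assumptions that need testing on a real install):

```ini
# Added example: a systemd drop-in for the anonsurfd unit discussed above.
# Not anonsurf's own unit file; unit name, paths and the directive set are
# assumptions and need testing on a real install.
# Install as /etc/systemd/system/anonsurfd.service.d/hardening.conf (path
# assumed), then: systemctl daemon-reload && systemctl restart anonsurfd
[Service]
# Whole filesystem becomes read-only except the paths in ReadWritePaths=.
ProtectSystem=strict
# /home, /root and /run/user are made inaccessible (empty) to the service,
# so neither the script nor anything it spawns can read user files.
ProtectHome=true
# Only these directories stay writable. Placeholders: replace with the
# state/run directories anonsurf actually writes to.
ReadWritePaths=/run/anonsurf /var/lib/anonsurf
# Writable scratch space that is private to this unit.
PrivateTmp=true
PrivateDevices=true
PrivateMounts=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
NoNewPrivileges=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Allow-list instead of "~CAP_SYS_ADMIN": iptables needs CAP_NET_ADMIN
# (and CAP_NET_RAW for its raw sockets); every other capability is dropped.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
# Socket families iptables/nft and "systemctl start tor" need; nothing else.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Deliberately NOT set: PrivateNetwork=true would put the service into an
# empty network namespace, so its iptables rules would never reach the host.
```

After reloading, `systemd-analyze security anonsurfd.service` prints an exposure score and lists which directives are still unset, and `journalctl -u anonsurfd` shows which iptables or systemctl call fails when a directive turns out to be too tight.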

As @adrelanos said on Telegram:
that entirely depends on implementation details
what files are parsed, which inputs it reads from, with which privileges it runs
if it is a bash script that sets iptables rules that is run by a systemd unit then I see little need for systemd sandboxing
That was in response to whether systemd sandboxing a bash script such as anonsurf would matter. This is logical and we should take it into consideration.

The anonsurf needs accessing iptables and calling tor service.

Still I don’t see why capabilities directives will be needed for example.