flashbots · alexhulbert · Aug 26, 2025 · Sep 2, 2025 · Sep 26, 2025 · Sep 27, 2025
diff --git a/bob/bob.conf b/bob/bob.conf
@@ -28,6 +28,7 @@ Packages=podman
          openssh-sftp-server
          udev
          libsnappy1v5
+         apparmor
 
 BuildPackages=build-essential
               git

diff --git a/bob/kernel.config b/bob/kernel.config
@@ -34,3 +34,6 @@ CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_RAW=y
 CONFIG_NET_SCHED=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
diff --git a/bob/mkosi.extra/etc/apparmor.d/searcher-container b/bob/mkosi.extra/etc/apparmor.d/searcher-container
@@ -0,0 +1,46 @@
+#include <tunables/global>
+
+profile searcher-container flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  network,
+  capability,
+  file,
+  umount,
+
+  # Allow signals from privileged profiles and from within the same profile
+  signal (receive) peer=unconfined,
+  signal (send,receive) peer=searcher-container,
+  # Allow signals from podman/runc/crun
+  signal (receive) peer={/usr/bin/,/usr/sbin/,}{podman,runc,crun*},
+
+  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+  # deny write to files not in /proc/<number>/** or /proc/sys/**
+  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]*}/** w,
+  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+
+  # suppress ptrace denials when using 'ps' inside a container
+  ptrace (trace,read,tracedby,readby) peer=searcher-container,
+
+  # Additional rules for searcher-specific paths
+  /persistent/** rw,
+  /etc/searcher/** r,
+  /var/log/searcher/** w,
+  /var/log/lighthouse/** r,
+  /secrets/** r,
+  /tmp/jwt.hex r,
+}
diff --git a/bob/mkosi.extra/etc/systemd/system/searcher-container.service b/bob/mkosi.extra/etc/systemd/system/searcher-container.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Searcher SSH Container
-After=dropbear.service searcher-firewall.service persistent-mount.service
-Requires=dropbear.service searcher-firewall.service persistent-mount.service
+After=dropbear.service searcher-firewall.service persistent-mount.service apparmor.service
+Requires=dropbear.service searcher-firewall.service persistent-mount.service apparmor.service
 
 [Service]
 Type=oneshot

diff --git a/bob/mkosi.extra/usr/bin/init-container.sh b/bob/mkosi.extra/usr/bin/init-container.sh
@@ -9,9 +9,13 @@ ENGINE_API_PORT=8551
 EL_P2P_PORT=30303
 SEARCHER_INPUT_CHANNEL=27017
 
+# Enabling apparmor profile
+/usr/sbin/apparmor_parser -r /etc/apparmor.d/searcher-container
+
 echo "Starting $NAME..."
 su -s /bin/sh searcher -c "cd ~ && podman run -d \
     --name $NAME --replace \
+    --security-opt apparmor=searcher-container \
     -p ${SEARCHER_SSH_PORT}:22 \
     -p ${ENGINE_API_PORT}:${ENGINE_API_PORT} \
     -p ${EL_P2P_PORT}:${EL_P2P_PORT} \

diff --git a/bob/mkosi.postinst b/bob/mkosi.postinst
@@ -34,6 +34,7 @@ for service in \
     searcher-log-writer.service \
     wait-for-key.service \
     searcher-firewall.service \
+    apparmor.service \
     dropbear.service \
     lighthouse.service \
     searcher-container.service \