Skip to content

Instantly share code, notes, and snippets.

@duboisf

duboisf/README.md

Last active September 6, 2024 17:19
Show Gist options
  • Save duboisf/ddb1fbb0428c72dccc3e9cfd3d9580a6 to your computer and use it in GitHub Desktop.
Save duboisf/ddb1fbb0428c72dccc3e9cfd3d9580a6 to your computer and use it in GitHub Desktop.
Download ZIP
zscaler apparmor profiles for Pop!_OS 22.04 LTS
Raw
README.md

To install zscaler on Pop!_OS 22.04, download the connector from the admin zscaler site by clicking the Client Connector link on the sidebar, then clicking Client Connector App Store, New Releases, Linux and download 1.4.0.105.

Before installing, you must temporarily replace your /etc/os-release file:

cd /etc
sudo mv os-release os-release.old
sudo cat <<EOF >> os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
EOF

Now install it: sudo ~/Downloads/Zscaler-linux-1.4.0.105-installer.run

Then revert the changes to /etc/os-release:

sudo mv os-release.old os-release

If you are having issues with the zscaler updater, you can replace the apparmor profiles with the below ones in /etc/apparmor.d/. Don't forget to reload the profiles by doing:

cd /etc/apparmor.d
for prof in opt.zscaler.bin.*; do
  sudo apparmor_parser -r $prof
done
Raw
opt.zscaler.bin.zsaservice
# Last Modified: Thu Sep 23 11:01:30 2021
#include <tunables/global>
/opt/zscaler/bin/zsaservice {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus>
#include <abstractions/dovecot-common>
#include <abstractions/opencl-pocl>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
#include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/ubuntu-browsers.d/plugins-common>
capability dac_override,
capability dac_read_search,
capability fsetid,
capability kill,
capability net_admin,
capability sys_module,
capability sys_nice,
capability sys_ptrace,
network,
dbus,
signal,
ptrace,
/ZscalerRoot0.crt rw,
/bin/dash mrix,
/bin/systemctl mrix,
/dev/* mrwkcix,
/dev/shm/* mrwkcix,
/etc/* mrwkcix,
/etc/*/security/* r,
/etc/ca-certificates/* mrwkcix,
/etc/ca-certificates/** mrwkcix,
/etc/mono/* r,
/etc/pkcs11/modules/ rw,
/etc/pkcs11/modules/* rw,
/etc/pki/trust/*/ r,
/etc/ssl/certs/* mrwkcix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/opt/zscaler/.config/ rw,
/opt/zscaler/.config/** rw,
/opt/zscaler/Device_password rw,
/opt/zscaler/Device_password_salt rw,
/opt/zscaler/Uninstall_password rw,
/opt/zscaler/Uninstall_password_salt rw,
/opt/zscaler/bin/* mrPUx,
/opt/zscaler/bin/** mrPUx,
/opt/zscaler/client_cert/ rw,
/opt/zscaler/client_cert/** rw,
/opt/zscaler/lib/libpacparser.so mr,
/opt/zscaler/private_key/ rw,
/opt/zscaler/private_key/** rw,
/proc/ r,
/proc/* r,
/proc/*/cmdline r,
/proc/*/comm r,
/proc/*/coredump_filter rw,
/proc/*/environ r,
/proc/*/exe r,
/proc/*/fd/ r,
/proc/*/fd/* r,
/proc/*/kernel/* r,
/proc/*/mounts r,
/proc/*/net/route r,
/proc/*/net/route r,
/proc/*/sched r,
/proc/*/stat r,
/proc/net/route r,
/proc/partitions/* r,
/run/* rk,
/run/log/journal/ r,
/run/log/journal/*/ r,
/run/netconfig/resolv.conf r,
/run/nscd/* r,
/run/systemd/private rw,
/run/systemd/resolve/resolv.conf r,
/run/systemd/resolve/stub-resolv.conf r,
/sys/devices/** r,
/sys/firmware/dmi/tables/* r,
/sys/firmware/efi/efivars/* r,
/sys/fs/cgroup/cpu/* r,
/sys/fs/cgroup/cpuacct/* r,
/sys/fs/cgroup/memory/system.slice/* r,
/tmp/ rwkPx,
/tmp/* rwkPx,
/tmp/** rwkPx,
/tmp/.pid/* mrwPx,
/usr/bin/basename mrix,
/usr/bin/bash mrix,
/usr/bin/cat mrix,
/usr/bin/cert-sync mrix,
/usr/bin/chmod mrix,
/usr/bin/coredumpctl mrix,
/usr/bin/dash mrix,
/usr/bin/df mrix,
/usr/bin/dpkg mrix,
/usr/bin/dpkg-query mrix,
/usr/bin/echo mrix,
/usr/bin/find mrix,
/usr/bin/gawk mrix,
/usr/bin/grep mrix,
/usr/bin/head mrix,
/usr/bin/ip mrix,
/usr/bin/ln mrix,
/usr/bin/lsblk mrix,
/usr/bin/mawk mrix,
/usr/bin/mktemp mrix,
/usr/bin/mono-sgen mrix,
/usr/bin/mountpoint mrix,
/usr/bin/mv mrix,
/usr/bin/netstat mrix,
/usr/bin/nmcli mrix,
/usr/bin/openssl mrix,
/usr/bin/readlink mrix,
/usr/bin/resolvectl mrix,
/usr/bin/rm mrix,
/usr/bin/run-parts mrix,
/usr/bin/sed mrix,
/usr/bin/sort mrix,
/usr/bin/systemctl mrix,
/usr/bin/test mrix,
/usr/bin/tr mrix,
/usr/bin/trust mrix,
/usr/bin/wc mrix,
/usr/bin/xargs mrix,
/usr/lib/ca-certificates/update.d/* mrlix,
/usr/lib/jvm/java-11-openjdk-amd64/bin/java mrix,
/usr/lib64/*/* mrix,
/usr/local/share/ca-certificates/ rwkPx,
/usr/local/share/ca-certificates/* rwkPx,
/usr/share/ca-certificates-java/* r,
/usr/share/ca-certificates/* r,
/usr/share/ca-certificates/*/* r,
/usr/share/java/* r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
/usr/share/pki/trust/ rw,
/usr/share/pki/trust/* rw,
/usr/share/pki/trust/*/ rw,
/usr/share/pki/trust/anchors/* mrwkcix,
/var/lib/ca-certificates/* rwlkPx,
/var/lib/ca-certificates/*/ rwlkPx,
/var/lib/ca-certificates/*/* rwlkPx,
/var/lib/dpkg/*/* r,
/var/lib/dpkg/diversions r,
/var/lib/nscd/passwd r,
/var/lib/sss/mc/* rwlkPx,
/var/lib/sss/pipes/* rwlkPx,
/var/lib/systemd/coredump/ r,
/var/lib/systemd/coredump/** r,
/var/log/journal/ r,
/var/log/journal/** r,
/{,usr/}sbin/* mrcix,
owner /dev/shm/* w,
owner /etc/default/cacerts r,
owner /etc/dpkg/dpkg.cfg r,
owner /etc/dpkg/dpkg.cfg.d/ r,
owner /etc/dpkg/dpkg.cfg.d/pkg-config-hook-config r,
owner /etc/mono/4.5/machine.config r,
owner /etc/mono/certstore/certs/Trust/ rw,
owner /etc/mono/certstore/certs/Trust/* rw,
owner /etc/mono/certstore/new-certs/Trust/ r,
owner /etc/mono/certstore/new-certs/Trust/* rw,
owner /etc/ssl/** rw,
owner /proc/*/comm r,
owner /proc/*/coredump_filter rw,
owner /proc/*/mountinfo r,
owner /proc/*/mountinfo r,
owner /proc/sys/kernel/random/boot_id r,
owner /run/blkid/* rw,
owner /run/mount/utab r,
owner /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
owner /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
owner /sys/fs/cgroup/memory/system.slice/*/memory.limit_in_bytes r,
owner /sys/fs/cgroup/memory/system.slice/*/memory.stat r,
owner /sys/fs/cgroup/memory/system.slice/*/memory.stat r,
owner /sys/fs/cgroup/memory/system.slice/*/memory.use_hierarchy r,
owner /var/lib/dpkg/arch r,
owner /var/lib/dpkg/info/format r,
owner /var/lib/dpkg/status r,
owner /var/lib/dpkg/triggers/File r,
owner /var/lib/dpkg/triggers/Unincorp r,
owner /var/lib/dpkg/updates/ r,
owner /var/log/zscaler/ rw,
owner /var/log/zscaler/.Zscaler/ rw,
owner /var/log/zscaler/.Zscaler/** rw,
owner /var/log/zscaler/.Zscaler/Logs/* rw,
owner /var/log/zscaler/.Zscaler/Logs/zsaservice* ra,
}
Raw
opt.zscaler.bin.zstunnel
# Last Modified: Thu Sep 23 10:29:17 2021
#include <tunables/global>
/opt/zscaler/bin/zstunnel {
#include <abstractions/base>
#include <abstractions/dbus>
#include <abstractions/ubuntu-konsole>
capability dac_override,
capability dac_read_search,
capability fsetid,
capability net_admin,
capability net_raw,
capability sys_module,
capability sys_nice,
network,
dbus bind name=com.zscaler.ztunnel.service,
dbus receive bus=system path=/var/opt/zscaler/ztunnel/tunnelObject interface=com.zscaler.ztunnel.Interface,
dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus,
dbus send bus=system path=/var/opt/zscaler/ztray/trayObject interface=com.zscaler.ztray.Interface,
dbus,
signal,
ptrace,
/dev/net/tun rw,
/etc/ r,
/etc/* r,
/etc/firefox rw,
/etc/firefox/* rw,
/etc/firefox/defaults/ rw,
/etc/firefox/defaults/* rw,
/etc/firefox/defaults/pref/ rw,
/etc/firefox/defaults/pref/* rw,
/etc/gai.conf r,
/etc/gai.conf r,
/etc/host.conf r,
/etc/host.conf r,
/etc/hosts r,
/etc/hosts r,
/etc/iproute2/** r,
/etc/iproute2/** r,
/etc/iproute2/** r,
/etc/nsswitch.conf r,
/etc/nsswitch.conf r,
/etc/resolv.conf rw,
/etc/resolv.conf rw,
/etc/resolv.conf rw,
/etc/resolv.conf rw,
/etc/ssl/certs r,
/etc/ssl/certs r,
/etc/ssl/certs r,
/etc/ssl/certs r,
/etc/ssl/certs/* r,
/etc/ssl/certs/* r,
/etc/ssl/certs/* r,
/etc/ssl/certs/* r,
/lib/x86_64-linux-gnu/ld-*.so mr,
/lib/x86_64-linux-gnu/ld-*.so mr,
/opt/ r,
/opt/* r,
/opt/firefox rw,
/opt/firefox/* rw,
/opt/firefox/defaults/ rw,
/opt/firefox/defaults/* rw,
/opt/firefox/defaults/pref/ rw,
/opt/firefox/defaults/pref/* rw,
/opt/zscaler/.config/* rw,
/opt/zscaler/.config/* rw,
/opt/zscaler/bin/* mrPx,
/opt/zscaler/bin/* mrPx,
/opt/zscaler/lib/libpacparser.so mrcix,
/opt/zscaler/lib/libpacparser.so mrcix,
/proc/ r,
/proc/* r,
/proc/*/attr/current r,
/proc/*/cmdline r,
/proc/*/cmdline r,
/proc/*/environ r,
/proc/*/fd/ r,
/proc/*/fd/* r,
/proc/*/net/* r,
/proc/*/net/route rw,
/proc/*/sched r,
/proc/*/stat r,
/proc/net/* r,
/proc/sys/kernel/osrelease mrPUx,
/proc/sys/kernel/modprobe mrPUx,
/proc/*/comm r,
/run/* rkcix,
/run/resolvconf/resolv.conf rw,
/run/resolvconf/resolv.conf rw,
/run/netconfig/resolv.conf rw,
/run/systemd/resolve/* rw,
/run/systemd/resolve/* rw,
/run/systemd/resolve/io.systemd.Resolve wr,
/run/systemd/resolve/stub-resolv.conf rw,
/run/udev/data/* r,
/run/udev/data/* r,
/run/utmp r,
/run/nscd/* r,
/sys/class/net/ r,
/sys/class/net/ r,
/sys/devices/** r,
/sys/devices/** r,
/sys/devices/virtual/net/*/type r,
/sys/firmware/efi/efivars/* r,
/sys/firmware/efi/efivars/* r,
/tmp/** rwkPx,
/tmp/** rwkPx,
/tmp/.pid mrwPx,
/tmp/.pid mrwPx,
/tmp/.pid/* mrwPx,
/tmp/.pid/* mrwPx,
/usr/ rw,
/usr/ rw,
/usr/lib/ rw,
/usr/lib/ rw,
/usr/lib64/ rw,
/usr/lib64/* rw,
/usr/lib64/*/* rw,
/usr/lib64/firefox/defaults/pref/* mrwPx,
/usr/lib/firefox/ rw,
/usr/lib/firefox/ rw,
/usr/lib/firefox/* rw,
/usr/lib/firefox/* rw,
/usr/lib/firefox/defaults/pref/ rw,
/usr/lib/firefox/defaults/pref/ rw,
/usr/lib/firefox/defaults/pref/* rw,
/usr/lib/firefox/defaults/pref/* rw,
/var/lib/nscd/passwd rw,
/var/lib/sss/mc/passwd rw,
/var/lib/sss/pipes/nss wr,
/usr/local/lib/* mrkcix,
/{,usr/}bin/* mrkcix,
/{,usr/}lib/* mrkcix,
/{,usr/}sbin/* mrkcix,
owner /dev/ r,
owner /run/* rwk,
owner /var/log/zscaler/ rw,
owner /var/log/zscaler/.Zscaler/ rw,
owner /var/log/zscaler/.Zscaler/** rw,
}
Raw
opt.zscaler.bin.zsupdater
# Last Modified: Thu Sep 23 08:50:24 2021
#include <tunables/global>
/opt/zscaler/bin/zsupdater {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/dbus-strict>
#include <abstractions/evince>
#include <abstractions/gnome>
#include <abstractions/nameservice>
#include <abstractions/python>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp>
capability dac_override,
capability fsetid,
capability net_admin,
capability sys_module,
capability sys_nice,
network,
dbus,
signal,
/bin/dash mrix,
/opt/zscaler/bin/zsupdater mrwkPUx,
/opt/zscaler/lib/lib*so* mr,
/opt/zscaler/scripts/install.sh mrix,
/opt/zscaler/scripts/installbuilder_sig_util mrix,
/tmp/Zscaler-*.run mrwPUx,
/usr/bin/bash ix,
/usr/bin/dash mrix,
/usr/bin/id mrix,
/usr/bin/lsb_release mrix,
/usr/bin/mawk mrix,
/usr/bin/mkdir mrix,
/usr/bin/python3.8 ix,
/usr/bin/sed mrix,
/usr/bin/stat mrix,
/usr/bin/which mrix,
owner /etc/lsb-release r,
owner /opt/zscaler/.config.ini rw,
owner /opt/zscaler/.rollbackBackupDirectory/ w,
owner /opt/zscaler/.rollbackBackupDirectory/opt/ w,
owner /opt/zscaler/.rollbackBackupDirectory/opt/zscaler/ w,
owner /opt/zscaler/bin/ZSTray w,
owner /opt/zscaler/bin/ZSTray.Deb rw,
owner /opt/zscaler/bin/zsaservice w,
owner /opt/zscaler/bin/zstunnel w,
owner /opt/zscaler/bin/zsupdater mrwk,
owner /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
owner /tmp/** m,
owner /usr/bin/ r,
owner /var/log/zscaler/.Zscaler/Logs/* rw,
owner /var/log/zscaler/zscaler-installation.log w,
}
@jonath92
Copy link

jonath92 commented Sep 6, 2024

For Distros based on Ubuntu 24 the workaround is:
change content of /etc/os.release (after creating a backup) to

NAME="Ubuntu"
VERSION="24.04 (LTS)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 24.04 LTS"
VERSION_ID="24.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=jammy
UBUNTU_CODENAME=jammy

And in /etc/lsb-release temporary change or add a line with DISTRIB_RELEASE=24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment