Secure your Gradle builds with AppArmor
By Mikael Ståldal
If you have a Linux system with AppArmor, you can use it to secure your Gradle builds.
Here is how I installed it on Ubuntu Linux:
-
Make sure you have a Java Development Kit installed.
-
Set the
JAVA_HOMEenvironment variable to point to your JDK by creating a file/etc/profile.d/java.shwith this content:#!/bin/sh export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64 -
Make a manual installation of Gradle in
/opt/gradle. -
Make it available in PATH:
$ cd /usr/bin $ sudo ln -s ../../opt/gradle/gradle-8.14.3/bin/gradle .
Add this file to /etc/apparmor.d:
#include <tunables/global>
profile gradle /opt/gradle/gradle-*/bin/gradle {
#include <abstractions/base>
#include <abstractions/consoles>
/tmp/ r,
/tmp/** rwklix,
@{PROC}/ r,
@{PROC}/** r,
@{PROC}/@{pid}/** rwk,
/opt/gradle/** r,
/sys/** r,
/etc/** r,
/usr/share/** r,
/bin/** ix,
/usr/bin/** ix,
/usr/sbin/ldconfig rix,
/usr/sbin/ldconfig.real ix,
/usr/lib/** rix,
owner @{HOME}/src/** rwkl,
owner @{HOME}/.java/** rwk,
owner @{HOME}/.cache/JNA/** rwkm,
owner @{HOME}/.gradle/** rwklm,
owner @{HOME}/.konan/** rwkl,
owner @{HOME}/.m2/** rwkl,
owner @{HOME}/.local/share/kotlin/** r,
owner @{HOME}/.local/share/kotlin/daemon/** rwkl,
/snap/intellij-idea-ultimate/** r,
/etc/resolv.conf r,
@{PROC}/sys/net/** r,
/run/systemd/resolve/** r,
network,
signal (receive) set=(int,term,kill),
}
Then run sudo service apparmor reload to activate it (it will be loaded automatically on boot). This is tested un Ubuntu desktop 24.04.
Some Gradle plugins require additional configuration to function properly. I have not been able to make this work reliably with IntelliJ IDEA.