This toolkit provides monitoring, analysis, and blocking capabilities for network telemetry sent by The Foundry's Nuke compositor on Linux. Key features: - Network monitoring scripts with automated alerts - Multi-tier blocking methods (hosts file, firewall, network namespace, AppArmor). Note that the AppArmor tier confines Nuke's file/IPC access and isolates its crash handler; AppArmor's classic network rules cannot filter by destination address, so blocking of specific telemetry hosts is done by the hosts/firewall/namespace tiers - Detailed packet capture analysis and documentation - EULA legal analysis and privacy assessment - Sanitized example captures and guides. Personal IPs, packet captures and other sensitive data have been removed from the examples; the AppArmor profile still carries per-install paths (a user's home directory and the Nuke install directory) that must be adjusted before use. Ready for public sharing on Gitea.
# AppArmor profile for The Foundry Nuke 15.2v6 (Linux)
#
# What this profile does and does not do:
#   - Confines Nuke's file, IPC, signal and capability access, and moves the
#     crashpad_handler helper into its own no-network profile.
#   - It does NOT block telemetry by destination. Classic AppArmor network
#     rules mediate only address family and socket type (`network inet
#     stream,`); they cannot express "loopback only" or "not this host", and
#     `deny network inet to <addr>` is not apparmor.d(5) syntax. Egress
#     blocking of Foundry/Honeycomb endpoints must come from this toolkit's
#     firewall or network-namespace tier. (AppArmor 4.x with a kernel that
#     supports fine-grained network mediation can express `peer=(ip=...)`;
#     check apparmor.d(5) for your installed version before relying on it.)
#   - Every /home/nicholai/... path is one install's location; replace the
#     user and Nuke install directory with your own before loading.
#
# Installation:
#   sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#   # validate syntax without loading into the kernel:
#   sudo apparmor_parser -Q /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#   sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#   sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Testing (complain mode - logs violations without blocking):
#   sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Check status:
#   sudo aa-status | grep Nuke
#
# View denials:
#   sudo journalctl -xe | grep apparmor | grep Nuke
#
# Disable:
#   sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#
#include <tunables/global>
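/home/nicholai/Nuke15.2v6/Nuke15.2 flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/mesa>
  #include <abstractions/dri-common>
  #include <abstractions/opengl>

  # ---- Nuke installation tree ---------------------------------------------
  # NOTE(review): this path (and the attachment path above) is one user's
  # home directory; substitute your own before loading.
  # `m` as well as `r`: shared libraries and plugins shipped in the install
  # tree are mmap'ed executable, which plain `r` does not permit.
  /home/nicholai/Nuke15.2v6/** mr,

  # ---- Exec transitions ---------------------------------------------------
  # Exactly one x modifier per path. The original listed Nuke15.2 and Nuke
  # with both `ix` and `px`; apparmor_parser rejects a path with conflicting
  # x modifiers, so the whole file failed to load and Nuke ran unconfined.
  #   Nuke15.2          re-exec of this binary stays in this profile
  #   Nuke              sibling launcher runs under its own profile
  #   crashpad_handler  MUST transition (px): with `ix` it would inherit the
  #                     network grant below and the dedicated no-network
  #                     crashpad_handler profile would never apply.
  /home/nicholai/Nuke15.2v6/Nuke15.2 rix,
  /home/nicholai/Nuke15.2v6/Nuke rpx,
  /home/nicholai/Nuke15.2v6/crashpad_handler rpx,

  # ---- Per-user Nuke state -------------------------------------------------
  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner @{HOME}/.config/Nuke/** rw,
  owner @{HOME}/.local/share/Nuke/** rw,

  # ---- Project files and footage (read-only) -------------------------------
  # Deliberately broad; add your own project/footage paths (NFS, render
  # farm) here, with `w` only where Nuke must write.
  owner @{HOME}/** r,
  /media/** r,
  /mnt/** r,

  # Credential stores a compositor has no reason to read. `deny` beats the
  # broad @{HOME} grant above; extend for other secrets kept under $HOME.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,

  # ---- Scratch space and frameserver shared memory -------------------------
  # Owner-only. The original additionally granted non-owner rw on /tmp/**
  # and /dev/shm/**, i.e. other users' files. Frameserver children run as
  # the same user, so owner-only should suffice; complain-mode logs will
  # show if anything legitimate is missing.
  owner /tmp/** rw,
  owner /var/tmp/** rw,
  owner /dev/shm/** rw,

  # ---- Local IPC with frameserver processes (AF_UNIX) ----------------------
  unix (send, receive) type=stream,
  unix (send, receive) type=dgram,

  # ---- System libraries, configuration, devices ----------------------------
  /usr/lib/** rm,
  /usr/share/** r,
  /etc/** r,
  /proc/** r,
  /sys/** r,
  /dev/null rw,
  /dev/zero r,
  /dev/urandom r,

  # ---- GPU access (rendering) ----------------------------------------------
  # /dev/dri/** already covers card* and renderD*.
  /dev/dri/** rw,
  /dev/nvidia* rw,

  # ---- Network -------------------------------------------------------------
  # Read this before trusting the profile for telemetry blocking.
  # The original rules `deny network inet to !127.0.0.0/8,` and
  # `deny network inet to <addr>,` are not apparmor.d(5) grammar: classic
  # AppArmor network rules mediate only address family and socket type, with
  # no destination, no CIDR and no negation, so apparmor_parser rejected the
  # file and none of it was ever applied. The grant below is what the
  # frameserver needs (TCP over loopback), but AppArmor cannot limit it to
  # loopback: it equally permits outbound TCP to the internet.
  # Per-destination blocking of learn.foundry.com, api.honeycomb.io, etc.
  # belongs in this toolkit's firewall or network-namespace tier.
  # (AppArmor 4.x with a kernel that supports fine-grained network mediation
  # can express e.g. `network inet stream peer=(ip=127.0.0.1),`; confirm
  # against apparmor.d(5) for your version before relying on it.)
  network inet stream,
  network inet6 stream,
  network unix stream,
  network unix dgram,
  # No `network inet dgram`: the original comment said "TCP and UDP" but
  # never granted UDP, and nothing observed here needs it.

  # ---- Signals -------------------------------------------------------------
  # Sending is scoped to Nuke's own confined processes; an unscoped
  # `signal (send)` lets Nuke signal any process the user owns. Widen the
  # peer if complain mode shows legitimate denials.
  signal (send) set=(term, kill) peer=/home/nicholai/Nuke15.2v6/*,
  signal (receive) set=(term, kill, hup),

  # ---- Capabilities --------------------------------------------------------
  capability sys_nice,
  capability ipc_lock,
}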
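# Profile for the /Nuke launcher, used if Nuke is started as .../Nuke rather
# than .../Nuke15.2. Same rules as the Nuke15.2 profile; keep the two in step.
# Only the exec rules differ: here `Nuke` is the re-exec'd self and
# `Nuke15.2` the sibling that runs under its own profile.
/home/nicholai/Nuke15.2v6/Nuke flags=(complain) {
  # <tunables/global> is included once at file scope; tunables define
  # variables, which belong at top level, not inside a profile body.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/mesa>
  #include <abstractions/dri-common>
  #include <abstractions/opengl>

  # Install tree: `m` so bundled shared libraries/plugins can be mapped
  # executable (plain `r` does not allow that). Path is one user's home
  # directory; substitute your own.
  /home/nicholai/Nuke15.2v6/** mr,

  # One x modifier per path (the original gave Nuke and Nuke15.2 both `ix`
  # and `px`, which apparmor_parser rejects, so the file never loaded).
  # crashpad_handler must transition with `px`, otherwise it inherits this
  # profile's network grant and its own no-network profile never applies.
  /home/nicholai/Nuke15.2v6/Nuke rix,
  /home/nicholai/Nuke15.2v6/Nuke15.2 rpx,
  /home/nicholai/Nuke15.2v6/crashpad_handler rpx,

  # Per-user Nuke state
  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner @{HOME}/.config/Nuke/** rw,
  owner @{HOME}/.local/share/Nuke/** rw,

  # Project files and footage (read-only; add your own paths as needed)
  owner @{HOME}/** r,
  /media/** r,
  /mnt/** r,

  # Credential stores; `deny` wins over the broad @{HOME} read grant.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,

  # Scratch space and frameserver shared memory (owner-only)
  owner /tmp/** rw,
  owner /var/tmp/** rw,
  owner /dev/shm/** rw,

  # Local IPC with frameserver processes (AF_UNIX)
  unix (send, receive) type=stream,
  unix (send, receive) type=dgram,

  # System libraries, configuration, devices
  /usr/lib/** rm,
  /usr/share/** r,
  /etc/** r,
  /proc/** r,
  /sys/** r,
  /dev/null rw,
  /dev/zero r,
  /dev/urandom r,

  # GPU access (rendering)
  /dev/dri/** rw,
  /dev/nvidia* rw,

  # Network. The original `deny network inet to ...` rules are not valid
  # apparmor.d(5) syntax (classic network rules have no destination), so
  # they were never applied. AppArmor can only grant per family/type: the
  # TCP the frameserver needs over loopback also permits outbound TCP.
  # Block specific telemetry hosts in the firewall/network-namespace tier.
  network inet stream,
  network inet6 stream,
  network unix stream,
  network unix dgram,

  # Signals: sending scoped to Nuke's own confined processes
  signal (send) set=(term, kill) peer=/home/nicholai/Nuke15.2v6/*,
  signal (receive) set=(term, kill, hup),

  capability sys_nice,
  capability ipc_lock,
}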
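# Profile for crashpad_handler, the crash-reporting helper Nuke spawns.
# It is reached only through a `px` exec rule in the Nuke profiles; an `ix`
# rule there would keep the handler inside the Nuke profile (with its
# network grant) and nothing here would apply. This profile carries no
# complain flag: it is enforced from the first load so the network denial
# below is unconditional.
/home/nicholai/Nuke15.2v6/crashpad_handler {
  #include <abstractions/base>

  # Its own binary, plus anything it loads from the install tree
  # (`m` for executable mappings of bundled libraries).
  /home/nicholai/Nuke15.2v6/crashpad_handler rix,
  /home/nicholai/Nuke15.2v6/** mr,

  # Crash dumps stay local
  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner /tmp/** rw,

  /proc/** r,
  /sys/** r,

  # Crashpad-style handlers talk to the parent over a unix socket; AF_UNIX
  # is local IPC and does not weaken the network denial below.
  unix (send, receive) type=stream,

  # NOTE(review): such handlers normally attach to the crashing process with
  # ptrace. If dumps are not written, look for ptrace denials and add
  #   ptrace (read, trace) peer=/home/nicholai/Nuke15.2v6/*,
  # Not granted blindly here because it is unconfirmed for this build.

  # No network at all: no crash reports leave the machine
  # (the upload target observed by this toolkit was sentry.foundry.com).
  deny network inet,
  deny network inet6,
}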
# Installation Instructions:
#
# 0. Edit the paths first: every /home/nicholai/Nuke15.2v6/... below (and in
#    the profile attachment names) is one install's location; substitute
#    your own user and Nuke install directory.
#
# 1. Install AppArmor (if not already installed):
#    Arch:   sudo pacman -S apparmor
#    Ubuntu: sudo apt install apparmor apparmor-utils
#
# 2. Enable AppArmor. On Arch it must also be enabled on the kernel command
#    line (see the Arch wiki); `aa-enabled` reports whether it is active.
#    sudo systemctl enable --now apparmor.service
#
# 3. Copy this profile:
#    sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#
# 4. Check that it parses, then load it in COMPLAIN mode for testing.
#    A parse error means nothing is loaded and Nuke runs unconfined; the
#    usual causes are the same path listed with two different x modifiers
#    (e.g. ix and px) or rule syntax your apparmor_parser version lacks.
#    sudo apparmor_parser -Q /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#    sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#    sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 5. Run Nuke and test functionality:
#    - Check rendering works
#    - Verify frameserver works
#    - Test file loading/saving
#    - Exercise the crash-dump path if you rely on crashpad_handler
#
# 6. Check for violations (complain mode logs what would have been denied
#    with apparmor="ALLOWED"; enforce mode logs DENIED):
#    sudo journalctl -xe | grep apparmor | grep Nuke
#    sudo aa-logprof   # Interactive tool to adjust profile
#
# 7. If everything works, switch to ENFORCE mode. This edits the flags in
#    the installed file; re-copying this source file resets it to complain.
#    sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 8. Verify enforcement -- both the Nuke profile and the crashpad_handler
#    profile should be listed under "profiles are in enforce mode":
#    sudo aa-status | grep Nuke
#
# Troubleshooting:
#
# - If the profile will not load (apparmor_parser error):
#   The parser prints the offending line; fix it and repeat step 4. Until
#   it loads, Nuke is unconfined.
#
# - If Nuke won't start:
#   Check violations:        sudo journalctl -xe | grep apparmor | grep Nuke
#   Switch to complain mode: sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#   Shared libraries and plugins under the install directory need `m`
#   (executable mmap), not just `r`; a denial whose requested mask contains
#   m points there.
#
# - If rendering fails:
#   May need to add specific file paths for footage/projects
#   Update profile with your project directories (NFS mounts, render-farm
#   paths) -- read-only unless Nuke must write there
#
# - To disable temporarily:
#   sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#
# - To re-enable:
#   sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Notes:
#
# - The Nuke profiles start in complain mode (flags=(complain)) for safety;
#   the crashpad_handler profile has no complain flag and is enforced from
#   the first load.
# - AppArmor cannot restrict the `network inet stream` grant to loopback:
#   classic network rules mediate address family and socket type only, so
#   the TCP access the frameserver needs also permits outbound TCP, and a
#   `deny network inet to <addr>` rule is not valid syntax. Blocking of the
#   Foundry/Honeycomb endpoints is done by the hosts, firewall and
#   network-namespace tiers of this toolkit, not by this profile.
# - crashpad_handler is blocked from the network by its own profile; that
#   profile takes effect only if the Nuke profile executes the handler with
#   a px transition (an ix rule keeps it inside the Nuke profile).
# - Profile may need adjustment for specific workflows (NFS, render farms,
#   etc.); it also hard-codes one user's home directory.