authorJacob Appelbaum <jacob@appelbaum.net>2012-10-29 22:54:57 +0100
committerJacob Appelbaum <jacob@appelbaum.net>2012-10-29 22:54:57 +0100
commit8fbb4d1c5dd9e179675c967a11f18a8e3971d640 (patch)
treea165789e180817d375c89d92c359f1c3d424e719 /apparmor-profile
parent52d10f3f0f27bb969a05bf02ed4598e6e88cb61e (diff)
downloadtlsdate-8fbb4d1c5dd9e179675c967a11f18a8e3971d640.tar.gz
Add tlsdate-routeup apparmor policy, update other policies
Diffstat (limited to 'apparmor-profile')
-rw-r--r--apparmor-profile88
1 files changed, 85 insertions, 3 deletions
diff --git a/apparmor-profile b/apparmor-profile
index ed73eb0..9565247 100644
--- a/apparmor-profile
+++ b/apparmor-profile
@@ -40,9 +40,6 @@
# Allow reading of /etc/tlsdate/
/etc/tlsdate/*/** r,
- # Allow reading tlsdate configs and CA cert list
- /etc/tlsdate/* r,
-
# Required for getpwnam
/etc/passwd r,
/etc/group r,
@@ -189,4 +186,89 @@
# We'll allow tlsdated to cache the time here
owner /var/cache/tlsdated/* rw,
+
+ # We'll allow tlsdate to exec tlsdate-helper
+ /usr/bin/tlsdate-routeup ixm,
+ /usr/bin/tlsdate-helper ixm,
+ /usr/bin/tlsdate ixm,
+}
+
+/usr/bin/tlsdate-helper {
+ #include <abstractions/consoles>
+ #include <abstractions/ssl_certs>
+
+ capability sys_time,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ # IPv4 TCP
+ network inet stream,
+ # IPv4 UDP for DNS resolution
+ network inet dgram,
+ # IPv6 TCP
+ network inet6 stream,
+ # IPv6 UDP
+ network inet6 dgram,
+
+ # Required for gethostbyname
+ /etc/resolv.conf r,
+ /etc/nsswitch.conf r,
+ /etc/localtime r,
+ /etc/nsswitch.conf r,
+ /etc/hosts r,
+ /etc/host.conf r,
+
+ # Allow reading public certs but not private keys
+ /etc/ssl/certs/* r,
+ /usr/share/ca-certificates/*/** r,
+
+ # Allow reading of /etc/tlsdate/
+ /etc/tlsdate/*/** r,
+
+ # Required for getpwnam
+ /etc/passwd r,
+ /etc/group r,
+
+
+ # Allow reading of libs and /tmp
+ /etc/ld.so.cache r,
+
+ # Random number generation requires these two
+ /dev/random r,
+ /dev/urandom r,
+
+ # Allow mapping of shared libraries
+ /lib/* rm,
+ /lib32/* rm,
+ /lib64/* rm,
+ /usr/lib/* rm,
+ /usr/local/lib/* rm,
+ /lib/x86_64-linux-gnu/* rm,
+
+ # We'll allow tlsdate to write a new root to chroot into
+ /tmp/ r,
+ owner /tmp/tlsdate_*/ rw,
+}
+
+
+/usr/bin/tlsdate-routeup {
+ #include <abstractions/consoles>
+
+ # Allow reading of /etc/tlsdate/
+ /etc/tlsdate/*/** r,
+
+ # Allow reading of libs and /tmp
+ /etc/ld.so.cache r,
+
+ # Random number generation requires these two
+ /dev/random r,
+ /dev/urandom r,
+
+ # Allow mapping of shared libraries
+ /lib/* rm,
+ /lib32/* rm,
+ /lib64/* rm,
+ /usr/lib/* rm,
+ /lib/x86_64-linux-gnu/* rm,
}
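Review bot: The three `ixm` rules added at the end of the enclosing profile use inherit-execute, so tlsdate-helper and tlsdate-routeup keep running under the parent's profile when it launches them. The dedicated `/usr/bin/tlsdate-helper` and `/usr/bin/tlsdate-routeup` profiles added below are therefore not entered on that path, and the parent has to carry every capability and file rule its children need. If per-binary least privilege is the intent, a profile transition such as `/usr/bin/tlsdate-helper Px,` and `/usr/bin/tlsdate-routeup Px,` would apply the new profiles. The enclosing profile starts outside the hunk, so which binary it confines is inferred from the comments. Smaller points in the helper profile: `/etc/nsswitch.conf r,` is listed twice, and the comment `# Allow reading of libs and /tmp` sits above a rule that only covers `/etc/ld.so.cache`.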