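#
# AppArmor tlsdate profile for Ubuntu 11.04 and later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# NOTE(review): the target of every #include in this file was lost when the
# file was extracted (an #include with no <path> does not parse, so the
# profiles cannot be loaded as-is). Restore the targets from the upstream
# profile before use: the file-scope include is conventionally
# <tunables/global> and the first per-profile include <abstractions/base>;
# the second per-profile include could not be recovered -- confirm upstream.
#include <TODO_RESTORE_INCLUDE_TARGET>

/usr/bin/tlsdate {
  #include <TODO_RESTORE_INCLUDE_TARGET>
  #include <TODO_RESTORE_INCLUDE_TARGET>

  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  # NOTE(review): "*/**" only matches paths at least two components below
  # /etc/tlsdate/ (a subdirectory and something inside it); a file placed
  # directly in /etc/tlsdate/ is not covered -- confirm that is intended.
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache (the /tmp rules are further down)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  # NOTE(review): unlike the tlsdate-helper and tlsdated profiles, this
  # profile (and tlsdate-routeup) does not map /usr/local/lib -- confirm
  # that the difference is intended rather than an omission.
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdate to write a new root to chroot into; the directory
  # itself is only listable, and only an owner-created tlsdate_* subtree is
  # writable
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdate to exec tlsdate-helper (ix: the child inherits this
  # profile rather than transitioning to its own)
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}

/usr/bin/tlsdate-helper {
  #include <TODO_RESTORE_INCLUDE_TARGET>
  #include <TODO_RESTORE_INCLUDE_TARGET>

  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/ (see the note on this glob in the
  # tlsdate profile above)
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,

  # Dynamic loader cache (the /tmp rules are further down)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /usr/local/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdate-helper to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,
}

/usr/bin/tlsdated {
  #include <TODO_RESTORE_INCLUDE_TARGET>
  #include <TODO_RESTORE_INCLUDE_TARGET>

  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/ (see the note on this glob in the
  # tlsdate profile above)
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,

  # Dynamic loader cache (the /tmp rules are further down)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /usr/local/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdated to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdated to cache the time here (owner-only, so a cache
  # file created by another user is not trusted)
  owner /var/cache/tlsdated/* rw,

  # We'll allow tlsdated to exec tlsdate-routeup, tlsdate-helper and tlsdate
  # (ix: the children inherit this profile)
  /usr/bin/tlsdate-routeup ixm,
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}

/usr/bin/tlsdate-routeup {
  #include <TODO_RESTORE_INCLUDE_TARGET>

  # Allow reading of /etc/tlsdate/ (see the note on this glob in the
  # tlsdate profile above)
  /etc/tlsdate/*/** r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,
}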