#
# AppArmor tlsdate profile for Debian GNU/Linux
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
#include <tunables/global>
#include <tunables/multiarch.d>
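/usr/bin/tlsdate {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setgid/setuid: drop privileges;
  # sys_chroot: enter the /tmp/tlsdate_* root granted further down
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  # On resolvconf-managed systems /etc/resolv.conf is a symlink to this
  # file; AppArmor matches the resolved target, so it needs its own rule
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  # (no rule grants anything under /etc/ssl/private/)
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache (library mappings and /tmp are granted below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdate to exec tlsdate-helper (and re-exec itself).
  # 'ix' keeps the child under this profile instead of transitioning to
  # the dedicated /usr/bin/tlsdate-helper profile below; the two profiles
  # grant the same file and network access, so this only matters if the
  # helper profile is tightened later.
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}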
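/usr/bin/tlsdate-helper {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setgid/setuid: drop privileges;
  # sys_chroot: enter the /tmp/tlsdate_* root granted further down
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  # On resolvconf-managed systems /etc/resolv.conf is a symlink to this
  # file; AppArmor matches the resolved target, so it needs its own rule
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  # (no rule grants anything under /etc/ssl/private/)
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache (library mappings and /tmp are granted below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate-helper to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # No exec rules: the helper is the leaf of the tlsdate/tlsdated chain
  # and is not permitted to execute anything.
}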
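/usr/sbin/tlsdated {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setgid/setuid: drop privileges;
  # sys_chroot: enter the /tmp/tlsdate_* root granted further down
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  # Same as the tlsdate and tlsdate-helper profiles: on resolvconf-managed
  # systems /etc/resolv.conf is a symlink to this file and AppArmor matches
  # the resolved target, so it needs its own rule
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  # (no rule grants anything under /etc/ssl/private/)
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  /etc/tlsdate/*/** r,
  /etc/tlsdate/tlsdated.conf r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # tlsdated looks into proc for answers
  /proc/meminfo r,

  # Dynamic loader cache (library mappings and /tmp are granted below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # RTC (read and write: tlsdated also stores the time in the hardware clock)
  /dev/rtc0 rw,
  /dev/rtc1 rw,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdated to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdated to cache the time here
  owner /var/cache/tlsdated/* rw,
  # We'll allow the unprivileged helper to read the time
  /var/cache/tlsdated/* r,

  # We'll allow tlsdated to exec tlsdate-helper (and tlsdate).
  # NOTE(review): 'ix' runs the child *inherited* under this profile, so the
  # helper keeps rw on /dev/rtc* and /var/cache/tlsdated/* that the dedicated
  # /usr/bin/tlsdate-helper profile above does not grant. 'px' would
  # transition to that tighter profile; confirm the helper needs nothing
  # beyond it before switching.
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}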