#
#    AppArmor tlsdate profile for Debian GNU/Linux
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#

# tunables/global brings in the distribution's standard profile variables;
# tunables/multiarch.d defines @{multiarch}, which the shared-library
# mapping rules in every profile below depend on.
#include <tunables/global>
#include <tunables/multiarch.d>
     11 /usr/bin/tlsdate {
     12   #include <abstractions/consoles>
     13   #include <abstractions/ssl_certs>
     14 
     15   capability sys_time,
     16   capability setgid,
     17   capability setuid,
     18   capability sys_chroot,
     19 
     20   # IPv4 TCP
     21   network inet stream,
     22   # IPv4 UDP for DNS resolution
     23   network inet dgram,
     24   # IPv6 TCP
     25   network inet6 stream,
     26   # IPv6 UDP
     27   network inet6 dgram,
     28 
     29   # Required for gethostbyname
     30   /etc/resolv.conf r,
     31   /run/resolvconf/resolv.conf r,
     32   /etc/nsswitch.conf r,
     33   /etc/localtime r,
     34   /etc/nsswitch.conf r,
     35   /etc/hosts r,
     36   /etc/host.conf r,
     37 
     38   # Allow reading public certs but not private keys
     39   /etc/ssl/certs/* r,
     40   /usr/share/ca-certificates/*/** r,
     41   
     42   # Allow reading of /etc/tlsdate/
     43   /etc/tlsdate/*/** r,
     44 
     45   # Required for getpwnam
     46   /etc/passwd r,
     47   /etc/group r,
     48   /proc/sys/kernel/ngroups_max r,
     49 
     50   # Allow reading of libs and /tmp
     51   /etc/ld.so.cache r,
     52 
     53   # Random number generation requires these two
     54   /dev/random r,
     55   /dev/urandom r,
     56 
     57   # Allow mapping of shared libraries
     58   /lib{,32,64}/* rm,
     59   /usr/lib/* rm,
     60   /lib/@{multiarch}/* rm,
     61   /usr/lib/@{multiarch}/* rm,
     62 
     63   # We'll allow tlsdate to write a new root to chroot into
     64   /tmp/ r,
     65   owner /tmp/tlsdate_*/ rw,
     66 
     67   # We'll allow tlsdate to exec tlsdate-helper
     68   /usr/bin/tlsdate-helper ixm,
     69   /usr/bin/tlsdate ixm,
     70 }
     71 
     72 /usr/bin/tlsdate-helper {
     73   #include <abstractions/consoles>
     74   #include <abstractions/ssl_certs>
     75 
     76   capability sys_time,
     77   capability setgid,
     78   capability setuid,
     79   capability sys_chroot,
     80 
     81   # IPv4 TCP
     82   network inet stream,
     83   # IPv4 UDP for DNS resolution
     84   network inet dgram,
     85   # IPv6 TCP
     86   network inet6 stream,
     87   # IPv6 UDP
     88   network inet6 dgram,
     89 
     90   # Required for gethostbyname
     91   /etc/resolv.conf r,
     92   /run/resolvconf/resolv.conf r,
     93   /etc/nsswitch.conf r,
     94   /etc/localtime r,
     95   /etc/nsswitch.conf r,
     96   /etc/hosts r,
     97   /etc/host.conf r,
     98 
     99   # Allow reading public certs but not private keys
    100   /etc/ssl/certs/* r,
    101   /usr/share/ca-certificates/*/** r,
    102 
    103   # Allow reading of /etc/tlsdate/
    104   /etc/tlsdate/*/** r,
    105 
    106   # Required for getpwnam
    107   /etc/passwd r,
    108   /etc/group r,
    109   /proc/sys/kernel/ngroups_max r,
    110 
    111   # Allow reading of libs and /tmp
    112   /etc/ld.so.cache r,
    113 
    114   # Random number generation requires these two
    115   /dev/random r,
    116   /dev/urandom r,
    117 
    118   # Allow mapping of shared libraries
    119   /lib{,32,64}/* rm,
    120   /usr/lib/* rm,
    121   /lib/@{multiarch}/* rm,
    122   /usr/lib/@{multiarch}/* rm,
    123 
    124   # We'll allow tlsdate to write a new root to chroot into
    125   /tmp/ r,
    126   owner /tmp/tlsdate_*/ rw,
    127 }
    128 
    129 /usr/sbin/tlsdated {
    130   #include <abstractions/consoles>
    131   #include <abstractions/ssl_certs>
    132 
    133   capability sys_time,
    134   capability setgid,
    135   capability setuid,
    136   capability sys_chroot,
    137 
    138   # IPv4 TCP
    139   network inet stream,
    140   # IPv4 UDP for DNS resolution
    141   network inet dgram,
    142   # IPv6 TCP
    143   network inet6 stream,
    144   # IPv6 UDP
    145   network inet6 dgram,
    146 
    147   # Required for gethostbyname
    148   /etc/resolv.conf r,
    149   /etc/nsswitch.conf r,
    150   /etc/localtime r,
    151   /etc/nsswitch.conf r,
    152   /etc/hosts r,
    153   /etc/host.conf r,
    154 
    155   # Allow reading public certs but not private keys
    156   /etc/ssl/certs/* r,
    157   /usr/share/ca-certificates/*/** r,
    158 
    159   # Allow reading of /etc/tlsdate/
    160   /etc/tlsdate/*/** r,
    161   /etc/tlsdate/tlsdated.conf r,
    162 
    163   # Required for getpwnam
    164   /etc/passwd r,
    165   /etc/group r,
    166   /proc/sys/kernel/ngroups_max r,
    167 
    168   # tlsdated looks into proc for answers
    169   /proc/meminfo r,
    170 
    171   # Allow reading of libs and /tmp
    172   /etc/ld.so.cache r,
    173 
    174   # Random number generation requires these two
    175   /dev/random r,
    176   /dev/urandom r,
    177 
    178   # RTC
    179   /dev/rtc0 rw,
    180   /dev/rtc1 rw,
    181 
    182   # Allow mapping of shared libraries
    183   /lib{,32,64}/* rm,
    184   /usr/lib/* rm,
    185   /lib/@{multiarch}/* rm,
    186   /usr/lib/@{multiarch}/* rm,
    187 
    188   # We'll allow tlsdate to write a new root to chroot into
    189   /tmp/ r,
    190   owner /tmp/tlsdate_*/ rw,
    191 
    192   # We'll allow tlsdated to cache the time here
    193   owner /var/cache/tlsdated/* rw,
    194   # We'll allow the unprivileged helper to read the time
    195   /var/cache/tlsdated/* r,
    196 
    197   # We'll allow tlsdated to exec tlsdate-helper
    198   /usr/bin/tlsdate-helper ixm,
    199   /usr/bin/tlsdate ixm,
    200 }
    201