#
# AppArmor tlsdate profile for Ubuntu 11.04 and later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#

# Shared variable definitions (e.g. @{PROC}) that the abstractions
# included by the profiles below rely on.
#include <tunables/global>
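/usr/bin/tlsdate {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # Set the clock (sys_time), drop privileges (setuid/setgid) and
  # confine itself to a throwaway root (sys_chroot).
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname (localtime for timestamps)
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  # NOTE(review): `*` does not match `/`, so this only covers files in
  # subdirectories of /etc/tlsdate/, not files placed directly in it.
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache (the library directories themselves are below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdate to write a new root to chroot into.
  # The trailing slash limits the rule to the directory itself (not its
  # contents) and `owner` to directories owned by the process.
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdate to exec tlsdate-helper (and re-exec itself).
  # NOTE(review): `ix` keeps the child under this profile; the separate
  # /usr/bin/tlsdate-helper profile below is not entered on this path
  # (`px` would transition to it) -- confirm that is intended.
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}
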
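/usr/bin/tlsdate-helper {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # NOTE(review): this profile only applies when tlsdate-helper is started
  # directly; tlsdate and tlsdated exec it with `ix`, which keeps it under
  # the parent's profile instead of transitioning here.

  # Set the clock (sys_time), drop privileges (setuid/setgid) and
  # confine itself to a throwaway root (sys_chroot).
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname (localtime for timestamps)
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  # NOTE(review): `*` does not match `/`, so this only covers files in
  # subdirectories of /etc/tlsdate/, not files placed directly in it.
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache (the library directories themselves are below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /usr/local/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdate to write a new root to chroot into.
  # The trailing slash limits the rule to the directory itself (not its
  # contents) and `owner` to directories owned by the process.
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,
}
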
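/usr/bin/tlsdated {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # Set the clock (sys_time), drop privileges (setuid/setgid) and
  # confine itself to a throwaway root (sys_chroot).
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname (localtime for timestamps)
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/
  # The glob only matches files in subdirectories (`*` does not match `/`),
  # so the daemon's own config file needs an explicit rule.
  /etc/tlsdate/*/** r,
  /etc/tlsdate/tlsdated.conf r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # tlsdated looks into proc for answers
  /proc/meminfo r,

  # Dynamic loader cache (the library directories themselves are below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # RTC -- write access presumably to update the hardware clock (TODO confirm)
  /dev/rtc0 rw,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /usr/local/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,

  # We'll allow tlsdate to write a new root to chroot into.
  # The trailing slash limits the rule to the directory itself (not its
  # contents) and `owner` to directories owned by the process.
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdated to cache the time here (only files it owns)
  owner /var/cache/tlsdated/* rw,

  # We'll allow tlsdated to exec its helpers and tlsdate itself.
  # NOTE(review): `ix` keeps every child under this profile; the dedicated
  # profiles for these binaries elsewhere in this file are not entered on
  # this path (`px` would transition) -- confirm that is intended.
  /usr/bin/tlsdate-dbus-announce ixm,
  /usr/bin/tlsdate-routeup ixm,
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}
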
/usr/bin/tlsdate-routeup {
  #include <abstractions/consoles>

  # NOTE(review): tlsdated execs this binary with `ix`, so this profile
  # only applies when tlsdate-routeup is started directly.

  # Allow reading of /etc/tlsdate/
  # (`*` does not match `/`: only files in subdirectories are covered)
  /etc/tlsdate/*/** r,

  # Dynamic loader cache (the library directories themselves are below)
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,
}

/usr/bin/tlsdate-dbus-announce {
  #include <abstractions/consoles>

  # NOTE(review): tlsdated execs this binary with `ix`, so this profile
  # only applies when tlsdate-dbus-announce is started directly.

  # Allow reading of /etc/tlsdate/
  # (`*` does not match `/`: only files in subdirectories are covered)
  /etc/tlsdate/*/** r,

  # Dynamic loader cache (the library directories themselves are below)
  /etc/ld.so.cache r,

  # Allow mapping of shared libraries
  /lib/* rm,
  /lib32/* rm,
  /lib64/* rm,
  /usr/lib/* rm,
  /lib/x86_64-linux-gnu/* rm,
}
239}