#
# AppArmor tlsdate profile for Debian GNU/Linux
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This file defines three profiles: /usr/bin/tlsdate, /usr/bin/tlsdate-helper
# and /usr/sbin/tlsdated. The first two are near-identical; tlsdated is the
# broadest (RTC devices and the time cache under /var/cache/tlsdated).
#

#include <tunables/global>
# Supplies the @{multiarch} variable used by the shared-library mmap rules.
#include <tunables/multiarch.d>
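/usr/bin/tlsdate {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time lets the process set the system clock; setuid/setgid and
  # sys_chroot are presumably for dropping privileges and chrooting into the
  # scratch directory granted under /tmp below.
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname (/run/resolvconf/... covers the resolvconf
  # symlink target, since AppArmor matches the resolved path)
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys (/etc/ssl/private is
  # deliberately absent from this profile)
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/. Note that "*/**" matches files inside
  # subdirectories only, not files placed directly in /etc/tlsdate/.
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into. "owner" limits this
  # to directories owned by tlsdate's own uid, and the rule covers the
  # directory entry itself, not anything created inside it.
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdate to exec tlsdate-helper. "ix" makes the child inherit
  # this profile instead of transitioning to the dedicated
  # /usr/bin/tlsdate-helper profile, so the helper runs under tlsdate's rules.
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}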
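/usr/bin/tlsdate-helper {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # Same capability set as /usr/bin/tlsdate: clock setting plus the
  # privilege-drop/chroot capabilities presumably used for the /tmp scratch root.
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/ ("*/**" does not match files directly
  # under /etc/tlsdate/, only those in subdirectories)
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into ("owner" restricts
  # the rule to directories owned by the process's own uid)
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # This profile grants no exec rules and no access to /var/cache/tlsdated;
  # it only applies when the helper is started under its own profile rather
  # than inherited ("ix") from a tlsdate/tlsdated parent.
}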
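/usr/sbin/tlsdated {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time for setting the clock; setuid/setgid and sys_chroot presumably
  # for privilege drop and the /tmp chroot granted below.
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname. /run/resolvconf/resolv.conf is added for
  # consistency with the tlsdate and tlsdate-helper profiles: AppArmor matches
  # the resolved path, so a resolvconf-managed symlink needs the target too.
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of /etc/tlsdate/. "*/**" only matches files in
  # subdirectories, which is why tlsdated.conf needs its own rule.
  /etc/tlsdate/*/** r,
  /etc/tlsdate/tlsdated.conf r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # tlsdated looks into proc for answers
  /proc/meminfo r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # RTC (write access is what distinguishes this profile from the other two)
  /dev/rtc0 rw,
  /dev/rtc1 rw,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdated to cache the time here
  owner /var/cache/tlsdated/* rw,
  # We'll allow the unprivileged helper to read the time
  /var/cache/tlsdated/* r,

  # We'll allow tlsdated to exec tlsdate-helper. Because the transition is
  # "ix", the helper inherits this (broadest) profile, including RTC and cache
  # write access, rather than the narrower /usr/bin/tlsdate-helper profile.
  # A "px" transition would confine it to that profile, but the helper profile
  # would then need the /var/cache/tlsdated/* read that the comment above
  # says the helper relies on.
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}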