Gitiles
Code Review Sign In
android-review.linaro.org / platform / external / tlsdate / refs/tags/android-cts-7.0_r8 / . / apparmor-profile
blob: 20451ed37058c5d58bd9e77951ab874c8b28c8d1 [file] [log] [blame]
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]1#
Jacob Appelbaume503ac82014-10-10 02:55:14 +0000[diff] [blame]2# AppArmor tlsdate profile for Debian GNU/Linux
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]3#
4# This program is free software; you can redistribute it and/or
5# modify it under the terms of version 2 of the GNU General Public
6# License published by the Free Software Foundation.
7#
8
9#include <tunables/global>
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]10#include <tunables/multiarch.d>
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]11/usr/bin/tlsdate {
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]12 #include <abstractions/consoles>
13 #include <abstractions/ssl_certs>
14
15 capability sys_time,
16 capability setgid,
17 capability setuid,
18 capability sys_chroot,
19
20 # IPv4 TCP
21 network inet stream,
22 # IPv4 UDP for DNS resolution
23 network inet dgram,
Jacob Appelbaumc3457b52012-07-15 14:26:05 +0200[diff] [blame]24 # IPv6 TCP
25 network inet6 stream,
26 # IPv6 UDP
27 network inet6 dgram,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]28
29 # Required for gethostbyname
30 /etc/resolv.conf r,
Jacob Appelbaum3f69a222013-05-11 12:51:29 -0700[diff] [blame]31 /run/resolvconf/resolv.conf r,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]32 /etc/nsswitch.conf r,
33 /etc/localtime r,
34 /etc/nsswitch.conf r,
35 /etc/hosts r,
36 /etc/host.conf r,
37
38 # Allow reading public certs but not private keys
39 /etc/ssl/certs/* r,
40 /usr/share/ca-certificates/*/** r,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]41
42 # Allow reading of /etc/tlsdate/
43 /etc/tlsdate/*/** r,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]44
45 # Required for getpwnam
46 /etc/passwd r,
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]47 /etc/group r,
Jacob Appelbaum05ba51a2012-07-15 14:48:26 +0200[diff] [blame]48 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]49
50 # Allow reading of libs and /tmp
51 /etc/ld.so.cache r,
52
53 # Random number generation requires these two
54 /dev/random r,
55 /dev/urandom r,
56
57 # Allow mapping of shared libraries
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]58 /lib{,32,64}/* rm,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]59 /usr/lib/* rm,
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]60 /lib/@{multiarch}/* rm,
61 /usr/lib/@{multiarch}/* rm,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]62
63 # We'll allow tlsdate to write a new root to chroot into
64 /tmp/ r,
65 owner /tmp/tlsdate_*/ rw,
66
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]67 # We'll allow tlsdate to exec tlsdate-helper
Jacob Appelbaumed55cef2012-07-15 15:10:44 +0200[diff] [blame]68 /usr/bin/tlsdate-helper ixm,
69 /usr/bin/tlsdate ixm,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]70}
71
72/usr/bin/tlsdate-helper {
73 #include <abstractions/consoles>
74 #include <abstractions/ssl_certs>
75
76 capability sys_time,
77 capability setgid,
78 capability setuid,
79 capability sys_chroot,
80
81 # IPv4 TCP
82 network inet stream,
83 # IPv4 UDP for DNS resolution
84 network inet dgram,
85 # IPv6 TCP
86 network inet6 stream,
87 # IPv6 UDP
88 network inet6 dgram,
89
90 # Required for gethostbyname
91 /etc/resolv.conf r,
Jacob Appelbaum3f69a222013-05-11 12:51:29 -0700[diff] [blame]92 /run/resolvconf/resolv.conf r,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]93 /etc/nsswitch.conf r,
94 /etc/localtime r,
95 /etc/nsswitch.conf r,
96 /etc/hosts r,
97 /etc/host.conf r,
98
99 # Allow reading public certs but not private keys
100 /etc/ssl/certs/* r,
101 /usr/share/ca-certificates/*/** r,
102
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]103 # Allow reading of /etc/tlsdate/
104 /etc/tlsdate/*/** r,
105
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]106 # Required for getpwnam
107 /etc/passwd r,
108 /etc/group r,
Jacob Appelbaumc7ba6d62012-10-31 01:11:42 +0100[diff] [blame]109 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]110
111 # Allow reading of libs and /tmp
112 /etc/ld.so.cache r,
113
114 # Random number generation requires these two
115 /dev/random r,
116 /dev/urandom r,
117
118 # Allow mapping of shared libraries
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]119 /lib{,32,64}/* rm,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]120 /usr/lib/* rm,
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]121 /lib/@{multiarch}/* rm,
122 /usr/lib/@{multiarch}/* rm,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]123
124 # We'll allow tlsdate to write a new root to chroot into
125 /tmp/ r,
126 owner /tmp/tlsdate_*/ rw,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]127}
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]128
Jacob Appelbaume85d3122014-10-10 13:55:49 +0000[diff] [blame]129/usr/sbin/tlsdated {
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]130 #include <abstractions/consoles>
131 #include <abstractions/ssl_certs>
132
133 capability sys_time,
134 capability setgid,
135 capability setuid,
136 capability sys_chroot,
137
138 # IPv4 TCP
139 network inet stream,
140 # IPv4 UDP for DNS resolution
141 network inet dgram,
142 # IPv6 TCP
143 network inet6 stream,
144 # IPv6 UDP
145 network inet6 dgram,
146
147 # Required for gethostbyname
148 /etc/resolv.conf r,
149 /etc/nsswitch.conf r,
150 /etc/localtime r,
151 /etc/nsswitch.conf r,
152 /etc/hosts r,
153 /etc/host.conf r,
154
155 # Allow reading public certs but not private keys
156 /etc/ssl/certs/* r,
157 /usr/share/ca-certificates/*/** r,
158
159 # Allow reading of /etc/tlsdate/
160 /etc/tlsdate/*/** r,
Jacob Appelbaumc64c2402013-01-22 23:52:20 +0100[diff] [blame]161 /etc/tlsdate/tlsdated.conf r,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]162
163 # Required for getpwnam
164 /etc/passwd r,
165 /etc/group r,
Jacob Appelbaumc7ba6d62012-10-31 01:11:42 +0100[diff] [blame]166 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]167
Jacob Appelbaumc64c2402013-01-22 23:52:20 +0100[diff] [blame]168 # tlsdated looks into proc for answers
169 /proc/meminfo r,
170
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]171 # Allow reading of libs and /tmp
172 /etc/ld.so.cache r,
173
174 # Random number generation requires these two
175 /dev/random r,
176 /dev/urandom r,
177
Jacob Appelbaum1f364682012-10-31 00:40:50 +0100[diff] [blame]178 # RTC
179 /dev/rtc0 rw,
Jacob Appelbaume85d3122014-10-10 13:55:49 +0000[diff] [blame]180 /dev/rtc1 rw,
Jacob Appelbaum1f364682012-10-31 00:40:50 +0100[diff] [blame]181
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]182 # Allow mapping of shared libraries
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]183 /lib{,32,64}/* rm,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]184 /usr/lib/* rm,
Jacob Appelbaumfa751dd2014-09-27 13:38:50 +0000[diff] [blame]185 /lib/@{multiarch}/* rm,
186 /usr/lib/@{multiarch}/* rm,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]187
188 # We'll allow tlsdate to write a new root to chroot into
189 /tmp/ r,
190 owner /tmp/tlsdate_*/ rw,
191
192 # We'll allow tlsdated to cache the time here
193 owner /var/cache/tlsdated/* rw,
Jacob Appelbaum84175072014-10-22 10:55:14 +0000[diff] [blame]194 # We'll allow the unprivileged helper to read the time
195 /var/cache/tlsdated/* r,
Jacob Appelbaum8fbb4d12012-10-29 22:54:57 +0100[diff] [blame]196
Jacob Appelbaum16928d72013-01-22 21:45:20 +0100[diff] [blame]197 # We'll allow tlsdated to exec tlsdate-helper
Jacob Appelbaum8fbb4d12012-10-29 22:54:57 +0100[diff] [blame]198 /usr/bin/tlsdate-helper ixm,
199 /usr/bin/tlsdate ixm,
200}