[Pkg-matrix-maintainers] Bug#927214: Add AppArmor profile
Jörg Sommer
joerg at jo-so.de
Tue Apr 16 11:59:09 BST 2019
Package: matrix-synapse
Version: 0.99.2-3
Severity: normal
I've created an AppArmor profile for Synapse and it works fine for me.
Maybe you could add this to the package to restrict the impact of a
possible misbehaviour of Synapse.

Because Synapse is a python process, AppArmor's auto-detection of profiles
does not work. Hence, the Systemd service file must set the profile for
the process. Add the line `AppArmorProfile=matrix-synapse` to the service
file.

I think the best would be to include a NEWS message and tell the users
about the new setting and tell them they could disable it by overriding
the Systemd setting (run `systemctl edit matrix-synapse` and insert
`[Service] AppArmorProfile=`). They can also switch to non-enforcement
mode by changing the file */etc/apparmor.d/matrix-synapse* to
`profile matrix-synapse flags=(complain) {`.

This profile should be saved in */etc/apparmor.d/matrix-synapse*.

BTW: The same profile works for the Synapse workers.
```
include <tunables/global>
# add `flags=(complain)` before `{` to switch to non-enforcement mode
profile matrix-synapse {
include <abstractions/base>
include <abstractions/python>
include <abstractions/ssl_certs>
network inet stream,
network inet6 stream,
/etc/gai.conf r,
/etc/host.conf r,
/etc/hosts r,
/etc/mime.types r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/resolv.conf r,
/etc/ssl/openssl.cnf r,
owner @{PROC}/@{pid}/{fd/,limits,mounts,stat} r,
/etc/matrix-synapse/** r,
owner /var/lib/matrix-synapse/ r,
owner /var/{lib,log}/matrix-synapse/** rw,
# /usr/lib/python3.7/ctypes/util.py:287 calls `/sbin/ldconfig -p`
/usr/sbin/ldconfig PUx,
# /usr/lib/python3.7/platform.py:1057 calls `/bin/sh -c 'uname -p 2> /dev/null'`
/usr/bin/dash Cx -> dash,
profile dash {
include <abstractions/base>
/usr/bin/dash r,
/usr/bin/uname PUx,
}
}
```
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages matrix-synapse depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii libjs-jquery 3.3.1~dfsg-1
ii libpython3-stdlib 3.7.3-1
ii lsb-base 10.2019031300
ii python3 3.7.3-1
pn python3-attr <none>
pn python3-bcrypt <none>
pn python3-canonicaljson <none>
pn python3-daemonize <none>
ii python3-distutils 3.7.3-1
pn python3-frozendict <none>
pn python3-jsonschema <none>
pn python3-msgpack <none>
pn python3-nacl <none>
pn python3-netaddr <none>
ii python3-openssl 19.0.0-1
pn python3-phonenumbers <none>
ii python3-pil 5.4.1-2
pn python3-prometheus-client <none>
pn python3-psutil <none>
ii python3-pyasn1 0.4.2-3
ii python3-pyasn1-modules 0.2.1-0.2
pn python3-pymacaroons <none>
pn python3-service-identity <none>
pn python3-signedjson <none>
ii python3-six 1.12.0-1
pn python3-sortedcontainers <none>
pn python3-systemd <none>
pn python3-treq <none>
pn python3-twisted <none>
pn python3-unpaddedbase64 <none>
pn python3-yaml <none>
Versions of packages matrix-synapse recommends:
pn python3-bleach <none>
ii python3-jinja2 2.10-2
ii python3-lxml 4.3.3-1
pn python3-psycopg2 <none>
Versions of packages matrix-synapse suggests:
pn python3-txacme <none>
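The steps the report describes (save the profile, attach it via the unit's `AppArmorProfile=` setting, and optionally opt out with an empty `AppArmorProfile=` drop-in) leave one question open for a maintainer or admin: how to confirm that the running Synapse process is actually confined, since a Python interpreter never attaches to a profile by path. The following script is an added example, not part of the bug report or the matrix-synapse package. It assumes the profile is saved as `/etc/apparmor.d/matrix-synapse` with the profile name `matrix-synapse`, that the unit is called `matrix-synapse.service`, and that `apparmor_parser` and `systemctl` are available when the `load`, `attach` and `check` actions are invoked. The parsing helpers work offline on the `/proc/<pid>/attr/current` label format (`unconfined` or `name (mode)`).

```shell
#!/bin/sh
# Added example (not from the bug report): attach the AppArmor profile to the
# systemd-managed Synapse service and verify that the main process is confined.
# Assumed names: profile "matrix-synapse" in /etc/apparmor.d/matrix-synapse,
# unit "matrix-synapse.service".
set -u

PROFILE_NAME="matrix-synapse"
UNIT="matrix-synapse.service"
PROFILE_FILE="/etc/apparmor.d/$PROFILE_NAME"

# Render a systemd drop-in that sets AppArmorProfile=. Called with no
# argument it renders the opt-out override from the report (an empty
# AppArmorProfile= clears the setting from the packaged unit).
drop_in_text() {
    printf '[Service]\nAppArmorProfile=%s\n' "${1-}"
}

# Parse one label in the format of /proc/<pid>/attr/current:
#   "unconfined"               -> "unconfined -"
#   "matrix-synapse (enforce)" -> "matrix-synapse enforce"
parse_confinement() {
    case "$1" in
        unconfined) echo "unconfined -" ;;
        *" ("*")")
            name=${1% (*}
            mode=${1##* (}
            mode=${mode%)}
            echo "$name $mode" ;;
        *) echo "unknown -" ;;
    esac
}

# True only when the expected profile is applied in enforce mode.
# Complain mode logs denials but blocks nothing, so it is not "protected".
is_enforced() {
    set -- $(parse_confinement "$1")
    [ "$1" = "$PROFILE_NAME" ] && [ "$2" = "enforce" ]
}

# 1. Syntax-check the profile (no kernel load), then (re)load it.
load_profile() {
    command -v apparmor_parser >/dev/null 2>&1 || { echo "apparmor_parser not installed"; return 1; }
    apparmor_parser -Q "$PROFILE_FILE" || return 1   # parse only, report errors
    apparmor_parser -r "$PROFILE_FILE"               # replace/load into the kernel
}

# 2. Attach the profile through a drop-in instead of editing the packaged unit.
install_drop_in() {
    dir="/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    drop_in_text "$PROFILE_NAME" > "$dir/apparmor.conf"
    systemctl daemon-reload && systemctl restart "$UNIT"
}

# 3. Read the confinement label of the unit's main process and report it.
check_service() {
    pid=$(systemctl show -p MainPID --value "$UNIT" 2>/dev/null) || return 1
    { [ -n "$pid" ] && [ "$pid" != 0 ]; } || { echo "$UNIT is not running"; return 1; }
    label=$(cat "/proc/$pid/attr/current")
    echo "$UNIT pid $pid: $(parse_confinement "$label")"
    is_enforced "$label"
}

# Usage: ./synapse-apparmor.sh load|attach|check
case "${1-}" in
    load)   load_profile ;;
    attach) install_drop_in ;;
    check)  check_service ;;
    "")     ;;   # no action given: only define the functions above
esac
```

Running `check` after `attach` should print `matrix-synapse.service pid <N>: matrix-synapse enforce` and exit 0; a label of `unconfined` means the `AppArmorProfile=` setting did not take effect (for example because the drop-in was not reloaded), and `complain` means the profile is loaded but only logging, which is the non-enforcement mode the report mentions.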