[Pkg-swan-devel] [strongswan] 03/11: * add and install apparmor profiles

Yves-Alexis Perez corsac at moszumanska.debian.org
Mon Jan 16 13:55:43 UTC 2017


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 9e71a10822db1d8ce399ac85c1d6c13863987be0
Author: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Date:   Mon Dec 19 16:21:01 2016 +0100

    * add and install apparmor profiles
    
      - d/rules install AppArmor profiles
      - d/control add dh-apparmor build-dep
      - d/usr.lib.ipsec.{charon, lookip, stroke} add latest AppArmor profiles
        for charon, lookip and stroke
    
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 debian/control                         |  1 +
 debian/libcharon-extra-plugins.install |  1 +
 debian/rules                           |  5 +++
 debian/strongswan-charon.install       |  1 +
 debian/strongswan-starter.install      |  1 +
 debian/usr.lib.ipsec.charon            | 76 ++++++++++++++++++++++++++++++++++
 debian/usr.lib.ipsec.lookip            | 22 ++++++++++
 debian/usr.lib.ipsec.stroke            | 28 +++++++++++++
 8 files changed, 135 insertions(+)

diff --git a/debian/control b/debian/control
index 3ce3ed8..b169bad 100644
--- a/debian/control
+++ b/debian/control
@@ -11,6 +11,7 @@ Vcs-Git: git://anonscm.debian.org/pkg-swan/strongswan.git
 Build-Depends: bison,
                bzip2,
                debhelper (>= 9.20151219),
+               dh-apparmor,
                dh-autoreconf,
                dh-systemd (>= 1.5),
                dpkg-dev (>= 1.16.2),
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
index a429c4e..7b0bd2b 100644
--- a/debian/libcharon-extra-plugins.install
+++ b/debian/libcharon-extra-plugins.install
@@ -38,6 +38,7 @@ etc/strongswan.d/charon/lookip.conf
 etc/strongswan.d/charon/tnc-tnccs.conf
 etc/strongswan.d/charon/unity.conf
 etc/strongswan.d/charon/xauth-*.conf
+debian/usr.lib.ipsec.lookip /etc/apparmor.d/
 # support libs
 #usr/lib/ipsec/libfast.so*
 usr/lib/ipsec/libpttls.so*
diff --git a/debian/rules b/debian/rules
index 3eeadf7..00aed57 100755
--- a/debian/rules
+++ b/debian/rules
@@ -176,6 +176,11 @@ endif
 		-Xlibstrongswan-af-alg.so -X af-alg.conf \
 		-Xstrongswan.service
 
+	# AppArmor.
+	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
+	dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
+	dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
+
 	# add additional files not covered by upstream makefile...
 	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 	# also "patch" ipsec.conf to include the debconf-managed file
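Review bot: The three `dh_apparmor` calls depend on the profile files already being present under `debian/<package>/etc/apparmor.d/` (the `.install` entries elsewhere in this commit put them there), so they have to run after `dh_install` in the same target; the enclosing override target starts outside the hunk, so that ordering cannot be confirmed from here. A comment on the marker line would make the dependency explicit, e.g. `# AppArmor: must run after dh_install has placed the profiles in debian/*/etc/apparmor.d/`. If dh_apparmor runs before the profiles are in the package tree, the generated maintainer-script snippets would presumably refer to profiles the package does not ship, so the ordering is worth verifying.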
diff --git a/debian/strongswan-charon.install b/debian/strongswan-charon.install
index c1bdaf3..cd4ca6c 100644
--- a/debian/strongswan-charon.install
+++ b/debian/strongswan-charon.install
@@ -3,3 +3,4 @@ usr/share/strongswan/templates/config/strongswan.d/charon.conf
 usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon.conf
+debian/usr.lib.ipsec.charon /etc/apparmor.d/
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index dad52d6..7b02b0a 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -20,3 +20,4 @@ usr/lib/ipsec/stroke
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
 usr/share/strongswan/templates/config/plugins/stroke.conf
 etc/strongswan.d/charon/stroke.conf
+debian/usr.lib.ipsec.stroke /etc/apparmor.d/
diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
new file mode 100644
index 0000000..9e24c74
--- /dev/null
+++ b/debian/usr.lib.ipsec.charon
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+#   Copyright (C) 2016 Canonical Ltd.
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   Author: Jonathan Davies <jonathan.davies at canonical.com>
+#           Ryan Harper <ryan.harper at canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/charon flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/authentication>
+  #include <abstractions/openssl>
+  #include <abstractions/p11-kit>
+
+  capability ipc_lock,
+  capability net_admin,
+  capability net_raw,
+
+  # allow priv dropping (LP: #1333655)
+  capability chown,
+  capability setgid,
+  capability setuid,
+
+  # libcharon-extra-plugins: xauth-pam
+  capability audit_write,
+
+  # libstrongswan-standard-plugins: agent
+  capability dac_override,
+
+  capability net_admin,
+  capability net_raw,
+
+  network,
+  network raw,
+
+  /bin/dash                 rmPUx,
+
+  # libchron-extra-plugins: kernel-libipsec
+  /dev/net/tun              rw,
+
+  /etc/ipsec.conf           r,
+  /etc/ipsec.secrets        r,
+  /etc/ipsec.*.secrets      r,
+  /etc/ipsec.d/             r,
+  /etc/ipsec.d/**           r,
+  /etc/ipsec.d/crls/*       rw,
+  /etc/opensc/opensc.conf   r,
+  /etc/strongswan.conf      r,
+  /etc/strongswan.d/        r,
+  /etc/strongswan.d/**      r,
+  /etc/tnc_config           r,
+
+  /proc/sys/net/core/xfrm_acq_expires   w,
+
+  /run/charon.*             rw,
+  /run/pcscd/pcscd.comm     rw,
+
+  /usr/lib/ipsec/charon     rmix,
+  /usr/lib/ipsec/imcvs/     r,
+  /usr/lib/ipsec/imcvs/**   rm,
+
+  /usr/lib/*/opensc-pkcs11.so rm,
+
+  /var/lib/strongswan/*     r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.ipsec.charon>
+}
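Review bot: `capability net_admin,` and `capability net_raw,` appear twice in this profile (once right after the abstractions, again after the dac_override block), and `network raw,` is already covered by the unqualified `network,` rule directly above it; the second pair of capability lines and `network raw,` can be dropped without changing what the profile grants. The comment `# libchron-extra-plugins: kernel-libipsec` misspells the package name and should read `# libcharon-extra-plugins: kernel-libipsec`. The `/bin/dash rmPUx,` rule makes anything charon launches through the shell run unconfined, and nothing in the profile says what that is meant to cover; a comment such as `# shell for helper scripts runs unconfined (PUx) — presumably updown scripts, confirm the scope` would make the broadest grant here auditable.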
diff --git a/debian/usr.lib.ipsec.lookip b/debian/usr.lib.ipsec.lookip
new file mode 100644
index 0000000..de10433
--- /dev/null
+++ b/debian/usr.lib.ipsec.lookip
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#   Copyright (C) 2014 Canonical Ltd.
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   Author: Jonathan Davies <jonathan.davies at canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/lookip {
+  #include <abstractions/base>
+
+  /run/charon.lkp           rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.ipsec.lookip>
+}
diff --git a/debian/usr.lib.ipsec.stroke b/debian/usr.lib.ipsec.stroke
new file mode 100644
index 0000000..9d20ee7
--- /dev/null
+++ b/debian/usr.lib.ipsec.stroke
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+#   Copyright (C) 2014 Canonical Ltd.
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   Author: Jonathan Davies <jonathan.davies at canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/stroke flags=(attach_disconnected) {
+  #include <abstractions/base>
+
+  capability dac_override,
+
+  /etc/strongswan.conf          r,
+  /etc/strongswan.d/            r,
+  /etc/strongswan.d/**          r,
+
+  /run/charon.ctl               rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.ipsec.stroke>
+}
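Review bot: `capability dac_override,` is granted without a comment saying what stroke needs it for, which leaves the broadest grant in this profile the hardest to audit; presumably it is for reaching `/run/charon.ctl` when the caller's uid does not match the socket owner, but the profile should say so, e.g. `# dac_override: presumably needed to open /run/charon.ctl — confirm and narrow if possible`. The sibling lookip profile in this commit omits `flags=(attach_disconnected)` while stroke sets it; if stroke does not actually need the flag, dropping it keeps the two helper profiles consistent, and if it does, a one-line comment stating why would help the next reviewer.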
