[Pkg-swan-devel] [strongswan] 05/14: Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd.

Yves-Alexis Perez corsac at moszumanska.debian.org
Sun Sep 3 13:23:48 UTC 2017



corsac pushed a commit to branch master
in repository strongswan.

commit b8ac1d49802dbadecb1805baf4d6ca0ac7735ef0
Author: Gerald Turner <gturner at unzane.com>
Date:   Thu May 11 17:15:09 2017 -0700

    Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd.
    
    The AppArmor profile for charon-systemd was copied from the existing
    profile for /usr/lib/ipsec/charon without much scrutiny other than
    testing basic IPsec tunnels (no fancy plugin options were tested). It
    appears that the team at Canonical that had written the
    /usr/lib/ipsec/charon policy had done extensive testing with several
    plugins, and it seems likely that applying the same profile to
    charon-systemd will allow those plugins to continue to work.
    
    The AppArmor profile for swanctl was written from scratch and well
    tested. It turns out that swanctl unnecessarily loads plugins by
    default, so a bit of frivolous access has been granted.
---
 debian/changelog                  |  4 ++-
 debian/charon-systemd.install     |  1 +
 debian/rules                      |  2 ++
 debian/strongswan-swanctl.install |  1 +
 debian/usr.sbin.charon-systemd    | 76 +++++++++++++++++++++++++++++++++++++++
 debian/usr.sbin.swanctl           | 32 +++++++++++++++++
 6 files changed, 115 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 885fa76..0161c00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,7 +14,9 @@ strongswan (5.5.3-3) UNRELEASED; urgency=medium
     upstream to install configuration to output logging information to the
     journal.
   * debian/charon-systemd.install:
-    - install charon-systemd.conf files, thanks Gerald Tuner.   closes: #866325
+    - install charon-systemd.conf files, thanks Gerald Turner.  closes: #866325
+  * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
+                                                                closes: #866327
 
  -- Yves-Alexis Perez <corsac at debian.org>  Wed, 28 Jun 2017 22:57:48 +0200
 
diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install
index 6ab3af8..a1424ab 100644
--- a/debian/charon-systemd.install
+++ b/debian/charon-systemd.install
@@ -2,3 +2,4 @@ etc/strongswan.d/charon-systemd.conf
 lib/systemd/system/strongswan-swanctl.service
 usr/sbin/charon-systemd
 usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf
+debian/usr.sbin.charon-systemd /etc/apparmor.d/
diff --git a/debian/rules b/debian/rules
index 0e848e6..9913de6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -183,6 +183,8 @@ endif
 	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
 	dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
 	dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
+	dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl
+	dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd
 
 	# add additional files not covered by upstream makefile...
 	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
diff --git a/debian/strongswan-swanctl.install b/debian/strongswan-swanctl.install
index c1a3488..184ae88 100644
--- a/debian/strongswan-swanctl.install
+++ b/debian/strongswan-swanctl.install
@@ -8,3 +8,4 @@ usr/share/man/man8/swanctl.8
 usr/sbin/swanctl
 usr/lib/ipsec/libvici.so*
 usr/lib/ipsec/plugins/libstrongswan-vici.so
+debian/usr.sbin.swanctl /etc/apparmor.d/
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
new file mode 100644
index 0000000..e1769f2
--- /dev/null
+++ b/debian/usr.sbin.charon-systemd
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+#   Copyright (C) 2016 Canonical Ltd.
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   Author: Jonathan Davies <jonathan.davies at canonical.com>
+#           Ryan Harper <ryan.harper at canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/authentication>
+  #include <abstractions/openssl>
+  #include <abstractions/p11-kit>
+
+  capability ipc_lock,
+  capability net_admin,
+  capability net_raw,
+
+  # allow priv dropping (LP: #1333655)
+  capability chown,
+  capability setgid,
+  capability setuid,
+
+  # libcharon-extra-plugins: xauth-pam
+  capability audit_write,
+
+  # libstrongswan-standard-plugins: agent
+  capability dac_override,
+
+  capability net_admin,
+  capability net_raw,
+
+  network,
+  network raw,
+
+  /bin/dash                 rmPUx,
+
+  # libchron-extra-plugins: kernel-libipsec
+  /dev/net/tun              rw,
+
+  /etc/ipsec.conf           r,
+  /etc/ipsec.secrets        r,
+  /etc/ipsec.*.secrets      r,
+  /etc/ipsec.d/             r,
+  /etc/ipsec.d/**           r,
+  /etc/ipsec.d/crls/*       rw,
+  /etc/opensc/opensc.conf   r,
+  /etc/strongswan.conf      r,
+  /etc/strongswan.d/        r,
+  /etc/strongswan.d/**      r,
+  /etc/tnc_config           r,
+
+  /proc/sys/net/core/xfrm_acq_expires   w,
+
+  /run/charon.*             rw,
+  /run/pcscd/pcscd.comm     rw,
+
+  /usr/lib/ipsec/charon     rmix,
+  /usr/lib/ipsec/imcvs/     r,
+  /usr/lib/ipsec/imcvs/**   rm,
+
+  /usr/lib/*/opensc-pkcs11.so rm,
+
+  /var/lib/strongswan/*     r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.charon-systemd>
+}
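Review bot: `capability net_admin,` and `capability net_raw,` are granted twice in this profile — once near the top of the block and again just before the `network,` rules — so the second pair is redundant and should be dropped to keep the rule set readable. `/usr/lib/ipsec/charon rmix,` looks like a leftover from the /usr/lib/ipsec/charon profile this was copied from; if charon-systemd never executes that binary the rule can go, and if it does, a comment saying why would help. `flags=(complain,attach_disconnected)` means this profile only logs denials and enforces nothing until the flag is removed, which is a reasonable staging choice given the limited testing described in the commit message, but it deserves a header comment such as `# complain mode: copied from usr.lib.ipsec.charon, not yet validated against all plugins`. The comment `# libchron-extra-plugins: kernel-libipsec` should read `libcharon-extra-plugins`.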
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
new file mode 100644
index 0000000..627f5c0
--- /dev/null
+++ b/debian/usr.sbin.swanctl
@@ -0,0 +1,32 @@
+#include <tunables/global>
+
+/usr/sbin/swanctl {
+  #include <abstractions/base>
+
+  # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
+  #include <abstractions/ssl_certs>
+
+  # CAP_DAC_OVERRIDE is needed for optional charon.user/charon.group
+  # configuration
+  capability dac_override,
+
+  # Allow reading strongswan.conf configuration files
+  /etc/strongswan.conf          r,
+  /etc/strongswan.d/            r,
+  /etc/strongswan.d/**          r,
+
+  # All reading configuration, certificate, and key files beneath /etc/swanctl/
+  /etc/swanctl/**               r,
+
+  # Allow communication with VICI plugin UNIX domain socket
+  /run/charon.vici              rw,
+
+  # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
+  # plugins are actually used by swanctl.  The following can be removed if
+  # plugin loading is disabled.
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.swanctl>
+}
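Review bot: The comment above `/etc/swanctl/** r,` reads `# All reading configuration, certificate, and key files beneath /etc/swanctl/` and should say `# Allow reading configuration, certificate, and key files beneath /etc/swanctl/`, matching the other comments in the profile. This profile carries no `flags=`, so unlike the charon-systemd profile added in the same commit it is enforced as soon as it is loaded; that asymmetry is worth a one-line comment next to `/usr/sbin/swanctl {` so the next reader does not assume both profiles were staged the same way. Only paths beneath /etc/swanctl/ and /etc/strongswan.d/ are readable, so if swanctl is invoked with an alternate configuration file location (where it supports one) the read will be denied under enforcement — a short note on the `/etc/swanctl/**` rule pointing at `local/usr.sbin.swanctl` for site-specific paths would save some debugging.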
