author | Christian Ehrhardt <christian.ehrhardt@canonical.com> | 2016-12-19 16:21:01 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2016-12-21 11:31:23 +0100 |
commit | 9e71a10822db1d8ce399ac85c1d6c13863987be0 (patch) | |
tree | d824f1bf39eaaf164880d854a29cdb95daed19fe | |
parent | 821cb0af7404c56c04d511b02a98be96fa446104 (diff) | |
* add and install apparmor profiles
- d/rules install AppArmor profiles
- d/control add dh-apparmor build-dep
- d/usr.lib.ipsec.{charon, lookip, stroke} add latest AppArmor profiles
for charon, lookip and stroke
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-rw-r--r-- | debian/control | 1 | ||||
-rw-r--r-- | debian/libcharon-extra-plugins.install | 1 | ||||
-rwxr-xr-x | debian/rules | 5 | ||||
-rw-r--r-- | debian/strongswan-charon.install | 1 | ||||
-rw-r--r-- | debian/strongswan-starter.install | 1 | ||||
-rw-r--r-- | debian/usr.lib.ipsec.charon | 76 | ||||
-rw-r--r-- | debian/usr.lib.ipsec.lookip | 22 | ||||
-rw-r--r-- | debian/usr.lib.ipsec.stroke | 28 |
8 files changed, 135 insertions, 0 deletions
diff --git a/debian/control b/debian/control
index 3ce3ed87a..b169badde 100644
--- a/debian/control
+++ b/debian/control
@@ -11,6 +11,7 @@ Vcs-Git: git://anonscm.debian.org/pkg-swan/strongswan.git
 Build-Depends: bison,
 bzip2,
 debhelper (>= 9.20151219),
+ dh-apparmor,
 dh-autoreconf,
 dh-systemd (>= 1.5),
 dpkg-dev (>= 1.16.2),
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
index a429c4e3d..7b0bd2be6 100644
--- a/debian/libcharon-extra-plugins.install
+++ b/debian/libcharon-extra-plugins.install
@@ -38,6 +38,7 @@ etc/strongswan.d/charon/lookip.conf
 etc/strongswan.d/charon/tnc-tnccs.conf
 etc/strongswan.d/charon/unity.conf
 etc/strongswan.d/charon/xauth-*.conf
+debian/usr.lib.ipsec.lookip /etc/apparmor.d/
 # support libs
 #usr/lib/ipsec/libfast.so*
 usr/lib/ipsec/libpttls.so*
diff --git a/debian/rules b/debian/rules
index 3eeadf7fb..00aed577c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -176,6 +176,11 @@ endif
 -Xlibstrongswan-af-alg.so -X af-alg.conf \
 -Xstrongswan.service
 
+ # AppArmor.
+ dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
+ dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
+ dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
+
 # add additional files not covered by upstream makefile...
 install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 # also "patch" ipsec.conf to include the debconf-managed file
diff --git a/debian/strongswan-charon.install b/debian/strongswan-charon.install
index c1bdaf346..cd4ca6cac 100644
--- a/debian/strongswan-charon.install
+++ b/debian/strongswan-charon.install
@@ -3,3 +3,4 @@ usr/share/strongswan/templates/config/strongswan.d/charon.conf
 usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon.conf
+debian/usr.lib.ipsec.charon /etc/apparmor.d/
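Review bot: The `# AppArmor.` comment above the three dh_apparmor calls in the debian/rules hunk does not say that each `--profile-name` must match the file the corresponding `*.install` entry ships into /etc/apparmor.d/ (usr.lib.ipsec.charon, .lookip, .stroke), nor that dh_apparmor only adds the maintainer-script snippets that load the profile and does not install the file itself; someone renaming a profile on one side will not know to change the other. Suggest `# AppArmor: profiles are shipped by debian/*.install into /etc/apparmor.d/; dh_apparmor adds the postinst/postrm (re)load snippets, so --profile-name must match the installed file name`. The recipe these lines belong to starts before the hunk, so which debhelper override runs them is not visible here.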
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index dad52d648..7b02b0a8e 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -20,3 +20,4 @@ usr/lib/ipsec/stroke
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
 usr/share/strongswan/templates/config/plugins/stroke.conf
 etc/strongswan.d/charon/stroke.conf
+debian/usr.lib.ipsec.stroke /etc/apparmor.d/
diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
new file mode 100644
index 000000000..9e24c744d
--- /dev/null
+++ b/debian/usr.lib.ipsec.charon
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+# Ryan Harper <ryan.harper@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/charon flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/authentication>
+ #include <abstractions/openssl>
+ #include <abstractions/p11-kit>
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ # allow priv dropping (LP: #1333655)
+ capability chown,
+ capability setgid,
+ capability setuid,
+
+ # libcharon-extra-plugins: xauth-pam
+ capability audit_write,
+
+ # libstrongswan-standard-plugins: agent
+ capability dac_override,
+
+ capability net_admin,
+ capability net_raw,
+
+ network,
+ network raw,
+
+ /bin/dash rmPUx,
+
+ # libchron-extra-plugins: kernel-libipsec
+ /dev/net/tun rw,
+
+ /etc/ipsec.conf r,
+ /etc/ipsec.secrets r,
+ /etc/ipsec.*.secrets r,
+ /etc/ipsec.d/ r,
+ /etc/ipsec.d/** r,
+ /etc/ipsec.d/crls/* rw,
+ /etc/opensc/opensc.conf r,
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+ /etc/tnc_config r,
+
+ /proc/sys/net/core/xfrm_acq_expires w,
+
+ /run/charon.* rw,
+ /run/pcscd/pcscd.comm rw,
+
+ /usr/lib/ipsec/charon rmix,
+ /usr/lib/ipsec/imcvs/ r,
+ /usr/lib/ipsec/imcvs/** rm,
+
+ /usr/lib/*/opensc-pkcs11.so rm,
+
+ /var/lib/strongswan/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.charon>
+}
diff --git a/debian/usr.lib.ipsec.lookip b/debian/usr.lib.ipsec.lookip
new file mode 100644
index 000000000..de104331c
--- /dev/null
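Review bot: `capability net_admin,` and `capability net_raw,` are listed twice in the charon profile (in the first capability group and again after the `agent` entry), and `network raw,` is already covered by the unqualified `network,` rule directly above it; the duplicates are accepted by the parser but make the granted set harder to audit, so drop the second pair and the `network raw,` line. The `/bin/dash rmPUx,` rule is the entry that most needs a why-comment: `PUx` falls back to an unconfined transition when no profile exists for the shell, so whatever charon runs through it (presumably the updown scripts) executes outside this profile, and a comment such as `# helper scripts run via the shell; PUx leaves them unconfined when /bin/dash has no profile of its own` would record that this widening is intentional. The comment `# libchron-extra-plugins: kernel-libipsec` also misspells the package name (libcharon).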
+++ b/debian/usr.lib.ipsec.lookip
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/lookip {
+ #include <abstractions/base>
+
+ /run/charon.lkp rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.lookip>
+}
diff --git a/debian/usr.lib.ipsec.stroke b/debian/usr.lib.ipsec.stroke
new file mode 100644
index 000000000..9d20ee7c9
--- /dev/null
+++ b/debian/usr.lib.ipsec.stroke
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/stroke flags=(attach_disconnected) {
+ #include <abstractions/base>
+
+ capability dac_override,
+
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ /run/charon.ctl rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.stroke>
+}
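Review bot: `capability dac_override,` in the stroke profile has no justification, whereas the charon profile annotates every capability beyond the networking set with the plugin or bug that needs it; dac_override lets the confined process bypass file permission checks, so the reason belongs next to the rule, e.g. `# needed to open /run/charon.ctl when charon runs under a non-root user (LP: #1333655) — confirm`. If the socket turns out to be reachable through the `/run/charon.ctl rw,` rule alone, the capability should be dropped instead. The lookip profile in the same hunk run needs no change.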