| field | value | date |
|---|---|---|
| author | Gerald Turner <gturner@unzane.com> | 2017-05-11 17:15:09 -0700 |
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-06-30 13:52:01 +0200 |
| commit | b8ac1d49802dbadecb1805baf4d6ca0ac7735ef0 (patch) | |
| tree | 27e0c6b8e2deedf49416a40a933a7f22b8174cec /debian/usr.sbin.charon-systemd | |
| parent | 784751a50713ae63faeb9aac3b0d77581324e70e (diff) | |
| download | vyos-strongswan-b8ac1d49802dbadecb1805baf4d6ca0ac7735ef0.tar.gz vyos-strongswan-b8ac1d49802dbadecb1805baf4d6ca0ac7735ef0.zip | |
Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd.
The AppArmor profile for charon-systemd was copied from the existing
profile for /usr/lib/ipsec/charon without much scrutiny other than
testing basic IPsec tunnels (no fancy plugin options were tested). It
appears that the team at Canonical that had written the
/usr/lib/ipsec/charon policy had done extensive testing with several
plugins, and it seems likely that applying the same profile to
charon-systemd will allow those plugins to continue to work.
The AppArmor profile for swanctl was written from scratch and well
tested. It turns out that swanctl unnecessarily loads plugins by
default, so a bit of frivolous access has been granted.
Diffstat (limited to 'debian/usr.sbin.charon-systemd')
-rw-r--r-- | debian/usr.sbin.charon-systemd | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd new file mode 100644 index 000000000..e1769f29f --- /dev/null +++ b/debian/usr.sbin.charon-systemd 
@@ -0,0 +1,76 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# Author: Jonathan Davies <jonathan.davies@canonical.com> +# Ryan Harper <ryan.harper@canonical.com> +# +# ------------------------------------------------------------------ + +#include <tunables/global> + +/usr/sbin/charon-systemd flags=(complain,attach_disconnected) { + #include <abstractions/base> + #include <abstractions/nameservice> + #include <abstractions/authentication> + #include <abstractions/openssl> + #include <abstractions/p11-kit> + + capability ipc_lock, + capability net_admin, + capability net_raw, + + # allow priv dropping (LP: #1333655) + capability chown, + capability setgid, + capability setuid, + + # libcharon-extra-plugins: xauth-pam + capability audit_write, + + # libstrongswan-standard-plugins: agent + capability dac_override, + + capability net_admin, + capability net_raw, + + network, + network raw, + + /bin/dash rmPUx, + + # libchron-extra-plugins: kernel-libipsec + /dev/net/tun rw, + + /etc/ipsec.conf r, + /etc/ipsec.secrets r, + /etc/ipsec.*.secrets r, + /etc/ipsec.d/ r, + /etc/ipsec.d/** r, + /etc/ipsec.d/crls/* rw, + /etc/opensc/opensc.conf r, + /etc/strongswan.conf r, + /etc/strongswan.d/ r, + /etc/strongswan.d/** r, + /etc/tnc_config r, + + /proc/sys/net/core/xfrm_acq_expires w, + + /run/charon.* rw, + /run/pcscd/pcscd.comm rw, + + /usr/lib/ipsec/charon rmix, + /usr/lib/ipsec/imcvs/ r, + /usr/lib/ipsec/imcvs/** rm, + + /usr/lib/*/opensc-pkcs11.so rm, + + /var/lib/strongswan/* r, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.charon-systemd> +} |
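Review bot: `capability net_admin,` and `capability net_raw,` are granted twice in this profile (once near the top, again right after `capability dac_override,`); the second pair is redundant and should be dropped. On the same hunk, the comment `# libchron-extra-plugins: kernel-libipsec` misspells `libcharon-extra-plugins`, and the execute rules `/bin/dash rmPUx,` and `/usr/lib/ipsec/charon rmix,` look carried over from the legacy /usr/lib/ipsec/charon profile: `PUx` lets the daemon run a shell unconfined whenever no profile for /bin/dash is loaded, and the `ix` rule lets charon-systemd exec the old charon binary under its own confinement, so please confirm each is actually needed by charon-systemd and remove whichever is not, so the new profile grants no more than the daemon uses. Since the profile ships with `flags=(complain,attach_disconnected)`, denials are only logged rather than blocked, which is consistent with the commit message's note that the rules were not scrutinised, but it would help to document when the profile is expected to move to enforce mode.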