Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd.

The AppArmor profile for charon-systemd was copied from the existing
profile for /usr/lib/ipsec/charon without much scrutiny other than
testing basic IPsec tunnels (no fancy plugin options were tested). It
appears that the team at Canonical that had written the
/usr/lib/ipsec/charon policy had done extensive testing with several
plugins, and it seems likely that applying the same profile to
charon-systemd will allow those plugins to continue to work.

The AppArmor profile for swanctl was written from scratch and well
tested. It turns out that swanctl unnecessarily loads plugins by
default, so a bit of frivolous access has been granted.

1 files changed, 32 insertions, 0 deletions

diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
new file mode 100644
index 000000000..627f5c0b3
--- /dev/null
+++ b/debian/usr.sbin.swanctl
@@ -0,0 +1,32 @@
+#include <tunables/global>
+
+/usr/sbin/swanctl {
+  #include <abstractions/base>
+
+  # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
+  #include <abstractions/ssl_certs>
+
+  # CAP_DAC_OVERRIDE is needed for optional charon.user/charon.group
+  # configuration
+  capability dac_override,
+
+  # Allow reading strongswan.conf configuration files
+  /etc/strongswan.conf          r,
+  /etc/strongswan.d/            r,
+  /etc/strongswan.d/**          r,
+
+  # All reading configuration, certificate, and key files beneath /etc/swanctl/
+  /etc/swanctl/**               r,
+
+  # Allow communication with VICI plugin UNIX domain socket
+  /run/charon.vici              rw,
+
+  # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
+  # plugins are actually used by swanctl.  The following can be removed if
+  # plugin loading is disabled.
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.swanctl>
+}