-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | debian/charon-systemd.install | 1 | ||||
-rwxr-xr-x | debian/rules | 2 | ||||
-rw-r--r-- | debian/strongswan-swanctl.install | 1 | ||||
-rw-r--r-- | debian/usr.sbin.charon-systemd | 76 | ||||
-rw-r--r-- | debian/usr.sbin.swanctl | 32 |
6 files changed, 115 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 885fa760a..0161c00ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,7 +14,9 @@ strongswan (5.5.3-3) UNRELEASED; urgency=medium
 upstream to install configuration to output logging information to the journal.
 * debian/charon-systemd.install:
- - install charon-systemd.conf files, thanks Gerald Tuner. closes: #866325
+ - install charon-systemd.conf files, thanks Gerald Turner. closes: #866325
+ * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner.
+ closes: #866327
 -- Yves-Alexis Perez <corsac@debian.org> Wed, 28 Jun 2017 22:57:48 +0200
diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install
index 6ab3af8f1..a1424ab88 100644
--- a/debian/charon-systemd.install
+++ b/debian/charon-systemd.install
@@ -2,3 +2,4 @@ etc/strongswan.d/charon-systemd.conf
 lib/systemd/system/strongswan-swanctl.service
 usr/sbin/charon-systemd
 usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf
+debian/usr.sbin.charon-systemd /etc/apparmor.d/
diff --git a/debian/rules b/debian/rules
index 0e848e6f8..9913de61d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -183,6 +183,8 @@ endif
 dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
 dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
 dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
+ dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl
+ dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd
 # add additional files not covered by upstream makefile...
 install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
diff --git a/debian/strongswan-swanctl.install b/debian/strongswan-swanctl.install
index c1a348826..184ae88da 100644
--- a/debian/strongswan-swanctl.install
+++ b/debian/strongswan-swanctl.install
@@ -8,3 +8,4 @@ usr/share/man/man8/swanctl.8
 usr/sbin/swanctl
 usr/lib/ipsec/libvici.so*
 usr/lib/ipsec/plugins/libstrongswan-vici.so
+debian/usr.sbin.swanctl /etc/apparmor.d/
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
new file mode 100644
index 000000000..e1769f29f
--- /dev/null
+++ b/debian/usr.sbin.charon-systemd
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+# Ryan Harper <ryan.harper@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/authentication>
+ #include <abstractions/openssl>
+ #include <abstractions/p11-kit>
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ # allow priv dropping (LP: #1333655)
+ capability chown,
+ capability setgid,
+ capability setuid,
+
+ # libcharon-extra-plugins: xauth-pam
+ capability audit_write,
+
+ # libstrongswan-standard-plugins: agent
+ capability dac_override,
+
+ capability net_admin,
+ capability net_raw,
+
+ network,
+ network raw,
+
+ /bin/dash rmPUx,
+
+ # libchron-extra-plugins: kernel-libipsec
+ /dev/net/tun rw,
+
+ /etc/ipsec.conf r,
+ /etc/ipsec.secrets r,
+ /etc/ipsec.*.secrets r,
+ /etc/ipsec.d/ r,
+ /etc/ipsec.d/** r,
+ /etc/ipsec.d/crls/* rw,
+ /etc/opensc/opensc.conf r,
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+ /etc/tnc_config r,
+
+ /proc/sys/net/core/xfrm_acq_expires w,
+
+ /run/charon.* rw,
+ /run/pcscd/pcscd.comm rw,
+
+ /usr/lib/ipsec/charon rmix,
+ /usr/lib/ipsec/imcvs/ r,
+ /usr/lib/ipsec/imcvs/** rm,
+
+ /usr/lib/*/opensc-pkcs11.so rm,
+
+ /var/lib/strongswan/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.charon-systemd>
+}
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
new file mode 100644
index 000000000..627f5c0b3
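Review bot: The profile header `/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {` puts the daemon in complain mode, so every rule below it only logs denials and confines nothing; if that is a deliberate first step it should be stated on the line, e.g. `# complain mode for the initial release; switch to enforce once the rule set has been exercised`, otherwise `complain` should be dropped. `capability net_admin,` and `capability net_raw,` appear twice in the body, and `network raw,` is already covered by the bare `network,` rule, so one copy of each is redundant. `/bin/dash rmPUx,` lets the daemon execute a shell unconfined whenever no profile exists for dash, which is presumably for updown scripts; that is the broadest grant in the profile and deserves a why-comment such as `# updown scripts; runs unconfined unless a dash profile is loaded`. The comment `# libchron-extra-plugins: kernel-libipsec` misspells libcharon.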
--- /dev/null
+++ b/debian/usr.sbin.swanctl
@@ -0,0 +1,32 @@
+#include <tunables/global>
+
+/usr/sbin/swanctl {
+ #include <abstractions/base>
+
+ # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
+ #include <abstractions/ssl_certs>
+
+ # CAP_DAC_OVERRIDE is needed for optional charon.user/charon.group
+ # configuration
+ capability dac_override,
+
+ # Allow reading strongswan.conf configuration files
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ # All reading configuration, certificate, and key files beneath /etc/swanctl/
+ /etc/swanctl/** r,
+
+ # Allow communication with VICI plugin UNIX domain socket
+ /run/charon.vici rw,
+
+ # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
+ # plugins are actually used by swanctl. The following can be removed if
+ # plugin loading is disabled.
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.swanctl>
+} |
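Review bot: The comment above `/etc/swanctl/** r,` reads `# All reading configuration, certificate, and key files beneath /etc/swanctl/` and should read `# Allow reading ...`. Since that single rule is also what grants read access to the private keys under /etc/swanctl/private/, it is worth naming that explicitly, e.g. `# Allow reading configuration, certificates and private keys beneath /etc/swanctl/`, so a later reviewer does not try to narrow it without realising what it covers. Note that, unlike the charon-systemd profile in this series, this one carries no `complain` flag and is enforced as soon as it is loaded, which is fine but worth a line in the changelog entry.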