Add AppArmor profile for authd.
This commit is contained in:
parent
ecdc3bdc68
commit
a6add70310
15
apparmor.d/boilerplate
Normal file
15
apparmor.d/boilerplate
Normal file
@ -0,0 +1,15 @@
|
||||
# This file is related to the `Baguette` project (authd, dnsmanagerd…).
|
||||
# It is a way to avoid the long and complex default configuration files provided
|
||||
# by the system. Allowed operations can be known in a matter of seconds.
|
||||
|
||||
# Accept basically all available libraries.
|
||||
@{BASE_LIBS}=/{,usr/,usr/local/}lib{,32,64}/*.so* /usr/lib/x86_64*/*.so* /etc/ld*
|
||||
|
||||
# Enable reading files from different places required by the libraries I use,
|
||||
# which may be the Crystal standard library itself.
|
||||
@{BASE_RO}=/dev/{,u}random /dev/pts/* /proc/** /etc/localtime /usr/share/zoneinfo/**
|
||||
@{BASE_RW}=/dev/{null,zero,full}
|
||||
|
||||
# Found in other profiles:
|
||||
# Recent glibc uses /dev/full in preference to /dev/null for programs
|
||||
# that don't have open fds at exec().
|
||||
27
apparmor.d/dnsmanager
Normal file
27
apparmor.d/dnsmanager
Normal file
@ -0,0 +1,27 @@
|
||||
# Main configuration directory.
|
||||
@{MAIN_CONF_DIR}=@{HOME}/.config/baguette
|
||||
|
||||
# Main configuration files.
|
||||
@{AUTHD_CONFIG}=@{MAIN_CONF_DIR}/auth.yml
|
||||
@{DNSMANAGERD_CONFIG}=@{MAIN_CONF_DIR}/dnsmanager.yml
|
||||
|
||||
# Databases.
|
||||
@{AUTHD_DB_PATH}=@{HOME}/tmp/db-authd
|
||||
@{DNSMANAGERD_DB_PATH}=@{HOME}/tmp/db-dnsmanagerd
|
||||
|
||||
# Key to encrypt passwords.
|
||||
@{AUTHD_DB_KEY}=@{MAIN_CONF_DIR}/authd-db-key
|
||||
|
||||
# DNS templates (read-only entries).
|
||||
@{DNSMANAGERD_TEMPLATES}=@{MAIN_CONF_DIR}/templates/*.json
|
||||
|
||||
# Logs.
|
||||
@{LOGS_DIR}=@{HOME}/tmp/logs
|
||||
@{AUTHD_LOGS}=@{LOGS_DIR}/auth
|
||||
@{DNSMANAGERD_LOGS}=@{LOGS_DIR}/dnsmanager
|
||||
|
||||
# Mailer for authd.
|
||||
@{MAILER}=/{usr,usr/local}/bin/mailer
|
||||
|
||||
# IPC-related directory (see libipc(7)).
|
||||
@{LIBIPC_DIR}=/tmp/.libipc-run/
|
||||
33
apparmor.d/usr.local.bin.authd
Normal file
33
apparmor.d/usr.local.bin.authd
Normal file
@ -0,0 +1,33 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
include <dnsmanager>
|
||||
include <boilerplate>
|
||||
|
||||
/usr/local/bin/authd flags=(enforce) {
|
||||
# See the file `boilerplate`.
|
||||
@{BASE_LIBS} mr,
|
||||
@{BASE_RO} r,
|
||||
@{BASE_RW} rw,
|
||||
|
||||
# Allow IPC-related unix sockets.
|
||||
owner @{LIBIPC_DIR}/* rwk,
|
||||
|
||||
# Enable all unix socket operations. TODO: restrict this even further?
|
||||
unix,
|
||||
|
||||
# Deny networking (udp and tcp).
|
||||
deny network tcp,
|
||||
deny network udp,
|
||||
|
||||
# Enable to read the configuration (and the database key).
|
||||
owner @{AUTHD_CONFIG} r,
|
||||
owner @{AUTHD_DB_KEY} r,
|
||||
|
||||
# Database and logs.
|
||||
owner @{AUTHD_DB_PATH}/** rwkl,
|
||||
owner @{AUTHD_LOGS} w,
|
||||
|
||||
# Enable authd to send mails.
|
||||
@{MAILER} ux,
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user