From a6add70310280a6a4eebd1f5d0a9b1777ff67ae1 Mon Sep 17 00:00:00 2001
From: Philippe Pittoli
Date: Sun, 22 Dec 2024 20:19:30 +0100
Subject: [PATCH] Add `AppArmor` profile for `authd`.
---
 apparmor.d/boilerplate | 15 +++++++++++++++
 apparmor.d/dnsmanager | 27 +++++++++++++++++++++++++++
 apparmor.d/usr.local.bin.authd | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 apparmor.d/boilerplate
 create mode 100644 apparmor.d/dnsmanager
 create mode 100644 apparmor.d/usr.local.bin.authd
diff --git a/apparmor.d/boilerplate b/apparmor.d/boilerplate
new file mode 100644
index 0000000..c929f0c
--- /dev/null
+++ b/apparmor.d/boilerplate
@@ -0,0 +1,15 @@
+# This file is related to the `Baguette` project (authd, dnsmanagerd…).
+# It is a way to avoid the long and complex default configuration files provided
+# by the system. Allowed operations can be known in a matter of seconds.
+
+# Accept basically all available libraries.
+@{BASE_LIBS}=/{,usr/,usr/local/}lib{,32,64}/*.so* /usr/lib/x86_64*/*.so* /etc/ld*
+
+# Enable reading files from different places required by the libraries I use,
+# which may be the Crystal standard library itself.
+@{BASE_RO}=/dev/{,u}random /dev/pts/* /proc/** /etc/localtime /usr/share/zoneinfo/**
+@{BASE_RW}=/dev/{null,zero,full}
+
+# Found in other profiles:
+# Recent glibc uses /dev/full in preference to /dev/null for programs
+# that don't have open fds at exec().
diff --git a/apparmor.d/dnsmanager b/apparmor.d/dnsmanager
new file mode 100644
index 0000000..bb217af
--- /dev/null
+++ b/apparmor.d/dnsmanager
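Review bot: `@{BASE_RO}` puts `/proc/**` into the read set of every profile that includes this file, which lets a confined daemon read other processes' `/proc/<pid>/cmdline`, `environ`, `maps` and the like (limited only by DAC), far more than a runtime needs for its own process. Drop `/proc/**` from the variable and grant the process-local part in the profile instead, e.g. `owner /proc/@{pid}/** r,` (or `@{PROC}/@{pid}/**` if `tunables/global` is included, which the stripped `include` lines in this patch do not show), then add the handful of system-wide `/proc` entries actually observed in complain-mode logs. Separately, `/etc/ld*` only needs `r`: listed under `@{BASE_LIBS}` it receives `mr` (map-as-executable) that `ld.so.cache`/`ld.so.conf` never use, so it belongs in `@{BASE_RO}`.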
@@ -0,0 +1,27 @@
+# Main configuration directory.
+@{MAIN_CONF_DIR}=@{HOME}/.config/baguette
+
+# Main configuration files.
+@{AUTHD_CONFIG}=@{MAIN_CONF_DIR}/auth.yml
+@{DNSMANAGERD_CONFIG}=@{MAIN_CONF_DIR}/dnsmanager.yml
+
+# Databases.
+@{AUTHD_DB_PATH}=@{HOME}/tmp/db-authd
+@{DNSMANAGERD_DB_PATH}=@{HOME}/tmp/db-dnsmanagerd
+
+# Key to encrypt passwords.
+@{AUTHD_DB_KEY}=@{MAIN_CONF_DIR}/authd-db-key
+
+# DNS templates (read-only entries).
+@{DNSMANAGERD_TEMPLATES}=@{MAIN_CONF_DIR}/templates/*.json
+
+# Logs.
+@{LOGS_DIR}=@{HOME}/tmp/logs
+@{AUTHD_LOGS}=@{LOGS_DIR}/auth
+@{DNSMANAGERD_LOGS}=@{LOGS_DIR}/dnsmanager
+
+# Mailer for authd.
+@{MAILER}=/{usr,usr/local}/bin/mailer
+
+# IPC-related directory (see libipc(7)).
+@{LIBIPC_DIR}=/tmp/.libipc-run/
diff --git a/apparmor.d/usr.local.bin.authd b/apparmor.d/usr.local.bin.authd
new file mode 100644
index 0000000..ece7ab4
--- /dev/null
+++ b/apparmor.d/usr.local.bin.authd
@@ -0,0 +1,33 @@
+abi ,
+
+include
+include
+include
+
+/usr/local/bin/authd flags=(enforce) {
+ # See the file `boilerplate`.
+ @{BASE_LIBS} mr,
+ @{BASE_RO} r,
+ @{BASE_RW} rw,
+
+ # Allow IPC-related unix sockets.
+ owner @{LIBIPC_DIR}/* rwk,
+
+ # Enable all unix socket operations. TODO: restrict this even further?
+ unix,
+
+ # Deny networking (udp and tcp).
+ deny network tcp,
+ deny network udp,
+
+ # Enable to read the configuration (and the database key).
+ owner @{AUTHD_CONFIG} r,
+ owner @{AUTHD_DB_KEY} r,
+
+ # Database and logs.
+ owner @{AUTHD_DB_PATH}/** rwkl,
+ owner @{AUTHD_LOGS} w,
+
+ # Enable authd to send mails.
+ @{MAILER} ux,
+}
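Review bot: `@{LIBIPC_DIR}=/tmp/.libipc-run/` fixes the IPC rendezvous point at a predictable name inside world-writable `/tmp`, so any local user can pre-create `/tmp/.libipc-run/` (or a socket name under it) before the daemon starts; the `owner` qualifier in the consuming profile stops the daemon from touching files it does not own, but it cannot undo the squat or keep a client from connecting to an impostor socket. If libipc's location is configurable, point this at a directory not shared with other users, e.g. `/run/libipc/` for a system service or the per-user runtime directory (`@{run}/user/@{uid}/libipc/` when `tunables/global` is included); otherwise add a comment stating that the directory is trusted to be created by libipc with correct ownership and mode. On naming: this file is called `dnsmanager` yet defines the `@{AUTHD_*}`, `@{MAILER}` and `@{LIBIPC_DIR}` variables used by `usr.local.bin.authd`, so a shared name such as `tunables/baguette` would make the dependency visible.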