Add AppArmor
profile for authd
.
This commit is contained in:
parent
ecdc3bdc68
commit
a6add70310
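--- /dev/null
+++ b/apparmor.d/boilerplate
@@ -0,0 +1,15 @@
+# This file is related to the `Baguette` project (authd, dnsmanagerd…).
+# It is a way to avoid the long and complex default configuration files provided
+# by the system. Allowed operations can be known in a matter of seconds.
+
+# Accept basically all available libraries.
+@{BASE_LIBS}=/{,usr/,usr/local/}lib{,32,64}/*.so* /usr/lib/x86_64*/*.so* /etc/ld*
+
+# Enable reading files from different places required by the libraries I use,
+# which may be the Crystal standard library itself.
+@{BASE_RO}=/dev/{,u}random /dev/pts/* /proc/** /etc/localtime /usr/share/zoneinfo/**
+@{BASE_RW}=/dev/{null,zero,full}
+
+# Found in other profiles:
+# Recent glibc uses /dev/full in preference to /dev/null for programs
+# that don't have open fds at exec().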
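Review bot: `/proc/**` in the `@{BASE_RO}` definition is granted `r` by every profile built on this boilerplate, which lets a confined process read any other process's `/proc/<pid>/cmdline`, `environ`, `maps` and similar entries that DAC allows — far wider than the own-process state a language runtime normally reads. A variable cannot carry the `owner` qualifier, so the narrowing belongs in the profiles: drop `/proc/**` here and grant `owner @{PROC}/@{pid}/** r,` plus whatever sysctl values the Crystal runtime actually reads (both tunables come from `tunables/global`, which the authd profile includes before this file); the exact set should be confirmed with `aa-logprof` from a complain-mode run. `/dev/pts/*` has the same cross-user reach and would be better expressed as an `owner` rule in the profile. Separately, `/usr/lib/x86_64*/*.so*` covers only the top-level multiarch directory on one architecture; `/usr/lib/@{multiarch}/**.so*` is the portable form and also picks up libraries in subdirectories such as `gconv/`.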
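--- /dev/null
+++ b/apparmor.d/dnsmanager
@@ -0,0 +1,27 @@
+# Main configuration directory.
+@{MAIN_CONF_DIR}=@{HOME}/.config/baguette
+
+# Main configuration files.
+@{AUTHD_CONFIG}=@{MAIN_CONF_DIR}/auth.yml
+@{DNSMANAGERD_CONFIG}=@{MAIN_CONF_DIR}/dnsmanager.yml
+
+# Databases.
+@{AUTHD_DB_PATH}=@{HOME}/tmp/db-authd
+@{DNSMANAGERD_DB_PATH}=@{HOME}/tmp/db-dnsmanagerd
+
+# Key to encrypt passwords.
+@{AUTHD_DB_KEY}=@{MAIN_CONF_DIR}/authd-db-key
+
+# DNS templates (read-only entries).
+@{DNSMANAGERD_TEMPLATES}=@{MAIN_CONF_DIR}/templates/*.json
+
+# Logs.
+@{LOGS_DIR}=@{HOME}/tmp/logs
+@{AUTHD_LOGS}=@{LOGS_DIR}/auth
+@{DNSMANAGERD_LOGS}=@{LOGS_DIR}/dnsmanager
+
+# Mailer for authd.
+@{MAILER}=/{usr,usr/local}/bin/mailer
+
+# IPC-related directory (see libipc(7)).
+@{LIBIPC_DIR}=/tmp/.libipc-run/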
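Review bot: `@{LIBIPC_DIR}=/tmp/.libipc-run/` pins the IPC rendezvous point to a fixed name inside the world-writable `/tmp`, so any local user can pre-create the directory (or plant sockets in it) before authd starts; the `owner` qualifier on the profile's rule limits which entries authd may touch but cannot stop the directory itself from being attacker-owned. If libipc's location is configurable, a root-owned, non-sticky path such as `/run/libipc/` is the safer default and this variable should follow it; if the path is dictated by libipc(7), the hazard at least deserves a comment here. Separately, this file consumes `@{HOME}` (and `@{MAIN_CONF_DIR}`, `@{AUTHD_CONFIG}` and the others chain on it) without defining it, so it is only valid when included after `tunables/global`, as the authd profile does — a one-line comment stating that ordering requirement, `# Must be included after <tunables/global> (uses @{HOME}).`, would prevent the obvious mistake. If these helper files are installed at the top level of `/etc/apparmor.d/`, a directory-wide `apparmor_parser -r` will also try to parse them as profile files; placing them under a subdirectory such as `abstractions/` avoids that, though I cannot see the install layout from this commit.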
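--- /dev/null
+++ b/apparmor.d/usr.local.bin.authd
@@ -0,0 +1,33 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+include <dnsmanager>
+include <boilerplate>
+
+/usr/local/bin/authd flags=(enforce) {
+# See the file `boilerplate`.
+@{BASE_LIBS} mr,
+@{BASE_RO} r,
+@{BASE_RW} rw,
+
+# Allow IPC-related unix sockets.
+owner @{LIBIPC_DIR}/* rwk,
+
+# Enable all unix socket operations. TODO: restrict this even further?
+unix,
+
+# Deny networking (udp and tcp).
+deny network tcp,
+deny network udp,
+
+# Enable to read the configuration (and the database key).
+owner @{AUTHD_CONFIG} r,
+owner @{AUTHD_DB_KEY} r,
+
+# Database and logs.
+owner @{AUTHD_DB_PATH}/** rwkl,
+owner @{AUTHD_LOGS} w,
+
+# Enable authd to send mails.
+@{MAILER} ux,
+}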
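Review bot: `@{MAILER} ux,` at the end of the profile runs the mailer completely unconfined and lets it inherit authd's environment, so any code-execution bug in authd that reaches an exec of `/usr/bin/mailer` or `/usr/local/bin/mailer` leaves the sandbox entirely — including the `deny network tcp,` / `deny network udp,` rules above, which do not apply to an unconfined child. Prefer a transition into a dedicated mailer profile, `@{MAILER} Px,`, or at minimum scrub the environment with `@{MAILER} Ux,` (the capitalised forms drop `LD_PRELOAD` and similar variables before the exec). The bare `unix,` rule grants every socket operation on every address, including abstract sockets belonging to other confined processes; if libipc only uses filesystem sockets under `@{LIBIPC_DIR}`, `unix (create, bind, listen, accept, connect, send, receive) type=stream,` would narrow it, though I cannot confirm libipc's needs from this commit. Note also that `owner @{LIBIPC_DIR}/* rwk,` matches entries inside the directory but not the directory path itself, so if authd creates `/tmp/.libipc-run/` it will additionally need `owner @{LIBIPC_DIR} w,`. Finally, `owner @{AUTHD_LOGS} w,` also permits truncating the log; `a` (append-only) is enough for a logger and keeps a compromised authd from erasing its own trail, provided the program does not open the file with `O_TRUNC`.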