Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / third_party / tlsdate / 16928d7e10c97b5d6f293dc1e96614f94e553c38 / . / apparmor-profile
blob: 0e5be3bbd14bf958081866a165d2bb0a2755c553 [file] [log] [blame]
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]1#
2# AppArmor tlsdate profile for Ubuntu 11.04 and later
3#
4# This program is free software; you can redistribute it and/or
5# modify it under the terms of version 2 of the GNU General Public
6# License published by the Free Software Foundation.
7#
8
9#include <tunables/global>
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]10/usr/bin/tlsdate {
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]11 #include <abstractions/consoles>
12 #include <abstractions/ssl_certs>
13
14 capability sys_time,
15 capability setgid,
16 capability setuid,
17 capability sys_chroot,
18
19 # IPv4 TCP
20 network inet stream,
21 # IPv4 UDP for DNS resolution
22 network inet dgram,
Jacob Appelbaumc3457b52012-07-15 14:26:05 +0200[diff] [blame]23 # IPv6 TCP
24 network inet6 stream,
25 # IPv6 UDP
26 network inet6 dgram,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]27
28 # Required for gethostbyname
29 /etc/resolv.conf r,
30 /etc/nsswitch.conf r,
31 /etc/localtime r,
32 /etc/nsswitch.conf r,
33 /etc/hosts r,
34 /etc/host.conf r,
35
36 # Allow reading public certs but not private keys
37 /etc/ssl/certs/* r,
38 /usr/share/ca-certificates/*/** r,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]39
40 # Allow reading of /etc/tlsdate/
41 /etc/tlsdate/*/** r,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]42
43 # Required for getpwnam
44 /etc/passwd r,
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]45 /etc/group r,
Jacob Appelbaum05ba51a2012-07-15 14:48:26 +0200[diff] [blame]46 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]47
48 # Allow reading of libs and /tmp
49 /etc/ld.so.cache r,
50
51 # Random number generation requires these two
52 /dev/random r,
53 /dev/urandom r,
54
55 # Allow mapping of shared libraries
56 /lib/* rm,
57 /lib32/* rm,
58 /lib64/* rm,
59 /usr/lib/* rm,
60 /lib/x86_64-linux-gnu/* rm,
61
62 # We'll allow tlsdate to write a new root to chroot into
63 /tmp/ r,
64 owner /tmp/tlsdate_*/ rw,
65
Jacob Appelbaumb15f3d02012-07-15 14:16:57 +0200[diff] [blame]66 # We'll allow tlsdate to exec tlsdate-helper
Jacob Appelbaumed55cef2012-07-15 15:10:44 +0200[diff] [blame]67 /usr/bin/tlsdate-helper ixm,
68 /usr/bin/tlsdate ixm,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]69}
70
71/usr/bin/tlsdate-helper {
72 #include <abstractions/consoles>
73 #include <abstractions/ssl_certs>
74
75 capability sys_time,
76 capability setgid,
77 capability setuid,
78 capability sys_chroot,
79
80 # IPv4 TCP
81 network inet stream,
82 # IPv4 UDP for DNS resolution
83 network inet dgram,
84 # IPv6 TCP
85 network inet6 stream,
86 # IPv6 UDP
87 network inet6 dgram,
88
89 # Required for gethostbyname
90 /etc/resolv.conf r,
91 /etc/nsswitch.conf r,
92 /etc/localtime r,
93 /etc/nsswitch.conf r,
94 /etc/hosts r,
95 /etc/host.conf r,
96
97 # Allow reading public certs but not private keys
98 /etc/ssl/certs/* r,
99 /usr/share/ca-certificates/*/** r,
100
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]101 # Allow reading of /etc/tlsdate/
102 /etc/tlsdate/*/** r,
103
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]104 # Required for getpwnam
105 /etc/passwd r,
106 /etc/group r,
Jacob Appelbaumc7ba6d62012-10-31 01:11:42 +0100[diff] [blame]107 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]108
109 # Allow reading of libs and /tmp
110 /etc/ld.so.cache r,
111
112 # Random number generation requires these two
113 /dev/random r,
114 /dev/urandom r,
115
116 # Allow mapping of shared libraries
117 /lib/* rm,
118 /lib32/* rm,
119 /lib64/* rm,
120 /usr/lib/* rm,
Jacob Appelbaumba605772012-08-01 23:05:04 -0700[diff] [blame]121 /usr/local/lib/* rm,
Jacob Appelbaum2e7fb1f2012-07-15 14:46:26 +0200[diff] [blame]122 /lib/x86_64-linux-gnu/* rm,
123
124 # We'll allow tlsdate to write a new root to chroot into
125 /tmp/ r,
126 owner /tmp/tlsdate_*/ rw,
Jacob Appelbaumed52c632012-01-29 22:49:35 -0800[diff] [blame]127}
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]128
129/usr/bin/tlsdated {
130 #include <abstractions/consoles>
131 #include <abstractions/ssl_certs>
132
133 capability sys_time,
134 capability setgid,
135 capability setuid,
136 capability sys_chroot,
137
138 # IPv4 TCP
139 network inet stream,
140 # IPv4 UDP for DNS resolution
141 network inet dgram,
142 # IPv6 TCP
143 network inet6 stream,
144 # IPv6 UDP
145 network inet6 dgram,
146
147 # Required for gethostbyname
148 /etc/resolv.conf r,
149 /etc/nsswitch.conf r,
150 /etc/localtime r,
151 /etc/nsswitch.conf r,
152 /etc/hosts r,
153 /etc/host.conf r,
154
155 # Allow reading public certs but not private keys
156 /etc/ssl/certs/* r,
157 /usr/share/ca-certificates/*/** r,
158
159 # Allow reading of /etc/tlsdate/
160 /etc/tlsdate/*/** r,
161
162 # Required for getpwnam
163 /etc/passwd r,
164 /etc/group r,
Jacob Appelbaumc7ba6d62012-10-31 01:11:42 +0100[diff] [blame]165 /proc/sys/kernel/ngroups_max r,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]166
167 # Allow reading of libs and /tmp
168 /etc/ld.so.cache r,
169
170 # Random number generation requires these two
171 /dev/random r,
172 /dev/urandom r,
173
Jacob Appelbaum1f364682012-10-31 00:40:50 +0100[diff] [blame]174 # RTC
175 /dev/rtc0 rw,
176
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]177 # Allow mapping of shared libraries
178 /lib/* rm,
179 /lib32/* rm,
180 /lib64/* rm,
181 /usr/lib/* rm,
182 /usr/local/lib/* rm,
183 /lib/x86_64-linux-gnu/* rm,
184
185 # We'll allow tlsdate to write a new root to chroot into
186 /tmp/ r,
187 owner /tmp/tlsdate_*/ rw,
188
189 # We'll allow tlsdated to cache the time here
190 owner /var/cache/tlsdated/* rw,
Jacob Appelbaum8fbb4d12012-10-29 22:54:57 +0100[diff] [blame]191
Jacob Appelbaum16928d72013-01-22 21:45:20 +0100[diff] [blame^]192 # We'll allow tlsdated to exec tlsdate-helper
193 /usr/bin/tlsdate-dbus-announce ixm,
Jacob Appelbaum8fbb4d12012-10-29 22:54:57 +0100[diff] [blame]194 /usr/bin/tlsdate-routeup ixm,
195 /usr/bin/tlsdate-helper ixm,
196 /usr/bin/tlsdate ixm,
197}
198
Jacob Appelbaum8fbb4d12012-10-29 22:54:57 +0100[diff] [blame]199/usr/bin/tlsdate-routeup {
200 #include <abstractions/consoles>
201
202 # Allow reading of /etc/tlsdate/
203 /etc/tlsdate/*/** r,
204
205 # Allow reading of libs and /tmp
206 /etc/ld.so.cache r,
207
208 # Random number generation requires these two
209 /dev/random r,
210 /dev/urandom r,
211
212 # Allow mapping of shared libraries
213 /lib/* rm,
214 /lib32/* rm,
215 /lib64/* rm,
216 /usr/lib/* rm,
217 /lib/x86_64-linux-gnu/* rm,
Jacob Appelbaum4aa98992012-10-29 21:54:30 +0100[diff] [blame]218}
Jacob Appelbaum16928d72013-01-22 21:45:20 +0100[diff] [blame^]219
220/usr/bin/tlsdate-dbus-announce {
221 #include <abstractions/consoles>
222
223 # Allow reading of /etc/tlsdate/
224 /etc/tlsdate/*/** r,
225
226 # Allow reading of libs and /tmp
227 /etc/ld.so.cache r,
228
229 # Allow mapping of shared libraries
230 /lib/* rm,
231 /lib32/* rm,
232 /lib64/* rm,
233 /usr/lib/* rm,
234 /lib/x86_64-linux-gnu/* rm,
235}