| # |
| # AppArmor tlsdate profile for Ubuntu 11.04 and later |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of version 2 of the GNU General Public |
| # License published by the Free Software Foundation. |
| # |
| |
| #include <tunables/global> |
| /usr/bin/tlsdate { |
| #include <abstractions/consoles> |
| #include <abstractions/ssl_certs> |
| |
| capability sys_time, |
| capability setgid, |
| capability setuid, |
| capability sys_chroot, |
| |
| # IPv4 TCP |
| network inet stream, |
| # IPv4 UDP for DNS resolution |
| network inet dgram, |
| # IPv6 TCP |
| network inet6 stream, |
| # IPv6 UDP |
| network inet6 dgram, |
| |
| # Required for gethostbyname |
| /etc/resolv.conf r, |
| /etc/nsswitch.conf r, |
| /etc/localtime r, |
| /etc/nsswitch.conf r, |
| /etc/hosts r, |
| /etc/host.conf r, |
| |
| # Allow reading public certs but not private keys |
| /etc/ssl/certs/* r, |
| /usr/share/ca-certificates/*/** r, |
| |
| # Allow reading of /etc/tlsdate/ |
| /etc/tlsdate/*/** r, |
| |
| # Required for getpwnam |
| /etc/passwd r, |
| /etc/group r, |
| /proc/sys/kernel/ngroups_max r, |
| |
| # Allow reading of libs and /tmp |
| /etc/ld.so.cache r, |
| |
| # Random number generation requires these two |
| /dev/random r, |
| /dev/urandom r, |
| |
| # Allow mapping of shared libraries |
| /lib/* rm, |
| /lib32/* rm, |
| /lib64/* rm, |
| /usr/lib/* rm, |
| /lib/x86_64-linux-gnu/* rm, |
| |
| # We'll allow tlsdate to write a new root to chroot into |
| /tmp/ r, |
| owner /tmp/tlsdate_*/ rw, |
| |
| # We'll allow tlsdate to exec tlsdate-helper |
| /usr/bin/tlsdate-helper ixm, |
| /usr/bin/tlsdate ixm, |
| } |
| |
| /usr/bin/tlsdate-helper { |
| #include <abstractions/consoles> |
| #include <abstractions/ssl_certs> |
| |
| capability sys_time, |
| capability setgid, |
| capability setuid, |
| capability sys_chroot, |
| |
| # IPv4 TCP |
| network inet stream, |
| # IPv4 UDP for DNS resolution |
| network inet dgram, |
| # IPv6 TCP |
| network inet6 stream, |
| # IPv6 UDP |
| network inet6 dgram, |
| |
| # Required for gethostbyname |
| /etc/resolv.conf r, |
| /etc/nsswitch.conf r, |
| /etc/localtime r, |
| /etc/nsswitch.conf r, |
| /etc/hosts r, |
| /etc/host.conf r, |
| |
| # Allow reading public certs but not private keys |
| /etc/ssl/certs/* r, |
| /usr/share/ca-certificates/*/** r, |
| |
| # Allow reading of /etc/tlsdate/ |
| /etc/tlsdate/*/** r, |
| |
| # Required for getpwnam |
| /etc/passwd r, |
| /etc/group r, |
| /proc/sys/kernel/ngroups_max r, |
| |
| # Allow reading of libs and /tmp |
| /etc/ld.so.cache r, |
| |
| # Random number generation requires these two |
| /dev/random r, |
| /dev/urandom r, |
| |
| # Allow mapping of shared libraries |
| /lib/* rm, |
| /lib32/* rm, |
| /lib64/* rm, |
| /usr/lib/* rm, |
| /usr/local/lib/* rm, |
| /lib/x86_64-linux-gnu/* rm, |
| |
| # We'll allow tlsdate to write a new root to chroot into |
| /tmp/ r, |
| owner /tmp/tlsdate_*/ rw, |
| } |
| |
| /usr/bin/tlsdated { |
| #include <abstractions/consoles> |
| #include <abstractions/ssl_certs> |
| |
| capability sys_time, |
| capability setgid, |
| capability setuid, |
| capability sys_chroot, |
| |
| # IPv4 TCP |
| network inet stream, |
| # IPv4 UDP for DNS resolution |
| network inet dgram, |
| # IPv6 TCP |
| network inet6 stream, |
| # IPv6 UDP |
| network inet6 dgram, |
| |
| # Required for gethostbyname |
| /etc/resolv.conf r, |
| /etc/nsswitch.conf r, |
| /etc/localtime r, |
| /etc/nsswitch.conf r, |
| /etc/hosts r, |
| /etc/host.conf r, |
| |
| # Allow reading public certs but not private keys |
| /etc/ssl/certs/* r, |
| /usr/share/ca-certificates/*/** r, |
| |
| # Allow reading of /etc/tlsdate/ |
| /etc/tlsdate/*/** r, |
| /etc/tlsdate/tlsdated.conf r, |
| |
| # Required for getpwnam |
| /etc/passwd r, |
| /etc/group r, |
| /proc/sys/kernel/ngroups_max r, |
| |
| # tlsdated looks into proc for answers |
| /proc/meminfo r, |
| |
| # Allow reading of libs and /tmp |
| /etc/ld.so.cache r, |
| |
| # Random number generation requires these two |
| /dev/random r, |
| /dev/urandom r, |
| |
| # RTC |
| /dev/rtc0 rw, |
| |
| # Allow mapping of shared libraries |
| /lib/* rm, |
| /lib32/* rm, |
| /lib64/* rm, |
| /usr/lib/* rm, |
| /usr/local/lib/* rm, |
| /lib/x86_64-linux-gnu/* rm, |
| |
| # We'll allow tlsdate to write a new root to chroot into |
| /tmp/ r, |
| owner /tmp/tlsdate_*/ rw, |
| |
| # We'll allow tlsdated to cache the time here |
| owner /var/cache/tlsdated/* rw, |
| |
| # We'll allow tlsdated to exec tlsdate-helper |
| /usr/bin/tlsdate-dbus-announce ixm, |
| /usr/bin/tlsdate-routeup ixm, |
| /usr/bin/tlsdate-helper ixm, |
| /usr/bin/tlsdate ixm, |
| } |
| |
| /usr/bin/tlsdate-routeup { |
| #include <abstractions/consoles> |
| |
| # Allow reading of /etc/tlsdate/ |
| /etc/tlsdate/*/** r, |
| |
| # Allow reading of libs and /tmp |
| /etc/ld.so.cache r, |
| |
| # Random number generation requires these two |
| /dev/random r, |
| /dev/urandom r, |
| |
| # Allow mapping of shared libraries |
| /lib/* rm, |
| /lib32/* rm, |
| /lib64/* rm, |
| /usr/lib/* rm, |
| /lib/x86_64-linux-gnu/* rm, |
| } |
| |
| /usr/bin/tlsdate-dbus-announce { |
| #include <abstractions/consoles> |
| |
| # Allow reading of /etc/tlsdate/ |
| /etc/tlsdate/*/** r, |
| |
| # Allow reading of libs and /tmp |
| /etc/ld.so.cache r, |
| |
| # Allow mapping of shared libraries |
| /lib/* rm, |
| /lib32/* rm, |
| /lib64/* rm, |
| /usr/lib/* rm, |
| /lib/x86_64-linux-gnu/* rm, |
| } |