Added AppArmor policy
authorMichael Rash <mbr@cipherdyne.org>
Mon, 19 Aug 2013 02:58:10 +0000 (22:58 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Mon, 19 Aug 2013 02:58:10 +0000 (22:58 -0400)
This commit adds an AppArmor policy that is known to work on Debian and Ubuntu
systems.  The original version of this policy was contributed by Radostan Riedel
to the fwknop mailing list.

extras/apparmor/usr.sbin.fwknopd [new file with mode: 0644]

diff --git a/extras/apparmor/usr.sbin.fwknopd b/extras/apparmor/usr.sbin.fwknopd
new file mode 100644 (file)
index 0000000..e00a0ea
--- /dev/null
@@ -0,0 +1,31 @@
+# Last Modified: Sun Aug 18 22:54:57 2013
+# Assumes fwknopd was built with:
+#    './configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var'
+#include <tunables/global>
+
+/usr/sbin/fwknopd {
+  #include <abstractions/base>
+
+  capability ipc_lock,
+  capability net_admin,
+  capability net_raw,
+
+  network inet raw,
+  network packet raw,
+
+  /bin/dash rix,
+  /bin/bash rix,
+  /etc/fwknop/access.conf r,
+  /etc/fwknop/fwknopd.conf r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/protocols r,
+  /root/.gnupg/* rw,
+  /run/fwknop/ rw,
+  /run/fwknop/* rwk,
+  /sbin/xtables-multi rix,
+  /usr/bin/gpg rix,
+  /usr/sbin/fwknopd mr,
+  /var/cache/nscd/passwd r,
+
+}
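Review bot: The `/root/.gnupg/* rw` rule near the end of the hunk uses a single-component glob, so AppArmor will deny access to anything gpg keeps in a subdirectory of that keyring (`*` does not cross `/`, `**` does), and it hardcodes the root user's home, which presumably only holds when fwknopd runs as root with its default GPG home directory. A comment stating both assumptions would let operators adapt the profile deliberately rather than by chasing denials, e.g. `# GPG keyring: assumes fwknopd runs as root with the default GPG home; widen to /root/.gnupg/** only if gpg needs subdirectories`. The three `capability` lines (`ipc_lock`, `net_admin`, `net_raw`) are likewise undocumented; a one-line comment per capability naming the fwknopd operation that requires it would make future tightening of the profile safer. Since the profile header carries no `flags=(complain)`, it enforces as soon as it is loaded, so any path missing here surfaces as an audit-log denial rather than a silent failure — worth stating in the header comment next to the configure assumptions.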