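#
# AppArmor tlsdate profile for Debian GNU/Linux
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# Three profiles live here: tlsdate (one-shot client), tlsdate-helper
# and tlsdated (the daemon).  They share the same NSS, certificate,
# library and RNG read rules, so keep the three copies in step when
# changing one.  The helper is executed with "ix" from tlsdate and
# tlsdated, which makes the child run under the *parent's* profile; the
# standalone tlsdate-helper profile therefore only applies when the
# helper is launched directly.

#include <tunables/global>
#include <tunables/multiarch.d>

/usr/bin/tlsdate {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setuid/setgid: privilege drop;
  # sys_chroot: jail under the owner-writable /tmp/tlsdate_*/ below
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname.  /run/resolvconf/resolv.conf is listed
  # alongside /etc/resolv.conf because on resolvconf systems the latter
  # is a symlink into /run and AppArmor matches the resolved path.
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of subdirectories of /etc/tlsdate/.  Note the glob
  # does not match files placed directly in /etc/tlsdate/ itself.
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into: only the
  # directory entry itself, and only when tlsdate owns it
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdate to exec tlsdate-helper (and re-exec itself);
  # "ix" keeps the child confined by this profile
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}

/usr/bin/tlsdate-helper {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setuid/setgid: privilege drop;
  # sys_chroot: jail under the owner-writable /tmp/tlsdate_*/ below
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname (see the tlsdate profile for why both
  # resolv.conf paths are needed)
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of subdirectories of /etc/tlsdate/ (not files placed
  # directly in /etc/tlsdate/ itself)
  /etc/tlsdate/*/** r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into: only the
  # directory entry itself, and only when the helper owns it
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,
}

/usr/sbin/tlsdated {
  #include <abstractions/consoles>
  #include <abstractions/ssl_certs>

  # sys_time: set the clock; setuid/setgid: privilege drop;
  # sys_chroot: jail under the owner-writable /tmp/tlsdate_*/ below
  capability sys_time,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # IPv4 TCP
  network inet stream,
  # IPv4 UDP for DNS resolution
  network inet dgram,
  # IPv6 TCP
  network inet6 stream,
  # IPv6 UDP
  network inet6 dgram,

  # Required for gethostbyname.  /run/resolvconf/resolv.conf is granted
  # here as in the other two profiles, so that name resolution also
  # works when /etc/resolv.conf is a symlink into /run.
  /etc/resolv.conf r,
  /run/resolvconf/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/localtime r,
  /etc/hosts r,
  /etc/host.conf r,

  # Allow reading public certs but not private keys
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/*/** r,

  # Allow reading of subdirectories of /etc/tlsdate/; the daemon's own
  # config sits directly in /etc/tlsdate/, which the glob does not
  # cover, hence the explicit rule
  /etc/tlsdate/*/** r,
  /etc/tlsdate/tlsdated.conf r,

  # Required for getpwnam
  /etc/passwd r,
  /etc/group r,
  /proc/sys/kernel/ngroups_max r,

  # tlsdated looks into proc for answers
  /proc/meminfo r,

  # Dynamic loader cache
  /etc/ld.so.cache r,

  # Random number generation requires these two
  /dev/random r,
  /dev/urandom r,

  # RTC
  /dev/rtc0 rw,
  /dev/rtc1 rw,

  # Allow mapping of shared libraries
  /lib{,32,64}/* rm,
  /usr/lib/* rm,
  /lib/@{multiarch}/* rm,
  /usr/lib/@{multiarch}/* rm,

  # We'll allow tlsdate to write a new root to chroot into: only the
  # directory entry itself, and only when tlsdated owns it
  /tmp/ r,
  owner /tmp/tlsdate_*/ rw,

  # We'll allow tlsdated to cache the time here (write only as owner)
  owner /var/cache/tlsdated/* rw,
  # We'll allow the unprivileged helper to read the time
  /var/cache/tlsdated/* r,

  # We'll allow tlsdated to exec tlsdate-helper (and tlsdate); "ix"
  # keeps the children confined by this profile
  /usr/bin/tlsdate-helper ixm,
  /usr/bin/tlsdate ixm,
}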