Merge lp:~dobey/tarmac/add-apparmor into lp:tarmac

Proposed by dobey
Status: Merged
Approved by: dobey
Approved revision: 410
Merged at revision: 412
Proposed branch: lp:~dobey/tarmac/add-apparmor
Merge into: lp:tarmac
Diff against target: 71 lines (+54/-1)
2 files modified
data/tarmac.apparmor (+50/-0)
setup.py (+4/-1)
To merge this branch: bzr merge lp:~dobey/tarmac/add-apparmor
Reviewer | Review Type | Date Requested | Status
Manuel de la Peña | community | | Approve
Seth Arnold | community | | Approve
Review via email: mp+193323@code.launchpad.net

Commit message

Add an apparmor profile for tarmac.

Description of the change

This adds an apparmor profile for tarmac, and its children (as executed by the command.py plug-in). There is probably a lot more the profile could do here, but I don't know apparmor well enough to really lock things down and keep allowing the ability to run arbitrary things (like python/cmake/qmake/etc…).

I think this is a reasonable start though.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

This is a great start; tarmac's children are confined to the tarmac_child profile, and the broad /** rmix, rule will keep everything confined to that child. The #include <abstractions/private-files-strict> provides some assurance that tarmac's children won't be able to easily impersonate a developer who might run tarmac.

I am a little worried about the attachment specification "/**/tarmac" -- if tarmac is being packaged probably the full path should be known and used instead. (aa-logprof does not handle these paths well, if I recall correctly, but apparmor_parser and the kernel will handle it fine.) Consider changing this in the future.

Looks great. Thanks!

review: Approve
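The confinement Seth describes above (deny rules for .bzr, the tarmac config and cache overriding the broad `/** rmix,` allow in tarmac_child) can be checked offline with a small static model of AppArmor path matching. This is an added example, not tarmac's own code: it copies the tarmac_child rules from the diff, models only `*`, `**`, `?`, @{HOME} (expanded to a constructed /home/builder) and deny-beats-allow precedence, and ignores exec modes and the `owner` qualifier.

```python
import re

# Added example: a tiny static model of AppArmor path matching, used to check
# the tarmac_child rules from the proposed profile. It models only '*', '**',
# '?', @{HOME} and deny-beats-allow precedence; exec modes (ix/Cx) and the
# 'owner' qualifier are ignored, and @{HOME} is a constructed value.
HOME = "/home/builder"

# (is_deny, path glob, permission letters), copied from the tarmac_child profile
TARMAC_CHILD_RULES = [
    (False, "/**/", "r"),
    (False, "/**", "rmix"),
    (True, "@{HOME}/.bazaar/**", "mrukl"),
    (True, "@{HOME}/.bzr*", "mrukl"),
    (True, "/**/.bzr/**", "mrukl"),
    (True, "@{HOME}/.cache/tarmac/**", "mrukl"),
    (True, "@{HOME}/.config/tarmac/**", "mrukl"),
    (True, "/tmp/tarmac/merge.**", "mrukl"),
    (True, "/var/cache/tarmac/**", "mrukl"),
    (False, "/tmp/tarmac/branch.**", "rwl"),
]


def glob_to_regex(pattern):
    """Translate an AppArmor path glob to an anchored regex:
    '**' may cross '/', while '*' and '?' may not."""
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def check_access(path, perm, rules=TARMAC_CHILD_RULES):
    """Return 'deny', 'allow' or 'no-rule' for one permission letter on a path.
    As in AppArmor, any matching deny rule wins over matching allow rules."""
    matching = [is_deny for is_deny, glob, perms in rules
                if perm in perms and glob_to_regex(glob).match(path)]
    if any(matching):
        return "deny"
    return "allow" if matching else "no-rule"
```

For instance, `check_access("/tmp/tarmac/branch.42/.bzr/checkout/dirstate", "r")` returns `"deny"` even though the branch allow rule matches, while `setup.py` in the same checkout is writable.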
Manuel de la Peña (mandel) :
review: Approve

Preview Diff

1=== added directory 'data'
2=== added file 'data/tarmac.apparmor'
3--- data/tarmac.apparmor 1970-01-01 00:00:00 +0000
4+++ data/tarmac.apparmor 2013-10-30 19:45:01 +0000
5@@ -0,0 +1,50 @@
6+#include <tunables/global>
7+
8+/**/tarmac {
9+ #include <abstractions/base>
10+ #include <abstractions/python>
11+ #include <abstractions/private-files-strict>
12+
13+ @{HOME}/.cache/tarmac/ w,
14+ @{HOME}/.cache/tarmac/** rwl,
15+
16+ @{HOME}/.config/tarmac/ w,
17+ @{HOME}/.config/tarmac/** rwl,
18+
19+ owner /tmp/tarmac/ w,
20+ owner /tmp/tarmac/** rwl,
21+
22+ owner /var/cache/tarmac/ w,
23+ owner /var/cache/tarmac/** rwl,
24+
25+ /** Cx -> tarmac_child,
26+
27+ profile tarmac_child {
28+ #include <abstractions/base>
29+ #include <abstractions/bash>
30+ #include <abstractions/dbus-session>
31+ #include <abstractions/gnome>
32+ #include <abstractions/kde>
33+ #include <abstractions/perl>
34+ #include <abstractions/python>
35+ #include <abstractions/private-files-strict>
36+
37+ # Need to be able exec most anything, which unfortunately
38+ # requires a lot of read permissions
39+ /**/ r,
40+ /** rmix,
41+
42+ # Don't allow access to bzr
43+ audit deny @{HOME}/.bazaar/** mrukl,
44+ audit deny @{HOME}/.bzr* mrukl,
45+ audit deny /**/.bzr/** mrukl,
46+
47+ # Don't allow subprocesses to access the tarmac config, or cache
48+ audit deny @{HOME}/.cache/tarmac/** mrukl,
49+ audit deny @{HOME}/.config/tarmac/** mrukl,
50+ audit deny /tmp/tarmac/merge.** mrukl,
51+ audit deny /var/cache/tarmac/** mrukl,
52+
53+ owner /tmp/tarmac/branch.** rwl,
54+ }
55+}
56
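Review bot: The deny rules in tarmac_child override the later `owner /tmp/tarmac/branch.** rwl,` allow, because AppArmor gives deny precedence regardless of rule order, so `audit deny /**/.bzr/** mrukl,` also blocks a child from reading the .bzr directory of the very checkout it is building in; if build or test scripts are expected to run bzr inside the branch they will fail (with audit log noise), so either state in the comment above the deny block that this is intended or carve out the checkout's .bzr path. Smaller point: the parent profile grants only `w` on the `@{HOME}/.cache/tarmac/`, `@{HOME}/.config/tarmac/`, `/tmp/tarmac/` and `/var/cache/tarmac/` directories themselves, which lets tarmac create them but not list their contents; use `rw` if tarmac enumerates those directories.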
57=== modified file 'setup.py'
58--- setup.py 2013-10-30 14:14:25 +0000
59+++ setup.py 2013-10-30 19:45:01 +0000
60@@ -36,7 +36,10 @@
61 #data_files=[('share/tarmac/', ['tarmac-web']),
62 # ('share/tarmac/templates/', ['templates/index.html']),
63 # ],
64- data_files=[('share/man/man1', ['docs/tarmac.1'])],
65+ data_files=[
66+ ('share/man/man1', ['docs/tarmac.1']),
67+ ('/etc/apparmor.d', ['data/tarmac.apparmor']),
68+ ],
69 long_description='''
70 Tarmac is a series of scripts to facilitate the landing of Bazaar
71 branches in Launchpad (https://launchpad.net).''',
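Review bot: The absolute `/etc/apparmor.d` entry in data_files will make non-root, virtualenv and `--user` installs fail with a permission error, since distutils installs absolute data_files paths as-is rather than under the install prefix; consider shipping the profile under `share/tarmac/` (or making the entry conditional) and letting distro packaging place it in /etc/apparmor.d. It is also worth documenting that installing the file does not load it: the profile only takes effect after `apparmor_parser -r /etc/apparmor.d/tarmac.apparmor` or a reboot.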
