AppArmor Profiles

Merge lp:~elmo/apparmor-profiles/bprobe into lp:apparmor-profiles

  1. bprobe
  2. Merge into master
Proposed by James Troup
Status: Needs review
Proposed branch: lp:~elmo/apparmor-profiles/bprobe
Merge into: lp:apparmor-profiles
Diff against target: 141 lines (+127/-0)
3 files modified
ubuntu/10.04/usr.local.bin.bprobe (+43/-0)
ubuntu/12.04/usr.local.bin.bprobe (+42/-0)
ubuntu/8.04/usr.local.bin.bprobe (+42/-0)
To merge this branch: bzr merge lp:~elmo/apparmor-profiles/bprobe
Reviewer Review Type Date Requested Status
AppArmor Developers Pending
Review via email: mp+127090@code.launchpad.net

Description of the change

An apparmor profile for bprobe, the client side agent of Boundary (http://boundary.com/). bprobe uses libpcap, so the profile looks superficially similar to tcpdump but is more restrictive. I've included versions for 8.04, 10.04 and 12.04, i.e. all current LTSes. All have been tested and are in use in production.

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Excellent comments, good descriptions, but I'm concerned/surprised about a /usr/local/bin/ profile -- seems to somewhat violate the idea that /usr/local is for admins.

Thanks!

Reply
Revision history for this message
James Troup (elmo) wrote :

> Excellent comments, good descriptions, but I'm concerned/surprised
> about a /usr/local/bin/ profile -- seems to somewhat violate the
> idea that /usr/local is for admins.

Ah, sorry, I did mean to mention that. The Debian/Ubuntu packages
that Boundary provide unfortunately install bprobe into
/usr/local/bin. I've suggested to them that they either use /usr/sbin
or /opt, but I don't think fixing it (and/or FHS and Debian/Ubuntu
policy) is high on their list of concerns right now.

If the consensus is that the profile should have a sane name
regardless of the current state of the packages, I'm happy to fix up
my branch.

Reply

Unmerged revisions

104. By James Troup

Add profiles for bprobe (the Boundary client-side agent).

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'ubuntu/10.04/usr.local.bin.bprobe'
2--- ubuntu/10.04/usr.local.bin.bprobe 1970-01-01 00:00:00 +0000
3+++ ubuntu/10.04/usr.local.bin.bprobe 2012-09-29 03:20:23 +0000
4@@ -0,0 +1,43 @@
5+# vim:syntax=apparmor
6+# Author: James Troup <james.troup@canonical.com>
7+
8+#include <tunables/global>
9+
10+/usr/local/bin/bprobe {
11+ #include <abstractions/base>
12+ #include <abstractions/nameservice>
13+
14+ capability net_admin,
15+ capability net_raw,
16+ capability setgid,
17+ capability setuid,
18+ capability sys_module,
19+
20+ network packet dgram,
21+ network packet raw,
22+
23+ /usr/local/bin/bprobe mr,
24+ /usr/local/lib/lib*so* mr,
25+
26+ /etc/bprobe/* r,
27+ /var/run/bprobe.pid w,
28+
29+ # These files are used to determine basic system information
30+ # that's sent up to Boundary and used in e.g. dynamic groups
31+ /etc/issue r,
32+ /sys/devices/system/cpu/ r,
33+ /sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq r,
34+
35+ # for finding an interface
36+ @{PROC}/[0-9]*/net/dev r,
37+ /sys/class/net/ r,
38+
39+ # for tracing USB bus, which libpcap supports
40+ /dev/usbmon* r,
41+ /dev/bus/usb/ r,
42+ /dev/bus/usb/** r,
43+ /sys/bus/usb/devices/ r,
44+
45+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
46+ /dev/bus/usb/**/[0-9]* w,
47+}
48
49=== added file 'ubuntu/12.04/usr.local.bin.bprobe'
50--- ubuntu/12.04/usr.local.bin.bprobe 1970-01-01 00:00:00 +0000
51+++ ubuntu/12.04/usr.local.bin.bprobe 2012-09-29 03:20:23 +0000
52@@ -0,0 +1,42 @@
53+# vim:syntax=apparmor
54+# Author: James Troup <james.troup@canonical.com>
55+
56+#include <tunables/global>
57+
58+/usr/local/bin/bprobe {
59+ #include <abstractions/base>
60+ #include <abstractions/nameservice>
61+
62+ capability net_admin,
63+ capability net_raw,
64+ capability setgid,
65+ capability setuid,
66+ capability sys_module,
67+
68+ network packet dgram,
69+ network packet raw,
70+
71+ /usr/local/bin/bprobe mr,
72+ /usr/local/lib/lib*so* mr,
73+
74+ /etc/bprobe/* r,
75+ /run/bprobe.pid w,
76+
77+ # These two files are used to determine basic system information
78+ # that's sent up to Boundary and used in e.g. dynamic groups
79+ /etc/issue r,
80+ /sys/devices/system/cpu/ r,
81+
82+ # for finding an interface
83+ @{PROC}/[0-9]*/net/dev r,
84+ /sys/class/net/ r,
85+
86+ # for tracing USB bus, which libpcap supports
87+ /dev/usbmon* r,
88+ /dev/bus/usb/ r,
89+ /dev/bus/usb/** r,
90+ /sys/bus/usb/devices/ r,
91+
92+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
93+ /dev/bus/usb/**/[0-9]* w,
94+}
95
96=== added file 'ubuntu/8.04/usr.local.bin.bprobe'
97--- ubuntu/8.04/usr.local.bin.bprobe 1970-01-01 00:00:00 +0000
98+++ ubuntu/8.04/usr.local.bin.bprobe 2012-09-29 03:20:23 +0000
99@@ -0,0 +1,42 @@
100+# vim:syntax=apparmor
101+# Author: James Troup <james.troup@canonical.com>
102+
103+#include <tunables/global>
104+
105+/usr/local/bin/bprobe {
106+ #include <abstractions/base>
107+ #include <abstractions/nameservice>
108+
109+ capability net_admin,
110+ capability net_raw,
111+ capability setgid,
112+ capability setuid,
113+ capability sys_module,
114+
115+ network packet dgram,
116+ network packet raw,
117+
118+ /usr/local/bin/bprobe mr,
119+ /usr/local/lib/lib*so* mr,
120+
121+ /etc/bprobe/* r,
122+ /var/run/bprobe.pid w,
123+
124+ # These two files are used to determine basic system information
125+ # that's sent up to Boundary and used in e.g. dynamic groups
126+ /etc/issue r,
127+ /sys/devices/system/cpu/ r,
128+
129+ # for finding an interface
130+ @{PROC}/net/dev r,
131+ /sys/class/net/ r,
132+
133+ # for tracing USB bus, which libpcap supports
134+ /dev/usbmon* r,
135+ /dev/bus/usb/ r,
136+ /dev/bus/usb/** r,
137+ /sys/bus/usb/devices/ r,
138+
139+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
140+ /dev/bus/usb/**/[0-9]* w,
141+}

Subscribers

People subscribed via source and target branches

to status/vote changes: