Ubuntu
vsftpd package

Merge lp:~jpds/ubuntu/trusty/vsftpd/apparmor-profile into lp:ubuntu/trusty/vsftpd

  1. Trusty (14.04)
  2. apparmor-profile
  3. Merge into trusty
Proposed by Jonathan Davies
Status: Needs review
Proposed branch: lp:~jpds/ubuntu/trusty/vsftpd/apparmor-profile
Merge into: lp:ubuntu/trusty/vsftpd
Diff against target: 100 lines (+69/-0)
4 files modified
debian/changelog (+6/-0)
debian/rules (+3/-0)
debian/usr.sbin.vsftpd (+59/-0)
debian/vsftpd.install (+1/-0)
To merge this branch: bzr merge lp:~jpds/ubuntu/trusty/vsftpd/apparmor-profile
Reviewer Review Type Date Requested Status
Jamie Strandboge Needs Fixing
Review via email: mp+199613@code.launchpad.net

Description of the change

AppArmor profile for vsftpd.

To post a comment you must log in.
lp:~jpds/ubuntu/trusty/vsftpd/apparmor-profile updated
45. By Jonathan Davies

Use full-path as the other definitions in .install do.

46. By Jonathan Davies

Allow vsftpd to do locks on FTP files.

47. By Jonathan Davies

Allow access to just network.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Looks good to me; "network," grants an awful lot of networking privileges, but this is better than nothing and unlikely to break any user sites. Thanks!

Reply
lp:~jpds/ubuntu/trusty/vsftpd/apparmor-profile updated
48. By Jonathan Davies

Use wutmp abstractions.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for this!

I think the profile looks ok overall, but I'm quite concerned about the impact on upgrades and new installations. Shipping an enforcing profile by default will break upgrades for sure because the vsftpd/directory may be non-standard. New installations will have the same problem (indeed, there is a debconf entry for this). This is a classic problem for shipping enforcing apparmor policy in highly configuratble and site-dependent server packages. I suggest that you do like we do with rsyslog (which is actually lower risk than vsftpd):
 * disable the profile on new installs
 * disable the profile on upgrades from versions of vsftpd which did not ship an apparmor profile

By doing this, users can opt in to the enforcing apparmor profile (eg, with aa-enforce) and that decision will be preserved on upgrades. The standard way of doing this is doing something like this in preinst:
disable_profile() {
    APP_CONFFILE="/etc/apparmor.d/..."
    APP_DISABLE="/etc/apparmor.d/disable/..."
    # Create a symlink to the yet-to-be-unpacked profile
    if [ ! -e "$APP_CONFFILE" ]; then
        mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
        ln -sf $APP_CONFFILE $APP_DISABLE
    fi
}

if [ "$1" = "install" ]; then
    # Disable AppArmor profile on install
    disable_profile
elif [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt "..." ; then
    # Disable AppArmor on upgrade from earlier than when we first shipped
    # the profile if the user does not already have a profile defined
    disable_profile
fi

review: Needs Fixing
Reply
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I also suggest sending this to the apparmor mailing list. AppArmor upstream has a profile for vsftpd in profiles/apparmor/profiles/extras/usr.sbin.vsftpd, but your's seems more complete and up to date. Thanks again :)

Reply

Unmerged revisions

48. By Jonathan Davies

Use wutmp abstractions.

47. By Jonathan Davies

Allow access to just network.

46. By Jonathan Davies

Allow vsftpd to do locks on FTP files.

45. By Jonathan Davies

Use full-path as the other definitions in .install do.

44. By Jonathan Davies

debian/* changes to install AppArmor profile into packaging.

43. By Jonathan Davies

Added AppArmor profile for vsftpd.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2013-05-08 14:08:53 +0000
3+++ debian/changelog 2013-12-19 23:57:15 +0000
4@@ -1,3 +1,9 @@
5+vsftpd (3.0.2-1ubuntu3) trusty; urgency=low
6+
7+ * debian/usr.sbin.vsftpd - Added AppArmor profile.
8+
9+ -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 19 Dec 2013 05:25:56 +0000
10+
11 vsftpd (3.0.2-1ubuntu2) saucy; urgency=low
12
13 * debian/patches/13-disable-clone-newpid.patch
14
15=== modified file 'debian/rules'
16--- debian/rules 2012-12-18 19:59:37 +0000
17+++ debian/rules 2013-12-19 23:57:15 +0000
18@@ -22,6 +22,9 @@
19 mkdir -p debian/vsftpd/etc/systemd/system
20 cp debian/vsftpd.systemd debian/vsftpd/etc/systemd/system/vsftpd.service
21
22+ # AppArmor.
23+ dh_apparmor --profile-name=usr.sbin.vsftpd -p vsftpd
24+
25 override_dh_installinit:
26 dh_installinit --update-rcd-params='start 20 2 3 4 5 . stop 80 1 .'
27
28
29=== added file 'debian/usr.sbin.vsftpd'
30--- debian/usr.sbin.vsftpd 1970-01-01 00:00:00 +0000
31+++ debian/usr.sbin.vsftpd 2013-12-19 23:57:15 +0000
32@@ -0,0 +1,59 @@
33+# ------------------------------------------------------------------
34+#
35+# Copyright (C) 2002-2005 Novell/SUSE
36+# Copyright (C) 2013 Canonical Ltd.
37+#
38+# This program is free software; you can redistribute it and/or
39+# modify it under the terms of version 2 of the GNU General Public
40+# License published by the Free Software Foundation.
41+#
42+# ------------------------------------------------------------------
43+
44+#include <tunables/global>
45+
46+/usr/sbin/vsftpd {
47+ #include <abstractions/base>
48+ #include <abstractions/nameservice>
49+ #include <abstractions/authentication>
50+ #include <abstractions/ssl_certs>
51+ #include <abstractions/ssl_keys>
52+ #include <abstractions/wutmp>
53+
54+ capability audit_write,
55+ capability setgid,
56+ capability setuid,
57+ capability sys_admin,
58+ capability sys_chroot,
59+
60+ network,
61+
62+ /dev/urandom r,
63+
64+ /etc/fstab r,
65+ /etc/ftpusers r,
66+ /etc/hosts.allow r,
67+ /etc/hosts.deny r,
68+ /etc/mtab r,
69+ /etc/shells r,
70+ /etc/vsftpd.* r,
71+ /etc/vsftpd/* r,
72+
73+ /usr/sbin/vsftpd rmix,
74+
75+ /var/log/vsftpd.log wk,
76+ /var/log/xferlog w,
77+ /var/run/vsftpd/ r,
78+ /var/run/vsftpd/** r,
79+
80+ # anon chroots
81+ / r,
82+ owner @{HOME}/ r,
83+ owner @{HOME}/** rwlk,
84+
85+ # 'ftp' user default home.
86+ /srv/ftp/ r,
87+ /srv/ftp/** rwlk,
88+
89+ # Site-specific additions and overrides. See local/README for details.
90+ #include <local/usr.sbin.vsftpd>
91+}
92
93=== modified file 'debian/vsftpd.install'
94--- debian/vsftpd.install 2009-07-20 01:32:58 +0000
95+++ debian/vsftpd.install 2013-12-19 23:57:15 +0000
96@@ -1,3 +1,4 @@
97 vsftpd /usr/sbin
98 vsftpd.conf /etc
99 debian/local/ftpusers /etc
100+debian/usr.sbin.vsftpd /etc/apparmor.d/

Subscribers

People subscribed via source and target branches