Package: fwknop-apparmor-profile
Version: 2.6.10-2
Severity: wishlist

Dear Maintainer,

One of the interesting modes of operation of fwknop-server is the use of
CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE to call ipset to add entries to a set.

Pedantic system administrators may find the automatic insertion of
chains irksome and prefer to create/use an ipset in their firewall
configurations.

Since the documented[1][2] mode of operation provides an example that
uses ipset, please consider adding ipset to the apparmor profile.

Thanks,

Luca

[1]: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset
[2]: https://www.cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html
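The mode described above only works if every executable named in a CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE command is also permitted by the fwknopd AppArmor profile; otherwise the command is denied at exec time while the SPA packet itself is accepted. The following is an added example, not part of this bug report or of the fwknop or Debian packaging: a small cross-check that parses an access.conf stanza and an AppArmor profile and reports cycle commands whose executable has no exec rule. It assumes the access.conf directive form `CMD_CYCLE_OPEN <command>` (an optional trailing colon is tolerated) and the `/path mode,` rule form seen in the profile in this report; the access.conf stanza, both profile excerpts and the `SEARCH_PATH` used for path-less commands are constructed, and the key values are placeholders.

```python
"""Cross-check fwknopd CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE commands against an
AppArmor profile: each executable the cycle commands invoke needs an exec
rule ('x' in the mode, e.g. 'rix') in the profile.

Added example, not part of the bug report or of fwknop/Debian packaging.
Assumes the directive form 'CMD_CYCLE_OPEN <command>' and the rule form
'/path mode,'; all sample inputs below are constructed.
"""
import re
import shlex

# Constructed access.conf stanza for the ipset mode the report refers to.
# Key values are placeholders, not usable keys.
SAMPLE_ACCESS_CONF = """\
SOURCE                  ANY
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64              PLACEHOLDER_KEY_BASE64
HMAC_KEY_BASE64         PLACEHOLDER_HMAC_KEY_BASE64
CMD_CYCLE_OPEN          /usr/sbin/ipset add fwknop_allow $IP
CMD_CYCLE_CLOSE         /usr/sbin/ipset del fwknop_allow $IP
CMD_CYCLE_TIMER         30
"""

# Constructed profile excerpt without ipset rules (the situation the report
# asks the package to fix) ...
PROFILE_WITHOUT_IPSET = """\
/usr/sbin/fwknopd {
  #include <abstractions/base>
  capability net_admin,
  /bin/dash rix,
  /etc/fwknop/access.conf r,
  /sbin/xtables-multi rix,
  /usr/sbin/fwknopd mr,
}
"""

# ... and the same excerpt with the two ipset rules the report's changed
# profile carries (/sbin and /usr/sbin, since either may be the real path).
PROFILE_WITH_IPSET = PROFILE_WITHOUT_IPSET.replace(
    "  /sbin/xtables-multi rix,\n",
    "  /sbin/ipset rix,\n  /sbin/xtables-multi rix,\n  /usr/sbin/ipset rix,\n",
)

# Assumed lookup order for a command given without a directory; fwknopd's
# own resolution of bare names is not asserted here.
SEARCH_PATH = ("/usr/sbin", "/sbin", "/usr/bin", "/bin")

DIRECTIVE_RE = re.compile(r"^\s*(CMD_CYCLE_OPEN|CMD_CYCLE_CLOSE):?\s+(\S.*)$")
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<mode>[A-Za-z]+),\s*$")


def cycle_commands(access_conf):
    """Return [(directive, command string)] for every cycle directive."""
    found = []
    for line in access_conf.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def exec_rules(profile):
    """Return the set of paths the profile allows fwknopd to execute."""
    allowed = set()
    for line in profile.splitlines():
        m = RULE_RE.match(line)
        # Any of ix/px/ux/cx (upper or lower case) grants exec; 'r' or 'mr' does not.
        if m and "x" in m.group("mode").lower():
            allowed.add(m.group("path"))
    return allowed


def missing_exec_rules(access_conf, profile, search_path=SEARCH_PATH):
    """Return [(directive, executable)] for cycle commands the profile blocks.

    An absolute executable must appear verbatim; a bare name is accepted if
    any search_path candidate is permitted.
    """
    allowed = exec_rules(profile)
    missing = []
    for directive, command in cycle_commands(access_conf):
        exe = shlex.split(command)[0]
        candidates = [exe] if exe.startswith("/") else [
            f"{d}/{exe}" for d in search_path
        ]
        if not any(c in allowed for c in candidates):
            missing.append((directive, exe))
    return missing


if __name__ == "__main__":
    for label, prof in (("without ipset rules", PROFILE_WITHOUT_IPSET),
                        ("with ipset rules", PROFILE_WITH_IPSET)):
        gaps = missing_exec_rules(SAMPLE_ACCESS_CONF, prof)
        print(f"profile {label}: {gaps or 'all cycle commands permitted'}")
```

When a rule is missing, the symptom on a live system is an `apparmor="DENIED" operation="exec"` entry in the kernel log for `/usr/sbin/fwknopd` with the ipset binary as the target, while fwknopd itself logs the SPA packet as valid; running this check against the installed profile and access.conf before enabling the cycle commands avoids that silent failure.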


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwknop-apparmor-profile depends on:
ii  fwknop-server  2.6.10-2

fwknop-apparmor-profile recommends no packages.

fwknop-apparmor-profile suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.fwknopd changed:
/usr/sbin/fwknopd {
  #include <abstractions/base>
  capability ipc_lock,
  capability net_admin,
  capability net_raw,
  network inet raw,
  network inet dgram,
  network inet6 dgram,
  network packet raw,
  network packet dgram,
  /bin/dash rix,
  /bin/bash rix,
  /etc/fwknop/access.conf r,
  /etc/fwknop/fwknopd.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/protocols r,
  @{PROC}/@{pid}/net/ip_tables_names r,
  /root/.gnupg/* rwkl,
  /run/fwknop/ rw,
  /run/fwknop/* rwk,
  /run/xtables.lock rwk,
  /sbin/ipset rix,
  /sbin/xtables-multi rix,
  /usr/bin/gpg rix,
  /usr/sbin/fwknopd mr,
  /usr/sbin/ipset rix,
  /usr/sbin/xtables-nft-multi rix,
  /var/cache/nscd/passwd r,
}


-- no debconf information
