Package: fwknop-apparmor-profile
Version: 2.6.10-2
Severity: wishlist

Dear Maintainer,
One of the interesting modes of operation of fwknop-server is the use of CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE to call ipset to add entries to a set. Pedantic system administrators may find the automatic insertion of chains irksome and prefer to create/use an ipset in their firewall configurations. Since the documented[1][2] mode of operation provides an example that uses ipset, please consider adding ipset to the apparmor profile.

Thanks,
Luca

[1]: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset
[2]: https://www.cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwknop-apparmor-profile depends on:
ii  fwknop-server  2.6.10-2

fwknop-apparmor-profile recommends no packages.

fwknop-apparmor-profile suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.fwknopd changed:
/usr/sbin/fwknopd {
  #include <abstractions/base>

  capability ipc_lock,
  capability net_admin,
  capability net_raw,

  network inet raw,
  network inet dgram,
  network inet6 dgram,
  network packet raw,
  network packet dgram,

  /bin/dash rix,
  /bin/bash rix,
  /etc/fwknop/access.conf r,
  /etc/fwknop/fwknopd.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/protocols r,
  @{PROC}/@{pid}/net/ip_tables_names r,
  /root/.gnupg/* rwkl,
  /run/fwknop/ rw,
  /run/fwknop/* rwk,
  /run/xtables.lock rwk,
  /sbin/ipset rix,
  /sbin/xtables-multi rix,
  /usr/bin/gpg rix,
  /usr/sbin/fwknopd mr,
  /usr/sbin/ipset rix,
  /usr/sbin/xtables-nft-multi rix,
  /var/cache/nscd/passwd r,
}

-- no debconf information
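The report's point is a mismatch between what access.conf tells fwknopd to execute (an ipset command via CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE) and what the shipped AppArmor profile lets it execute. The following added example (not code from the report, from fwknop, or from the Debian packaging) checks for that mismatch before deployment: it parses the plain file rules of the profile quoted above, extracts the executables named in CMD_CYCLE_* lines of a constructed access.conf stanza, and reports which profile rules grant an exec mode for each. The access.conf stanza, the placeholder key values, the set name `fwknop_allow` and the directory search order are assumptions for the example; the profile text is the reporter's modified one, and the same check run on that profile with the two ipset lines removed reproduces the stock-profile denial.

```python
import re
import shlex

# AppArmor file rule of the form "<path> <perms>," as in the profile above.
RULE_RE = re.compile(r"^(/\S+)\s+([A-Za-z]+),$")

# The modified /etc/apparmor.d/usr.sbin.fwknopd quoted in the report,
# including the two ipset lines the reporter added.
PROFILE_WITH_IPSET = """\
/usr/sbin/fwknopd {
  #include <abstractions/base>
  capability ipc_lock,
  capability net_admin,
  capability net_raw,
  network inet raw,
  network inet dgram,
  network inet6 dgram,
  network packet raw,
  network packet dgram,
  /bin/dash rix,
  /bin/bash rix,
  /etc/fwknop/access.conf r,
  /etc/fwknop/fwknopd.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/protocols r,
  @{PROC}/@{pid}/net/ip_tables_names r,
  /root/.gnupg/* rwkl,
  /run/fwknop/ rw,
  /run/fwknop/* rwk,
  /run/xtables.lock rwk,
  /sbin/ipset rix,
  /sbin/xtables-multi rix,
  /usr/bin/gpg rix,
  /usr/sbin/fwknopd mr,
  /usr/sbin/ipset rix,
  /usr/sbin/xtables-nft-multi rix,
  /var/cache/nscd/passwd r,
}
"""

# Constructed access.conf stanza (not from the report): an ipset-based
# CMD_CYCLE pair. Keys are placeholders; the set name is an assumption.
ACCESS_CONF = """\
SOURCE              ANY
KEY_BASE64          PLACEHOLDER_KEY
HMAC_KEY_BASE64     PLACEHOLDER_HMAC_KEY
CMD_CYCLE_OPEN      ipset add fwknop_allow $IP,$PORT
CMD_CYCLE_CLOSE     ipset del fwknop_allow $IP,$PORT
CMD_CYCLE_TIMER     30
"""

# Assumed search order for a bare command name (the profile lists both
# the /sbin and /usr/sbin locations of ipset).
SEARCH_DIRS = ("/sbin", "/usr/sbin", "/bin", "/usr/bin")

def parse_file_rules(profile_text):
    """Return {path: perms} for the plain file rules of an AppArmor profile.
    Rules using @{...} variables and non-file rules are ignored here."""
    rules = {}
    for line in profile_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def cmd_cycle_commands(access_text):
    """Return the executable names used by CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE."""
    cmds = []
    for line in access_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("CMD_CYCLE_OPEN", "CMD_CYCLE_CLOSE"):
            argv = shlex.split(parts[1])
            if argv:
                cmds.append(argv[0])
    return cmds

def drop_rules_mentioning(profile_text, needle):
    """Profile with every line containing `needle` removed (reconstructs the
    stock profile, which has no ipset rules, from the reporter's version)."""
    return "\n".join(l for l in profile_text.splitlines() if needle not in l) + "\n"

def exec_coverage(profile_text, access_text):
    """For each CMD_CYCLE command, list the profile paths granting an exec
    mode (any 'x' permission). An empty list means AppArmor would deny the
    exec when fwknopd runs that command."""
    rules = parse_file_rules(profile_text)
    coverage = {}
    for cmd in cmd_cycle_commands(access_text):
        candidates = [cmd] if cmd.startswith("/") else [f"{d}/{cmd}" for d in SEARCH_DIRS]
        coverage[cmd] = [p for p in candidates if "x" in rules.get(p, "")]
    return coverage

if __name__ == "__main__":
    stock = drop_rules_mentioning(PROFILE_WITH_IPSET, "ipset")
    print("stock profile:", exec_coverage(stock, ACCESS_CONF))
    print("with ipset rules:", exec_coverage(PROFILE_WITH_IPSET, ACCESS_CONF))
```

Run against the stock profile the check returns `{"ipset": []}`, which is the denial the reporter is asking the maintainer to fix; against the modified profile it returns both `/sbin/ipset` and `/usr/sbin/ipset`. The same approach extends to any other command placed in CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE, since a profile in enforce mode will block whatever executable the rule set does not name.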