Control: tags -1 + patch Attached is a patch adapts the work Canonical had done for /usr/lib/ipsec/charon policy for /usr/sbin/charon-systemd.
I've tested the swanctl (client) profile thoroughly, however the charon-systemd (daemon) profile had only been tested with relatively few plugins. -- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
commit b1ca98314847ef5db77983122ab855be5b6ff8b7 Author: Gerald Turner <gtur...@unzane.com> Date: Thu May 11 17:15:09 2017 -0700 Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd. The AppArmor profile for charon-systemd was copied from the existing profile for /usr/lib/ipsec/charon without much scrutiny other than testing basic IPsec tunnels (no fancy plugin options were tested). It appears that the team at Canonical that had written the /usr/lib/ipsec/charon policy had done extensive testing with several plugins, and it seems likely that applying the same profile to charon-systemd will allow those plugins to continue to work. The AppArmor profile for swanctl was written from scratch and well tested. It turns out that swanctl unnecessarily loads plugins by default, so a bit of frivolous access has been granted. diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install index 6ab3af8f..a1424ab8 100644 --- a/debian/charon-systemd.install +++ b/debian/charon-systemd.install @@ -2,3 +2,4 @@ etc/strongswan.d/charon-systemd.conf lib/systemd/system/strongswan-swanctl.service usr/sbin/charon-systemd usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf +debian/usr.sbin.charon-systemd /etc/apparmor.d/ diff --git a/debian/rules b/debian/rules index dacdb645..184abc7c 100755 --- a/debian/rules +++ b/debian/rules @@ -195,6 +195,8 @@ endif dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter + dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl + dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd # add additional files not covered by upstream makefile... install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets diff --git a/debian/strongswan-swanctl.install b/debian/strongswan-swanctl.install index 483b0385..561b9d5b 100644 --- a/debian/strongswan-swanctl.install +++ b/debian/strongswan-swanctl.install @@ -8,3 +8,4 @@ usr/share/man/man8/swanctl.8 usr/sbin/swanctl usr/lib/ipsec/libvici.so* usr/lib/ipsec/plugins/libstrongswan-vici.so +debian/usr.sbin.swanctl /etc/apparmor.d/ diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd new file mode 100644 index 00000000..e1769f29 --- /dev/null +++ b/debian/usr.sbin.charon-systemd @@ -0,0 +1,76 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# Author: Jonathan Davies <jonathan.dav...@canonical.com> +# Ryan Harper <ryan.har...@canonical.com> +# +# ------------------------------------------------------------------ + +#include <tunables/global> + +/usr/sbin/charon-systemd flags=(complain,attach_disconnected) { + #include <abstractions/base> + #include <abstractions/nameservice> + #include <abstractions/authentication> + #include <abstractions/openssl> + #include <abstractions/p11-kit> + + capability ipc_lock, + capability net_admin, + capability net_raw, + + # allow priv dropping (LP: #1333655) + capability chown, + capability setgid, + capability setuid, + + # libcharon-extra-plugins: xauth-pam + capability audit_write, + + # libstrongswan-standard-plugins: agent + capability dac_override, + + capability net_admin, + capability net_raw, + + network, + network raw, + + /bin/dash rmPUx, + + # libchron-extra-plugins: kernel-libipsec + /dev/net/tun rw, + + /etc/ipsec.conf r, + /etc/ipsec.secrets r, + /etc/ipsec.*.secrets r, + /etc/ipsec.d/ r, + /etc/ipsec.d/** r, + /etc/ipsec.d/crls/* rw, + /etc/opensc/opensc.conf r, + /etc/strongswan.conf r, + /etc/strongswan.d/ r, + /etc/strongswan.d/** r, + /etc/tnc_config r, + + /proc/sys/net/core/xfrm_acq_expires w, + + /run/charon.* rw, + /run/pcscd/pcscd.comm rw, + + /usr/lib/ipsec/charon rmix, + /usr/lib/ipsec/imcvs/ r, + /usr/lib/ipsec/imcvs/** rm, + + /usr/lib/*/opensc-pkcs11.so rm, + + /var/lib/strongswan/* r, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.charon-systemd> +} diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl new file mode 100644 index 00000000..627f5c0b --- /dev/null +++ b/debian/usr.sbin.swanctl @@ -0,0 +1,32 @@ +#include <tunables/global> + +/usr/sbin/swanctl { + #include <abstractions/base> + + # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates + #include <abstractions/ssl_certs> + + # CAP_DAC_OVERRIDE is needed for optional charon.user/charon.group + # configuration + capability dac_override, + + # Allow reading strongswan.conf configuration files + /etc/strongswan.conf r, + /etc/strongswan.d/ r, + /etc/strongswan.d/** r, + + # All reading configuration, certificate, and key files beneath /etc/swanctl/ + /etc/swanctl/** r, + + # Allow communication with VICI plugin UNIX domain socket + /run/charon.vici rw, + + # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no + # plugins are actually used by swanctl. The following can be removed if + # plugin loading is disabled. + #include <abstractions/nameservice> + #include <abstractions/openssl> + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.swanctl> +}
signature.asc
Description: PGP signature