On 9/2/20 2:30 PM, Hal Murray wrote:
>> I do ship an AppArmor profile.
>
> Thanks. That's the word I was fishing for.
>
> I've never worked with it. Is there a good introductory writeup?

There is various documentation, but I don't have anything off the top of my head to direct you to.

> Are there similar facilities available on other OSes/distros?

AppArmor is a cross-distro thing. The "other option" would be SELinux.

Ubuntu uses AppArmor by default. I can't remember if Debian has it enabled by default now or not; it's been a while since I checked / did a fresh install. SUSE uses AppArmor too, from what I understand; they started the ntpd profile (which Canonical modified for Ubuntu). RedHat (RHEL and by extension CentOS, not sure about Fedora) uses SELinux.

I've attached the profile that I ship in the Debian package.

apparmor-profile => /etc/apparmor.d/usr.sbin.ntpd
apparmor-profile.tunable => /etc/apparmor.d/tunables/ntpd
(empty file) => /etc/apparmor.d/local/usr.sbin.ntpd

-- 
Richard
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <ja...@canonical.com>
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2009-2012 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>

/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,

  @{NTPD_DEVICE} rw,

  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

  /{,s}bin/ r,
  /usr/{,s}bin/ r,
  /usr/local/{,s}bin/ r,
  /usr/sbin/ntpd rmix,
  /etc/ntpsec/ntp.conf r,
  /etc/ntpsec/ntp.d/ r,
  /etc/ntpsec/ntp.d/*.conf r,
  /run/ntpsec/ntp.conf.dhcp r,
  /etc/ntp.keys r,
  /var/lib/ntpsec/ntp.drift rw,
  /var/lib/ntpsec/ntp.drift-tmp rw,
  /usr/share/zoneinfo/leap-seconds.list rw,
  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpsec/clockstats* rwl,
  /var/log/ntpsec/loopstats* rwl,
  /var/log/ntpsec/peerstats* rwl,
  /var/log/ntpsec/protostats* rwl,
  /var/log/ntpsec/rawstats* rwl,
  /var/log/ntpsec/sysstats* rwl,
  /{,var/}run/ntpd.pid w,

  # to be able to check for running ntpdate
  /run/lock/ntpsec-ntpdate wk,

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
  # samba4 winbindd pipe
  /run/samba/winbindd/pipe rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  # capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2011 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Add your ntpd devices here, e.g. if you have a DCF clock
# @{NTPD_DEVICE}="/dev/ttyS1"
@{NTPD_DEVICE}="/dev/null"
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
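Reviewing what a shipped profile like the one above actually grants is easier with a summary than with the raw rule list. The following is an added example, not code from the NTPsec package or from this thread: a minimal Python reader for the subset of AppArmor syntax the ntpd profile uses. It expands @{NTPD_DEVICE} from the tunable and lists the capabilities, network rules and writable paths; the profile excerpt and the /dev/ttyS1 tunable value are constructed sample input (a real check would read the files under /etc/apparmor.d).

```python
import re

# Patterns for the subset of AppArmor syntax the ntpd profile uses.
CAP_RE = re.compile(r"^capability\s+(\w+),$")
NET_RE = re.compile(r"^network\s+(\w+),$")
FILE_RE = re.compile(r"^(/\S*)\s+([rwmixlkauPCU]+),$")
VAR_RE = re.compile(r'^@\{(\w+)\}="([^"]*)"$')
# Constructed sample input: an excerpt of the profile above, plus a tunable
# that points @{NTPD_DEVICE} at a serial refclock instead of /dev/null.
PROFILE = """
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_time,
  network dgram,
  @{NTPD_DEVICE} rw,
  /usr/sbin/ntpd rmix,
  /etc/ntpsec/ntp.conf r,
  /var/lib/ntpsec/ntp.drift rw,
  /var/log/ntpsec/peerstats* rwl,  # stats files; 'l' allows hard links
}
"""
TUNABLES = '@{NTPD_DEVICE}="/dev/ttyS1"\n'

def parse_tunables(text):
    """Map @{NAME}="value" definitions to a dict; commented-out lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.split("#", 1)[0].strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_profile(text, tunables):
    """Return (capabilities, network rules, {path: perms}) with @{VAR}s expanded."""
    caps, nets, files = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        for name, value in tunables.items():
            line = line.replace("@{%s}" % name, value)
        if m := CAP_RE.match(line):
            caps.append(m.group(1))
        elif m := NET_RE.match(line):
            nets.append(m.group(1))
        elif m := FILE_RE.match(line):
            files[m.group(1)] = m.group(2)
    return caps, nets, files

def writable_paths(files):
    """Paths the confined ntpd may write: the rules most worth a second look."""
    return sorted(path for path, perms in files.items() if "w" in perms)
```

Running it against the full profile shows every write rule in one list, which is where an unexpected entry (or a too-broad local override such as ipc_owner) stands out.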