Package: fwknop-apparmor-profile
Version: 2.6.10-2
Severity: wishlist
Dear Maintainer,
One of the interesting modes of operation of fwknop-server is the use of
CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE to call ipset to add entries to a set.
Pedantic system administrators may find the automatic insertion of
chains irksome and prefer to create/use an ipset in their firewall
configurations.
Since the documented[1][2] mode of operation provides an example that
uses ipset, please consider adding ipset to the apparmor profile.
Thanks,
Luca
[1]: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset
[2]: https://www.cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fwknop-apparmor-profile depends on:
ii fwknop-server 2.6.10-2
fwknop-apparmor-profile recommends no packages.
fwknop-apparmor-profile suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.fwknopd changed:
/usr/sbin/fwknopd {
  #include

  capability ipc_lock,
  capability net_admin,
  capability net_raw,

  network inet raw,
  network inet dgram,
  network inet6 dgram,
  network packet raw,
  network packet dgram,

  /bin/dash rix,
  /bin/bash rix,
  /etc/fwknop/access.conf r,
  /etc/fwknop/fwknopd.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/protocols r,
  @{PROC}/@{pid}/net/ip_tables_names r,
  /root/.gnupg/* rwkl,
  /run/fwknop/ rw,
  /run/fwknop/* rwk,
  /run/xtables.lock rwk,
  /sbin/ipset rix,
  /sbin/xtables-multi rix,
  /usr/bin/gpg rix,
  /usr/sbin/fwknopd mr,
  /usr/sbin/ipset rix,
  /usr/sbin/xtables-nft-multi rix,
  /var/cache/nscd/passwd r,
}
-- no debconf information
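Added example (not part of the bug report or the fwknop package): a small POSIX sh helper that scans AppArmor audit lines for exec denials raised under the /usr/sbin/fwknopd profile and prints the `rix` rules that would cover them, which is how an administrator would confirm that the shipped profile is what blocks the ipset helper called from CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE. The log lines are constructed samples in the standard AppArmor audit format; timestamps, pids and the non-fwknop noise line are illustrative only.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit output (not real log data): two exec
# denials for ipset under the fwknopd profile, one ALLOWED line and one
# denial from an unrelated profile, to show the filter ignores them.
SAMPLE_LOG='audit: type=1400 audit(1577000000.101:301): apparmor="DENIED" operation="exec" profile="/usr/sbin/fwknopd" name="/usr/sbin/ipset" pid=2201 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1577000000.102:302): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/fwknopd" name="/usr/sbin/xtables-nft-multi" pid=2202 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1577000000.103:303): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/shadow" pid=2203 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1577000000.104:304): apparmor="DENIED" operation="exec" profile="/usr/sbin/fwknopd" name="/sbin/ipset" pid=2204 comm="dash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# Read audit lines on stdin; print each distinct path that the fwknopd
# profile refused to execute, one per line, sorted.
# Real use: fwknopd_exec_denials < /var/log/audit/audit.log
fwknopd_exec_denials() {
    grep 'apparmor="DENIED"' \
      | grep 'operation="exec"' \
      | grep 'profile="/usr/sbin/fwknopd"' \
      | sed -n 's/.* name="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Turn those paths into profile rule lines. "rix" (read + inherit the
# current profile on exec) matches what the reporter's modified profile
# already uses for ipset and the xtables helpers.
suggest_rules() {
    fwknopd_exec_denials | while IFS= read -r path; do
        printf '  %s rix,\n' "$path"
    done
}

printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

Both /sbin/ipset and /usr/sbin/ipset show up because the helper path fwknopd ends up executing depends on whether the system has merged /usr, which is why the reporter's profile lists both.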