openvpn: network manager support & more classic file structure.

Alexandre Pujol 2021-04-08 22:41:55 +01:00
parent a789d518b2
commit bba7a8e09c


@ -1,16 +1,22 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# #
# The following profile assumes that: # The following profile assumes that:
# openvpn is started as root with dropping privileges # openvpn is started as root with dropping privileges
# iptables is used # iptables is used
# config files are stored in: /etc/openvpn/*.{conf,ovpn} # config files can be stored in:
# certs/keys are stored in: /etc/openvpn/certs/*.{key,crt} # - /etc/openvpn/*.{conf,ovpn}
# - /etc/openvpn/{client,server}/*.{conf,ovpn}
# certs/keys can be are stored in:
# - /etc/openvpn/certs/*.{key,crt}
# - $HOME/.cert/**/*.pem
# auth credentials are stored in: /etc/openvpn/auth/*.auth # auth credentials are stored in: /etc/openvpn/auth/*.auth
# logs are redirected to: /var/log/openvpn/*.log # logs are redirected to: /var/log/openvpn/*.log
# DNS/resolver script is stored in: /etc/openvpn/update-resolv-conf{,.sh} # DNS/resolver script is stored in: /etc/openvpn/update-resolv-conf{,.sh}
# If a user wants to type user/pass interactively, systemd-ask-password is invoked for that. # If a user wants to type user/pass interactively, systemd-ask-password is
# invoked for that.
abi <abi/3.0>, abi <abi/3.0>,
@ -31,25 +37,38 @@ profile openvpn @{exec_path} {
capability setuid, capability setuid,
capability setgid, capability setgid,
capability dac_read_search,
capability dac_override,
network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) set=(term) peer=nm-openvpn-service,
@{exec_path} mr, @{exec_path} mr,
# OpenVPN config # OpenVPN config
/etc/openvpn/*.{conf,ovpn} r, /etc/openvpn/*.{conf,ovpn} r,
/etc/openvpn/client/*.{conf,ovpn} r,
/etc/openvpn/client/*_userpass.txt r,
/etc/openvpn/server/*.{conf,ovpn} r,
/etc/openvpn/auth/*.auth r, /etc/openvpn/auth/*.auth r,
/etc/openvpn/certs/*.{key,crt} r, /etc/openvpn/certs/*.{key,crt} r,
@{HOME}/.cert/{,**} r,
/var/log/openvpn/*.log w, /var/log/openvpn/*.log w,
@{run}/openvpn/*.{pid,status} rw, @{run}/openvpn/*.{pid,status} rw,
@{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
/{usr/,}bin/ip rix, /{usr/,}bin/ip rix,
/{usr/,}bin/systemd-ask-password rCx -> systemd-ask-password, /{usr/,}bin/systemd-ask-password rCx -> systemd-ask-password,
/etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv, /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
/etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn,
/etc/openvpn/update-resolv-conf{,.sh} rCx -> update-resolv,
/dev/net/tun rw, /dev/net/tun rw,