From fe327207656467ff8ddac1b9ea2fac7f5cee9f77 Mon Sep 17 00:00:00 2001
From: Nishit Majithia
Date: Fri, 30 Aug 2024 22:26:04 +0530
Subject: [PATCH] socat: add apparmor profile (#454)
* socat: add apparmor profile
Signed-off-by: Nishit Majithia
* socat: update profile
- Follow profile guideline
- Change copyright texts
- Update to use abi 3.0
- Use `ssl_certs` and `console` abstractions instead of explicit rules
Signed-off-by: Nishit Majithia
* socat: minor fix in the profile
- Use @{bin}
- Allow executable mapping and read for the binary
Signed-off-by: Nishit Majithia
---------
Signed-off-by: Nishit Majithia
---
 apparmor.d/groups/network/socat | 49 +++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 apparmor.d/groups/network/socat
diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
new file mode 100644
index 00000000..df5e874d
--- /dev/null
+++ b/apparmor.d/groups/network/socat
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Nishit Majithia (nishitm)
+# SPDX-License-Identifier: GPL-2.0-only
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/socat
+profile socat @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability dac_override,
+ capability net_raw,
+ capability net_admin,
+ capability sys_module,
+ capability sys_admin,
+ capability fsetid,
+ capability chown,
+ capability net_bind_service,
+ capability sys_resource,
+
+ # Allow creation of network sockets and `socat` uses dccp for some
+ # fuctionalities that is why it is necessary to allow whole `network`
+ network,
+
+ @{exec_path} mr,
+
+ # Enale /dev/ptmx access for testsuite
+ # /dev/ptmx rw,
+
+ # TUN/TAP device
+ /dev/net/tun rw,
+
+ # Process-specific access
+ @{PROC}/@{pid}/fdinfo/@{int} rw,
+ @{PROC}/@{pid}/stat r,
+
+ # For bi-directional communication between vms and host/hypervisor
+ /dev/vsock r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
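Review bot: The capability block inside `profile socat` grants `sys_module`, `sys_admin`, `dac_override`, `dac_read_search`, `chown` and `fsetid`, which makes the confinement largely nominal (`sys_module` alone lets the confined process load kernel modules, `dac_override` bypasses file permission checks), and neither the profile nor the commit message says which socat address type needs each one; presumably they were copied from audit denials, so each should either carry a comment naming the feature that needs it or be dropped. The two `@{PROC}/@{pid}/` rules lack the `owner` prefix, so with the usual any-pid definition of `@{pid}` they allow reading the `stat` of every process rather than socat's own, and `fdinfo` entries are read-only in procfs so the `w` is never exercised; I would change them to `owner @{PROC}/@{pid}/fdinfo/@{int} r,` and `owner @{PROC}/@{pid}/stat r,`. The bare `network,` rule admits every address family (netlink, packet, ...), which combined with `net_raw`/`net_admin` is far wider than the dccp case the comment cites; listing the families socat actually uses (`network inet stream,` and so on, plus `network dccp,`) would be the usual fix if dccp is the only exotic one. The comment typos `fuctionalities` and `Enale` and the dead `# /dev/ptmx rw,` line should be cleaned up as well.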