apparmor.d: add tnftp profile

2025-03-04 08:24:42 +01:00 · 2024-10-04 16:23:48 +02:00 · 2024-10-04 16:23:48 +02:00 · 42cd79e3db
commit 42cd79e3db
parent b52c9bb860
1 changed files with 85 additions and 0 deletions
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@ -0,0 +1,85 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Giampaolo Fresi Roglia (gianz)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{tnftp_rx}=/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ /usr/games/ /usr/local/games/ /snap/bin/ @{HOME}/bin/ @{HOME}/.local/bin/
+
+profile tnftp /usr/bin/tnftp {
+  include <abstractions/authentication>
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+  include <abstractions/user-tmp>
+  include <abstractions/user-download>
+  include <abstractions/private-files>
+  include <abstractions/private-files-strict>
+
+  network inet stream,
+  network inet6 stream,
+
+  # readline wants to know terminal capabilities
+  file r /usr/share/terminfo/**,
+
+  # required for the pager (less, more) to work
+  file Cx /usr/bin/dash,
+
+  # Sub-profile for the pager to work
+  profile dash /usr/bin/dash {
+    include <abstractions/base>
+    network (send, receive) inet stream,
+    network (send, receive) inet6 stream,
+
+    file Px /usr/bin/more -> tnftp//dash//more,
+    file mr /usr/bin/dash,
+  }
+
+  # Ideally this would be a subprofile of "dash".
+  # Defined as sub profile of tnftp for backwards compatibility.
+  profile dash//more {
+    include <abstractions/base>
+    network (send, receive) inet stream,
+    network (send, receive) inet6 stream,
+
+    # readline wants to know terminal capabilities
+    file r /usr/share/terminfo/**,
+    file mr /usr/bin/more,
+  }
+
+  # required for the ! command to work.
+  # here we are restricting execution to files in a limited set of
+  # directories, for which we also deny write access.
+  file Cx @{tnftp_rx}/* -> cmds,
+  deny file w @{tnftp_rx},
+  
+  profile cmds {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/user-tmp>
+    include <abstractions/user-download>
+    include <abstractions/private-files>
+    include <abstractions/private-files-strict>
+
+    # prevent network access
+    deny network,
+
+    file ixmr @{tnftp_rx}/*,
+    deny file w @{tnftp_rx},
+
+    # allow read on anything on @{HOME} not explicitly denied
+    owner file r @{HOME},
+    owner file r @{HOME}/**,
+  }
+
+  include if exists <local/tnftp>
+}