From f6a733de6ab5da8086b254f3a67a1897c55748d7 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 9 Jan 2025 14:49:40 +1030 Subject: [PATCH 01/10] profiles/apparmor.d: add profile for tinyproxy This was tested using the test-tinyproxy.py script from qa-regression-testing as well as by running the upstream test suite with a brief hack to ensure it invokes tinyproxy with aa-exec -p tinyproxy first. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 profiles/apparmor.d/tinyproxy diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy new file mode 100644 index 000000000..93e236afa --- /dev/null +++ b/profiles/apparmor.d/tinyproxy @@ -0,0 +1,34 @@ +# -*- mode: apparmor; -*- +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor + +abi , + +include + +profile tinyproxy /usr/bin/tinyproxy { + include + include + + file rw /run/tinyproxy/tinyproxy.pid, + file mr /usr/bin/tinyproxy, + + file r @{etc_ro}/tinyproxy/tinyproxy.conf, + file rw /var/log/tinyproxy/tinyproxy.log, + + file r /usr/share/tinyproxy/*, + + network inet stream, + network inet6 stream, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} From 6f961edaf9010e0c6549bbd45de5ac9dddfae5e4 Mon Sep 17 00:00:00 2001 
From: Alex Murray Date: Wed, 22 Jan 2025 15:00:27 +1030 Subject: [PATCH 02/10] profiles/apparmor.d/tinyproxy: allow flexibility in deployment Add rules to allow tinyproxy to bind to privileged ports and access files even when run as unprivileged/privileged users when using non-standard configurations. As suggested by @rlee287. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 93e236afa..530b709d7 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -19,6 +19,13 @@ profile tinyproxy /usr/bin/tinyproxy { include file rw /run/tinyproxy/tinyproxy.pid, + # to provide flexibility, when run as a root tinyproxy may need to run files + # owned by other users and similarly when run as an unprivileged user allow + # tinyproxy to bind to privileged ports + capability dac_override, + capability dac_read_search, + capability net_bind_service, + file mr /usr/bin/tinyproxy, file r @{etc_ro}/tinyproxy/tinyproxy.conf, From 3ba204a635cae2bcffb41578eb822f4acba23345 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Wed, 22 Jan 2025 15:01:36 +1030 Subject: [PATCH 03/10] profiles/apparmor.d/tinyproxy: clarify use of local override Add comments to the profile to explain the use of the local override if the default configuration is changed. As suggested by @rlee287. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 530b709d7..b17500c1a 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy 
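Review bot: `capability dac_override,` in PATCH 02 is wider than the comment above it justifies. The comment speaks of files owned by other users, which `capability dac_read_search,` already covers for read and directory search, whereas dac_override also lifts write and execute permission checks. Access is still limited to the paths the profile's file rules allow, so the practical effect is on the pid and log files. If the write bypass is the real need (presumably root writing into a directory owned by the service user), say so in the comment, e.g. `# when started as root, tinyproxy may need to write its pid/log files in directories owned by another user`; otherwise dac_override could be left to the local override. The profile block starts and ends outside the hunk.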
@@ -18,7 +18,6 @@ profile tinyproxy /usr/bin/tinyproxy { include include - file rw /run/tinyproxy/tinyproxy.pid, # to provide flexibility, when run as a root tinyproxy may need to run files # owned by other users and similarly when run as an unprivileged user allow # tinyproxy to bind to privileged ports @@ -29,9 +28,16 @@ profile tinyproxy /usr/bin/tinyproxy { file mr /usr/bin/tinyproxy, file r @{etc_ro}/tinyproxy/tinyproxy.conf, - file rw /var/log/tinyproxy/tinyproxy.log, + # tinyproxy.conf allows to configure the locations of various files that will + # be written to by tinyproxy including ErrorFile, DefaultErrorFile, LogFile, + # and StatFile as well as PidFile. This profile allows tinyproxy to write to + # the default locations but if these are changed in the configuration file, + # additional rules should be added to the /etc/apparmor.d/local/tinyproxy file + # to allow this access + file rw /run/tinyproxy/tinyproxy.pid, # PidFile + file rw /var/log/tinyproxy/tinyproxy.log, # LogFile - file r /usr/share/tinyproxy/*, + file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc network inet stream, network inet6 stream, From 503a89e5ef5100093d4c50050f9fd791ec826c4d Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 23 Jan 2025 12:11:42 +1030 Subject: [PATCH 04/10] profiles/apparmor.d/tinyproxy: clarify comments regarding capabilities As suggested by @cboltz. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index b17500c1a..b3c40849a 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy 
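Review bot: The new comment in the second hunk of PATCH 03 lists ErrorFile, DefaultErrorFile and StatFile among the files "that will be written to by tinyproxy", but the only rule covering them is `file r /usr/share/tinyproxy/*,`, which grants read access only. Reword it so the write set is just PidFile and LogFile, e.g. `# PidFile and LogFile are written by tinyproxy; ErrorFile, DefaultErrorFile and StatFile are only read`. This matters to anyone extending the local override, since a relocated template then needs only an `r` rule rather than `rw`. The trailing `#ErrorFile, DefaultErrorFile, StatFile etc` is also missing the space after `#` that the two comments above it use.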
@@ -18,11 +18,12 @@ profile tinyproxy /usr/bin/tinyproxy { include include - # to provide flexibility, when run as a root tinyproxy may need to run files - # owned by other users and similarly when run as an unprivileged user allow - # tinyproxy to bind to privileged ports + # to provide flexibility, when run as root tinyproxy may need to read files + # owned by other users capability dac_override, capability dac_read_search, + # also tinyproxy may be configured to bind to a privileged port so ensure we + # allow this as well capability net_bind_service, file mr /usr/bin/tinyproxy, From 861be3904b77061b5660a585211d7640e3976cbe Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Tue, 4 Feb 2025 11:26:24 +1030 Subject: [PATCH 05/10] profiles/apparmor.d/tinyproxy: use nameservice-strict abstraction tinyproxy does not need all of nameservice, nameservice-strict is sufficient. Thanks to @cboltz for the suggestion. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index b3c40849a..d0d551f03 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -16,7 +16,7 @@ include profile tinyproxy /usr/bin/tinyproxy { include - include + include # to provide flexibility, when run as root tinyproxy may need to read files # owned by other users From 8729c65bfe36e760ae54adebd0f60a1818eea086 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Tue, 4 Feb 2025 16:44:37 +1030 Subject: [PATCH 06/10] tests/profiles/tinyproxy: add spread smoke test for tinyproxy Signed-off-by: Alex Murray --- .image-garden.mk | 1 + tests/profiles/tinyproxy/task.yaml | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 tests/profiles/tinyproxy/task.yaml diff --git a/.image-garden.mk b/.image-garden.mk index bd12d1a4f..19cc2ded1 100644 --- a/.image-garden.mk +++ b/.image-garden.mk 
@@ -35,6 +35,7 @@ packages: - python3-tk - python3-ttkthemes - swig +- tinyproxy - toybox endef diff --git a/tests/profiles/tinyproxy/task.yaml b/tests/profiles/tinyproxy/task.yaml new file mode 100644 index 000000000..6c61b662c --- /dev/null +++ b/tests/profiles/tinyproxy/task.yaml @@ -0,0 +1,10 @@ +summary: smoke test for the tinyproxy profile +execute: | + # enable tinyproxy service + systemctl start tinyproxy + + # check is running + systemctl is-active tinyproxy + + # tinyproxy system service is confined + cat /proc/$(pidof tinyproxy)/attr/apparmor/current | MATCH 'tinyproxy (enforce)' From f2a6860767474307865b48ce7701ce6b1833e1fa Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 6 Feb 2025 18:15:00 +1030 Subject: [PATCH 07/10] profiles/apparmor.d/tinyproxy: allow dgram and netlink network access This is required for DNS resolution Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index d0d551f03..2b075474f 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -40,8 +40,14 @@ profile tinyproxy /usr/bin/tinyproxy { file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc + # for network access network inet stream, + network inet dgram, network inet6 stream, + network inet6 dgram, + + # for DNS resolution + network netlink raw, # Site-specific additions and overrides. See local/README for details. include if exists From 965a678cb746339f94a5eafe7300bbe72552b05f Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 6 Feb 2025 18:15:18 +1030 Subject: [PATCH 08/10] profiles/apparmor.d/tinyproxy: allow capability setgid tinyproxy drops privileges in some configurations so ensure we allow it. Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 3 +++ 1 file changed, 3 insertions(+) 
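Review bot: `$(pidof tinyproxy)` in the last line of the new task.yaml can expand to more than one PID if tinyproxy is running more than one process. The unquoted substitution then splits into several `cat` arguments, none of which is the intended /proc path, so the confinement check fails or reads the wrong file. Pin it to a single PID, e.g. `cat /proc/$(pidof -s tinyproxy)/attr/apparmor/current` or take the PID from `systemctl show -p MainPID --value tinyproxy`. The same expression is carried over unchanged in PATCH 10.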
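Review bot: The `# for network access` comment in PATCH 07 now also covers `network inet dgram,` and `network inet6 dgram,`, while the commit message says the dgram and netlink rules are there for DNS resolution. Someone auditing the profile cannot tell from the file that UDP is meant only for resolver traffic. Move the two dgram rules under the `# for DNS resolution` comment or annotate them, e.g. `network inet dgram,  # DNS lookups`. The profile block starts and ends outside the hunk.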
diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 2b075474f..0376bbfe2 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -18,6 +18,9 @@ profile tinyproxy /usr/bin/tinyproxy { include include + # allow to drop privileges + capability setgid, + # to provide flexibility, when run as root tinyproxy may need to read files # owned by other users capability dac_override, From 94d494d8fec98e18bd475a5c2a2f4006caba5fe1 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 6 Feb 2025 18:50:42 +1030 Subject: [PATCH 09/10] profiles/apparmor.d/tinyproxy: allow capability set[ug]id Signed-off-by: Alex Murray --- profiles/apparmor.d/tinyproxy | 1 + 1 file changed, 1 insertion(+) diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 0376bbfe2..22c8c9881 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -19,6 +19,7 @@ profile tinyproxy /usr/bin/tinyproxy { include # allow to drop privileges + capability setuid, capability setgid, # to provide flexibility, when run as root tinyproxy may need to read files From 0217af9d82e6a93702b8766329c3ca8f9511a19d Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 6 Feb 2025 21:32:36 +1030 Subject: [PATCH 10/10] tests/profiles/tinyproxy/task.yaml: fix tinyproxy smoke test Signed-off-by: Alex Murray --- tests/profiles/tinyproxy/task.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/profiles/tinyproxy/task.yaml b/tests/profiles/tinyproxy/task.yaml index 6c61b662c..056e55f07 100644 --- a/tests/profiles/tinyproxy/task.yaml +++ b/tests/profiles/tinyproxy/task.yaml 
@@ -1,10 +1,14 @@ summary: smoke test for the tinyproxy profile execute: | - # enable tinyproxy service - systemctl start tinyproxy + # restart tinyproxy service as it may already be running + systemctl restart tinyproxy + + # wait for it to be running + sleep 1 # check is running systemctl is-active tinyproxy - # tinyproxy system service is confined - cat /proc/$(pidof tinyproxy)/attr/apparmor/current | MATCH 'tinyproxy (enforce)' + # check tinyproxy system service is confined + cat /proc/$(pidof tinyproxy)/attr/apparmor/current | MATCH 'tinyproxy \(enforce\)' +
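Review bot: `sleep 1` is a fixed wait, so on a slow test image `systemctl is-active tinyproxy` can still run before the service has settled, and the test becomes timing dependent. A bounded poll is more robust, e.g. `for i in $(seq 10); do systemctl is-active tinyproxy && break; sleep 1; done`, followed by the existing `systemctl is-active` check. The test also asserts only the confinement label; it sends no request through the proxy, so a rule missing from the profile (such as the DNS rules added in PATCH 07) would presumably not be caught here. A comment in task.yaml stating that limitation would help, e.g. `# NOTE: only checks the label, does not exercise proxying under the profile`.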