Merge profiles/apparmor.d: add profile for tinyproxy

This was tested using the test-tinyproxy.py script from qa-regression-testing as well as by running the upstream test suite with a brief hack to ensure it invokes tinyproxy with aa-exec -p tinyproxy first. Signed-off-by: Alex Murray <alex.murray@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1477 Approved-by: Ryan Lee <rlee287@yahoo.com> Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2025-02-06 19:28:41 +00:00 · 2025-02-06 19:28:41 +00:00 · 5585a4fc9e
commit 5585a4fc9e
parent e86fe8c96c 0217af9d82
3 changed files with 73 additions and 0 deletions
--- a/.image-garden.mk
+++ b/.image-garden.mk
@ -35,6 +35,7 @@ packages:
 - python3-tk
 - python3-ttkthemes
 - swig
+- tinyproxy
 - toybox
 endef

--- a/profiles/apparmor.d/tinyproxy
+++ b/profiles/apparmor.d/tinyproxy
@ -0,0 +1,58 @@
+# -*- mode: apparmor; -*-
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile tinyproxy /usr/bin/tinyproxy {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  # allow to drop privileges
+  capability setuid,
+  capability setgid,
+
+  # to provide flexibility, when run as root tinyproxy may need to read files
+  # owned by other users
+  capability dac_override,
+  capability dac_read_search,
+  # also tinyproxy may be configured to bind to a privileged port so ensure we
+  # allow this as well
+  capability net_bind_service,
+
+  file mr /usr/bin/tinyproxy,
+
+  file r @{etc_ro}/tinyproxy/tinyproxy.conf,
+  # tinyproxy.conf allows to configure the locations of various files that will
+  # be written to by tinyproxy including ErrorFile, DefaultErrorFile, LogFile,
+  # and StatFile as well as PidFile. This profile allows tinyproxy to write to
+  # the default locations but if these are changed in the configuration file,
+  # additional rules should be added to the /etc/apparmor.d/local/tinyproxy file
+  # to allow this access
+  file rw /run/tinyproxy/tinyproxy.pid,  # PidFile
+  file rw /var/log/tinyproxy/tinyproxy.log, # LogFile
+
+  file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc
+
+  # for network access
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+
+  # for DNS resolution
+  network netlink raw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tinyproxy>
+}
--- a/tests/profiles/tinyproxy/task.yaml
+++ b/tests/profiles/tinyproxy/task.yaml
@ -0,0 +1,14 @@
+summary: smoke test for the tinyproxy profile
+execute: |
+    # restart tinyproxy service as it may already be running
+    systemctl restart tinyproxy
+
+    # wait for it to be running
+    sleep 1
+
+    # check is running
+    systemctl is-active tinyproxy
+
+    # check tinyproxy system service is confined
+    cat /proc/$(pidof tinyproxy)/attr/apparmor/current | MATCH 'tinyproxy \(enforce\)'
+