Merge profiles/apparmor.d: add tnftp profile

Add AA profile for tnftp. This profile has been tested on the latest oracular tnftp version 20230507-2build3 which is also the latest upstream version. This profile limits the file downloads to common download directories and /tmp. It also cripples the "!" command denying access to network and allowing the execution of binaries located directories for which we deny write access. Any feedback is welcome. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1363 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 00:14:44 +01:00 · 2025-02-07 07:31:25 +00:00 · 2025-02-07 07:31:25 +00:00 · c7be379d1b
commit c7be379d1b
parent 91849b31e0 06dbaca1c8
1 changed files with 88 additions and 0 deletions
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@ -0,0 +1,88 @@
+
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Giampaolo Fresi Roglia (gianz)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{tnftp_rx}=/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ /usr/games/ /usr/local/games/ /snap/bin/ @{HOME}/bin/ @{HOME}/.local/bin/
+
+profile tnftp /usr/bin/tnftp {
+  include <abstractions/authentication>
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+  include <abstractions/user-tmp>
+  include <abstractions/user-download>
+  include <abstractions/private-files-strict>
+
+  network inet stream,
+  network inet6 stream,
+
+  # readline wants to know terminal capabilities
+  file r /usr/share/terminfo/**,
+
+  # required for the pager (less, more) to work
+  file Cx /usr/bin/dash,
+
+  # allow read on anything on @{HOME} not explicitly denied
+  owner file r @{HOME},
+  owner file r @{HOME}/**,
+
+  # Sub-profile for the pager to work
+  profile dash /usr/bin/dash {
+    include <abstractions/base>
+    network (send, receive) inet stream,
+    network (send, receive) inet6 stream,
+
+    file Px /usr/bin/more -> tnftp//dash//more,
+    file mr /usr/bin/dash,
+  }
+
+  # Ideally this would be a subprofile of "dash".
+  # Defined as sub profile of tnftp for backwards compatibility.
+  profile dash//more {
+    include <abstractions/base>
+    network (send, receive) inet stream,
+    network (send, receive) inet6 stream,
+
+    # readline wants to know terminal capabilities
+    file r /usr/share/terminfo/**,
+    file mr /usr/bin/more,
+  }
+
+  # required for the ! command to work.
+  # here we are restricting execution to files in a limited set of
+  # directories, for which we also deny write access.
+  file Cx @{tnftp_rx}/* -> cmds,
+  audit deny file w @{tnftp_rx}/*,
+  
+  profile cmds {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/user-tmp>
+    include <abstractions/user-download>
+    include <abstractions/private-files-strict>
+
+    # prevent network access
+    deny network,
+
+    file ixmr @{tnftp_rx}/*,
+    audit deny file w @{tnftp_rx}/*,
+
+    # allow read on anything on @{HOME} not explicitly denied
+    owner file r @{HOME},
+    owner file r @{HOME}/**,
+  }
+
+  include if exists <local/tnftp>
+}