From 42cd79e3dbd4c64f2deb89ccc34d3ccbbb9388a7 Mon Sep 17 00:00:00 2001
From: Giampaolo Fresi Roglia
Date: Fri, 4 Oct 2024 16:23:48 +0200
Subject: [PATCH 1/5] apparmor.d: add tnftp profile
---
 profiles/apparmor.d/tnftp | 85 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 profiles/apparmor.d/tnftp
diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp
new file mode 100644
index 000000000..0c0977f91
--- /dev/null
+++ b/profiles/apparmor.d/tnftp
@@ -0,0 +1,85 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# Author: Giampaolo Fresi Roglia (gianz)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+@{tnftp_rx}=/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ /usr/games/ /usr/local/games/ /snap/bin/ @{HOME}/bin/ @{HOME}/.local/bin/
+
+profile tnftp /usr/bin/tnftp {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ # readline wants to know terminal capabilities
+ file r /usr/share/terminfo/**,
+
+ # required for the pager (less, more) to work
+ file Cx /usr/bin/dash,
+
+ # Sub-profile for the pager to work
+ profile dash /usr/bin/dash {
+ include
+ network (send, receive) inet stream,
+ network (send, receive) inet6 stream,
+
+ file Px /usr/bin/more -> tnftp//dash//more,
+ file mr /usr/bin/dash,
+ }
+
+ # Ideally this would be a subprofile of "dash".
+ # Defined as sub profile of tnftp for backwards compatibility.
+ profile dash//more {
+ include
+ network (send, receive) inet stream,
+ network (send, receive) inet6 stream,
+
+ # readline wants to know terminal capabilities
+ file r /usr/share/terminfo/**,
+ file mr /usr/bin/more,
+ }
+
+ # required for the ! command to work.
+ # here we are restricting execution to files in a limited set of
+ # directories, for which we also deny write access.
+ file Cx @{tnftp_rx}/* -> cmds,
+ deny file w @{tnftp_rx},
+
+ profile cmds {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # prevent network access
+ deny network,
+
+ file ixmr @{tnftp_rx}/*,
+ deny file w @{tnftp_rx},
+
+ # allow read on anything on @{HOME} not explicitly denied
+ owner file r @{HOME},
+ owner file r @{HOME}/**,
+ }
+
+ include if exists
+}
From aca065a208ffeed28d215e492098c9c979c07c23 Mon Sep 17 00:00:00 2001
From: Giampaolo Fresi Roglia
Date: Fri, 4 Oct 2024 17:19:47 +0200
Subject: [PATCH 2/5] apparmor.d/tnftp: add missing @{HOME} rule
---
 profiles/apparmor.d/tnftp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp
index 0c0977f91..0ccefcb98 100644
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@@ -34,6 +34,10 @@ profile tnftp /usr/bin/tnftp {
 # required for the pager (less, more) to work
 file Cx /usr/bin/dash,
+ # allow read on anything on @{HOME} not explicitly denied
+ owner file r @{HOME},
+ owner file r @{HOME}/**,
+
 # Sub-profile for the pager to work
 profile dash /usr/bin/dash {
 include
From 6b0dcf96272a60a1e52ce54127de20551616c4c1 Mon Sep 17 00:00:00 2001
From: Giampaolo Fresi Roglia
Date: Mon, 7 Oct 2024 11:33:44 +0200
Subject: [PATCH 3/5] apparmor.d/tnftp: fix deny write rule
---
 profiles/apparmor.d/tnftp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp
index 0ccefcb98..815548fed 100644
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@@ -64,7 +64,7 @@ profile tnftp /usr/bin/tnftp {
 # here we are restricting execution to files in a limited set of
 # directories, for which we also deny write access.
 file Cx @{tnftp_rx}/* -> cmds,
- deny file w @{tnftp_rx},
+ deny file w @{tnftp_rx}/*,
 profile cmds {
 include
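Review bot: The comment above `file Cx /usr/bin/dash,` says the pager may be `less` or `more`, but the `dash` sub-profile only carries `file Px /usr/bin/more -> tnftp//dash//more,`, so with PAGER set to less the exec from `dash` is denied rather than confined. Either narrow the comment to `# required for the pager (more) to work` or add a matching transition for less, and say why the two pager sub-profiles carry `network (send, receive)` rules while `cmds` has `deny network,` — presumably the pager inherits tnftp's open control socket and the fd would otherwise be revoked, e.g. `# the pager inherits tnftp's control socket; send/receive keeps that fd usable`. The include arguments are not rendered on this page, so what the abstractions grant cannot be checked here.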
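Review bot: The new `owner file r @{HOME},` / `owner file r @{HOME}/**,` rules make the user's home read-only for the main tnftp profile, yet an ftp client's `get` typically writes the retrieved file into the current directory, which is usually under @{HOME}; unless one of the includes (whose arguments are not rendered on this page) grants that write, downloads into the home directory will be denied. If that is intended, the comment should say where downloads are expected to land; if not, a narrow write rule for an explicit download location is needed, with the deny rule on @{tnftp_rx} still taking precedence for the executable directories. The enclosing `profile tnftp /usr/bin/tnftp {` starts outside this hunk.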
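Review bot: The corrected `deny file w @{tnftp_rx}/*,` only prevents this profile from modifying the executables; `@{tnftp_rx}` includes `@{HOME}/bin/` and `@{HOME}/.local/bin/`, which the user can populate from any unconfined process, so the `!` command will still run whatever the user has placed there, confined by `cmds`. The comment above (`# directories, for which we also deny write access.`) should make that scope explicit, e.g. `# the deny only stops tnftp itself from altering these files; user-owned entries remain user-controlled`. The same rule and comment gap recur in the `cmds` sub-profile in the following hunk, and the enclosing profile starts outside this hunk.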
@@ -78,7 +78,7 @@ profile tnftp /usr/bin/tnftp {
 deny network,
 file ixmr @{tnftp_rx}/*,
- deny file w @{tnftp_rx},
+ deny file w @{tnftp_rx}/*,
 # allow read on anything on @{HOME} not explicitly denied
 owner file r @{HOME},
From b496786a187cce9e49b4ba1e4856474ebeb94eea Mon Sep 17 00:00:00 2001
From: Giampaolo Fresi Roglia
Date: Tue, 8 Oct 2024 10:09:23 +0200
Subject: [PATCH 4/5] apparmor.d/tnftp: remove unnecessary includes
---
 profiles/apparmor.d/tnftp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp
index 815548fed..addab038f 100644
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@@ -1,3 +1,4 @@
+
 #------------------------------------------------------------------
 # Copyright (C) 2024 Canonical Ltd.
 #
@@ -22,7 +23,6 @@ profile tnftp /usr/bin/tnftp {
 include
 include
 include
- include
 include
 network inet stream,
@@ -71,7 +71,6 @@ profile tnftp /usr/bin/tnftp {
 include
 include
 include
- include
 include
 # prevent network access
From 06dbaca1c80138c886932d51cfd074d6ed451e51 Mon Sep 17 00:00:00 2001
From: Giampaolo Fresi Roglia
Date: Wed, 6 Nov 2024 11:29:14 +0100
Subject: [PATCH 5/5] apply suggestions from @georgiag
---
 profiles/apparmor.d/tnftp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp
index addab038f..73a938de2 100644
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@@ -64,7 +64,7 @@ profile tnftp /usr/bin/tnftp {
 # here we are restricting execution to files in a limited set of
 # directories, for which we also deny write access.
 file Cx @{tnftp_rx}/* -> cmds,
- deny file w @{tnftp_rx}/*,
+ audit deny file w @{tnftp_rx}/*,
 profile cmds {
 include
@@ -77,7 +77,7 @@ profile tnftp /usr/bin/tnftp {
 deny network,
 file ixmr @{tnftp_rx}/*,
- deny file w @{tnftp_rx}/*,
+ audit deny file w @{tnftp_rx}/*,
 # allow read on anything on @{HOME} not explicitly denied
 owner file r @{HOME},
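Review bot: The `@@ -1,3 +1,4 @@` hunk inserts an empty first line ahead of the `#----` copyright banner, which looks accidental given the commit subject only mentions removing includes; drop the added line so the file still starts with the header. The two include removals cannot be checked here because the include arguments are not rendered on this page.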
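Review bot: The comment above `audit deny file w @{tnftp_rx}/*,` still reads `# directories, for which we also deny write access.` and does not say the denial is now audited, so an operator seeing the resulting DENIED log entries has no pointer to why they are expected; update it to `# directories, for which we also deny (and audit) write access.`. The commit subject `apply suggestions from @georgiag` does not say what changed; a subject naming the audit addition would make the history searchable. The same audit change is made to the `cmds` sub-profile in the following hunk.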