From 29b05546e4248bdf95b62ea356bd98767e3a59b0 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:20:08 +0000 Subject: [PATCH 1/6] Create usr.lib.security-misc.permission-lockdown --- .../usr.lib.security-misc.permission-lockdown | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 etc/apparmor.d/usr.lib.security-misc.permission-lockdown diff --git a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown new file mode 100644 index 0000000..018090e --- /dev/null +++ b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown @@ -0,0 +1,35 @@ +#include + +/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) { + #include + + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + + /bin/bash ix, + /bin/chmod mrix, + /bin/echo mrix, + /bin/mkdir mrix, + /bin/touch mrix, + /usr/bin/basename mrix, + /usr/bin/touch mrix, + /usr/lib/security-misc/permission-lockdown r, + + /home/*/ w, + + /{usr/,}lib{,32,64}/** mr, + + /etc/ld.so.cache r, + owner /etc/locale.alias r, + owner /etc/nsswitch.conf r, + owner /etc/passwd r, + + owner /var/cache/security-misc/state-files/ rw, + owner /var/cache/security-misc/state-files/* rw, + + /dev/tty rw, + + #include +} From 1b8b3610b17ae31bc81c3827cea24bd09822a0e3 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:20:59 +0000 Subject: [PATCH 2/6] Create usr.lib.security-misc.pam_tally2-info --- .../usr.lib.security-misc.pam_tally2-info | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 etc/apparmor.d/usr.lib.security-misc.pam_tally2-info diff --git a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info new file mode 100644 index 0000000..5082af7 --- /dev/null 
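Review bot: The executable rules hard-code either `/bin/…` or `/usr/bin/…` (`/bin/chmod`, `/bin/echo`, `/bin/mkdir`, `/usr/bin/basename`), so on a merged-/usr system where PATH resolves a tool to the other location the exec is denied; the lib rule already uses the `/{usr/,}lib…` alternation, and the duplicated `/bin/touch` / `/usr/bin/touch` pair looks like this has been hit once already. Use the same alternation for the binaries: `/{usr/,}bin/bash ix,` and `/{usr/,}bin/{chmod,echo,mkdir,touch,basename} mrix,`. Note also that the `owner` qualifier on `/etc/passwd`, `/etc/nsswitch.conf` and the state-files rules only matches while the script runs as root, which I assume is the case but cannot see in the hunk; a run as an unprivileged user would have those reads denied. The `#include` targets appear stripped in this rendering, so I cannot confirm that `abstractions/base` is pulled in.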
+++ b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info @@ -0,0 +1,33 @@ +#include + +/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) { + #include + + capability dac_override, + capability dac_read_search, + + /bin/bash ix, + /bin/cat mrix, + /bin/grep mrix, + /usr/bin/cut mrix, + /usr/bin/tail mrix, + /sbin/pam_tally2 mrix, + /usr/lib/security-misc/pam_tally2-info r, + + /etc/ld.so.cache r, + /etc/locale.alias r, + + /{usr/,}lib{,32,64}/** mr, + + owner /etc/nsswitch.conf r, + owner /etc/pam.d/* r, + owner /etc/passwd r, + + owner /usr/share/zoneinfo/** r, + owner /var/log/tallylog rw, + + /dev/tty rw, + owner /dev/pts/[0-9]* rw, + + #include +} From fe4e29d392ed8db5571d69b10ef0f8a24eec1829 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:22:47 +0000 Subject: [PATCH 3/6] Depend on dh-apparmor --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 8b833f0..8989b13 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,7 @@ Source: security-misc Section: misc Priority: optional Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 12), genmkfile, config-package-dev +Build-Depends: debhelper (>= 12), genmkfile, config-package-dev, dh-apparmor Homepage: https://github.com/Whonix/security-misc Vcs-Browser: https://github.com/Whonix/security-misc Vcs-Git: https://github.com/Whonix/security-misc.git From 0699747fcb6d79ba6abeccdba99c3bc032c615c6 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:24:37 +0000 Subject: [PATCH 4/6] Debian packaging --- debian/rules | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/debian/rules b/debian/rules index ae11b19..d95d78e 100755 --- a/debian/rules +++ b/debian/rules 
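Review bot: `owner /var/log/tallylog rw,` grants write access to the failed-login tally to a script whose name suggests it only reports it, and because `/sbin/pam_tally2` runs inherited (`ix`) the same grant also covers a `--reset` invocation under this profile. If pam_tally2 opens the log O_RDWR even for display, keep `rw` and record it, `# pam_tally2 opens tallylog read-write even when only reporting`; otherwise `r` is the least-privilege choice — a complain-mode run with the audit log will settle it. The merged-/usr caveat applies here too (`/sbin/pam_tally2`, `/bin/cat`, `/bin/grep`, `/usr/bin/cut`, `/usr/bin/tail`): prefer `/{usr/,}sbin/pam_tally2 mrix,` and `/{usr/,}bin/{cat,grep,cut,tail} mrix,`. `owner /dev/pts/[0-9]* rw,` only matches when the pty is owned by the uid the script runs as, which this hunk does not let me verify for a login-time invocation.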
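Review bot: `dh-apparmor` is added only as a build dependency; the maintainer-script snippet it generates loads a profile only when AppArmor is available and enabled on the target host, so on a system without the `apparmor` package the two new profiles are shipped but never enforced, with no error. The binary package stanza is outside this hunk, so I cannot see whether `apparmor` is already listed there; if it is not, add `Depends: apparmor` (or `Recommends: apparmor` if a hard dependency is undesirable) so the confinement introduced by this series actually takes effect.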
@@ -10,3 +10,8 @@ override_dh_installchangelogs: dh_installchangelogs changelog.upstream upstream + +override_dh_install: + dh_apparmor --profile-name='usr.lib.security-misc.pam_tally2-info' + dh_apparmor --profile-name='usr.lib.security-misc.permission-lockdown' + dh_install From 5d5ad92638ea0ca079bbf8bb03201e8d5c030b1c Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:26:05 +0000 Subject: [PATCH 5/6] Licensing --- etc/apparmor.d/usr.lib.security-misc.pam_tally2-info | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info index 5082af7..dbf14ac 100644 --- a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +++ b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info @@ -1,3 +1,6 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + #include /usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) { From 0e49bdc45f6c94b3f6c2874fd48a6b1c75519790 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Oct 2019 14:26:14 +0000 Subject: [PATCH 6/6] Licensing --- etc/apparmor.d/usr.lib.security-misc.permission-lockdown | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown index 018090e..c2f4111 100644 --- a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown +++ b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown @@ -1,3 +1,6 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + #include /usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) {
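Review bot: The two `dh_apparmor` calls in `override_dh_install` only emit postinst/prerm snippets; they assume the profile file is installed as `/etc/apparmor.d/<profile-name>` by something else (presumably genmkfile or `dh_install` picking up the source tree's `etc/apparmor.d/`, which this hunk does not show), and the generated snippet loads the profile in enforce mode on first install. If, as the names suggest, the confined scripts run from maintainer scripts or login hooks, a single missing path rule (see the hard-coded `/bin` vs `/usr/bin` paths in the profiles) surfaces as a failed postinst or a broken login rather than a log line; consider shipping the first release with `flags=(attach_disconnected,complain)` or recording a complain-mode test run in the commit. A one-line comment above the override, `# dh_apparmor only generates maintainer-script snippets; the profiles themselves are installed from etc/apparmor.d/`, would spare the next reader the same question.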