Merge pull request #35 from madaidan/apparmor

Apparmor profiles
This commit is contained in:
Patrick Schleizer 2019-10-28 14:30:45 +00:00 committed by GitHub
commit 5a3cbe8100
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 80 additions and 1 deletions

2
debian/control vendored
View File

@ -5,7 +5,7 @@ Source: security-misc
Section: misc Section: misc
Priority: optional Priority: optional
Maintainer: Patrick Schleizer <adrelanos@riseup.net> Maintainer: Patrick Schleizer <adrelanos@riseup.net>
Build-Depends: debhelper (>= 12), genmkfile, config-package-dev Build-Depends: debhelper (>= 12), genmkfile, config-package-dev, dh-apparmor
Homepage: https://github.com/Whonix/security-misc Homepage: https://github.com/Whonix/security-misc
Vcs-Browser: https://github.com/Whonix/security-misc Vcs-Browser: https://github.com/Whonix/security-misc
Vcs-Git: https://github.com/Whonix/security-misc.git Vcs-Git: https://github.com/Whonix/security-misc.git

5
debian/rules vendored
View File

@ -10,3 +10,8 @@
override_dh_installchangelogs: override_dh_installchangelogs:
dh_installchangelogs changelog.upstream upstream dh_installchangelogs changelog.upstream upstream
override_dh_install:
dh_apparmor --profile-name='usr.lib.security-misc.pam_tally2-info'
dh_apparmor --profile-name='usr.lib.security-misc.permission-lockdown'
dh_install

View File

@ -0,0 +1,36 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#include <tunables/global>
/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) {
#include <abstractions/bash>
capability dac_override,
capability dac_read_search,
/bin/bash ix,
/bin/cat mrix,
/bin/grep mrix,
/usr/bin/cut mrix,
/usr/bin/tail mrix,
/sbin/pam_tally2 mrix,
/usr/lib/security-misc/pam_tally2-info r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/{usr/,}lib{,32,64}/** mr,
owner /etc/nsswitch.conf r,
owner /etc/pam.d/* r,
owner /etc/passwd r,
owner /usr/share/zoneinfo/** r,
owner /var/log/tallylog rw,
/dev/tty rw,
owner /dev/pts/[0-9]* rw,
#include <local/usr.lib.security-misc.pam_tally2-info>
}

View File

@ -0,0 +1,38 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#include <tunables/global>
/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) {
#include <abstractions/bash>
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
/bin/bash ix,
/bin/chmod mrix,
/bin/echo mrix,
/bin/mkdir mrix,
/bin/touch mrix,
/usr/bin/basename mrix,
/usr/bin/touch mrix,
/usr/lib/security-misc/permission-lockdown r,
/home/*/ w,
/{usr/,}lib{,32,64}/** mr,
/etc/ld.so.cache r,
owner /etc/locale.alias r,
owner /etc/nsswitch.conf r,
owner /etc/passwd r,
owner /var/cache/security-misc/state-files/ rw,
owner /var/cache/security-misc/state-files/* rw,
/dev/tty rw,
#include <local/usr.lib.security-misc.permission-lockdown>
}