From bfdeaac7ef5c4816759acb0dddc299a58bf27755 Mon Sep 17 00:00:00 2001
From: Guido Günther
Date: Mon, 25 Sep 2017 19:22:15 +0200
Subject: Initial commit
---
profiles/Makefile | 2 +
profiles/apache2.conf | 81 +++++++++++++++++++++
profiles/apache2.d/kopano-webapp | 26 +++++++
profiles/kopano-webapp | 28 ++++++++
profiles/usr.sbin.apache2 | 109 ++++++++++++++++++++++++++++
profiles/usr.sbin.kopano-dagent | 35 +++++++++
profiles/usr.sbin.kopano-search | 50 +++++++++++++
profiles/usr.sbin.kopano-server | 43 +++++++++++
profiles/usr.sbin.mysqld | 152 +++++++++++++++++++++++++++++++++++++++
9 files changed, 526 insertions(+)
create mode 100644 profiles/Makefile
create mode 100644 profiles/apache2.conf
create mode 100644 profiles/apache2.d/kopano-webapp
create mode 100644 profiles/kopano-webapp
create mode 100644 profiles/usr.sbin.apache2
create mode 100644 profiles/usr.sbin.kopano-dagent
create mode 100644 profiles/usr.sbin.kopano-search
create mode 100644 profiles/usr.sbin.kopano-server
create mode 100644 profiles/usr.sbin.mysqld
(limited to 'profiles')
diff --git a/profiles/Makefile b/profiles/Makefile
new file mode 100644
index 0000000..210b72f
--- /dev/null
+++ b/profiles/Makefile
@@ -0,0 +1,2 @@
+all:
+ for p in usr.sbin.kopano-{dagent,server} usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do scp autopkgtest:/etc/apparmor.d/$$p ./$$p; done
diff --git a/profiles/apache2.conf b/profiles/apache2.conf
new file mode 100644
index 0000000..ce0095c
--- /dev/null
+++ b/profiles/apache2.conf
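Review bot: The recipe under `all:` relies on brace expansion in `usr.sbin.kopano-{dagent,server}`, but make runs recipes with /bin/sh, which on Debian/Ubuntu is dash and does not expand braces, so scp is presumably asked for a literal `usr.sbin.kopano-{dagent,server}` and those two profiles are never fetched. A failing scp inside the `for` loop also does not fail the target, since the loop's exit status is that of its last iteration. Spell the names out and stop at the first error: `for p in usr.sbin.kopano-dagent usr.sbin.kopano-server usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do scp "autopkgtest:/etc/apparmor.d/$$p" "./$$p" || exit 1; done`. Since the target copies whatever is live on a test host straight into the tree, a comment such as `# pulls the profiles generated on the autopkgtest host; review the diff before committing` would make the trust boundary explicit.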
@@ -0,0 +1,81 @@ +# example main configuration for kopano-webapp +#vim: set ft=apache ts=4 sw=4 expandtab :# + + + DirectoryIndex index.php + Options -Indexes +FollowSymLinks + AllowOverride Options + + + AAHatName kopano-webapp + + + # Only server Apache2.4 + = 2.3> + Require all granted + + + FileETag All + + # Uncomment to enhance security of WebApp by restricting cookies to + # only be provided over HTTPS connections. + # php_flag session.cookie_secure on + # php_flag session.cookie_httponly on + + # The maximum POST limit. To upload large files, this value must be + # larger than upload_max_filesize. + php_value post_max_size 31M + php_value upload_max_filesize 30M + + # Manipulate the cache control headers if mod_expires and + # mod_headers are both enabled; otherwise the client will depend + # on the ETag header. However, you can set FileETag to "None" if + # you have multiple servers serving WebApp to the same user. In + # that case, apache will fall back to the config below so make + # sure these two modules are loaded! + + + ExpiresActive On + ExpiresDefault "now" + + + # All (static) resources set to 2 months expiration time. + ExpiresDefault "access plus 2 months" + Header append Cache-Control "public" + + + + # All non-dynamic files set to 2 weeks expiration time. + ExpiresDefault "access plus 2 weeks" + # User agents are requested to revalidate for each resource + # so that the server can always serve a newer version if + # necessary. + Header append Cache-Control "no-cache, must-revalidate" + + # Treat IE a little differently due to the remarks on no-cache + # on http://support.microsoft.com/kb/234067 + + BrowserMatch MSIE ie_bug + + Header set Cache-Control "must-revalidate, private" env=ie_bug + + + + # PHP files must always be retrieved from the server. 
+ ExpiresActive Off + Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" + Header set Pragma "no-cache" + + + + + # Enable gzip compression if the module is available + + + SetOutputFilter DEFLATE + + + + + +# vim: autoindent ts=4 sw=4 expandtab softtabstop=4 ft=conf diff --git a/profiles/apache2.d/kopano-webapp b/profiles/apache2.d/kopano-webapp new file mode 100644 index 0000000..17654c5 --- /dev/null +++ b/profiles/apache2.d/kopano-webapp @@ -0,0 +1,26 @@ +# Last Modified: Fri Sep 11 13:27:22 2009 +# Author: Guido Günther + + ^kopano-webapp { + #include + #include + #include + #include + + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/cmdline r, + + /etc/gss/mech.d/ r, + /etc/gss/mech.d/*.conf r, + + /etc/kopano/webapp/config.php r, + + /usr/share/kopano-webapp/** r, + + /var/lib/kopano-webapp/tmp/** rwk, + + /var/log/apache2/ r, + # FIXME: we should use separate logfiles for kopano upfront + /var/log/apache2/error.log rw, + /var/log/apache2/other_vhosts_access.log rw, + } diff --git a/profiles/kopano-webapp b/profiles/kopano-webapp new file mode 100644 index 0000000..28d11bd --- /dev/null +++ b/profiles/kopano-webapp @@ -0,0 +1,28 @@ +# Author: Guido Günther + + ^kopano-webapp { + #include + #include + #include + #include + + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/cmdline r, + + /etc/gss/mech.d/ r, + /etc/gss/mech.d/*.conf r, + + /etc/kopano/webapp/*.php r, + + /usr/share/kopano-webapp/** r, + + /var/lib/kopano-webapp/tmp/** rwk, + + /var/log/apache2/ r, + # FIXME: we should use separate logfiles for kopano upfront + /var/log/apache2/error.log rw, + /var/log/apache2/other_vhosts_access.log rw, + + # Useful when in debugging mode + /usr/share/kopano-webapp/debug.txt rw, + } diff --git a/profiles/usr.sbin.apache2 b/profiles/usr.sbin.apache2 new file mode 100644 index 0000000..dd23f51 --- /dev/null +++ b/profiles/usr.sbin.apache2 
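Review bot: `php_flag session.cookie_secure on` and `php_flag session.cookie_httponly on` are shipped commented out, so a site that copies this example serves the WebApp session cookie without either flag, which is the wrong default for a hardening profile set. `session.cookie_httponly` has no dependency on TLS and can be enabled unconditionally; `cookie_secure` can remain a documented opt-in for plain-HTTP test hosts. I would change the pair to `php_flag session.cookie_httponly on` and `# php_flag session.cookie_secure on  # enable once the vhost is served over HTTPS only`. `AllowOverride Options` on the same directory also lets a writable `.htaccess` in the document root re-enable `Indexes` or add `ExecCGI`; `AllowOverride None` is safer unless the WebApp ships an `.htaccess` that needs it, which this config does not show.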
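Review bot: `/var/log/apache2/error.log rw` and `/var/log/apache2/other_vhosts_access.log rw` grant read access to the host-wide Apache logs to the hat that handles untrusted WebApp requests, so a compromised PHP worker could read every other vhost's error entries; the FIXME above only addresses the lack of per-application log files. Logging needs `w`; unless the audit log showed reads during profiling, change both rules to `w`, and once Kopano gets its own `ErrorLog`/`CustomLog` in the vhost narrow them to `/var/log/apache2/kopano-webapp*.log w,`. `/var/lib/kopano-webapp/tmp/** rwk` is the only writable location, which is good; a comment stating that nothing under `/usr/share/kopano-webapp` may ever be writable from this hat would help keep it that way.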
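Review bot: This file duplicates profiles/apache2.d/kopano-webapp but already diverges from it in two places: it reads `/etc/kopano/webapp/*.php` instead of only `config.php`, and it adds `/usr/share/kopano-webapp/debug.txt rw`, a writable file inside the tree the web server serves. Two copies of the same hat will keep drifting, and a write rule into the served document root is exactly what a hardened web hat should not carry even if DAC makes it a no-op today. Keep a single copy — the apache2.d one is what the Makefile fetches — and move the debug rule into the site-local include or disable it by default: `# /usr/share/kopano-webapp/debug.txt rw,  # enable only while debugging`.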
@@ -0,0 +1,109 @@
+# Author: Marc Deslauriers
+
+#include
+/usr/sbin/apache2 flags=(attach_disconnected) {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 0- Stop apache:
+ # sudo service apache2 stop
+ #
+ # 1- Enable the profile:
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ # sudo a2dismod
+ # sudo a2enmod mpm_prefork
+ # sudo a2enmod apparmor
+ # sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles must include
+ # the "apache2-common" abstraction:
+ #
+ # ^example.com flags=(complain) {
+ # #include
+ # /var/www/html/ r,
+ # /var/www/html/** r,
+ # /var/log/apache2/*.log w,
+ # }
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive:
+ #
+ #
+ # AADefaultHatName example.com
+ #
+ # ...
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following (or similar):
+ # Alias /phpsysinfo /usr/share/phpsysinfo
+ #
+ #
+ # AAHatName phpsysinfo
+ #
+ #
+ # # adjust as necessary:
+ # Options None
+ # Require local
+ # Require ip 192.168.0.0/16
+ #
+ #
+
+ #include
+ #include
+
+ # Send signals to all hats.
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ #include
+ #include
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ #include
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.kopano-dagent b/profiles/usr.sbin.kopano-dagent
new file mode 100644
index 0000000..068919b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-dagent
@@ -0,0 +1,35 @@
+#include
+
+/usr/sbin/kopano-dagent {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gai.conf r,
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+ /etc/kopano/dagent.cfg r,
+
+ /usr/share/kopano-dagent/python/*.py{,c} r,
+
+ /var/lib/kopano/dagent/plugins/ r,
+
+ /etc/mapi/ r,
+ /etc/mapi/* r,
+
+ /run/kopano/dagent.pid rw,
+ /var/log/kopano/dagent.log rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.kopano-search b/profiles/usr.sbin.kopano-search
new file mode 100644
index 0000000..6ee700b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-search
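Review bot: The `^DEFAULT_URI` and `^HANDLING_UNTRUSTED_INPUT` hats carry the same `/ rw,` and `/** mrwlkix,` as the parent profile, so every request that is not routed into a named hat — anything outside the `AAHatName kopano-webapp` directory, plus the request-parsing phase — runs effectively unconfined. The header comment says this is the stock Ubuntu profile and deliberately permissive, but in this repository it is the only barrier between PHP and the filesystem for all non-Kopano URIs. Either set `AADefaultHatName kopano-webapp` on the vhost in apache2.conf so unmatched URIs land in the narrow hat, or narrow `^DEFAULT_URI` here to what a static-only default needs, with a comment stating which of the two is intended. Note also that `ix` in `/** mrwlkix` means any helper the worker executes inherits this full access instead of transitioning to its own profile.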
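Review bot: `/var/lib/kopano/dagent/plugins/ r` grants only the directory listing; nothing beneath it is readable, so any plugin placed there presumably fails to load in enforce mode and only shows up as a denial in complain mode. If plugins are meant to work, add `/var/lib/kopano/dagent/plugins/** r,`; if they are intentionally left out, say so, e.g. `# plugins are not covered on purpose; enable them in local/usr.sbin.kopano-dagent`. The profile also reads `/usr/share/kopano-dagent/python/*.py{,c}` but, unlike usr.sbin.kopano-search, has no matching `deny ... *.pyc w,` rule, so bytecode writes will be logged as denials rather than silenced — `deny /usr/share/kopano-dagent/python/*.pyc w,` would keep the two Python-hosting profiles consistent.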
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep 8 14:49:47 2017
+#include
+
+/usr/sbin/kopano-search {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,
+
+ # FIXME: it would be nice if search would use search- like pa
+ /dev/shm/* rwl,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /lib/x86_64-linux-gnu/ld-*.so mr,
+ /usr/bin/python2.7 ix,
+ /usr/sbin/kopano-search r,
+
+ /etc/kopano/search.cfg r,
+
+ /bin/dash Pix,
+ /bin/rm Pix,
+ /sbin/ldconfig Pix,
+
+ /etc/mapi/ r,
+ /etc/mapi/kopano.inf r,
+ /etc/mapi/zcontacts.inf r,
+
+ /run/kopano/search.pid rw,
+ /run/kopano/search.pid.lock lrw,
+ /run/kopano/search.sock rw,
+ /run/kopano/*.*-* rw,
+
+ /var/lib/kopano/search/** rwlk,
+ /var/log/kopano/search.log rw,
+}
diff --git a/profiles/usr.sbin.kopano-server b/profiles/usr.sbin.kopano-server
new file mode 100644
index 0000000..0f3648c
--- /dev/null
+++ b/profiles/usr.sbin.kopano-server
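Review bot: `/dev/shm/* rwl` has no `owner` qualifier, so kopano-search may read, write and link every POSIX shared-memory object on the host, including segments that belong to other services; the FIXME above asks for a name prefix, but the qualifier is the cheaper fix and works now: `owner /dev/shm/* rwl,`. The `l` permission is unusual for shm objects and is worth confirming against the audit log before it is kept. `/lib/x86_64-linux-gnu/ld-*.so mr` hard-codes the architecture, which makes the profile fail silently on any other Debian arch; provided the leading `#include` is tunables/global, `/lib/@{multiarch}/ld-*.so mr,` covers the same file everywhere. `/bin/dash Pix` falls back to inheriting this profile when no dash profile exists, which is fine here but deserves a short comment saying that is intended.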
@@ -0,0 +1,43 @@
+#include
+
+/usr/sbin/kopano-server {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ /var/lib/kopano/attachments/ r,
+ /var/lib/kopano/attachments/** rw,
+ /var/log/kopano/server.log rw,
+
+ /etc/kopano/userscripts/* Cxr -> kopano_userscripts,
+
+ # There's little we can do if the server is allowed to run
+ # arbitrary scripts
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.mysqld b/profiles/usr.sbin.mysqld
new file mode 100644
index 0000000..862cee0
--- /dev/null
+++ b/profiles/usr.sbin.mysqld
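Review bot: The `kopano_userscripts` child profile grants bare `file,` and `network,`, i.e. effectively unrestricted filesystem access (read, write and execute) plus unrestricted networking, so the `Cxr` transition contains nothing and only adds a second profile to maintain; the comment admits as much but does not say what the transition is for. If the intent is just to keep admin-installed scripts from inheriting the server's capabilities (the child declares none), state that: `# userscripts are admin-installed and run effectively unconfined; the transition only strips the server's capabilities`. If some containment is wanted, a cheap start inside the child is `deny /etc/kopano/** w,` and `deny /var/lib/kopano/attachments/** w,` so a script cannot rewrite the server's own configuration or attachment store. `/usr/lib/x86_64-linux-gnu/kopano/*.so m` should also use `@{multiarch}` so the rule holds on other architectures.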
@@ -0,0 +1,152 @@ +# Last Modified: Fri Mar 1 18:55:47 2013 +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. + +#include + +/usr/sbin/mysqld { + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability setgid, + capability setuid, + capability sys_rawio, + capability sys_resource, + + network tcp, + + /bin/dash rcx, + /dev/dm-0 r, + /etc/gai.conf r, + /etc/group r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ld.so.cache r, + /etc/mtab r, + /etc/my.cnf r, + /etc/mysql/*.cnf r, + /etc/mysql/*.pem r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /etc/mysql/mariadb.conf.d/ r, + /etc/mysql/mariadb.conf.d/* r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/services r, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + /sys/devices/system/cpu/ r, + owner /tmp/** lk, + /tmp/** rw, + /usr/lib/mysql/plugin/ r, + /usr/lib/mysql/plugin/*.so* mr, + /usr/sbin/mysqld mr, + /usr/share/mysql/** r, + /var/lib/mysql/ r, + /var/lib/mysql/** rwk, + /var/log/mysql.err rw, + /var/log/mysql.log rw, + /var/log/mysql/ r, + /var/log/mysql/* rw, + /var/run/mysqld/mysqld.pid w, + /var/run/mysqld/mysqld.sock w, + + + profile /bin/dash { + #include + #include + #include + #include + #include + + + + /bin/cat rix, + /bin/dash rix, + /bin/date rix, + /bin/grep rix, + /bin/nc.openbsd rix, + /bin/netstat rix, + /bin/ps rix, + /bin/rm rix, + /bin/sed rix, + /bin/sleep rix, + /bin/tar rix, + /bin/which rix, + /dev/tty rw, + /etc/ld.so.cache r, + /etc/my.cnf r, + /proc/ r, + /proc/*/cmdline r, + /proc/*/fd/ r, + /proc/*/net/dev r, + /proc/*/net/if_inet6 r, + /proc/*/net/tcp r, + /proc/*/net/tcp6 r, + /proc/*/stat r, + /proc/*/status r, + /proc/sys/kernel/pid_max r, + /proc/tty/drivers r, + /proc/uptime r, + /proc/version r, + /sbin/ifconfig rix, + /sys/devices/system/cpu/ r, + /tmp/** rw, + 
/usr/bin/cut rix, + /usr/bin/dirname rix, + /usr/bin/gawk rix, + /usr/bin/innobackupex rix, + /usr/bin/mysql rix, + /usr/bin/perl rix, + /usr/bin/seq rix, + /usr/bin/wsrep_sst* rix, + /usr/bin/wsrep_sst_common r, + /usr/bin/xtrabackup* rix, + /var/lib/mysql/ r, + /var/lib/mysql/** rw, + /var/lib/mysql/*.log w, + /var/lib/mysql/*.err w, + +# MariaDB additions + ptrace peer=@{profile_name}, + + /bin/hostname rix, + /bin/ip rix, + /bin/mktemp rix, + /bin/ss rix, + /bin/sync rix, + /bin/touch rix, + /bin/uname rix, + /etc/mysql/*.cnf r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /proc/*/attr/current r, + /proc/*/fdinfo/* r, + /proc/*/net/* r, + /proc/locks r, + /proc/sys/net/ipv4/ip_local_port_range r, + /run/mysqld/mysqld.sock rw, + /sbin/ip rix, + /usr/bin/basename rix, + /usr/bin/du rix, + /usr/bin/find rix, + /usr/bin/lsof rix, + /usr/bin/my_print_defaults rix, + /usr/bin/mysqldump rix, + /usr/bin/pv rix, + /usr/bin/rsync rix, + /usr/bin/socat rix, + /usr/bin/tail rix, + /usr/bin/timeout rix, + /usr/bin/xargs rix, + /usr/bin/xbstream rix, + } + # Site-specific additions and overrides. See local/README for details. + #include +} -- cgit v1.2.3
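Review bot: `/tmp/** rw` is unqualified while the adjacent `owner /tmp/** lk` is restricted to the process's own files, so mysqld can read and overwrite any user's files in /tmp even though linking and locking were already narrowed; make the pair consistent with `owner /tmp/** rwlk,` and apply the same to the `/tmp/** rw` inside the `/bin/dash` child. `capability sys_rawio` together with `/dev/dm-0 r` gives the database raw read access to a block device, nothing else in the profile explains why, and both read like leftovers from the Percona XtraDB Cluster profile the header says this was copied from — as does the entire `/bin/dash` child with `socat`, `nc.openbsd`, `rsync`, `perl` and the `wsrep_sst*`/`xtrabackup*` tools. For a single-node Kopano database that child is the largest attack surface in the set, since a compromised mysqld gets a shell with network tooling, so unless Galera SST is actually used here drop `/bin/dash rcx` and the child, or move them behind the site-local include with a comment saying when they are needed.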