Merge socat: add profile
Add AA profile for `socat`. This profile has been tested on the latest oracular socat version `1.8.0.0-4build3` and the latest upstream version `1.8.0.1`. I raised the PR and this profile has already been merged on the `roddhjav/apparmor.d` repo, [here](https://github.com/roddhjav/apparmor.d/pull/454). For now, I have added this profile in "extra", but let me know if you think otherwise, any feedback is welcome. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1319 Approved-by: Ryan Lee <rlee287@yahoo.com> Merged-by: John Johansen <john@jjmx.net>
55
profiles/apparmor/profiles/extras/socat
Normal file
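--- /dev/null
+++ b/profiles/apparmor/profiles/extras/socat
@@ -0,0 +1,55 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# Author: Nishit Majithia (0xnishit)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile socat /usr/bin/socat {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include <abstractions/ssl_certs>
+include <abstractions/consoles>
+
+capability dac_read_search,
+capability dac_override,
+capability net_raw,
+capability net_admin,
+capability sys_module,
+capability sys_admin,
+capability fsetid,
+capability chown,
+capability net_bind_service,
+capability sys_resource,
+
+# Allow creation of network sockets and `socat` uses dccp for some
+# fuctionalities that is why it is necessary to allow whole `network`
+network,
+
+# Allow executable mapping and read for the binary
+file mr /usr/bin/socat,
+
+# Enable /dev/ptmx access for testsuite
+# file rw /dev/ptmx,
+
+# TUN/TAP device
+file rw /dev/net/tun,
+
+# Process-specific access
+file rw @{PROC}/@{pid}/fdinfo/[0-9]*,
+file r @{PROC}/@{pid}/stat,
+
+# For bi-directional communication between vms and host/hypervisor
+file r /dev/vsock,
+
+# Site-specific additions and overrides. See local/README for details.
+include if exists <local/socat>
+}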
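Review bot: The capability block (`capability dac_read_search,` through `capability sys_resource,`) grants socat a near-root set, including `sys_module` and `sys_admin`, with no per-line justification, which makes the profile hard to audit and undercuts the confinement it is meant to provide. Each capability line should carry a why-comment naming the socat feature that exercised it during testing, e.g. `capability net_bind_service,  # listen on privileged ports`, and any capability needed only by the testsuite or a rarely used address type belongs in a commented-out line or `local/socat`, as the `/dev/ptmx` rule already demonstrates. The rule `file rw @{PROC}/@{pid}/fdinfo/[0-9]*,` asks for write access to fdinfo entries, which are read-only in procfs as far as I know, so `file r @{PROC}/@{pid}/fdinfo/[0-9]*,` should suffice. The comment above `network,` has a typo, `fuctionalities` → `functionalities`.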