From e892093c06ba8157d1536b5c4eb30915b5c655cf Mon Sep 17 00:00:00 2001
From: bruce-canonical
Date: Mon, 12 May 2025 14:27:27 +0000
Subject: [PATCH] ProFTPD Profile

---
 .image-garden.mk | 1 +
 profiles/apparmor.d/proftpd | 58 +++++++++++++++++++
 tests/profiles/proftpd/task.yaml | 94 +++++++++++++++++++++++++++++++
 tests/profiles/proftpd/upload.txt | 1 +
 4 files changed, 154 insertions(+)
 create mode 100644 profiles/apparmor.d/proftpd
 create mode 100644 tests/profiles/proftpd/task.yaml
 create mode 100644 tests/profiles/proftpd/upload.txt

diff --git a/.image-garden.mk b/.image-garden.mk
index 69d5e9083..e00f7de37 100644
--- a/.image-garden.mk
+++ b/.image-garden.mk
@@ -32,6 +32,7 @@ packages:
 - libtool
 - liburing-dev
 - pkg-config
+- proftpd-core
 - python3-all-dev
 - python3-gi
 - python3-notify2
diff --git a/profiles/apparmor.d/proftpd b/profiles/apparmor.d/proftpd
new file mode 100644
index 000000000..0229cf833
--- /dev/null
+++ b/profiles/apparmor.d/proftpd
@@ -0,0 +1,58 @@
+abi ,
+
+include
+
+profile proftpd /usr/sbin/proftpd {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+ # Required for logging user login attempts
+ capability audit_write,
+ # Required for chrooting ftp users when accessing files (Used by DefaultRoot in proftpd.conf)
+ capability sys_chroot,
+
+ mqueue getattr type=posix /,
+ mqueue read type=posix /,
+
+
+ # Configuration files
+ /etc/ftpusers r,
+ /etc/shells r,
+ owner /etc/security/capability.conf r,
+
+ # User/Group Records
+ /run/systemd/userdb/ r,
+ /run/systemd/userdb/io.systemd.DynamicUser rw,
+
+ # ProFTPD logs
+ /var/log/proftpd/** rw,
+ owner /etc/proftpd/** rw,
+
+ # Process info
+ owner /run/proftpd.delay rwk,
+ owner /run/proftpd.pid rwk,
+ owner /run/proftpd.scoreboard rwk,
+ owner /run/proftpd.scoreboard.lck rwk,
+ owner /run/proftpd/* rw,
+ owner /run/test.sock w,
+ owner /var/log/xferlog w,
+
+ # Need to be able to write to where FTP is configured
+ owner @{HOME}/** rw,
+ @{HOME} rw,
+ /srv/ftp/** rw,
+ /srv/www/** rw,
+ /var/ftp/** rw,
+ /var/www/** rw,
+
+ # For running in confined environments
+ /usr/sbin/proftpd mr,
+
+ include if exists
+}
diff --git a/tests/profiles/proftpd/task.yaml b/tests/profiles/proftpd/task.yaml
new file mode 100644
index 000000000..358be31ea
--- /dev/null
+++ b/tests/profiles/proftpd/task.yaml
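Review bot: The four share-root rules `/srv/ftp/** rw,`, `/srv/www/** rw,`, `/var/ftp/** rw,` and `/var/www/** rw,` are granted without `owner`, unlike the `@{HOME}` rules directly above them, so the confined daemon may rewrite any file under the web and ftp roots regardless of who owns it; if the intent is only to let a logged-in user change their own files, `owner /srv/www/** rw,` (and the same for the other three) keeps this consistent with the home-directory rules, and otherwise the comment `# Need to be able to write to where FTP is configured` should say why ownership-independent write to web roots is required. `owner /run/test.sock w,` reads like a path from the test environment rather than a ProFTPD default and is worth confirming before it ships in the profile. `owner /etc/proftpd/** rw,` also lets the daemon rewrite its own configuration (including the `DefaultRoot` setting the `sys_chroot` comment relies on); if the config is only read at runtime, `r` would be the tighter grant. Note that this rendering has dropped the targets of the `abi` and `include` lines, so which abstractions are pulled in — and whether they supply the network rules a listening daemon needs under this abi — cannot be checked from the page.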
@@ -0,0 +1,94 @@
+summary: smoke test for the ProFTPD profile
+execute: |
+ # restart ProFTPD service as it may already be running
+ systemctl restart proftpd
+
+ # wait for it to be running
+ sleep 1
+
+ # check is running
+ systemctl is-active proftpd
+
+ # check proftpd system service is confined
+ cat /proc/$(pidof proftpd)/attr/apparmor/current | MATCH 'proftpd \(enforce\)'
+
+ # Create user ftpuser
+ getent passwd ftpuser || useradd -m -d /home/ftpuser ftpuser
+
+ # Set password to "password"
+ echo "ftpuser:password" | chpasswd
+
+ # Make user directory accessible
+ chmod 755 /home/ftpuser
+
+ # Create test file to retrieve via FTP
+ echo "This is a test file" > /home/ftpuser/test.txt
+
+ # Create file in directory
+ mkdir -p /home/ftpuser/test-dir
+ echo "This is a file in a directory" > /home/ftpuser/test-dir/nested-file.txt
+
+ # Download file from FTP server
+ ftp -n 127.0.0.1 <