Merge ProFTPD Profile

Creates an AA profile for ProFTPD. The profile has been tested on Oracular with version `1.3.8.b+dfsg-2ubuntu1`, using the source integration/unit tests and via FTP commands. As an FTP package any directory can be used for manipulating files. I've included read/write permissions to several usual locations located at the end of the profile. However these are too loose, any suggestions for how they could be tightened is much appreciated. Thanks! MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1524 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-05-12 14:27:28 +00:00 · 2025-05-12 14:27:28 +00:00 · 672bfcb72b
commit 672bfcb72b
parent 16fd1dab67 e892093c06
4 changed files with 154 additions and 0 deletions
--- a/.image-garden.mk
+++ b/.image-garden.mk
@ -32,6 +32,7 @@ packages:
 - libtool
 - liburing-dev
 - pkg-config
+- proftpd-core
 - python3-all-dev
 - python3-gi
 - python3-notify2
--- a/profiles/apparmor.d/proftpd
+++ b/profiles/apparmor.d/proftpd
@ -0,0 +1,58 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile proftpd /usr/sbin/proftpd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/user-tmp>
+  include <abstractions/wutmp>
+  include <abstractions/authentication>
+  include <abstractions/private-files-strict>
+
+  capability setgid,
+  capability setuid,
+  # Required for logging user login attempts
+  capability audit_write,
+  # Required for chrooting ftp users when accessing files (Used by DefaultRoot in proftpd.conf)
+  capability sys_chroot,
+
+  mqueue getattr type=posix /,
+  mqueue read type=posix /,
+
+
+  # Configuration files
+  /etc/ftpusers r,
+  /etc/shells r,
+  owner /etc/security/capability.conf r,
+
+  # User/Group Records
+  /run/systemd/userdb/ r,
+  /run/systemd/userdb/io.systemd.DynamicUser rw,
+
+  # ProFTPD logs
+  /var/log/proftpd/** rw,
+  owner /etc/proftpd/** rw,
+
+  # Process info
+  owner /run/proftpd.delay rwk,
+  owner /run/proftpd.pid rwk,
+  owner /run/proftpd.scoreboard rwk,
+  owner /run/proftpd.scoreboard.lck rwk,
+  owner /run/proftpd/* rw,
+  owner /run/test.sock w,
+  owner /var/log/xferlog w,
+
+  # Need to be able to write to where FTP is configured
+  owner @{HOME}/** rw,
+  @{HOME} rw,
+  /srv/ftp/** rw,
+  /srv/www/** rw,
+  /var/ftp/** rw,
+  /var/www/** rw,
+
+  # For running in confined environments
+  /usr/sbin/proftpd mr,
+
+  include if exists <local/proftpd>
+}
--- a/tests/profiles/proftpd/task.yaml
+++ b/tests/profiles/proftpd/task.yaml
@ -0,0 +1,94 @@
+summary: smoke test for the ProFTPD profile
+execute: |
+    # restart ProFTPD service as it may already be running
+    systemctl restart proftpd
+
+    # wait for it to be running
+    sleep 1
+
+    # check is running
+    systemctl is-active proftpd
+
+    # check proftpd system service is confined
+    cat /proc/$(pidof proftpd)/attr/apparmor/current | MATCH 'proftpd \(enforce\)'
+
+    # Create user ftpuser
+    getent passwd ftpuser || useradd -m -d /home/ftpuser ftpuser
+
+    # Set password to "password"
+    echo "ftpuser:password" | chpasswd
+
+    # Make user directory accessible
+    chmod 755 /home/ftpuser
+
+    # Create test file to retrieve via FTP
+    echo "This is a test file" > /home/ftpuser/test.txt
+
+    # Create file in directory
+    mkdir -p /home/ftpuser/test-dir
+    echo "This is a file in a directory" > /home/ftpuser/test-dir/nested-file.txt
+
+    # Download file from FTP server
+    ftp -n 127.0.0.1 <<EOF
+    quote USER ftpuser 
+    quote PASS password
+
+    get test.txt
+
+    quit
+    EOF
+
+    # Check file was downloaded
+    if [ -e test.txt ]
+    then
+        ls -l
+        echo "File downloaded successfully"
+    else
+        echo "Failed to download file"
+        exit 1
+    fi
+
+    # Test upload to FTP server
+    ftp -n 127.0.0.1 <<EOF
+    quote USER ftpuser 
+    quote PASS password
+
+    put upload.txt
+    ls
+
+    quit
+    EOF
+
+    # Check file was uploaded
+    if [ -e /home/ftpuser/upload.txt ]
+    then
+        ls -l /home/ftpuser/
+        echo "File uploaded successfully"
+    else
+        echo "Failed to upload file"
+        exit 1
+    fi
+   
+    # Download file from directory from FTP server
+    ftp -n 127.0.0.1 <<EOF
+    quote USER ftpuser 
+    quote PASS password
+
+    cd test-dir
+    pwd
+    ls
+    get nested-file.txt
+
+    quit
+    EOF
+
+    # Check file was downloaded
+    if [ -e nested-file.txt ]
+    then
+        ls -l
+        echo "File downloaded successfully"
+    else
+        echo "Failed to download file"
+        exit 1
+    fi
+
--- a/tests/profiles/proftpd/upload.txt
+++ b/tests/profiles/proftpd/upload.txt
@ -0,0 +1 @@
+This is a test file for testing uploading to a ProFTPd server.
				`@ -0,0 +1 @@`
				`This is a test file for testing uploading to a ProFTPd server.`