From 1486e04cdf0a2968f848fa69c864f4c9a74c4a90 Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Thu, 12 Sep 2024 15:10:02 -0300
Subject: [PATCH 1/6] Add netcat-openbsd profile
---
 profiles/apparmor.d/usr.bin.nc.openbsd | 28 ++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 profiles/apparmor.d/usr.bin.nc.openbsd
diff --git a/profiles/apparmor.d/usr.bin.nc.openbsd b/profiles/apparmor.d/usr.bin.nc.openbsd
new file mode 100644
index 000000000..c4d02152f
--- /dev/null
+++ b/profiles/apparmor.d/usr.bin.nc.openbsd
@@ -0,0 +1,28 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+profile nc.openbsd /usr/bin/nc.openbsd {
+ include
+ include
+
+ file r @{etc_ro}/host.conf,
+ file r @{etc_ro}/hosts,
+ file r @{etc_ro}/nsswitch.conf,
+
+ file r @{run}/systemd/resolve/stub-resolv.conf,
+
+ /usr/bin/nc.openbsd mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
From a6ae543ae2e384bbf7ace466ef6a1c5db694dea8 Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Thu, 12 Sep 2024 15:30:06 -0300
Subject: [PATCH 2/6] fix local import
---
 profiles/apparmor.d/usr.bin.nc.openbsd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.bin.nc.openbsd b/profiles/apparmor.d/usr.bin.nc.openbsd
index c4d02152f..b744c2619 100644
--- a/profiles/apparmor.d/usr.bin.nc.openbsd
+++ b/profiles/apparmor.d/usr.bin.nc.openbsd
@@ -24,5 +24,5 @@ profile nc.openbsd /usr/bin/nc.openbsd {
 /usr/bin/nc.openbsd mr,
 
 # Site-specific additions and overrides. See local/README for details.
- include if exists
+ include if exists
 }
From f962bf65a924155b9f4b4a080402165bdc63d4d4 Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Fri, 13 Sep 2024 10:55:42 -0300
Subject: [PATCH 3/6] Fallback to DAC for files permissions to allow unix socket usage
---
 profiles/apparmor.d/usr.bin.nc.openbsd | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/profiles/apparmor.d/usr.bin.nc.openbsd b/profiles/apparmor.d/usr.bin.nc.openbsd
index b744c2619..3cc2098d4 100644
--- a/profiles/apparmor.d/usr.bin.nc.openbsd
+++ b/profiles/apparmor.d/usr.bin.nc.openbsd
@@ -15,11 +15,7 @@ profile nc.openbsd /usr/bin/nc.openbsd {
 include
 include
 
- file r @{etc_ro}/host.conf,
- file r @{etc_ro}/hosts,
- file r @{etc_ro}/nsswitch.conf,
-
- file r @{run}/systemd/resolve/stub-resolv.conf,
+ file rw /**,
 
 /usr/bin/nc.openbsd mr,
 
From 0a6f7456214394a72f83ff051fbb0c9ec3558740 Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Fri, 13 Sep 2024 10:56:22 -0300
Subject: [PATCH 4/6] Rename profile filename
---
 profiles/apparmor.d/{usr.bin.nc.openbsd => nc.openbsd} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename profiles/apparmor.d/{usr.bin.nc.openbsd => nc.openbsd} (93%)
diff --git a/profiles/apparmor.d/usr.bin.nc.openbsd b/profiles/apparmor.d/nc.openbsd
similarity index 93%
rename from profiles/apparmor.d/usr.bin.nc.openbsd
rename to profiles/apparmor.d/nc.openbsd
index 3cc2098d4..fe34eadc0 100644
--- a/profiles/apparmor.d/usr.bin.nc.openbsd
+++ b/profiles/apparmor.d/nc.openbsd
@@ -20,5 +20,5 @@ profile nc.openbsd /usr/bin/nc.openbsd {
 /usr/bin/nc.openbsd mr,
 
 # Site-specific additions and overrides. See local/README for details.
- include if exists
+ include if exists
 }
From 08070fd2bb3c43ce3e951af0d85ab6b887cc83cf Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Wed, 18 Sep 2024 10:59:05 -0300
Subject: [PATCH 5/6] Allow network access
---
 profiles/apparmor.d/nc.openbsd | 3 +++
 1 file changed, 3 insertions(+)
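Review bot: `file rw /**,` in the PATCH 3/6 hunk effectively switches file mediation off for this profile: nc gains read and write to every path DAC permits, which is far wider than the unix-socket paths the commit message is about, and the explicit list of files nc legitimately reads (the resolver configuration removed just above it) is lost as documentation of intent. If the only requirement is that `-U` can bind or connect a socket at a user-chosen path, consider keeping the resolver reads and at least qualifying the broad rule with `owner`, e.g. `owner /** rw,`, so a confined nc cannot write to files owned by other users, and record the reason in a comment such as `# -U may bind/connect a unix socket at any path chosen by the user; broad rw is deliberate`. The profile body continues outside the hunk.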
diff --git a/profiles/apparmor.d/nc.openbsd b/profiles/apparmor.d/nc.openbsd
index fe34eadc0..61a41d6e9 100644
--- a/profiles/apparmor.d/nc.openbsd
+++ b/profiles/apparmor.d/nc.openbsd
@@ -17,6 +17,9 @@ profile nc.openbsd /usr/bin/nc.openbsd {
 
 file rw /**,
 
+ # we need to enable all networking in order to allow DCCP (this also allows unix sockets)
+ network,
+
 /usr/bin/nc.openbsd mr,
 
 # Site-specific additions and overrides. See local/README for details.
From ab633ea82fae0ff2b9f30c0cc478e7077d331f5f Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Thu, 23 Jan 2025 14:27:20 -0300
Subject: [PATCH 6/6] spread smoke-test for nc.openbsd
---
 tests/profiles/nc.openbsd/task.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 tests/profiles/nc.openbsd/task.yaml
diff --git a/tests/profiles/nc.openbsd/task.yaml b/tests/profiles/nc.openbsd/task.yaml
new file mode 100644
index 000000000..80e10e5b9
--- /dev/null
+++ b/tests/profiles/nc.openbsd/task.yaml
@@ -0,0 +1,12 @@
+summary: smoke test for the nc.openbsd profile
+execute: |
+ # IPv4, IPv6
+ nc -4 -l 4321 & (echo "hi" | nc -4 -q 0 127.0.0.1 4321)
+ nc -6 -l 4321 & (echo "hi" | nc -6 -q 0 ::1 4321)
+
+ # UNIX sockets
+ nc -l -U /tmp/socket & (echo "hi" | nc -q 0 -U /tmp/socket)
+ nc -l -U '@tmpsocket' & (echo "hi" | nc -q 0 -U '@tmpsocket')
+
+ # The profile is attached based on the program path.
+ "$SPREAD_PATH"/tests/bin/actual-profile-of nc.openbsd | MATCH 'nc.openbsd \(enforce\)'
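Review bot: The bare `network,` rule added in the PATCH 5/6 hunk grants every address family, socket type and protocol, not only the IPv4/IPv6 stream and datagram sockets plus unix sockets that nc's `-4`/`-6`/`-U` options use, so netlink and other families become allowed as a side effect of the DCCP requirement named in the comment. The families nc actually needs can be enumerated, with unix sockets handled by a `unix` rule, so that the remaining breadth is visible and deliberate; if the DCCP case genuinely cannot be expressed more narrowly on the target parser, that limitation belongs in the comment rather than being implied by "enable all networking". I have not verified which DCCP rule form the target parser accepts, so the enumerated form below should be tested against the DCCP use case before replacing the broad rule. The profile body continues outside the hunk.
```apparmor
  # nc uses TCP/UDP over IPv4 and IPv6 (-4/-6) and unix sockets (-U).
  # TODO(review): confirm whether DCCP can be expressed narrowly; if not,
  # keep a single `network,` rule and say so here.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  unix,
  # … unchanged: /usr/bin/nc.openbsd mr, and the local include …
```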
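Review bot: In the PATCH 6/6 hunk each listener is started with `&` and the client is launched in the same statement, so the connect races the bind; on a loaded runner the client can get a refused connection and the test fails with no profile problem, and a real AppArmor denial is then indistinguishable from the race. The backgrounded listeners are also never waited for or cleaned up, and `/tmp/socket` is left on disk, so a rerun on the same machine fails at the second `nc -l -U /tmp/socket` bind. Consider giving each listener a moment to come up before connecting (for example polling with `nc -z` or a short `sleep` after the `&`), adding a `restore:` section that removes `/tmp/socket` and kills leftover `nc` listeners, and asserting on the received payload rather than only on the client's exit status, e.g. `nc -4 -l 4321 > out & sleep 1; echo hi | nc -4 -q 0 127.0.0.1 4321; wait; MATCH hi < out`.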