mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00

ProFTPD Profile

bruce-canonical 2025-05-12 14:27:27 +00:00 committed by Maxime Bélair
parent b7ce9b81fa
commit e892093c06
4 changed files with 154 additions and 0 deletions


@ -32,6 +32,7 @@ packages:
- libtool
- liburing-dev
- pkg-config
- proftpd-core
- python3-all-dev
- python3-gi
- python3-notify2


@ -0,0 +1,58 @@
abi <abi/4.0>,
include <tunables/global>
profile proftpd /usr/sbin/proftpd {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/user-tmp>
include <abstractions/wutmp>
include <abstractions/authentication>
include <abstractions/private-files-strict>
capability setgid,
capability setuid,
# Required for logging user login attempts
capability audit_write,
# Required for chrooting ftp users when accessing files (Used by DefaultRoot in proftpd.conf)
capability sys_chroot,
mqueue getattr type=posix /,
mqueue read type=posix /,
# Configuration files
/etc/ftpusers r,
/etc/shells r,
owner /etc/security/capability.conf r,
# User/Group Records
/run/systemd/userdb/ r,
/run/systemd/userdb/io.systemd.DynamicUser rw,
# ProFTPD logs
/var/log/proftpd/** rw,
owner /etc/proftpd/** rw,
# Process info
owner /run/proftpd.delay rwk,
owner /run/proftpd.pid rwk,
owner /run/proftpd.scoreboard rwk,
owner /run/proftpd.scoreboard.lck rwk,
owner /run/proftpd/* rw,
owner /run/test.sock w,
owner /var/log/xferlog w,
# Need to be able to write to where FTP is configured
owner @{HOME}/** rw,
@{HOME} rw,
/srv/ftp/** rw,
/srv/www/** rw,
/var/ftp/** rw,
/var/www/** rw,
# For running in confined environments
/usr/sbin/proftpd mr,
include if exists <local/proftpd>
}
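Review bot: `owner /etc/proftpd/** rw,` gives the confined daemon write access to its own configuration tree, and it sits under the `# ProFTPD logs` comment, so the reason for the rule is not documented. If the server only reads its configuration, `/etc/proftpd/** r,` is the narrower rule; a server process that can rewrite the files it loads at the next start undoes much of what the profile is meant to contain. The `owner` qualifier probably restricts little here, since the daemon presumably starts as root and these files are normally root-owned. `owner /run/test.sock w,` also reads like a leftover from local testing and should either be dropped or get a comment naming what creates that socket.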


@ -0,0 +1,94 @@
summary: smoke test for the ProFTPD profile
execute: |
# restart ProFTPD service as it may already be running
systemctl restart proftpd
# wait for it to be running
sleep 1
# check is running
systemctl is-active proftpd
# check proftpd system service is confined
cat /proc/$(pidof proftpd)/attr/apparmor/current | MATCH 'proftpd \(enforce\)'
# Create user ftpuser
getent passwd ftpuser || useradd -m -d /home/ftpuser ftpuser
# Set password to "password"
echo "ftpuser:password" | chpasswd
# Make user directory accessible
chmod 755 /home/ftpuser
# Create test file to retrieve via FTP
echo "This is a test file" > /home/ftpuser/test.txt
# Create file in directory
mkdir -p /home/ftpuser/test-dir
echo "This is a file in a directory" > /home/ftpuser/test-dir/nested-file.txt
# Download file from FTP server
ftp -n 127.0.0.1 <<EOF
quote USER ftpuser
quote PASS password
get test.txt
quit
EOF
# Check file was downloaded
if [ -e test.txt ]
then
ls -l
echo "File downloaded successfully"
else
echo "Failed to download file"
exit 1
fi
# Test upload to FTP server
ftp -n 127.0.0.1 <<EOF
quote USER ftpuser
quote PASS password
put upload.txt
ls
quit
EOF
# Check file was uploaded
if [ -e /home/ftpuser/upload.txt ]
then
ls -l /home/ftpuser/
echo "File uploaded successfully"
else
echo "Failed to upload file"
exit 1
fi
# Download file from directory from FTP server
ftp -n 127.0.0.1 <<EOF
quote USER ftpuser
quote PASS password
cd test-dir
pwd
ls
get nested-file.txt
quit
EOF
# Check file was downloaded
if [ -e nested-file.txt ]
then
ls -l
echo "File downloaded successfully"
else
echo "Failed to download file"
exit 1
fi
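Review bot: Nothing in this task removes the `ftpuser` account it creates with the fixed password `password`, the home directory opened with `chmod 755`, or the files it downloads, so all of them outlive the test on a host that is reused. A `restore: |` section running `userdel -r ftpuser` (only when the task created the account, since `getent passwd ftpuser ||` accepts an existing one) and `rm -f test.txt nested-file.txt` would close that. The leftover downloads also weaken the check itself: `[ -e test.txt ]` and `[ -e nested-file.txt ]` pass on a stale copy from an earlier run, so removing both files before each `get` keeps the result tied to the transfer that just ran.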


@ -0,0 +1 @@
This is a test file for testing uploading to a ProFTPd server.