Merge profiles: add frr related profiles

Add several profiles for daemons included in the frr package. It have been tested following upstream testing guide https://docs.frrouting.org/projects/dev-guide/en/latest/testing.html

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1380
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

profiles/apparmor.d/abstractions/frr

@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/4.0>,
+
+  include <abstractions/nameservice-strict>
+
+  # Common capabilities
+  network,
+  capability net_bind_service,
+  capability chown,
+  capability setgid,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+
+  / r,
+  @{run}/frr/ r,
+  @{run}/frr/zserv.api rw,
+  @{run}/frr/@{profile_name}.pid rwk,
+  @{run}/frr/@{profile_name}.vty rw,
+
+  # YANG modules
+  /usr/share/yang/ r, 
+  /usr/share/yang/modules/ r,
+  /usr/share/yang/modules/libyang/ r,
+  /usr/share/yang/modules/libyang/** r,
+
+  # MGMT Backend Server https://docs.frrouting.org/en/latest/mgmtd.html#mgmtd-backend-interface
+  @{run}/frr/mgmtd_be.sock rw,
+
+  # Daemon config https://docs.frrouting.org/en/latest/basic.html
+  /etc/frr/ r, 
+  /etc/frr/@{profile_name}.conf rw,
+  /etc/frr/frr.conf rw,
+
+  # Log file https://docs.frrouting.org/en/latest/basic.html
+  /var/log/frr/ w,
+  /var/log/frr/* w,
+
+  # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs
+  /var/tmp/frr/ w,
+  owner /var/tmp/frr/@{profile_name}.@{pid}/ w,
+  owner /var/tmp/frr/@{profile_name}.@{pid}/crashlog w,
+  owner /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw,
+
+  include if exists <abstractions/frr.d>

profiles/apparmor.d/abstractions/frr-snmp

@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/4.0>,
+
+  include <abstractions/openssl>
+
+  /etc/snmp/frr.conf r,
+  /etc/snmp/snmp.conf r,
+  /usr/share/snmp/mibs/{,*} r,
+  /var/lib/mibs/iana/{,*} r,
+  /var/lib/mibs/ietf/{,*} r,
+  /etc/host.conf r,
+  /etc/hosts r,
+  /etc/frr/agentx rw,
+
+  include if exists <abstractions/frr-snmp.d>

profiles/apparmor.d/babeld

@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  @{run}/frr/babel-state w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/babeld>
+}

profiles/apparmor.d/bfdd

@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  capability net_raw,
+  capability sys_admin,
+
+  @{run}/netns/* r,
+
+  @{run}/frr/bfdd.sock w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bfdd>
+}

profiles/apparmor.d/bgpd

@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  capability net_raw,
+  capability sys_admin,
+
+  @{run}/netns/* r,
+
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bgpd>
+}

profiles/apparmor.d/eigrpd

@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  capability net_raw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/eigrpd>
+}

profiles/apparmor.d/fabricd

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/fabricd>
+}

profiles/apparmor.d/isisd

@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  capability net_raw,
+
+  /var/lib/frr/ r, 
+  /var/lib/frr/isisd.json{,.sav} rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/isisd>
+}

profiles/apparmor.d/ldpd

@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  /usr/lib/frr/ldpd ix,
+  @{run}/frr/ldpd.sock rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ldpd>
+}

profiles/apparmor.d/nhrpd

@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+ 
+  capability net_raw,
+  capability net_admin,
+
+  /usr/bin/dash ix,
+  @{PROC}/sys/net/ipv4/conf/*/send_redirects w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/nhrpd>
+}
+

profiles/apparmor.d/ospf6d

@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  capability net_raw,
+  capability sys_admin,
+
+  @{run}/netns/* r,
+
+  @{run}/frr/ospf6d-gr.json w,
+
+  /var/lib/frr/ r,
+  /var/lib/frr/ospf6d.json{,.sav} rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ospf6d>
+}

profiles/apparmor.d/ospfd

@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  capability net_raw,
+  capability sys_admin,
+
+  @{run}/netns/* r,
+
+  @{run}/frr/ospfd-gr.json w,
+
+  /var/lib/frr/ r,
+  /var/lib/frr/ospfd.json{,.sav} rw,
+
+  # For OSPFv3
+  owner /var/tmp/frr/ospfd-3.@{pid}/ w,
+  owner /var/tmp/frr/ospfd-3.@{pid}/crashlog w,
+  owner /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw,
+
+  @{run}/frr/ospfd-3.pid rwk,
+  @{run}/frr/ospfd-3.vty rw,
+  @{run}/frr/ospfd-3.json{,.sav} rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ospfd>
+}

profiles/apparmor.d/pathd

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/pathd>
+}

profiles/apparmor.d/pbrd

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/pbrd>
+}

profiles/apparmor.d/pim6d

@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  capability net_raw,
+  capability net_admin,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/pim6d>
+}

profiles/apparmor.d/pimd

@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  capability net_raw,
+  capability net_admin,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/pimd>
+}

profiles/apparmor.d/ripd

@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+  include <abstractions/frr-snmp>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ripd>
+}

profiles/apparmor.d/ripngd

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/ripngd>
+}

profiles/apparmor.d/staticd

@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+ 
+  /etc/frr/zebra.conf r,
+
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  @{PROC}/sys/net/core/somaxconn r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/staticd>
+}

profiles/apparmor.d/vrrpd

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/frr>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/vrrpd>
+}