diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr
new file mode 100644
index 000000000..d456dad34
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/frr
@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+ include
+
+ # Common capabilities
+ network,
+ capability net_bind_service,
+ capability chown,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+
+ / r,
+ @{run}/frr/ r,
+ @{run}/frr/zserv.api rw,
+ @{run}/frr/@{profile_name}.pid rwk,
+ @{run}/frr/@{profile_name}.vty rw,
+
+ # YANG modules
+ /usr/share/yang/ r,
+ /usr/share/yang/modules/ r,
+ /usr/share/yang/modules/libyang/ r,
+ /usr/share/yang/modules/libyang/** r,
+
+ # MGMT Backend Server https://docs.frrouting.org/en/latest/mgmtd.html#mgmtd-backend-interface
+ @{run}/frr/mgmtd_be.sock rw,
+
+ # Daemon config https://docs.frrouting.org/en/latest/basic.html
+ /etc/frr/ r,
+ /etc/frr/@{profile_name}.conf rw,
+ /etc/frr/frr.conf rw,
+
+ # Log file https://docs.frrouting.org/en/latest/basic.html
+ /var/log/frr/ w,
+ /var/log/frr/* w,
+
+ # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs
+ /var/tmp/frr/ w,
+ owner /var/tmp/frr/@{profile_name}.@{pid}/ w,
+ owner /var/tmp/frr/@{profile_name}.@{pid}/crashlog w,
+ owner /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw,
+
+ include if exists
diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp
new file mode 100644
index 000000000..4a44af1e5
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/frr-snmp
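Review bot: The shared frr abstraction grants every daemon profile in this series `capability dac_override`, `capability dac_read_search`, `capability setuid` and `capability setgid` together with `/etc/frr/frr.conf rw` and `/var/log/frr/* w`, and no comment says which daemon operation needs each of them; since all daemon profiles inherit this file, a reader cannot tell whether `dac_override` is required by common startup code or by a single daemon, nor that it lets any daemon bypass file permissions under the paths listed here. I would add a why-comment above the capability list, e.g. `# Capabilities kept after switching to the frr user — TODO confirm each one is still needed; dac_override bypasses DAC on every path below`, and move any capability only one daemon needs into that daemon's profile. The `abi` and `include` targets are not visible in this rendering (presumably the angle-bracketed names were stripped), so this note reads them as the usual tunables/abstractions.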
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+ include
+
+ /etc/snmp/frr.conf r,
+ /etc/snmp/snmp.conf r,
+ /usr/share/snmp/mibs/{,*} r,
+ /var/lib/mibs/iana/{,*} r,
+ /var/lib/mibs/ietf/{,*} r,
+ /etc/host.conf r,
+ /etc/hosts r,
+ /etc/frr/agentx rw,
+
+ include if exists
diff --git a/profiles/apparmor.d/babeld b/profiles/apparmor.d/babeld
new file mode 100644
index 000000000..25068d57b
--- /dev/null
+++ b/profiles/apparmor.d/babeld
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
+ include
+ include
+
+ @{run}/frr/babel-state w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/bfdd b/profiles/apparmor.d/bfdd
new file mode 100644
index 000000000..83d2369e0
--- /dev/null
+++ b/profiles/apparmor.d/bfdd
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
+ include
+ include
+
+ capability net_raw,
+ capability sys_admin,
+
+ @{run}/netns/* r,
+
+ @{run}/frr/bfdd.sock w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/bgpd b/profiles/apparmor.d/bgpd
new file mode 100644
index 000000000..06fdc041b
--- /dev/null
+++ b/profiles/apparmor.d/bgpd
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_raw,
+ capability sys_admin,
+
+ @{run}/netns/* r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/eigrpd b/profiles/apparmor.d/eigrpd
new file mode 100644
index 000000000..083db5352
--- /dev/null
+++ b/profiles/apparmor.d/eigrpd
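Review bot: `capability sys_admin` in bfdd (and the same pair of rules in bgpd in this hunk, and later in ospf6d and ospfd) is the broadest grant in the series and carries no explanation; paired with `@{run}/netns/* r` it looks like the setns(2) entry into VRF network namespaces, but a reader cannot confirm that from the profile alone. Suggest a comment on the capability line in each of the four profiles: `# sys_admin: setns(2) into VRF network namespaces under @{run}/netns/ — TODO confirm no other use`. If that is the only use, the four profiles could share the pair through a small abstraction instead of repeating it, which also keeps the justification in one place.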
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {
+ include
+ include
+
+ capability net_raw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/fabricd b/profiles/apparmor.d/fabricd
new file mode 100644
index 000000000..4779a2aa1
--- /dev/null
+++ b/profiles/apparmor.d/fabricd
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/isisd b/profiles/apparmor.d/isisd
new file mode 100644
index 000000000..3bb9b78fb
--- /dev/null
+++ b/profiles/apparmor.d/isisd
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_raw,
+
+ /var/lib/frr/ r,
+ /var/lib/frr/isisd.json{,.sav} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/ldpd b/profiles/apparmor.d/ldpd
new file mode 100644
index 000000000..5a6e61376
--- /dev/null
+++ b/profiles/apparmor.d/ldpd
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ /usr/lib/frr/ldpd ix,
+ @{run}/frr/ldpd.sock rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/nhrpd b/profiles/apparmor.d/nhrpd
new file mode 100644
index 000000000..d986139ad
--- /dev/null
+++ b/profiles/apparmor.d/nhrpd
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
+ include
+ include
+
+ capability net_raw,
+ capability net_admin,
+
+ /usr/bin/dash ix,
+ @{PROC}/sys/net/ipv4/conf/*/send_redirects w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
diff --git a/profiles/apparmor.d/ospf6d b/profiles/apparmor.d/ospf6d
new file mode 100644
index 000000000..0f6738045
--- /dev/null
+++ b/profiles/apparmor.d/ospf6d
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_raw,
+ capability sys_admin,
+
+ @{run}/netns/* r,
+
+ @{run}/frr/ospf6d-gr.json w,
+
+ /var/lib/frr/ r,
+ /var/lib/frr/ospf6d.json{,.sav} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd
new file mode 100644
index 000000000..91262f459
--- /dev/null
+++ b/profiles/apparmor.d/ospfd
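Review bot: `/usr/bin/dash ix` in nhrpd runs a shell under the full nhrpd profile, so whatever that shell does inherits `capability net_admin`, `capability net_raw` and every write rule from the frr abstraction (for instance `/etc/frr/frr.conf rw`), while the only rule that looks shell-specific is `@{PROC}/sys/net/ipv4/conf/*/send_redirects w`. The hunk does not say which nhrpd code path spawns dash or what it runs; I would record that above the rule, e.g. `# nhrpd spawns a shell to adjust send_redirects — TODO confirm nothing else is executed`, and if that write is all the shell needs, confine it in a `cx` child profile limited to that path instead of `ix`. nhrpd also ends with an extra blank line after `}` that none of the other profiles in this series have.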
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_raw,
+ capability sys_admin,
+
+ @{run}/netns/* r,
+
+ @{run}/frr/ospfd-gr.json w,
+
+ /var/lib/frr/ r,
+ /var/lib/frr/ospfd.json{,.sav} rw,
+
+ # For OSPFv3
+ owner /var/tmp/frr/ospfd-3.@{pid}/ w,
+ owner /var/tmp/frr/ospfd-3.@{pid}/crashlog w,
+ owner /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw,
+
+ @{run}/frr/ospfd-3.pid rwk,
+ @{run}/frr/ospfd-3.vty rw,
+ @{run}/frr/ospfd-3.json{,.sav} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/pathd b/profiles/apparmor.d/pathd
new file mode 100644
index 000000000..a636179a8
--- /dev/null
+++ b/profiles/apparmor.d/pathd
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/pbrd b/profiles/apparmor.d/pbrd
new file mode 100644
index 000000000..7d3b7ec6d
--- /dev/null
+++ b/profiles/apparmor.d/pbrd
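Review bot: The block commented `# For OSPFv3` in ospfd covers `ospfd-3.*` paths, which look like the pid, vty, crash-log and json names of a multi-instance ospfd started as instance number 3 rather than anything OSPFv3-related (OSPFv3 is ospf6d, which has its own profile in this series); the comment is misleading and the rules admit only that one instance number, so a second instance would be denied its pid and vty files. I would replace the comment with `# Multi-instance ospfd (-n N): per-instance pid, vty, crash-log and json files — TODO confirm naming` and glob the instance number in the six rules, leaving the `ospfd-gr.json` and `/var/lib/frr/ospfd.json` rules above unchanged.
```apparmor
  # Multi-instance ospfd (-n N): per-instance pid, vty, crash-log and json files — TODO confirm naming
  owner /var/tmp/frr/ospfd-[0-9]*.@{pid}/ w,
  owner /var/tmp/frr/ospfd-[0-9]*.@{pid}/crashlog w,
  owner /var/tmp/frr/ospfd-[0-9]*.@{pid}/logbuf.@{tid} rw,

  @{run}/frr/ospfd-[0-9]*.pid rwk,
  @{run}/frr/ospfd-[0-9]*.vty rw,
  @{run}/frr/ospfd-[0-9]*.json{,.sav} rw,
```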
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) {
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/pim6d b/profiles/apparmor.d/pim6d
new file mode 100644
index 000000000..373da03d0
--- /dev/null
+++ b/profiles/apparmor.d/pim6d
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) {
+ include
+ include
+
+ capability net_raw,
+ capability net_admin,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/pimd b/profiles/apparmor.d/pimd
new file mode 100644
index 000000000..1ca7e6269
--- /dev/null
+++ b/profiles/apparmor.d/pimd
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) {
+ include
+ include
+
+ capability net_raw,
+ capability net_admin,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/ripd b/profiles/apparmor.d/ripd
new file mode 100644
index 000000000..d41e58d0c
--- /dev/null
+++ b/profiles/apparmor.d/ripd
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/ripngd b/profiles/apparmor.d/ripngd
new file mode 100644
index 000000000..ea6bfa866
--- /dev/null
+++ b/profiles/apparmor.d/ripngd
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) {
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/staticd b/profiles/apparmor.d/staticd
new file mode 100644
index 000000000..61f3e1dbf
--- /dev/null
+++ b/profiles/apparmor.d/staticd
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) {
+ include
+ include
+
+ /etc/frr/zebra.conf r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/net/core/somaxconn r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/profiles/apparmor.d/vrrpd b/profiles/apparmor.d/vrrpd
new file mode 100644
index 000000000..bc6c1734c
--- /dev/null
+++ b/profiles/apparmor.d/vrrpd
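Review bot: `/etc/frr/zebra.conf r` in staticd is the only cross-daemon config read in this series and nothing says why staticd, rather than zebra, needs another daemon's file; presumably static routes were once configured in zebra.conf and staticd still reads that legacy location, but that should be confirmed rather than inferred from the path. Suggest `# staticd also reads the legacy zebra.conf location for static routes — TODO confirm still needed` above the rule. The same question applies to `@{PROC}/sys/net/core/somaxconn r`, which only staticd is granted although a listen-backlog lookup would more likely live in shared library code; a one-line comment naming the caller would settle it.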
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2024 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) {
+ include
+ include
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}