From bcbed6d1e7e2e732228ee7ce5ac9c565122c86f5 Mon Sep 17 00:00:00 2001 
From: Jorge Sancho Larraz Date: Wed, 16 Oct 2024 17:36:24 +0200 Subject: [PATCH 01/18] profiles: add frr related profiles --- profiles/apparmor.d/abstractions/frr | 72 +++++++++++++++++++++++ profiles/apparmor.d/abstractions/frr-snmp | 22 +++++++ profiles/apparmor.d/usr.lib.frr.babeld | 26 ++++++++ profiles/apparmor.d/usr.lib.frr.bfdd | 31 ++++++++++ profiles/apparmor.d/usr.lib.frr.bgpd | 33 +++++++++++ profiles/apparmor.d/usr.lib.frr.eigrpd | 26 ++++++++ profiles/apparmor.d/usr.lib.frr.fabricd | 24 ++++++++ profiles/apparmor.d/usr.lib.frr.isisd | 30 ++++++++++ profiles/apparmor.d/usr.lib.frr.ldpd | 28 +++++++++ profiles/apparmor.d/usr.lib.frr.nhrpd | 31 ++++++++++ profiles/apparmor.d/usr.lib.frr.ospf6d | 36 ++++++++++++ profiles/apparmor.d/usr.lib.frr.ospfd | 44 ++++++++++++++ profiles/apparmor.d/usr.lib.frr.pathd | 24 ++++++++ profiles/apparmor.d/usr.lib.frr.pbrd | 26 ++++++++ profiles/apparmor.d/usr.lib.frr.pim6d | 27 +++++++++ profiles/apparmor.d/usr.lib.frr.pimd | 27 +++++++++ profiles/apparmor.d/usr.lib.frr.ripd | 25 ++++++++ profiles/apparmor.d/usr.lib.frr.ripngd | 24 ++++++++ profiles/apparmor.d/usr.lib.frr.staticd | 29 +++++++++ profiles/apparmor.d/usr.lib.frr.vrrpd | 24 ++++++++ 20 files changed, 609 insertions(+) create mode 100644 profiles/apparmor.d/abstractions/frr create mode 100644 profiles/apparmor.d/abstractions/frr-snmp create mode 100644 profiles/apparmor.d/usr.lib.frr.babeld create mode 100644 profiles/apparmor.d/usr.lib.frr.bfdd create mode 100644 profiles/apparmor.d/usr.lib.frr.bgpd create mode 100644 profiles/apparmor.d/usr.lib.frr.eigrpd create mode 100644 profiles/apparmor.d/usr.lib.frr.fabricd create mode 100644 profiles/apparmor.d/usr.lib.frr.isisd create mode 100644 profiles/apparmor.d/usr.lib.frr.ldpd create mode 100644 profiles/apparmor.d/usr.lib.frr.nhrpd create mode 100644 profiles/apparmor.d/usr.lib.frr.ospf6d create mode 100644 profiles/apparmor.d/usr.lib.frr.ospfd create mode 100644 profiles/apparmor.d/usr.lib.frr.pathd create 
mode 100644 profiles/apparmor.d/usr.lib.frr.pbrd create mode 100644 profiles/apparmor.d/usr.lib.frr.pim6d create mode 100644 profiles/apparmor.d/usr.lib.frr.pimd create mode 100644 profiles/apparmor.d/usr.lib.frr.ripd create mode 100644 profiles/apparmor.d/usr.lib.frr.ripngd create mode 100644 profiles/apparmor.d/usr.lib.frr.staticd create mode 100644 profiles/apparmor.d/usr.lib.frr.vrrpd diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr new file mode 100644 index 000000000..a2546b139 --- /dev/null +++ b/profiles/apparmor.d/abstractions/frr 
@@ -0,0 +1,72 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi , + + # Common capabilities + network, + capability net_bind_service, + capability chown, + capability setgid, + capability setuid, + capability dac_override, + capability dac_read_search, + + # Common files + /etc/passwd r, + /etc/group r, + /etc/nsswitch.conf r, + /etc/gai.conf r, + + /etc/resolv.conf r, + @{run}/systemd/resolve/stub-resolv.conf r, + + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + + @{PROC}/sys/kernel/random/boot_id r, + + @{run}/frr/ r, + @{run}/frr/zserv.api rw, + @{run}/frr/@{DAEMON_NAME}.pid rwk, + @{run}/frr/@{DAEMON_NAME}.vty rw, + + # YANG modules + /usr/share/yang/ r, + /usr/share/yang/modules/ r, + /usr/share/yang/modules/libyang/ r, + /usr/share/yang/modules/libyang/** r, + + # MGMT Backend Server https://docs.frrouting.org/en/latest/mgmtd.html#mgmtd-backend-interface + @{run}/frr/mgmtd_be.sock rw, + + # Daemon config + /etc/frr/ r, + /etc/frr/@{DAEMON_NAME}.conf{,.*} rwl, + + # Log file + /var/log/frr/ w, + /var/log/frr/@{DAEMON_NAME} w, + + # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs + /var/tmp/frr/ w, + /var/tmp/frr/@{DAEMON_NAME}.@{pid}/ w, + /var/tmp/frr/@{DAEMON_NAME}.@{pid}/crashlog w, + /var/tmp/frr/@{DAEMON_NAME}.@{pid}/logbuf.@{tid} rw, + + # Program output (working directory) + / r, + /tmp/ r, + /tmp/topotests/ r, + /tmp/topotests/** rw, + + # Tests for staticd, bgpd, ospfd + /tmp/*.log w, diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp new file mode 100644 index 000000000..76b72af52 --- /dev/null 
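Review bot: The last two rule groups of this abstraction (`/tmp/topotests/** rw,` and `/tmp/*.log w,`, commented as test output) end up in every daemon profile that includes it, so on a production host a network-facing daemon that also holds `capability dac_override` from this same file may create or truncate any `*.log` file in the world-writable `/tmp`, not just its own. Test-harness paths should not live in the default abstraction; I would drop both groups here and put them in a separate `abstractions/frr-topotests` (or `local/abstractions/frr`) that test hosts include explicitly. If they have to stay, at least scope them to the daemon's own files with `owner /tmp/*.log w,` and `owner /tmp/topotests/** rw,`. The `/ r,` and `/tmp/ r,` directory reads above them are harmless and can remain.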
+++ b/profiles/apparmor.d/abstractions/frr-snmp @@ -0,0 +1,22 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi , + + /etc/snmp/frr.conf r, + /etc/snmp/snmp.conf r, + /etc/ssl/openssl.cnf r, + /usr/share/snmp/mibs/{,*} r, + /var/lib/mibs/iana/{,*} r, + /var/lib/mibs/ietf/{,*} r, + /etc/host.conf r, + /etc/hosts r, + /etc/frr/agentx rw, diff --git a/profiles/apparmor.d/usr.lib.frr.babeld b/profiles/apparmor.d/usr.lib.frr.babeld new file mode 100644 index 000000000..0d805a9f6 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.babeld @@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=babeld + +profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { + include + include + + @{run}/frr/babel-state w, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.bfdd b/profiles/apparmor.d/usr.lib.frr.bfdd new file mode 100644 index 000000000..b9450c4e9 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.bfdd 
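Review bot: `@{run}/frr/babel-state w,` is write-only, yet as far as I recall upstream babeld also opens the state file for reading at startup to restore its sequence number; if this build does the same, that read is denied under the profile and babeld silently starts with fresh state instead of failing loudly. If that is the case the rule should be `@{run}/frr/babel-state rw,`; if babeld in this package really only writes it, a comment such as `# babeld only persists state here, never reads it back` would save the next reviewer the same question. Either way the behaviour should be confirmed against the daemon rather than inferred from the rule.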
@@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=bfdd + +profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { + include + include + + capability net_raw, + capability sys_admin, + + @{run}/netns/* r, + + @{run}/frr/bfdd.sock w, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.bgpd b/profiles/apparmor.d/usr.lib.frr.bgpd new file mode 100644 index 000000000..e1ce1e670 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.bgpd @@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=bgpd + +profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { + include + include + include + + capability net_raw, + capability sys_admin, + + /etc/services r, + @{run}/netns/* r, + + @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.eigrpd b/profiles/apparmor.d/usr.lib.frr.eigrpd new file mode 100644 index 000000000..236e94e19 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.eigrpd 
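Review bot: `capability sys_admin,` paired with `@{run}/netns/* r,` in the bfdd profile (and the identical pair in the bgpd hunk on this line) is the broadest grant in the whole series, and from the rules alone nothing tells a reader that it exists only so the daemon can setns() into network-namespace VRFs, a backend that is optional and not what most deployments use. sys_admin in the profile of a daemon that parses packets from remote peers deserves to be deliberate: comment it, `# setns() into VRF namespaces; only required with the netns VRF backend`, and consider moving the pair to `local/usr.lib.frr.bfdd` so default installs do not carry it. The same remark applies to ospfd and ospf6d, which repeat the pair.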
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=eigrpd + +profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { + include + include + + capability net_raw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.fabricd b/profiles/apparmor.d/usr.lib.frr.fabricd new file mode 100644 index 000000000..35ccab25d --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.fabricd @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=fabricd + +profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { + include + include + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.isisd b/profiles/apparmor.d/usr.lib.frr.isisd new file mode 100644 index 000000000..33abe1f9a --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.isisd 
@@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=isisd + +profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { + include + include + include + + capability net_raw, + + /var/lib/frr/ r, + /var/lib/frr/isisd.json{,.sav} rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.ldpd b/profiles/apparmor.d/usr.lib.frr.ldpd new file mode 100644 index 000000000..0eee1e0a2 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.ldpd @@ -0,0 +1,28 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=ldpd + +profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) { + include + include + include + + /usr/lib/frr/ldpd ix, + @{run}/frr/ldpd.sock rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.nhrpd b/profiles/apparmor.d/usr.lib.frr.nhrpd new file mode 100644 index 000000000..c224d8a04 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.nhrpd 
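Review bot: `/usr/lib/frr/ldpd ix,` keeps ldpd's re-executed children inside the parent profile, so if this build uses upstream's privilege-separated design (the parent re-execs itself for its unprivileged lde and ldpe processes, which talk back over `@{run}/frr/ldpd.sock`), those children still carry `capability setuid`, `setgid`, `dac_override` and write access to `/etc/frr` from the abstraction, undoing the separation the daemon itself tries to enforce. If that is what the self-exec is for, a child profile (`/usr/lib/frr/ldpd cx -> ldpd_child,` holding only the socket and library rules the children need) would preserve it under AppArmor. At minimum the rule needs a comment explaining the self-exec, e.g. `# ldpd forks and re-execs itself for its privsep child processes`, since an `ix` of one's own binary otherwise looks like a mistake.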
@@ -0,0 +1,31 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=nhrpd + +profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { + include + include + + capability net_raw, + capability net_admin, + + /usr/bin/dash ix, + @{PROC}/sys/net/ipv4/conf/*/send_redirects w, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} + diff --git a/profiles/apparmor.d/usr.lib.frr.ospf6d b/profiles/apparmor.d/usr.lib.frr.ospf6d new file mode 100644 index 000000000..01152a1b4 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.ospf6d @@ -0,0 +1,36 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=ospf6d + +profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { + include + include + include + + capability net_raw, + capability sys_admin, + + /etc/services r, + @{run}/netns/* r, + + @{run}/frr/ospf6d-gr.json w, + + /var/lib/frr/ r, + /var/lib/frr/ospf6d.json{,.sav} rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.ospfd b/profiles/apparmor.d/usr.lib.frr.ospfd new file mode 100644 index 000000000..59a29478e --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.ospfd 
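Review bot: `/usr/bin/dash ix,` lets nhrpd start a shell that runs under nhrpd's own profile, including `capability net_admin`, yet no rule permits anything that shell could in turn execute, so either the spawned command is denied in practice or the rule exists for a reason the hunk does not record. Please note the call site in a comment (`# nhrpd runs <command> through system(3) to ...`) and, if the shell launches external tools, confine them in a child profile (`/usr/bin/dash cx -> nhrpd_shell,`) rather than letting them inherit net_admin. The hard-coded `/usr/bin/dash` will also fail on systems where /bin/sh is not dash or /usr is not merged; `/{,usr/}bin/dash` (or the `@{bin}` tunable if the targeted release provides it) is safer.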
@@ -0,0 +1,44 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=ospfd + +profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { + include + include + include + + capability net_raw, + capability sys_admin, + + /etc/services r, + @{run}/netns/* r, + + @{run}/frr/ospfd-gr.json w, + + /var/lib/frr/ r, + /var/lib/frr/ospfd.json{,.sav} rw, + + # For OSPFv3 + /var/tmp/frr/ospfd-3.*/ w, + /var/tmp/frr/ospfd-3.*/crashlog w, + /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw, + + @{run}/frr/ospfd-3.pid rwk, + @{run}/frr/ospfd-3.vty rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.pathd b/profiles/apparmor.d/usr.lib.frr.pathd new file mode 100644 index 000000000..ac3bc4b0b --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.pathd @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=pathd + +profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { + include + include + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.pbrd b/profiles/apparmor.d/usr.lib.frr.pbrd new file mode 100644 index 000000000..7dc13084f 
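Review bot: The `# For OSPFv3` comment in the ospfd profile is wrong: OSPFv3 is implemented by ospf6d, which has its own profile in this series, whereas `ospfd-3.pid`, `ospfd-3.vty` and `/var/tmp/frr/ospfd-3.*/` are the paths of a multi-instance ospfd started with `-n 3`. Because only instance 3 is listed, any other instance number is denied on its pid, vty and crash-log paths. Replace the comment with `# Multi-instance OSPF (ospfd -n <instance>): instance-specific pid, vty and crash-log paths` and generalize the literal, e.g. `@{run}/frr/ospfd-[0-9]*.pid rwk,` and the same pattern for the .vty and `/var/tmp/frr/` rules. The `ospfd-3.*` pid wildcard in the crash-log paths is tightened by the next commit, so I am not raising it here.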
--- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.pbrd @@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=pbrd + +profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { + include + include + + /etc/protocols r, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.pim6d b/profiles/apparmor.d/usr.lib.frr.pim6d new file mode 100644 index 000000000..d93f898c0 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.pim6d @@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=pim6d + +profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { + include + include + + capability net_raw, + capability net_admin, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.pimd b/profiles/apparmor.d/usr.lib.frr.pimd new file mode 100644 index 000000000..d534a5149 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.pimd 
@@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=pimd + +profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { + include + include + + capability net_raw, + capability net_admin, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.ripd b/profiles/apparmor.d/usr.lib.frr.ripd new file mode 100644 index 000000000..258996329 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.ripd @@ -0,0 +1,25 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=ripd + +profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { + include + include + include + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.ripngd b/profiles/apparmor.d/usr.lib.frr.ripngd new file mode 100644 index 000000000..6e95725b4 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.ripngd 
@@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=ripngd + +profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { + include + include + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.staticd b/profiles/apparmor.d/usr.lib.frr.staticd new file mode 100644 index 000000000..de54f0fcd --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.staticd @@ -0,0 +1,29 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=staticd + +profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { + include + include + + /etc/frr/zebra.conf r, + + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/net/core/somaxconn r, + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/profiles/apparmor.d/usr.lib.frr.vrrpd b/profiles/apparmor.d/usr.lib.frr.vrrpd new file mode 100644 index 000000000..0224862b7 --- /dev/null +++ b/profiles/apparmor.d/usr.lib.frr.vrrpd 
@@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2024 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{DAEMON_NAME}=vrrpd + +profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { + include + include + + # Site-specific additions and overrides. See local/README for details. + include if exists +} From d48cdea589768fb7969d85810708d81e6e5f4935 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Thu, 17 Oct 2024 10:41:01 +0200 Subject: [PATCH 02/18] profiles/usr.lib.frr.ospfd: add missing rule and use @{pid} and @{tid} --- profiles/apparmor.d/usr.lib.frr.ospfd | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor.d/usr.lib.frr.ospfd b/profiles/apparmor.d/usr.lib.frr.ospfd index 59a29478e..6bf876d69 100644 --- a/profiles/apparmor.d/usr.lib.frr.ospfd +++ b/profiles/apparmor.d/usr.lib.frr.ospfd @@ -32,12 +32,13 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { /var/lib/frr/ospfd.json{,.sav} rw, # For OSPFv3 - /var/tmp/frr/ospfd-3.*/ w, - /var/tmp/frr/ospfd-3.*/crashlog w, + /var/tmp/frr/ospfd-3.@{pid}/ w, + /var/tmp/frr/ospfd-3.@{pid}/crashlog w, /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw, @{run}/frr/ospfd-3.pid rwk, @{run}/frr/ospfd-3.vty rw, + @{run}/frr/ospfd-3.json{,.sav} rw, # Site-specific additions and overrides. See local/README for details. include if exists From df917755f2a0b81b812680b392b737596e662fb6 Mon Sep 17 00:00:00 2001 
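Review bot: The new `@{run}/frr/ospfd-3.json{,.sav} rw,` puts the instance's state under @{run}/frr while the context line a few rules up keeps the non-instance equivalent at `/var/lib/frr/ospfd.json{,.sav}`, so one of the two locations is probably not where ospfd actually opens the file; please confirm the exact path against the daemon (it may be `/var/lib/frr/ospfd-3.json` or an instance-suffixed graceful-restart file) rather than from a denial log alone. As with the other instance-specific rules, the literal `3` means every other `-n` instance is denied, so a pattern such as `ospfd-[0-9]*` is preferable. A short comment stating what the file is (persisted state vs. graceful-restart data) would make the rule reviewable.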
From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 11:07:17 +0100 Subject: [PATCH 03/18] profiles/*frr*: replace @{DAEMON_NAME} with @{profile_name} --- profiles/apparmor.d/abstractions/frr | 14 +++++++------- profiles/apparmor.d/usr.lib.frr.babeld | 2 -- profiles/apparmor.d/usr.lib.frr.bfdd | 2 -- profiles/apparmor.d/usr.lib.frr.bgpd | 2 -- profiles/apparmor.d/usr.lib.frr.eigrpd | 2 -- profiles/apparmor.d/usr.lib.frr.fabricd | 2 -- profiles/apparmor.d/usr.lib.frr.isisd | 2 -- profiles/apparmor.d/usr.lib.frr.ldpd | 2 -- profiles/apparmor.d/usr.lib.frr.nhrpd | 2 -- profiles/apparmor.d/usr.lib.frr.ospf6d | 2 -- profiles/apparmor.d/usr.lib.frr.ospfd | 2 -- profiles/apparmor.d/usr.lib.frr.pathd | 2 -- profiles/apparmor.d/usr.lib.frr.pbrd | 2 -- profiles/apparmor.d/usr.lib.frr.pim6d | 2 -- profiles/apparmor.d/usr.lib.frr.pimd | 2 -- profiles/apparmor.d/usr.lib.frr.ripd | 2 -- profiles/apparmor.d/usr.lib.frr.ripngd | 2 -- profiles/apparmor.d/usr.lib.frr.staticd | 2 -- profiles/apparmor.d/usr.lib.frr.vrrpd | 2 -- 19 files changed, 7 insertions(+), 43 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index a2546b139..536548e6e 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -36,8 +36,8 @@ @{run}/frr/ r, @{run}/frr/zserv.api rw, - @{run}/frr/@{DAEMON_NAME}.pid rwk, - @{run}/frr/@{DAEMON_NAME}.vty rw, + @{run}/frr/@{profile_name}.pid rwk, + @{run}/frr/@{profile_name}.vty rw, # YANG modules /usr/share/yang/ r, 
@@ -50,17 +50,17 @@ # Daemon config /etc/frr/ r, - /etc/frr/@{DAEMON_NAME}.conf{,.*} rwl, + /etc/frr/@{profile_name}.conf{,.*} rwl, # Log file /var/log/frr/ w, - /var/log/frr/@{DAEMON_NAME} w, + /var/log/frr/@{profile_name} w, # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs /var/tmp/frr/ w, - /var/tmp/frr/@{DAEMON_NAME}.@{pid}/ w, - /var/tmp/frr/@{DAEMON_NAME}.@{pid}/crashlog w, - /var/tmp/frr/@{DAEMON_NAME}.@{pid}/logbuf.@{tid} rw, + /var/tmp/frr/@{profile_name}.@{pid}/ w, + /var/tmp/frr/@{profile_name}.@{pid}/crashlog w, + /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw, # Program output (working directory) / r, diff --git a/profiles/apparmor.d/usr.lib.frr.babeld b/profiles/apparmor.d/usr.lib.frr.babeld index 0d805a9f6..9a23058a7 100644 --- a/profiles/apparmor.d/usr.lib.frr.babeld +++ b/profiles/apparmor.d/usr.lib.frr.babeld @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=babeld - profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.bfdd b/profiles/apparmor.d/usr.lib.frr.bfdd index b9450c4e9..0f4622068 100644 --- a/profiles/apparmor.d/usr.lib.frr.bfdd +++ b/profiles/apparmor.d/usr.lib.frr.bfdd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=bfdd - profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.bgpd b/profiles/apparmor.d/usr.lib.frr.bgpd index e1ce1e670..1481583df 100644 --- a/profiles/apparmor.d/usr.lib.frr.bgpd +++ b/profiles/apparmor.d/usr.lib.frr.bgpd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=bgpd - profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.eigrpd b/profiles/apparmor.d/usr.lib.frr.eigrpd index 236e94e19..ca7c0bc3f 100644 --- a/profiles/apparmor.d/usr.lib.frr.eigrpd +++ b/profiles/apparmor.d/usr.lib.frr.eigrpd 
@@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=eigrpd - profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.fabricd b/profiles/apparmor.d/usr.lib.frr.fabricd index 35ccab25d..2b4faf017 100644 --- a/profiles/apparmor.d/usr.lib.frr.fabricd +++ b/profiles/apparmor.d/usr.lib.frr.fabricd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=fabricd - profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.isisd b/profiles/apparmor.d/usr.lib.frr.isisd index 33abe1f9a..fda9f31de 100644 --- a/profiles/apparmor.d/usr.lib.frr.isisd +++ b/profiles/apparmor.d/usr.lib.frr.isisd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=isisd - profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.ldpd b/profiles/apparmor.d/usr.lib.frr.ldpd index 0eee1e0a2..17583d897 100644 --- a/profiles/apparmor.d/usr.lib.frr.ldpd +++ b/profiles/apparmor.d/usr.lib.frr.ldpd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=ldpd - profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.nhrpd b/profiles/apparmor.d/usr.lib.frr.nhrpd index c224d8a04..56202e527 100644 --- a/profiles/apparmor.d/usr.lib.frr.nhrpd +++ b/profiles/apparmor.d/usr.lib.frr.nhrpd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=nhrpd - profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.ospf6d b/profiles/apparmor.d/usr.lib.frr.ospf6d index 01152a1b4..f6427b317 100644 --- a/profiles/apparmor.d/usr.lib.frr.ospf6d +++ b/profiles/apparmor.d/usr.lib.frr.ospf6d @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=ospf6d - profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { include include 
diff --git a/profiles/apparmor.d/usr.lib.frr.ospfd b/profiles/apparmor.d/usr.lib.frr.ospfd index 6bf876d69..f7a391c0f 100644 --- a/profiles/apparmor.d/usr.lib.frr.ospfd +++ b/profiles/apparmor.d/usr.lib.frr.ospfd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=ospfd - profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.pathd b/profiles/apparmor.d/usr.lib.frr.pathd index ac3bc4b0b..621743761 100644 --- a/profiles/apparmor.d/usr.lib.frr.pathd +++ b/profiles/apparmor.d/usr.lib.frr.pathd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=pathd - profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.pbrd b/profiles/apparmor.d/usr.lib.frr.pbrd index 7dc13084f..94238614a 100644 --- a/profiles/apparmor.d/usr.lib.frr.pbrd +++ b/profiles/apparmor.d/usr.lib.frr.pbrd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=pbrd - profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.pim6d b/profiles/apparmor.d/usr.lib.frr.pim6d index d93f898c0..1a48d10a2 100644 --- a/profiles/apparmor.d/usr.lib.frr.pim6d +++ b/profiles/apparmor.d/usr.lib.frr.pim6d @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=pim6d - profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.pimd b/profiles/apparmor.d/usr.lib.frr.pimd index d534a5149..804908db7 100644 --- a/profiles/apparmor.d/usr.lib.frr.pimd +++ b/profiles/apparmor.d/usr.lib.frr.pimd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=pimd - profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.ripd b/profiles/apparmor.d/usr.lib.frr.ripd index 258996329..a4a137470 100644 --- a/profiles/apparmor.d/usr.lib.frr.ripd +++ b/profiles/apparmor.d/usr.lib.frr.ripd 
@@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=ripd - profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.ripngd b/profiles/apparmor.d/usr.lib.frr.ripngd index 6e95725b4..c7a0c0eeb 100644 --- a/profiles/apparmor.d/usr.lib.frr.ripngd +++ b/profiles/apparmor.d/usr.lib.frr.ripngd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=ripngd - profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.staticd b/profiles/apparmor.d/usr.lib.frr.staticd index de54f0fcd..16cb609bd 100644 --- a/profiles/apparmor.d/usr.lib.frr.staticd +++ b/profiles/apparmor.d/usr.lib.frr.staticd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=staticd - profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { include include diff --git a/profiles/apparmor.d/usr.lib.frr.vrrpd b/profiles/apparmor.d/usr.lib.frr.vrrpd index 0224862b7..c9758d06c 100644 --- a/profiles/apparmor.d/usr.lib.frr.vrrpd +++ b/profiles/apparmor.d/usr.lib.frr.vrrpd @@ -13,8 +13,6 @@ abi , include -@{DAEMON_NAME}=vrrpd - profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { include include From 8d644e0d182df9ae564c5c56b4a325252956d5ff Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 11:18:03 +0100 Subject: [PATCH 04/18] profiles/*frr*: include abstractions/nameservice-strict --- profiles/apparmor.d/abstractions/frr | 16 ++-------------- profiles/apparmor.d/usr.lib.frr.pbrd | 2 -- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index 536548e6e..b34c2fd5b 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -11,6 +11,8 @@ abi , + include + # Common capabilities network, capability net_bind_service, 
@@ -20,20 +22,6 @@ capability dac_override, capability dac_read_search, - # Common files - /etc/passwd r, - /etc/group r, - /etc/nsswitch.conf r, - /etc/gai.conf r, - - /etc/resolv.conf r, - @{run}/systemd/resolve/stub-resolv.conf r, - - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, - - @{PROC}/sys/kernel/random/boot_id r, - @{run}/frr/ r, @{run}/frr/zserv.api rw, @{run}/frr/@{profile_name}.pid rwk, diff --git a/profiles/apparmor.d/usr.lib.frr.pbrd b/profiles/apparmor.d/usr.lib.frr.pbrd index 94238614a..443f078ae 100644 --- a/profiles/apparmor.d/usr.lib.frr.pbrd +++ b/profiles/apparmor.d/usr.lib.frr.pbrd @@ -17,8 +17,6 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include include - /etc/protocols r, - # Site-specific additions and overrides. See local/README for details. include if exists } From 77b20c9ba16f096f228a72db583ba175eb931544 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 11:21:28 +0100 Subject: [PATCH 05/18] profiles/*frr*: set # LOGPROF-SUGGEST: no in frr specific profiles --- profiles/apparmor.d/abstractions/frr | 1 + profiles/apparmor.d/abstractions/frr-snmp | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index b34c2fd5b..ae960e661 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -1,4 +1,5 @@ # vim:syntax=apparmor +# LOGPROF-SUGGEST: no # ------------------------------------------------------------------ # # Copyright (C) 2024 Canonical Ltd. diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp index 76b72af52..df11eb9fa 100644 --- a/profiles/apparmor.d/abstractions/frr-snmp +++ b/profiles/apparmor.d/abstractions/frr-snmp @@ -1,4 +1,5 @@ # vim:syntax=apparmor +# LOGPROF-SUGGEST: no # ------------------------------------------------------------------ # # Copyright (C) 2024 Canonical Ltd. 
@@ -17,6 +18,6 @@ /usr/share/snmp/mibs/{,*} r, /var/lib/mibs/iana/{,*} r, /var/lib/mibs/ietf/{,*} r, - /etc/host.conf r, + /etc/host.conf r, /etc/hosts r, /etc/frr/agentx rw, From c63d37f19335b05ac4a0da6aed21d2d6bac5926e Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 11:41:10 +0100 Subject: [PATCH 06/18] profiles/*frr*: add owner to @{PROC}/@{pid}/task/@{tid}/comm rw, --- profiles/apparmor.d/usr.lib.frr.bgpd | 2 +- profiles/apparmor.d/usr.lib.frr.staticd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor.d/usr.lib.frr.bgpd b/profiles/apparmor.d/usr.lib.frr.bgpd index 1481583df..2b4a8817e 100644 --- a/profiles/apparmor.d/usr.lib.frr.bgpd +++ b/profiles/apparmor.d/usr.lib.frr.bgpd @@ -24,7 +24,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { /etc/services r, @{run}/netns/* r, - @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.frr.staticd b/profiles/apparmor.d/usr.lib.frr.staticd index 16cb609bd..34ef1ec12 100644 --- a/profiles/apparmor.d/usr.lib.frr.staticd +++ b/profiles/apparmor.d/usr.lib.frr.staticd @@ -19,7 +19,7 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { /etc/frr/zebra.conf r, - @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/net/core/somaxconn r, # Site-specific additions and overrides. See local/README for details. From 142d72100cc60ed5f25de77915c9183753f950a5 Mon Sep 17 00:00:00 2001 
From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 11:47:42 +0100 Subject: [PATCH 07/18] profiles/*frr*: update profiles name --- profiles/apparmor.d/{usr.lib.frr.babeld => babeld} | 2 +- profiles/apparmor.d/{usr.lib.frr.bfdd => bfdd} | 2 +- profiles/apparmor.d/{usr.lib.frr.bgpd => bgpd} | 2 +- profiles/apparmor.d/{usr.lib.frr.eigrpd => eigrpd} | 2 +- profiles/apparmor.d/{usr.lib.frr.fabricd => fabricd} | 2 +- profiles/apparmor.d/{usr.lib.frr.isisd => isisd} | 2 +- profiles/apparmor.d/{usr.lib.frr.ldpd => ldpd} | 2 +- profiles/apparmor.d/{usr.lib.frr.nhrpd => nhrpd} | 2 +- profiles/apparmor.d/{usr.lib.frr.ospf6d => ospf6d} | 2 +- profiles/apparmor.d/{usr.lib.frr.ospfd => ospfd} | 2 +- profiles/apparmor.d/{usr.lib.frr.pathd => pathd} | 2 +- profiles/apparmor.d/{usr.lib.frr.pbrd => pbrd} | 2 +- profiles/apparmor.d/{usr.lib.frr.pim6d => pim6d} | 2 +- profiles/apparmor.d/{usr.lib.frr.pimd => pimd} | 2 +- profiles/apparmor.d/{usr.lib.frr.ripd => ripd} | 2 +- profiles/apparmor.d/{usr.lib.frr.ripngd => ripngd} | 2 +- profiles/apparmor.d/{usr.lib.frr.staticd => staticd} | 2 +- profiles/apparmor.d/{usr.lib.frr.vrrpd => vrrpd} | 2 +- 18 files changed, 18 insertions(+), 18 deletions(-) rename profiles/apparmor.d/{usr.lib.frr.babeld => babeld} (93%) rename profiles/apparmor.d/{usr.lib.frr.bfdd => bfdd} (94%) rename profiles/apparmor.d/{usr.lib.frr.bgpd => bgpd} (94%) rename profiles/apparmor.d/{usr.lib.frr.eigrpd => eigrpd} (93%) rename profiles/apparmor.d/{usr.lib.frr.fabricd => fabricd} (93%) rename profiles/apparmor.d/{usr.lib.frr.isisd => isisd} (94%) rename profiles/apparmor.d/{usr.lib.frr.ldpd => ldpd} (94%) rename profiles/apparmor.d/{usr.lib.frr.nhrpd => nhrpd} (94%) rename profiles/apparmor.d/{usr.lib.frr.ospf6d => ospf6d} (94%) rename profiles/apparmor.d/{usr.lib.frr.ospfd => ospfd} (95%) rename profiles/apparmor.d/{usr.lib.frr.pathd => pathd} (93%) rename profiles/apparmor.d/{usr.lib.frr.pbrd => pbrd} (93%) rename profiles/apparmor.d/{usr.lib.frr.pim6d => pim6d} (93%) 
rename profiles/apparmor.d/{usr.lib.frr.pimd => pimd} (93%) rename profiles/apparmor.d/{usr.lib.frr.ripd => ripd} (93%) rename profiles/apparmor.d/{usr.lib.frr.ripngd => ripngd} (93%) rename profiles/apparmor.d/{usr.lib.frr.staticd => staticd} (94%) rename profiles/apparmor.d/{usr.lib.frr.vrrpd => vrrpd} (93%) diff --git a/profiles/apparmor.d/usr.lib.frr.babeld b/profiles/apparmor.d/babeld similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.babeld rename to profiles/apparmor.d/babeld index 9a23058a7..25068d57b 100644 --- a/profiles/apparmor.d/usr.lib.frr.babeld +++ b/profiles/apparmor.d/babeld @@ -20,5 +20,5 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { @{run}/frr/babel-state w, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.bfdd b/profiles/apparmor.d/bfdd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.bfdd rename to profiles/apparmor.d/bfdd index 0f4622068..83d2369e0 100644 --- a/profiles/apparmor.d/usr.lib.frr.bfdd +++ b/profiles/apparmor.d/bfdd @@ -25,5 +25,5 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { @{run}/frr/bfdd.sock w, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.bgpd b/profiles/apparmor.d/bgpd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.bgpd rename to profiles/apparmor.d/bgpd index 2b4a8817e..861eb39e2 100644 --- a/profiles/apparmor.d/usr.lib.frr.bgpd +++ b/profiles/apparmor.d/bgpd @@ -27,5 +27,5 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } 
diff --git a/profiles/apparmor.d/usr.lib.frr.eigrpd b/profiles/apparmor.d/eigrpd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.eigrpd rename to profiles/apparmor.d/eigrpd index ca7c0bc3f..083db5352 100644 --- a/profiles/apparmor.d/usr.lib.frr.eigrpd +++ b/profiles/apparmor.d/eigrpd @@ -20,5 +20,5 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { capability net_raw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.fabricd b/profiles/apparmor.d/fabricd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.fabricd rename to profiles/apparmor.d/fabricd index 2b4faf017..4779a2aa1 100644 --- a/profiles/apparmor.d/usr.lib.frr.fabricd +++ b/profiles/apparmor.d/fabricd @@ -18,5 +18,5 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.isisd b/profiles/apparmor.d/isisd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.isisd rename to profiles/apparmor.d/isisd index fda9f31de..3bb9b78fb 100644 --- a/profiles/apparmor.d/usr.lib.frr.isisd +++ b/profiles/apparmor.d/isisd @@ -24,5 +24,5 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { /var/lib/frr/isisd.json{,.sav} rw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.ldpd b/profiles/apparmor.d/ldpd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.ldpd rename to profiles/apparmor.d/ldpd index 17583d897..5a6e61376 100644 --- a/profiles/apparmor.d/usr.lib.frr.ldpd +++ b/profiles/apparmor.d/ldpd 
@@ -22,5 +22,5 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) { @{run}/frr/ldpd.sock rw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.nhrpd b/profiles/apparmor.d/nhrpd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.nhrpd rename to profiles/apparmor.d/nhrpd index 56202e527..743004f0a 100644 --- a/profiles/apparmor.d/usr.lib.frr.nhrpd +++ b/profiles/apparmor.d/nhrpd @@ -24,6 +24,6 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { @{PROC}/sys/net/ipv4/conf/*/send_redirects w, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.ospf6d b/profiles/apparmor.d/ospf6d similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.ospf6d rename to profiles/apparmor.d/ospf6d index f6427b317..e2e16d515 100644 --- a/profiles/apparmor.d/usr.lib.frr.ospf6d +++ b/profiles/apparmor.d/ospf6d @@ -30,5 +30,5 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { /var/lib/frr/ospf6d.json{,.sav} rw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.ospfd b/profiles/apparmor.d/ospfd similarity index 95% rename from profiles/apparmor.d/usr.lib.frr.ospfd rename to profiles/apparmor.d/ospfd index f7a391c0f..89ca4fb2f 100644 --- a/profiles/apparmor.d/usr.lib.frr.ospfd +++ b/profiles/apparmor.d/ospfd @@ -39,5 +39,5 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { @{run}/frr/ospfd-3.json{,.sav} rw, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } 
diff --git a/profiles/apparmor.d/usr.lib.frr.pathd b/profiles/apparmor.d/pathd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.pathd rename to profiles/apparmor.d/pathd index 621743761..a636179a8 100644 --- a/profiles/apparmor.d/usr.lib.frr.pathd +++ b/profiles/apparmor.d/pathd @@ -18,5 +18,5 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.pbrd b/profiles/apparmor.d/pbrd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.pbrd rename to profiles/apparmor.d/pbrd index 443f078ae..7d3b7ec6d 100644 --- a/profiles/apparmor.d/usr.lib.frr.pbrd +++ b/profiles/apparmor.d/pbrd @@ -18,5 +18,5 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.pim6d b/profiles/apparmor.d/pim6d similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.pim6d rename to profiles/apparmor.d/pim6d index 1a48d10a2..373da03d0 100644 --- a/profiles/apparmor.d/usr.lib.frr.pim6d +++ b/profiles/apparmor.d/pim6d @@ -21,5 +21,5 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { capability net_admin, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.pimd b/profiles/apparmor.d/pimd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.pimd rename to profiles/apparmor.d/pimd index 804908db7..1ca7e6269 100644 --- a/profiles/apparmor.d/usr.lib.frr.pimd +++ b/profiles/apparmor.d/pimd 
@@ -21,5 +21,5 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { capability net_admin, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.ripd b/profiles/apparmor.d/ripd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.ripd rename to profiles/apparmor.d/ripd index a4a137470..d41e58d0c 100644 --- a/profiles/apparmor.d/usr.lib.frr.ripd +++ b/profiles/apparmor.d/ripd @@ -19,5 +19,5 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.ripngd b/profiles/apparmor.d/ripngd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.ripngd rename to profiles/apparmor.d/ripngd index c7a0c0eeb..ea6bfa866 100644 --- a/profiles/apparmor.d/usr.lib.frr.ripngd +++ b/profiles/apparmor.d/ripngd @@ -18,5 +18,5 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.staticd b/profiles/apparmor.d/staticd similarity index 94% rename from profiles/apparmor.d/usr.lib.frr.staticd rename to profiles/apparmor.d/staticd index 34ef1ec12..61f3e1dbf 100644 --- a/profiles/apparmor.d/usr.lib.frr.staticd +++ b/profiles/apparmor.d/staticd @@ -23,5 +23,5 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { @{PROC}/sys/net/core/somaxconn r, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } diff --git a/profiles/apparmor.d/usr.lib.frr.vrrpd b/profiles/apparmor.d/vrrpd similarity index 93% rename from profiles/apparmor.d/usr.lib.frr.vrrpd rename to profiles/apparmor.d/vrrpd index c9758d06c..bc6c1734c 100644 
--- a/profiles/apparmor.d/usr.lib.frr.vrrpd +++ b/profiles/apparmor.d/vrrpd @@ -18,5 +18,5 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { include # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } From 7ff8f21d040e55dd3092178c774e9d0a1b64b16b Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Thu, 7 Nov 2024 12:03:57 +0100 Subject: [PATCH 08/18] profiles/*frr*: missing clean up after including abstractions/nameservice-strict to abstraction frr ( 8d644e0d182df9ae564c5c56b4a325252956d5ff) --- profiles/apparmor.d/ospfd | 1 - 1 file changed, 1 deletion(-) diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd index 89ca4fb2f..f1d8083a3 100644 --- a/profiles/apparmor.d/ospfd +++ b/profiles/apparmor.d/ospfd @@ -21,7 +21,6 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /etc/services r, @{run}/netns/* r, @{run}/frr/ospfd-gr.json w, From 63e3a04e3050769d92db902cd398248efc343df8 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Tue, 7 Jan 2025 11:31:06 +0100 Subject: [PATCH 09/18] profiles/abstractions/frr: add owner to world-writable directories --- profiles/apparmor.d/abstractions/frr | 18 +++++++++--------- profiles/apparmor.d/ospfd | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index ae960e661..a28f6cf02 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr 
@@ -46,16 +46,16 @@ /var/log/frr/@{profile_name} w, # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs - /var/tmp/frr/ w, - /var/tmp/frr/@{profile_name}.@{pid}/ w, - /var/tmp/frr/@{profile_name}.@{pid}/crashlog w, - /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw, + owner /var/tmp/frr/ w, + owner /var/tmp/frr/@{profile_name}.@{pid}/ w, + owner /var/tmp/frr/@{profile_name}.@{pid}/crashlog w, + owner /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw, # Program output (working directory) - / r, - /tmp/ r, - /tmp/topotests/ r, - /tmp/topotests/** rw, + owner / r, + owner /tmp/ r, + owner /tmp/topotests/ r, + owner /tmp/topotests/** rw, # Tests for staticd, bgpd, ospfd - /tmp/*.log w, + owner /tmp/*.log w, diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd index f1d8083a3..91262f459 100644 --- a/profiles/apparmor.d/ospfd +++ b/profiles/apparmor.d/ospfd @@ -29,9 +29,9 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { /var/lib/frr/ospfd.json{,.sav} rw, # For OSPFv3 - /var/tmp/frr/ospfd-3.@{pid}/ w, - /var/tmp/frr/ospfd-3.@{pid}/crashlog w, - /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw, + owner /var/tmp/frr/ospfd-3.@{pid}/ w, + owner /var/tmp/frr/ospfd-3.@{pid}/crashlog w, + owner /var/tmp/frr/ospfd-3.@{pid}/logbuf.@{tid} rw, @{run}/frr/ospfd-3.pid rwk, @{run}/frr/ospfd-3.vty rw, From e20400f10fcc46cb49bb04e2a7844f0623d9fe05 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Tue, 7 Jan 2025 11:36:25 +0100 Subject: [PATCH 10/18] profiles/ospf6d: remove duplicated /etc/services r --- profiles/apparmor.d/ospf6d | 1 - 1 file changed, 1 deletion(-) diff --git a/profiles/apparmor.d/ospf6d b/profiles/apparmor.d/ospf6d index e2e16d515..0f6738045 100644 --- a/profiles/apparmor.d/ospf6d +++ b/profiles/apparmor.d/ospf6d @@ -21,7 +21,6 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /etc/services r, @{run}/netns/* r, @{run}/frr/ospf6d-gr.json w, 
From 045bb7d77e25c89a85b4c0728a8b835f40e3e41e Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Tue, 7 Jan 2025 11:39:10 +0100 Subject: [PATCH 11/18] profiles/*frr*: fix includes --- profiles/apparmor.d/abstractions/frr | 2 ++ profiles/apparmor.d/abstractions/frr-snmp | 2 ++ profiles/apparmor.d/nhrpd | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index a28f6cf02..a31096fac 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -59,3 +59,5 @@ # Tests for staticd, bgpd, ospfd owner /tmp/*.log w, + +include if exists \ No newline at end of file diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp index df11eb9fa..7acc6a7c9 100644 --- a/profiles/apparmor.d/abstractions/frr-snmp +++ b/profiles/apparmor.d/abstractions/frr-snmp @@ -21,3 +21,5 @@ /etc/host.conf r, /etc/hosts r, /etc/frr/agentx rw, + + include if exists \ No newline at end of file diff --git a/profiles/apparmor.d/nhrpd b/profiles/apparmor.d/nhrpd index 743004f0a..d986139ad 100644 --- a/profiles/apparmor.d/nhrpd +++ b/profiles/apparmor.d/nhrpd @@ -24,6 +24,6 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { @{PROC}/sys/net/ipv4/conf/*/send_redirects w, # Site-specific additions and overrides. See local/README for details. - include if exists + include if exists } From 78ea948e4b5b97de1abee352a6859120f69487dd Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Tue, 7 Jan 2025 11:55:37 +0100 Subject: [PATCH 12/18] profiles/abstractions/frr: typo --- profiles/apparmor.d/abstractions/frr | 2 +- profiles/apparmor.d/abstractions/frr-snmp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index a31096fac..1194b7833 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr 
@@ -60,4 +60,4 @@ # Tests for staticd, bgpd, ospfd owner /tmp/*.log w, -include if exists \ No newline at end of file + include if exists diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp index 7acc6a7c9..1b08e671b 100644 --- a/profiles/apparmor.d/abstractions/frr-snmp +++ b/profiles/apparmor.d/abstractions/frr-snmp @@ -22,4 +22,4 @@ /etc/hosts r, /etc/frr/agentx rw, - include if exists \ No newline at end of file + include if exists From fa28d65f449efebed7c3509c37fd55a7263917fb Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 16:27:57 +0100 Subject: [PATCH 13/18] profiles/a/frr-snmp: use abstractions/openssl --- profiles/apparmor.d/abstractions/frr-snmp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/frr-snmp b/profiles/apparmor.d/abstractions/frr-snmp index 1b08e671b..4a44af1e5 100644 --- a/profiles/apparmor.d/abstractions/frr-snmp +++ b/profiles/apparmor.d/abstractions/frr-snmp @@ -12,9 +12,10 @@ abi , + include + /etc/snmp/frr.conf r, /etc/snmp/snmp.conf r, - /etc/ssl/openssl.cnf r, /usr/share/snmp/mibs/{,*} r, /var/lib/mibs/iana/{,*} r, /var/lib/mibs/ietf/{,*} r, From 7a98040b1b2d4238eebc1ce38b55858cc1c884f3 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 16:29:29 +0100 Subject: [PATCH 14/18] profiles/a/frr: remove owner keyword causing failures --- profiles/apparmor.d/abstractions/frr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index 1194b7833..75b413d49 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr 
@@ -46,7 +46,7 @@ /var/log/frr/@{profile_name} w, # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs - owner /var/tmp/frr/ w, + /var/tmp/frr/ w, owner /var/tmp/frr/@{profile_name}.@{pid}/ w, owner /var/tmp/frr/@{profile_name}.@{pid}/crashlog w, owner /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw, From c67061c64f6c2e95ff6f8713b98ad6cf690e55f7 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 16:31:03 +0100 Subject: [PATCH 15/18] profiles/a/frr: clean up rules only needed by topotests --- profiles/apparmor.d/abstractions/frr | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index 75b413d49..b42b17357 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -23,6 +23,7 @@ capability dac_override, capability dac_read_search, + / r, @{run}/frr/ r, @{run}/frr/zserv.api rw, @{run}/frr/@{profile_name}.pid rwk, @@ -39,7 +40,7 @@ # Daemon config /etc/frr/ r, - /etc/frr/@{profile_name}.conf{,.*} rwl, + /etc/frr/@{profile_name}.conf rw, # Log file /var/log/frr/ w, @@ -51,13 +52,4 @@ owner /var/tmp/frr/@{profile_name}.@{pid}/crashlog w, owner /var/tmp/frr/@{profile_name}.@{pid}/logbuf.@{tid} rw, - # Program output (working directory) - owner / r, - owner /tmp/ r, - owner /tmp/topotests/ r, - owner /tmp/topotests/** rw, - - # Tests for staticd, bgpd, ospfd - owner /tmp/*.log w, - include if exists From 4fa3a021274cb29792d4c5f720534fdfb1b21c71 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 16:31:32 +0100 Subject: [PATCH 16/18] profiles/a/frr: add additional configuration file location --- profiles/apparmor.d/abstractions/frr | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index b42b17357..299de06fa 100644 --- a/profiles/apparmor.d/abstractions/frr 
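Review bot: Dropping `owner` from `/var/tmp/frr/ w,` leaves no inline explanation of why the parent directory is treated differently from the `@{profile_name}.@{pid}/` entries directly below it, which keep `owner`; the commit subject says the keyword caused failures but not why. A comment above the rule such as `# /var/tmp/frr/ may be pre-created by another uid, so owner cannot apply; the per-pid entries below keep owner` would preserve that reasoning, with the pre-created-by-another-uid part being an inference to confirm. Since /var/tmp is a shared location, the `owner` qualifiers left on the `crashlog` and `logbuf.@{tid}` rules are what still stop a daemon from writing into entries another uid placed under that tree, so they should stay as they are.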
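Review bot: The new `/ r,` in the `@@ -23,6 +23,7 @@` hunk carries no comment saying why every daemon needs to read the root directory, while the earlier rule granting the same thing sat under `# Program output (working directory)`, which this commit deletes as topotest-only. If the daemons still run with `/` as their working directory or otherwise list it, a comment such as `# Working directory of the daemons` above the rule keeps that visible; if it was only needed by topotests, it belongs with the other removed rules. Whether the daemons use `/` as cwd is inferred here, not shown in the hunk.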
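Review bot: Narrowing `/etc/frr/@{profile_name}.conf{,.*} rwl,` to `/etc/frr/@{profile_name}.conf rw,` in the `@@ -39,7 +40,7 @@` hunk drops both the link permission and the `.conf.*` siblings; if a daemon's own config save still writes a temporary or backup file beside the config and links it into place, that path is now denied rather than merely tightened. The subject line attributes the old coverage to topotests, so a comment or commit-message sentence naming that as the only code path that exercised those siblings would stop a later editor from reintroducing the broad rule blindly. That the daemons save config this way is inferred from the old rule, not visible in the hunk.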
+++ b/profiles/apparmor.d/abstractions/frr @@ -38,9 +38,10 @@ # MGMT Backend Server https://docs.frrouting.org/en/latest/mgmtd.html#mgmtd-backend-interface @{run}/frr/mgmtd_be.sock rw, - # Daemon config + # Daemon config https://docs.frrouting.org/en/latest/basic.html /etc/frr/ r, /etc/frr/@{profile_name}.conf rw, + /etc/frr/frr.conf rw, # Log file /var/log/frr/ w, From a6c2efcb4a867215c0ce1f3a55891a12ad918041 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 16:32:54 +0100 Subject: [PATCH 17/18] profiles/a/frr: allow any file in log directory --- profiles/apparmor.d/abstractions/frr | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/profiles/apparmor.d/abstractions/frr b/profiles/apparmor.d/abstractions/frr index 299de06fa..d456dad34 100644 --- a/profiles/apparmor.d/abstractions/frr +++ b/profiles/apparmor.d/abstractions/frr @@ -43,9 +43,9 @@ /etc/frr/@{profile_name}.conf rw, /etc/frr/frr.conf rw, - # Log file + # Log file https://docs.frrouting.org/en/latest/basic.html /var/log/frr/ w, - /var/log/frr/@{profile_name} w, + /var/log/frr/* w, # Crash logs https://docs.frrouting.org/en/latest/setup.html#crash-logs /var/tmp/frr/ w, From 42297559e8cf17f46e09df942e601bc16a901796 Mon Sep 17 00:00:00 2001 From: Jorge Sancho Larraz Date: Wed, 5 Feb 2025 17:00:22 +0100 Subject: [PATCH 18/18] profiles/bgpd: remove redundant /etc/services --- profiles/apparmor.d/bgpd | 1 - 1 file changed, 1 deletion(-) diff --git a/profiles/apparmor.d/bgpd b/profiles/apparmor.d/bgpd index 861eb39e2..06fdc041b 100644 --- a/profiles/apparmor.d/bgpd +++ b/profiles/apparmor.d/bgpd @@ -21,7 +21,6 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /etc/services r, @{run}/netns/* r, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
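Review bot: `/etc/frr/frr.conf rw,` gives every daemon that includes this abstraction write access to the shared integrated config, whereas the rule above it is at least scoped to `@{profile_name}.conf`; if the daemons only read frr.conf and vtysh is the component that writes it, `/etc/frr/frr.conf r,` is the tighter rule. Whether any daemon writes frr.conf is inferred, not shown here, so if `w` is genuinely required a short comment naming the writer would document the decision next to the doc URL the updated comment already cites.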
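Review bot: `/var/log/frr/* w,` in the `@@ -43,9 +43,9 @@` hunk widens each confined daemon from its own `@{profile_name}` log to every file in the log directory, so any one daemon can now truncate or overwrite its siblings' logs, a cross-daemon boundary the previous rule preserved. If the change is driven by an admin-configurable log file name, a comment such as `# log file name is configurable, so any file in the directory is allowed` would record why the broad glob is intended. If all daemons run under one uid, `owner` would not separate them either, so the comment is the practical mitigation; that the name is configurable is inferred from the subject line, not shown in the hunk.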