I'm giving up on seccomp

Richard Laager rlaager at wiktel.com
Wed Sep 2 22:07:47 UTC 2020 

On 9/2/20 2:30 PM, Hal Murray wrote:
>> I do ship an AppArmor profile.
> 
> Thanks.  That's the word I was fishing for.
> 
> I've never worked with it.  Is there a good introductory writeup?

There is various documentation, but I don't have anything off the top of
my head to direct you to.

> Are their similar facilities available on other OSes/distros?

AppArmor is a cross-distro thing. The "other option" would be SELinux.
Ubuntu uses AppArmor by default. I can't remember if Debian has it
enabled by default now or not; it's been a while since I checked / did a
fresh install. SUSE uses AppArmor too, from what I understand; they
started the ntpd profile (which Canonical modified for Ubuntu). RedHat
(RHEL and by extension CentOS, not sure about Fedora) uses SELinux.

I've attached the profile that I ship in the Debian package.

apparmor-profile         => /etc/apparmor.d/usr.sbin.ntpd
apparmor-profile.tunable => /etc/apparmor.d/tunables/ntpd
(empty file)             => /etc/apparmor.d/local/usr.sbin.ntpd

-- 
Richard
-------------- next part --------------
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <jamie at canonical.com>
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2009-2012 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

  /{,s}bin/      r,
  /usr/{,s}bin/  r,
  /usr/local/{,s}bin/  r,
  /usr/sbin/ntpd rmix,

  /etc/ntpsec/ntp.conf r,
  /etc/ntpsec/ntp.d/ r,
  /etc/ntpsec/ntp.d/*.conf r,
  /run/ntpsec/ntp.conf.dhcp r,

  /etc/ntp.keys r,

  /var/lib/ntpsec/ntp.drift rw,
  /var/lib/ntpsec/ntp.drift-tmp rw,
  /usr/share/zoneinfo/leap-seconds.list rw,

  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpsec/clockstats* rwl,
  /var/log/ntpsec/loopstats*  rwl,
  /var/log/ntpsec/peerstats*  rwl,
  /var/log/ntpsec/protostats* rwl,
  /var/log/ntpsec/rawstats*   rwl,
  /var/log/ntpsec/sysstats*   rwl,

  /{,var/}run/ntpd.pid w,

  # to be able to check for running ntpdate
  /run/lock/ntpsec-ntpdate wk,

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

  # samba4 winbindd pipe
  /run/samba/winbindd/pipe rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  #     capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}
-------------- next part --------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2011 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#Add your ntpd devices here eg. if you have a DCF clock
# @{NTPD_DEVICE}="/dev/ttyS1"
@{NTPD_DEVICE}="/dev/null"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20200902/f13e9deb/attachment.bin>

More information about the devel mailing list