From 11935cee5af5940e487fa67f3e387969fe754ddf Mon Sep 17 00:00:00 2001
From: Darik Horn
Date: Thu, 1 May 2014 14:42:20 -0400
Subject: [PATCH] Create an apparmor security profile for softetherd.

Install a mandatory access control for restricing SoftEther to network facilities only. This reduces the vulnerability surface of any softetherd exploit, which is an important because SoftEther currently runs as a fully privileged process.
---
 debian/apparmor/usr.sbin.softetherd | 33 +++++++++++++++++++++++++++++
 debian/rules | 4 +++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 debian/apparmor/usr.sbin.softetherd

diff --git a/debian/apparmor/usr.sbin.softetherd b/debian/apparmor/usr.sbin.softetherd
new file mode 100644
index 00000000..d6f56242
--- /dev/null
+++ b/debian/apparmor/usr.sbin.softetherd
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# Author: Darik Horn
+
+#include
+
+/usr/sbin/softetherd {
+ #include
+ #include
+
+ # These options are described in `man 7 capabilities`.
+ capability net_admin,
+ capability net_bind_service,
+ capability net_raw,
+ capability sys_nice,
+ capability sys_resource,
+
+ # Permit all IPv4 and IPv6 actions.
+ network,
+
+ # SoftEther uses popen() to call dmesg, but /bin/sh is usually diverted
+ # to dash, so permit any shell in main distribution to be invoked.
+ /bin/bash ix,
+ /bin/dash ix,
+ /bin/sh ix,
+ /bin/zsh ix,
+ /bin/dmesg ixr,
+
+ /usr/sbin/softetherd mr,
+ /var/lib/softether/** klrw,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/threads-max rw,
+ @{PROC}/sys/net/ipv4/conf/all/arp_filter rw,
+}
diff --git a/debian/rules b/debian/rules
index 8ef99f9c..08dfba69 100755
--- a/debian/rules
+++ b/debian/rules
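Review bot: The bare `network,` rule grants every address family and socket type, not only IPv4 and IPv6 as the comment above it says, so together with `capability net_raw` and `capability net_admin` the profile also leaves packet and netlink sockets open. Either correct the comment to `# Permit all network access (every address family).` or narrow the rule to the families the daemon is shown to need, starting from `network inet,` and `network inet6,` and adding others only when a complain-mode run reports a denial. Separately, the `ix` rules run the shell and dmesg under this same profile, so the popen() helper inherits all five capabilities and write access to `/var/lib/softether/**`. A child profile reached with `Cx`, allowing only the shell, `/bin/dmesg` and whatever dmesg itself reads, would confine that path more tightly.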
@@ -4,5 +4,7 @@
 dh $@ --with autoreconf
 
 override_dh_install:
- dh_install
 install -m 644 -D debian/softether.ufw debian/softether/etc/ufw/applications.d/softether
+ install -m 644 -D debian/apparmor/usr.sbin.softetherd debian/softether/etc/apparmor.d/usr.sbin.softetherd
+ dh_apparmor --profile-name=usr.sbin.softetherd
+ dh_install
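Review bot: `dh_apparmor` comes from the dh-apparmor package, and the diffstat shows this commit touching only the profile and `debian/rules`, so unless `debian/control` already lists it the build will stop at this call. Add `dh-apparmor` to `Build-Depends` in the same commit, and `Suggests: apparmor` on the binary package as the dh_apparmor manual recommends. The maintainer-script snippet it generates presumably loads the profile on install in whatever mode the profile declares, which here appears to be enforce since no flags are visible. A rule missing from the profile would then surface as a runtime denial in softetherd after an upgrade, so it is worth confirming the profile against each server role in complain mode before shipping.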