mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2025-06-28 11:55:08 +03:00
11935cee5a
Install a mandatory access control for restricing SoftEther to network facilities only. This reduces the vulnerability surface of any softetherd exploit, which is an important because SoftEther currently runs as a fully privileged process.
34 lines
800 B
Plaintext
34 lines
800 B
Plaintext
# vim:syntax=apparmor
|
|
# Author: Darik Horn <dajhorn@vanadac.com>
|
|
|
|
#include <tunables/global>
|
|
|
|
/usr/sbin/softetherd {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
# These options are described in `man 7 capabilities`.
|
|
capability net_admin,
|
|
capability net_bind_service,
|
|
capability net_raw,
|
|
capability sys_nice,
|
|
capability sys_resource,
|
|
|
|
# Permit all IPv4 and IPv6 actions.
|
|
network,
|
|
|
|
# SoftEther uses popen() to call dmesg, but /bin/sh is usually diverted
|
|
# to dash, so permit any shell in main distribution to be invoked.
|
|
/bin/bash ix,
|
|
/bin/dash ix,
|
|
/bin/sh ix,
|
|
/bin/zsh ix,
|
|
/bin/dmesg ixr,
|
|
|
|
/usr/sbin/softetherd mr,
|
|
/var/lib/softether/** klrw,
|
|
@{PROC}/sys/kernel/osrelease r,
|
|
@{PROC}/sys/kernel/threads-max rw,
|
|
@{PROC}/sys/net/ipv4/conf/all/arp_filter rw,
|
|
}
|