AppArmor profiles for SUID binaries. At this moment only for ping.

2013-05-11 08:41:36 +03:00 · 2013-05-11 08:41:36 +03:00 · 748ab74d1f
parent d7cc2415ea
commit 748ab74d1f
2 changed files with 43 additions and 0 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -47,6 +47,7 @@
  ./programs/wvdial.nix
  ./rename.nix
  ./security/apparmor.nix
+  ./security/apparmor-suid.nix
  ./security/ca.nix
  ./security/pam.nix
  ./security/pam_usb.nix
--- a/modules/security/apparmor-suid.nix
+++ b/modules/security/apparmor-suid.nix
@ -0,0 +1,42 @@
+{pkgs, config, ...}:
+let
+  cfg = config.security.apparmor;
+in
+with pkgs.lib;
+{
+
+  options.security.apparmor.confineSUIDApplications = mkOption {
+    default = true;
+    description = ''
+      Install AppArmor profiles for commonly-used SUID application
+      to mitigate potential privilege escalation attacks due to bugs
+      in such applications.
+
+      Currently available profiles: ping
+    '';
+  };
+
+  config = mkIf (cfg.confineSUIDApplications) {
+    security.apparmor.profiles = [ (pkgs.writeText "ping" ''
+      #include <tunables/global>
+      /var/setuid-wrappers/ping {
+	#include <abstractions/base>
+	#include <abstractions/consoles>
+	#include <abstractions/nameservice>
+
+	capability net_raw,
+	capability setuid,
+	network inet raw,
+
+	${pkgs.glibc}/lib/*.so mr,
+	/var/setuid-wrappers/ping.real mixr,
+	${pkgs.iputils}/sbin/ping mixr,
+	#/etc/modules.conf r,
+
+	## Site-specific additions and overrides. See local/README for details.
+	##include <local/bin.ping>
+      }
+    '') ];
+  };
+
+}