[apparmor] [patch] Update abstractions/ssl_* for acmetool-generated certificates
Seth Arnold
seth.arnold at canonical.com
Mon Mar 28 18:32:38 UTC 2016
On Sun, Mar 27, 2016 at 06:40:20PM +0200, Christian Boltz wrote:
> Hello,
>
> acmetool is an alternative client for Let's Encrypt.
> (https://github.com/hlandau/acme/)
Heh, I've heard enough about acme that I assumed it was the official
client.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> It stores the certificates etc. in the following directory layout:
>
> /var/lib/acme/live/<domain> -> ../certs/<hash>
> /var/lib/acme/certs/<hash>/cert
> /var/lib/acme/certs/<hash>/chain
> /var/lib/acme/certs/<hash>/privkey -> ../../keys/<hash>/privkey
> /var/lib/acme/certs/<hash>/url
> /var/lib/acme/certs/<hash>/fullchain
> /var/lib/acme/keys/<hash>/privkey
>
> This patch adds the needed permissions to the ssl_certs and ssl_keys
> abstractions so that the certificates can be used.
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
> [ abstractions-ssl-acmetool.diff ]
>
> === modified file 'profiles/apparmor.d/abstractions/ssl_certs'
> --- profiles/apparmor.d/abstractions/ssl_certs 2015-01-31 15:51:17 +0000
> +++ profiles/apparmor.d/abstractions/ssl_certs 2016-03-27 16:28:03 +0000
> @@ -23,3 +23,7 @@
> /usr/local/share/ca-certificates/** r,
> /var/lib/ca-certificates/ r,
> /var/lib/ca-certificates/** r,
> +
> + # acmetool
> + /var/lib/acme/certs/*/chain r,
> + /var/lib/acme/certs/*/cert r,
>
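Review bot: the two rules added to ssl_certs cover only `chain` and `cert`, while the layout described in the message also lists `/var/lib/acme/certs/<hash>/fullchain`, so a profile that includes only ssl_certs would be denied on that file. Consider adding `/var/lib/acme/certs/*/fullchain r,` next to them. The ca-certificates context lines just above also grant the directory itself (`/var/lib/ca-certificates/ r,`); if listing the acme directories is expected, a matching directory rule is missing here as well.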
> === modified file 'profiles/apparmor.d/abstractions/ssl_keys'
> --- profiles/apparmor.d/abstractions/ssl_keys 2010-12-20 20:29:10 +0000
> +++ profiles/apparmor.d/abstractions/ssl_keys 2016-03-27 16:32:32 +0000
> @@ -16,3 +16,7 @@
> /etc/ssl/ r,
> /etc/ssl/** r,
>
> + # acmetool
> + /var/lib/acme/live/* r,
> + /var/lib/acme/certs/** r,
> + /var/lib/acme/keys/** r,
>
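Review bot: `/var/lib/acme/certs/** r,` in the ssl_keys hunk grants read on everything under certs/, including `url`, although the only key-related entry there in the described layout is the `privkey` symlink into keys/. If covering that symlink is the intent, `/var/lib/acme/certs/*/privkey r,` is the narrower rule, and `/var/lib/acme/keys/** r,` could likewise be `/var/lib/acme/keys/*/privkey r,`. The `# acmetool` comment could also say why live/ and certs/ paths belong in the keys abstraction.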