[apparmor] [PATCH] profiles: certbot and dehydrated config dirs for SSL certificates

Christian Boltz apparmor at cboltz.de
Tue Mar 13 21:48:02 UTC 2018


Hello,

On Friday, 9 March 2018, 17:26:24 CET, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues <rgoldwyn at suse.com>
> 
> From: Sven Uebelacker <sven at uebelacker.net>
> 
> Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
> ---
>  profiles/apparmor.d/abstractions/ssl_certs | 7 +++++++
>  profiles/apparmor.d/abstractions/ssl_keys  | 7 +++++++
>  2 files changed, 14 insertions(+)
> 
> diff --git a/profiles/apparmor.d/abstractions/ssl_certs
> b/profiles/apparmor.d/abstractions/ssl_certs index 0234fd4b..4a6c17b4
> 100644
> --- a/profiles/apparmor.d/abstractions/ssl_certs
> +++ b/profiles/apparmor.d/abstractions/ssl_certs
> @@ -27,3 +27,10 @@
>    # acmetool
>    /var/lib/acme/certs/*/chain r,
>    /var/lib/acme/certs/*/cert r,
> +
> +  # certbot
> +  /etc/certbot/live/** r,
> +  /etc/certbot/archive/** r,
> +
> +  # dehydrated
> +  /etc/dehydrated/certs/** r,
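Review bot: The three added rules in ssl_certs use `**`, which matches every file under `/etc/certbot/live/`, `/etc/certbot/archive/` and `/etc/dehydrated/certs/`, whereas the acmetool rules just above them name only the `chain` and `cert` files. The same three paths are also added to ssl_keys, so these trees evidently hold key material, and any profile that includes only the certificate abstraction would gain read access to it. Narrow each rule to the certificate and chain file names that the tools write, following the acmetool pattern, and leave the broad globs to ssl_keys.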
> diff --git a/profiles/apparmor.d/abstractions/ssl_keys
> b/profiles/apparmor.d/abstractions/ssl_keys index c6f29ad2..e805bff1
> 100644
> --- a/profiles/apparmor.d/abstractions/ssl_keys
> +++ b/profiles/apparmor.d/abstractions/ssl_keys
> @@ -20,3 +20,10 @@
>    /var/lib/acme/live/* r,
>    /var/lib/acme/certs/** r,
>    /var/lib/acme/keys/** r,
> +
> +  # certbot
> +  /etc/certbot/live/** r,
> +  /etc/certbot/archive/** r,
> +
> +  # dehydrated
> +  /etc/dehydrated/certs/** r,
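Review bot: The rules added to ssl_keys are byte-for-byte the same as the ones added to ssl_certs, so for certbot and dehydrated the two abstractions stop being distinguishable. A `**` glob fits this file, since the context line `/var/lib/acme/keys/** r,` is already broad, but the split only means something if the ssl_certs side is narrowed. The commit message also has no body beyond the From and Signed-off-by lines; a sentence on which directory layout these paths assume, and which files in it are keys and which are certificates, would let a reviewer check the globs.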

This looks like the patch from 
https://build.opensuse.org/request/show/533380
and I still think that granting access to the private keys in the 
ssl_certs abstraction isn't a good idea, so we'll need more restrictive 
rules.

I'm guilty of not answering Sven's questions in the SR for months, but 
just added a comment and hope for some feedback. As an alternative, do 
you know the directory layout used by certbot and dehydrated so that I 
can come up with some more restrictive rules myself?


Regards,

Christian Boltz

PS: Random signature as usual, but it matches perfectly ;-)
-- 
<sarnold> it's been on my todo list for eight or nine years,
          I'm sure I'll get around to it right quick :)
[from #apparmor]