[ubuntu-hardened] AppArmor profile for radicale

Robie Basak robie.basak at ubuntu.com
Wed Jun 11 11:25:39 UTC 2014

I mentioned in the Server Security Q&A session yesterday that I had, for
example, an AppArmor profile for radicale that constrains radicale to
access only the calendar files that it serves.

Since radicale is in universe, this provides some mitigation against a
security update not arriving in a timely manner. AppArmor will restrict any
compromise to just my calendars.

I hadn't shared this because it depends on using file paths and an init
script that matches mine, so isn't suitable for the radicale package in
general unless the package also adopts some standard scheme.

Here it is though, for anybody who is interested.
-------------- next part --------------
# Last Modified: Sat Dec 15 04:07:46 2012
#include <tunables/global>

/usr/bin/radicale {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/python>

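  # Shell, run with inherited confinement (ix)
  /bin/dash rix,
  # Site configuration, TLS certificate/key and users file: read-only
  /etc/radicale/config r,
  /etc/radicale/ssl.crt r,
  /etc/radicale/ssl.key r,
  /etc/radicale/users r,
  /proc/*/mounts r,
  # ldconfig and the Python interpreter also inherit this profile (ix)
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /usr/bin/python2.7 ix,
  /usr/bin/radicale r,
  # Libraries: read, write and executable mmap
  /usr/lib{,32,64}/** mrw,
  # Calendar storage (site-specific path): read/write
  /var/local/radicale/calendars/** rw,
}
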
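
To check what a profile like the one attached above grants, this added example (not part of the original post or of the radicale package) parses its file rules and lists the paths the confined process may write, the paths it may execute or map as executable, and any rule that grants both. The function names are hypothetical, and rules pulled in through the `#include` abstractions are not expanded.

```python
import re

# File rules copied from the profile attached to the post (abstractions not expanded).
PROFILE = """\
/usr/bin/radicale {
  /bin/dash rix,
  /etc/radicale/config r,
  /etc/radicale/ssl.crt r,
  /etc/radicale/ssl.key r,
  /etc/radicale/users r,
  /proc/*/mounts r,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /usr/bin/python2.7 ix,
  /usr/bin/radicale r,
  /usr/lib{,32,64}/** mrw,
  /var/local/radicale/calendars/** rw,
}
"""

# "<optional qualifiers> <path> <modes>," ; the profile header ends in "{" and never matches.
RULE = re.compile(r"^\s*((?:(?:audit|deny|owner)\s+)*)(/\S*)\s+([A-Za-z]+)\s*,")

def file_rules(profile_text):
    """Yield (path, modes) for each allow file rule; skip includes, comments, deny rules."""
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and "deny" not in m.group(1).split():
            yield m.group(2), m.group(3)

def audit(profile_text):
    """Group rule paths by capability: write, exec/mmap-exec, and both at once."""
    report = {"write": [], "exec": [], "write_and_exec": []}
    for path, modes in file_rules(profile_text):
        writes = bool(set(modes) & {"w", "a"})        # write or append
        runs = bool(set(modes.lower()) & {"x", "m"})  # any exec transition or PROT_EXEC mmap
        if writes:
            report["write"].append(path)
        if runs:
            report["exec"].append(path)
        if writes and runs:
            report["write_and_exec"].append(path)
    return report

if __name__ == "__main__":
    for kind, paths in audit(PROFILE).items():
        print(kind, paths)
```
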