# Last Modified: Thu Apr 14 17:48:19 2022
# AppArmor profile for openiked's iked(8) as packaged on Debian.
# Declares policy ABI 3.0 so the parser and kernel agree on which rule
# families (dbus, unix, signal, network, change_profile) this file relies on.
abi <abi/3.0>,

# Supplies the @{PROC} / @{tid} variables referenced inside the profile.
include <tunables/global>

# Privileged parent process. The forked privilege-separated workers enter the
# tighter child profiles (ca / control / ikev2) below via change_profile; the
# parent alone keeps the capabilities listed here.
profile iked /usr/sbin/iked {
  include <abstractions/base>

  # Parent signals its workers (see the signal (send) rules further down).
  capability kill,

  # address/route configuration
  capability net_admin,
  network netlink dgram,

  # config file
  # nameservice is presumably for resolving hostnames in iked.conf -- confirm.
  include <abstractions/nameservice>
  /etc/iked.conf r,
  # Read-only, but covers the whole tree (any key material under /etc/iked
  # included). NOTE(review): the ca child also reads this tree; verify the
  # parent itself needs the access before keeping both.
  /etc/iked/** r,

  # systemd-resolved
  # Abstract socket name bound for the system-bus connection -- presumably the
  # sd-bus client-side bind; confirm if the pattern ever needs changing.
  unix bind type=stream addr=@*/bus/iked/system,
  # Each dbus rule pins bus, object path, interface, single member and the
  # well-known peer name, so only these four calls are permitted.
  dbus send
     bus=system
     path=/org/freedesktop/resolve1
     interface=org.freedesktop.resolve1.Manager
     member=SetLinkDNS
     peer=(name=(org.freedesktop.resolve1)),
  dbus send
     bus=system
     path=/org/freedesktop/resolve1
     interface=org.freedesktop.resolve1.Manager
     member=SetLinkDefaultRoute
     peer=(name=(org.freedesktop.resolve1)),
  dbus send
     bus=system
     path=/org/freedesktop/network1
     interface=org.freedesktop.network1.Manager
     member=SetLinkDNS
     peer=(name=(org.freedesktop.network1)),
  dbus send
     bus=system
     path=/org/freedesktop/network1
     interface=org.freedesktop.network1.Manager
     member=SetLinkDefaultRoute
     peer=(name=(org.freedesktop.network1)),

  # reexec: 'ix' keeps the re-executed binary confined by this same profile.
  /usr/sbin/iked ix,

  # priv dropping (workers chroot and switch uid/gid before entering a child profile)
  capability setuid,
  capability setgid,
  capability sys_chroot,

  # switch profile
  # mounts: presumably read by libapparmor to locate its filesystem -- confirm.
  owner @{PROC}/@{tid}/mounts r,
  # attr/current is where the change_profile request is written.
  owner @{PROC}/@{tid}/attr/current w,
  # One-way transitions: none of the child profiles may change back, and none
  # of them lists the capabilities granted to the parent above.
  change_profile -> iked//ca,
  change_profile -> iked//control,
  change_profile -> iked//ikev2,

  signal (send) peer=iked//ca,
  signal (send) peer=iked//control,
  signal (send) peer=iked//ikev2,
  # NOTE(review): no 'profile resolvectl' child and no change_profile to it is
  # defined in this file; confirm whether this rule is still needed.
  signal (send) peer=iked//resolvectl,

  # privsep IPC with the three workers, restricted by peer label.
  unix (send, receive) type=stream peer=(label=iked//control),
  unix (send, receive) type=stream peer=(label=iked//ikev2),
  unix (send, receive) type=stream peer=(label=iked//ca),

  # Control socket path; the control child below gets rw on the same path.
  owner /run/iked.sock w,
  # PF_KEY socket (see the ikev2 child as well).
  network key raw,

  # CA worker: IPC with the parent plus read access to certificates/keys;
  # no network rules.
  profile ca {
    include <abstractions/base>

    # privsep
    signal (receive) peer=iked,
    unix (send, receive) type=stream peer=(label=iked),

    # certs/keys
    /etc/iked/** r,
  }

  # Control worker: serves the ikectl control socket.
  profile control {
    include <abstractions/base>

    # privsep
    signal (receive) peer=iked,
    unix (send, receive) type=stream peer=(label=iked),
    /run/iked.sock rw,

    # ikectl control sock
    network unix raw,
  }

  # IKEv2 worker: the only child with Internet-facing sockets (UDP over
  # IPv4/IPv6) plus PF_KEY for SA installation.
  profile ikev2 {
    include <abstractions/base>

    # privsep
    signal (receive) peer=iked,
    unix (send, receive) type=stream peer=(label=iked),

    # IKEv2
    network inet dgram,
    network inet6 dgram,
    # PFKEY
    network key raw,
  }
}