Roundup Tracker

AppArmor is a mandatory access control (MAC) mechanism implemented as a Linux kernel security module. It allows the system administrator to restrict a program's capabilities with a per-program profile. Its goal is similar to that of SELinux or grsecurity. (See https://issues.roundup-tracker.org/issue1113861 for a starter SELinux configuration.)

AppArmor uses file paths to define security boundaries. The following AppArmor profile supports running roundup-server3 (the Python 3 instance) with a SQLite back end for Roundup. It would need to be changed to use the MySQL or PostgreSQL back ends, probably by allowing read/write access to the database socket.

This was implemented on Ubuntu 18.04 LTS.

For this example, the roundup software is installed in /home/roundup/local/.... The demo tracker is installed in /home/roundup/roundup.demo.

#include <tunables/global>

# define paths here
@{ROUNDUP_TRACKERS} = /home/roundup/roundup.demo
@{ROUNDUP_LOCALE} = /home/roundup/local/share/locale
@{ROUNDUP_SITE_PACKAGES} = /home/roundup/local/lib/python3.*/site-packages
@{ROUNDUP_BIN_DIR} = /home/roundup/local/bin/

# set the policy for the roundup-server running under python 3
/home/roundup/local/bin/roundup-server3 {
  # Allow binding to ports
  #include <abstractions/apache2-common>

  #include <abstractions/base>

  # allow access to installed python support libs.
  #include <abstractions/python>

  # Allow tempfile to work
  #include <abstractions/user-tmp>

  # execute the python binary
  /usr/bin/python3.* ix,
  # read mime types
  /etc/mime.types r,

  # allow reading of the roundup-server script by python 3
  @{ROUNDUP_BIN_DIR}/roundup-server3 r,

  # allow read access to the trackers directory
  @{ROUNDUP_TRACKERS}/ r,
  # and all files underneath
  @{ROUNDUP_TRACKERS}/** r,
  # and allow writing to all files under the db directory
  @{ROUNDUP_TRACKERS}/db/** rw,

  # allow writing to the log files at the root of the tracker and allow them to be rotated
  @{ROUNDUP_TRACKERS}/*.log rw,
  @{ROUNDUP_TRACKERS}/roundup.log.* rw,

  # this is unique to my tracker. It has an rss feed. Allow roundup to write the file in the html subdir.
  @{ROUNDUP_TRACKERS}/html/rss.xml rw,

  # allow read access to the roundup scripts
  @{ROUNDUP_BIN_DIR}/ r,

  # allow read access to the roundup support libraries and locale files since they are not installed under /usr/lib/python...
  @{ROUNDUP_SITE_PACKAGES}/ r,
  @{ROUNDUP_SITE_PACKAGES}/** r,

  @{ROUNDUP_LOCALE}/** r,

}
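To adapt the profile to a MySQL or PostgreSQL back end, the usual workflow is to load it in complain mode, exercise the tracker, and turn the logged accesses into rules. The following is an added example, not code from the Roundup wiki or project: a small Python script that parses constructed AppArmor audit records for the roundup-server3 profile above and prints the file rules they call for. The socket and config paths in the sample records are constructed; aa-logprof from apparmor-utils does this job properly, this only shows the mechanics.

```python
import re
from collections import defaultdict

# Profile name exactly as it appears in the profile header on this page.
PROFILE = "/home/roundup/local/bin/roundup-server3"

# Constructed sample audit lines (not captured from a real host). Line 2 is the
# form AppArmor logs in complain mode: the access was ALLOWED but is not in the
# profile, so it still needs a rule. Line 4 belongs to another profile.
SAMPLE_LOG = """\
type=AVC msg=audit(1600000000.100:101): apparmor="DENIED" operation="connect" profile="/home/roundup/local/bin/roundup-server3" name="/run/mysqld/mysqld.sock" pid=2345 comm="roundup-server3" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
type=AVC msg=audit(1600000000.200:102): apparmor="ALLOWED" operation="open" profile="/home/roundup/local/bin/roundup-server3" name="/etc/mysql/my.cnf" pid=2345 comm="roundup-server3" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1600000000.300:103): apparmor="DENIED" operation="open" profile="/home/roundup/local/bin/roundup-server3" name="/etc/mysql/my.cnf" pid=2346 comm="roundup-server3" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1600000000.400:104): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=99 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The fields we need from an audit record, in the order AppArmor logs them.
AUDIT_RE = re.compile(
    r'apparmor="(?P<status>DENIED|ALLOWED)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"'
)

# Canonical order of file permission letters in a rule. Execute ('x') is left
# out on purpose: it needs a qualifier (ix/px/cx/ux) that a human must choose.
PERM_ORDER = "rwacdklm"


def parse_events(log_text, profile):
    """Collect {path: set(perm letters)} for records logged against `profile`."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m.group("profile") != profile:
            continue
        needed[m.group("name")].update(c for c in m.group("mask") if c in PERM_ORDER)
    return dict(needed)


def suggest_rules(log_text, profile, indent="  "):
    """Render one merged file rule per path, ready to paste into the profile."""
    needed = parse_events(log_text, profile)
    rules = []
    for path in sorted(needed):
        perms = "".join(c for c in PERM_ORDER if c in needed[path])
        rules.append(f"{indent}{path} {perms},")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, PROFILE)))
```

Review each suggested rule before adding it: a denial only shows what the program tried, not whether the tracker should be allowed to do it.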


CategorySecurity