adding apparmor profile for gnunet-helper-nat-server from Jacob

author: Christian Grothoff <christian@grothoff.org> 2011-12-17 18:32:02 +0000
committer: Christian Grothoff <christian@grothoff.org> 2011-12-17 18:32:02 +0000
commit: d73ab29514e8431ea6810cb943a2cd3f7a94e4fd (patch)
tree: d6b1d6bf1cdd746a0bfa1ae6f113e254c61624b0 /contrib/apparmor/usr.bin.gnunet-helper-nat-server
parent: b5074dd699c1bef42995219d6742cec281070f7b (diff)
download: gnunet-d73ab29514e8431ea6810cb943a2cd3f7a94e4fd.tar.gz
gnunet-d73ab29514e8431ea6810cb943a2cd3f7a94e4fd.zip
1 files changed, 30 insertions, 0 deletions
diff --git a/contrib/apparmor/usr.bin.gnunet-helper-nat-server b/contrib/apparmor/usr.bin.gnunet-helper-nat-server
new file mode 100644
index 000000000..d590021d5
--- /dev/null
+++ b/contrib/apparmor/usr.bin.gnunet-helper-nat-server
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#  Copyright (C) 2011 Jacob Appelbaum <jacob@appelbaum.net>
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of version 2 of the GNU General Public
+#  License published by the Free Software Foundation.
+#
+#  This should be placed in /etc/apparmor.d/usr.sbin.gnunet-helper-nat-server
+#  This profile may be a reasonable starting point for other NAT helpers.
+#
+# ------------------------------------------------------------------
+#include <tunables/global>
+/usr/bin/gnunet-helper-nat-server {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  # Allow these
+  capability net_raw,
+  capability setuid,
+  network inet raw,
+  network inet dgram, # UDP IPv4
+  # Deny these
+  deny network inet6 stream, # TCP IPv6
+  deny network inet6 dgram, # UDP IPv6
+  # Deny everything else by default with AppArmor
+}
author	Christian Grothoff <christian@grothoff.org>	2011-12-17 18:32:02 +0000
committer	Christian Grothoff <christian@grothoff.org>	2011-12-17 18:32:02 +0000
commit	d73ab29514e8431ea6810cb943a2cd3f7a94e4fd (patch)
tree	d6b1d6bf1cdd746a0bfa1ae6f113e254c61624b0 /contrib/apparmor/usr.bin.gnunet-helper-nat-server
parent	b5074dd699c1bef42995219d6742cec281070f7b (diff)
download	gnunet-d73ab29514e8431ea6810cb943a2cd3f7a94e4fd.tar.gz gnunet-d73ab29514e8431ea6810cb943a2cd3f7a94e4fd.zip

diff --git a/contrib/apparmor/usr.bin.gnunet-helper-nat-server b/contrib/apparmor/usr.bin.gnunet-helper-nat-server new file mode 100644 index 000000000..d590021d5 --- /dev/null +++ b/contrib/apparmor/usr.bin.gnunet-helper-nat-server
@@ -0,0 +1,30 @@
	1	# ------------------------------------------------------------------
	2	#
	3	# Copyright (C) 2011 Jacob Appelbaum <jacob@appelbaum.net>
	4	#
	5	# This program is free software; you can redistribute it and/or
	6	# modify it under the terms of version 2 of the GNU General Public
	7	# License published by the Free Software Foundation.
	8	#
	9	# This should be placed in /etc/apparmor.d/usr.sbin.gnunet-helper-nat-server
	10	# This profile may be a reasonable starting point for other NAT helpers.
	11	#
	12	# ------------------------------------------------------------------
	13
	14	#include <tunables/global>
	15	/usr/bin/gnunet-helper-nat-server {
	16	#include <abstractions/base>
	17	#include <abstractions/consoles>
	18
	19	# Allow these
	20	capability net_raw,
	21	capability setuid,
	22	network inet raw,
	23	network inet dgram, # UDP IPv4
	24
	25	# Deny these
	26	deny network inet6 stream, # TCP IPv6
	27	deny network inet6 dgram, # UDP IPv6
	28
	29	# Deny everything else by default with AppArmor
	30	}