adding apparmor profile for gnunet-helper-nat-server from Jacob

author Christian Grothoff <christian@grothoff.org>

Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)

committer Christian Grothoff <christian@grothoff.org>

Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)
author Christian Grothoff <christian@grothoff.org>
Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)
committer Christian Grothoff <christian@grothoff.org>
Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)
diff --git a/contrib/apparmor/usr.bin.gnunet-helper-nat-server b/contrib/apparmor/usr.bin.gnunet-helper-nat-server

new file mode 100644 (file)

index 0000000..d590021
--- /dev/null
+++ b/contrib/apparmor/usr.bin.gnunet-helper-nat-server
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#  Copyright (C) 2011 Jacob Appelbaum <jacob@appelbaum.net>
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of version 2 of the GNU General Public
+#  License published by the Free Software Foundation.
+#
+#  This should be placed in /etc/apparmor.d/usr.sbin.gnunet-helper-nat-server
+#  This profile may be a reasonable starting point for other NAT helpers.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+/usr/bin/gnunet-helper-nat-server {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+
+  # Allow these
+  capability net_raw,
+  capability setuid,
+  network inet raw,
+  network inet dgram, # UDP IPv4
+
+  # Deny these
+  deny network inet6 stream, # TCP IPv6
+  deny network inet6 dgram, # UDP IPv6
+
+  # Deny everything else by default with AppArmor
+}
author	Christian Grothoff <christian@grothoff.org>
	Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)
committer	Christian Grothoff <christian@grothoff.org>
	Sat, 17 Dec 2011 18:32:02 +0000 (18:32 +0000)