I mentioned in the Server Security Q&A session yesterday that I had, for
example, an AppArmor profile for radicale that constrains radicale to
access only the calendar files that it serves.

Since radicale is in universe, this provides some mitigation to a
security update not arriving timely. AppArmor will restrict any
compromise to just my calendars.

I hadn't shared this because it depends on using file paths and an init
script that matches mine, so isn't suitable for the radicale package in
general unless the package also adopts some standard scheme.

Here it is though, for anybody who is interested.

# Last Modified: Sat Dec 15 04:07:46 2012
#include <tunables/global>

/usr/bin/radicale {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/python>

  /bin/dash rix,
  /etc/radicale/config r,
  /etc/radicale/ssl.crt r,
  /etc/radicale/ssl.key r,
  /etc/radicale/users r,
  /proc/*/mounts r,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /usr/bin/python2.7 ix,
  /usr/bin/radicale r,
  /usr/lib{,32,64}/** mrw,
  /var/local/radicale/calendars/** rw,

}


-- 
ubuntu-server mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
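
One way to check a profile like this against the goal stated in the post (writes limited to the calendar files), as an added example that is not part of the original message: it lists every file rule that grants write access outside a chosen data directory or that pairs write with m/x. The function names and the `data_root` parameter are assumptions; it reads only simple `<path> <perms>,` rules and does not resolve `#include` abstractions.

```python
import re
from itertools import product

# File rules copied from the profile in the post, embedded so this runs offline.
PROFILE = """
/usr/bin/radicale {
  /bin/dash rix,
  /etc/radicale/config r,
  /etc/radicale/ssl.crt r,
  /etc/radicale/ssl.key r,
  /etc/radicale/users r,
  /proc/*/mounts r,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /usr/bin/python2.7 ix,
  /usr/bin/radicale r,
  /usr/lib{,32,64}/** mrw,
  /var/local/radicale/calendars/** rw,
}
"""

RULE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")  # "<path> <perms>,"

def expand_braces(path):
    """Expand non-nested AppArmor {a,b} alternations into separate patterns."""
    parts = re.split(r"\{([^{}]*)\}", path)  # odd indexes are alternation bodies
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(c) for c in product(*choices)]

def file_rules(profile):
    for line in profile.splitlines():
        m = RULE.match(line)
        if m:  # skips the profile header, includes and the closing brace
            for path in expand_braces(m.group(1)):
                yield path, m.group(2)

def audit(profile, data_root):
    """Flag writable rules outside data_root (hypothetical name) or with m/x."""
    findings = []
    for path, perms in file_rules(profile):
        if set(perms) & {"w", "a"}:  # write or append
            if not path.startswith(data_root):  # prefix test on the glob: a heuristic
                findings.append((path, perms, "writable outside data directory"))
            if set(perms.lower()) & {"m", "x"}:
                findings.append((path, perms, "writable and executable/mappable"))
    return findings

if __name__ == "__main__":
    print(*audit(PROFILE, "/var/local/radicale/calendars/"), sep="\n")
```

Run against the profile as posted, the only rule it reports is `/usr/lib{,32,64}/** mrw,`; the calendar rule passes both checks.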
