Accepting request 1005892 from home:stroeder:sys

- corrected comment in AppArmor profile - added AppArmor profile - added sandboxing options to systemd service unit OBS-URL: https://build.opensuse.org/request/show/1005892 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/golang-github-lusitaniae-apache_exporter?expand=0&rev=19
2022-10-01 11:01:44 +00:00
parent 693a19e8ee
commit 2c2f6f0bac
4 changed files with 88 additions and 0 deletions
--- a/apparmor-usr.bin.prometheus-apache_exporter
+++ b/apparmor-usr.bin.prometheus-apache_exporter
@@ -0,0 +1,24 @@
+# AppArmor profile for prometheus apache-exporter
+
+#include <tunables/global>
+
+profile /usr/bin/prometheus-apache_exporter flags=(attach_disconnected) {
+
+  #include <abstractions/base>
+
+  network inet  stream,
+  network inet6 stream,
+
+  /etc/ld.so.cache r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+
+  @{PROC}/sys/net/core/somaxconn r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/{stat,limits} r,
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  # grant read access to mtail executable
+  /usr/bin/prometheus-apache_exporter r,
+  
+}
--- a/golang-github-lusitaniae-apache_exporter.changes
+++ b/golang-github-lusitaniae-apache_exporter.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sun Sep 25 14:12:03 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- corrected comment in AppArmor profile
+
+-------------------------------------------------------------------
+Thu Sep 22 17:25:32 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- added AppArmor profile
+- added sandboxing options to systemd service unit
+
 -------------------------------------------------------------------
 Tue Sep 20 09:40:38 UTC 2022 - Witek Bedyk <witold.bedyk@suse.com>

--- a/golang-github-lusitaniae-apache_exporter.spec
+++ b/golang-github-lusitaniae-apache_exporter.spec
@@ -23,6 +23,8 @@
 %undefine _missing_build_ids_terminate_build
 %endif

+%bcond_without  apparmor
+
 # Templating vars to simplify and standardize Prometheus exporters spec files
 %define	githubrepo    github.com/lusitaniae/apache_exporter
 %define	upstreamname  apache_exporter
@@ -39,6 +41,7 @@ URL:            http://%{githubrepo}
 Source:         %{upstreamname}-%{version}.tar.gz
 Source1:        vendor.tar.gz
 Source2:        %{targetname}.service
+Source3:        apparmor-usr.bin.%{targetname}
 BuildRequires:  fdupes
 BuildRequires:  golang-packaging
 BuildRequires:  xz
@@ -49,6 +52,11 @@ Requires(pre):  shadow-utils
 BuildRequires:  golang(API) = 1.15
 Requires(pre):  shadow
 %endif
+%if %{with apparmor}
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+Recommends:     apparmor-abstractions
+%endif
 ExcludeArch:    s390
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{?systemd_requires}
@@ -69,6 +77,11 @@ install -d -m 0755 %{buildroot}%{_unitdir}
 install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}
 install -d -m 0755 %{buildroot}%{_sbindir}
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%{targetname}
+%if %{with apparmor}
+# AppArmor profile
+mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif

 %check
 %if 0%{?rhel}
@@ -89,6 +102,9 @@ getent passwd %{serviceuser} >/dev/null || %{_sbindir}/useradd -r -g %{serviceus
 %else
 %service_add_post %{targetname}.service
 %endif
+%if %{with apparmor}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif

 %preun
 %if 0%{?rhel}
@@ -111,5 +127,9 @@ getent passwd %{serviceuser} >/dev/null || %{_sbindir}/useradd -r -g %{serviceus
 %{_bindir}/%{targetname}
 %{_unitdir}/%{targetname}.service
 %{_sbindir}/rc%{targetname}
+%if %{with apparmor}
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif

 %changelog
--- a/prometheus-apache_exporter.service
+++ b/prometheus-apache_exporter.service
@@ -11,5 +11,38 @@ ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=20s
 SendSIGKILL=no

+# various hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+StandardInput=null
+UMask=0077
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectProc=invisible
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+KeyringMode=private
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+DevicePolicy=closed
+PrivateIPC=yes
+RemoveIPC=yes
+MemoryDenyWriteExecute=yes
+ProcSubset=pid
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey @setuid @timer
+
 [Install]
 WantedBy=multi-user.target