1. The problem I’m having:
With Caddy 1.x, it was easy to further secure it via a custom AppArmor profile. But with 2.x, it seems it’s now much harder to get a working AppArmor profile going for running Caddy ever since it started to interact with sudo. I’ve tried several variations now of generating a new profile via aa-genprof /usr/bin/caddy and carefully stepping through the caddy binary requests to allow them, but no matter what, I am met with the inability to effectively let caddy start via systemd without it timing out.
An error surfaced in the logs upon startup is:
{"level":"error","ts":1703317450.0061278,"msg":"unable to notify to service manager of ready state","error":"dial unixgram /run/systemd/notify: connect: permission denied"}
Though in the AppArmor profile I do have it set:
/run/systemd/notify rw,
Either way, it’s been a bit of a bear to get caddy confined with AppArmor. Has anyone had any luck with an existing profile? This would be for Ubuntu 22.04 LTS.
2. Error messages and/or full log output:
Full current AppArmor profile:
# Last Modified: Fri Dec 22 23:23:26 2023
abi <abi/3.0>,
include <tunables/global>
# vim:syntax=apparmor
/usr/bin/caddy flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/gio-open>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>

  capability audit_write,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,

  /var/www/** r,
  /etc/caddy/Caddyfile r,
  /etc/mime.types r,
  /etc/sudoers r,
  /etc/sudoers.d/* r,
  /proc/*/* r,
  /proc/sys/net/core/* r,
  /run/systemd/notify rw,
  /sys/kernel/mm/transparent_hugepage/* r,
  /usr/bin/caddy r,
  /usr/bin/sudo mrix,
  /usr/bin/tee mrix,
  owner /etc/login.defs r,
  owner /etc/pam.d/* r,
  owner /etc/shadow r,
  owner /etc/sudo.conf r,
  owner /etc/sudoers.d/ r,
  owner /run/sudo/ts/caddy rwk,
  owner /usr/libexec/sudo/libsudo_util.so.* mr,
  owner /usr/libexec/sudo/sudoers.so mr,
  owner /var/lib/caddy/*/ rw,
  owner /var/lib/caddy/.config/caddy/* rw,
  owner /var/lib/caddy/.local/share/caddy/** rw,
  owner /var/log/caddy/ r,
  owner /var/log/caddy/* w,
  owner /var/www/ w,
}
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
Using the official DEB package via the Cloudsmith repo, as specified in the Caddy documentation for the Ubuntu stable release.
a. System environment:
Running it directly. Not in a container.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
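Added example, not part of the post above and not Caddy's or AppArmor's own tooling: a small Python helper that turns AppArmor audit lines from the kernel log into candidate rule lines (a stripped-down version of what aa-logprof does) and reports whether the kernel logged each profile's events as DENIED or ALLOWED. A profile loaded in complain mode logs ALLOWED rather than DENIED, so that verdict set is a quick check that the profile actually in effect is the one on disk. The log lines, PIDs and paths in SAMPLE_LOG are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample kernel-log lines for the demo (not taken from the post above).
SAMPLE_LOG = """\
audit: type=1400 audit(1703317450.006:42): apparmor="DENIED" operation="connect" profile="/usr/bin/caddy" name="/run/systemd/notify" pid=1234 comm="caddy" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
audit: type=1400 audit(1703317450.007:43): apparmor="DENIED" operation="open" profile="/usr/bin/caddy" name="/etc/ssl/certs/ca-certificates.crt" pid=1234 comm="caddy" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
audit: type=1400 audit(1703317450.008:44): apparmor="DENIED" operation="capable" profile="/usr/bin/caddy" pid=1234 comm="caddy" capability=12 capname="net_admin"
audit: type=1400 audit(1703317450.009:45): apparmor="ALLOWED" operation="open" profile="/usr/bin/caddy" name="/var/log/caddy/access.log" pid=1234 comm="caddy" requested_mask="wc" denied_mask="wc" fsuid=999 ouid=999
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_ORDER = "rwmklx"
PERM_MAP = {"c": "w", "a": "w", "d": "w"}  # create/append/delete fall under 'w' in a rule

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV.findall(line)}

def perm_string(mask):
    """Normalise a denied_mask such as 'wc' into rule-letter order ('w')."""
    letters = {PERM_MAP.get(c, c) for c in mask}
    return "".join(c for c in PERM_ORDER if c in letters)

def suggest_rules(log_text):
    """Per profile: the apparmor= verdicts seen and candidate rule lines.
    ALLOWED events count too: in complain mode they are the operations the
    profile would reject once it is switched to enforce."""
    paths = defaultdict(lambda: defaultdict(set))   # profile -> path -> letters
    caps = defaultdict(set)                          # profile -> capability names
    modes = defaultdict(set)                         # profile -> {"DENIED", "ALLOWED"}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "profile" not in ev:
            continue
        prof = ev["profile"]
        modes[prof].add(ev["apparmor"])
        if ev.get("operation") == "capable" and "capname" in ev:
            caps[prof].add(ev["capname"])
        elif "name" in ev and "denied_mask" in ev:
            paths[prof][ev["name"]].update(ev["denied_mask"])
    result = {}
    for prof in sorted(set(paths) | set(caps)):
        rules = [f"capability {c}," for c in sorted(caps[prof])]
        rules += [f"{p} {perm_string(m)}," for p, m in sorted(paths[prof].items())]
        result[prof] = {"modes": modes[prof], "rules": rules}
    return result
```

On a host, feed `suggest_rules` the output of `journalctl -k` or `dmesg` instead of SAMPLE_LOG; treat the lines it prints as candidates to review against least privilege, not rules to paste in unchanged.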