diff --git a/packaging/ubuntu/bitoj-guards b/packaging/ubuntu/bitoj-guards
new file mode 100644
index 0000000..4e86441
--- /dev/null
+++ b/packaging/ubuntu/bitoj-guards
@@ -0,0 +1,68 @@
+#include
+
+# BitOJ guard profiles
+/usr/lib/bitoj/scripts/binary-guard {
+ #include
+
+ /var/lib/bitoj/data/**/main mrix,
+ /usr/lib/bitoj/data/**/main mrix,
+}
+
+/usr/lib/bitoj/scripts/java-guard {
+ #include
+ capability sys_ptrace,
+
+ /var/lib/bitoj/data/**/*.class mr,
+ /usr/lib/bitoj/data/**/*.class mr,
+ /usr/bin/java mrix,
+
+ /etc/passwd mr,
+ /etc/nsswitch.conf mr,
+ /etc/java*/* mr,
+ /proc/** mr,
+ /sys/** mr,
+ /usr/lib/jvm/**/** mr,
+ /usr/lib/jvm/java-6-sun*/jre/bin/* mrix,
+
+ /tmp/hsperfdata_ojrun*/ mrw,
+ /tmp/hsperfdata_ojrun*/* mrw,
+}
+
+/usr/lib/bitoj/scripts/mono-guard {
+ #include
+
+ /var/lib/bitoj/data/**/main.exe mr,
+ /usr/lib/bitoj/data/**/main.exe mr,
+ /var/lib/bitoj/data/**/.wapi/ mrw,
+ /var/lib/bitoj/data/**/.wapi/* mrw,
+ /usr/lib/bitoj/data/**/.wapi/ mrw,
+ /usr/lib/bitoj/data/**/.wapi/* mrw,
+
+ /usr/bin/mono mrix,
+ /usr/lib/mono/2.0/* mr,
+ /usr/lib/mono/2.0/**/* mr,
+ /etc/mono/config mr,
+ /etc/nsswitch.conf mr,
+ /etc/passwd mr,
+ /proc/**/* mr,
+}
+
+/usr/lib/bitoj/scripts/python-guard {
+ #include
+ #include
+
+ /var/lib/bitoj/data/**/main.py mr,
+ /usr/lib/bitoj/data/**/main.py mr,
+ /usr/bin/python2.5 mrix,
+ /usr/lib/python2.5/lib-dynload/** mr,
+}
+
+/usr/lib/bitoj/scripts/bash-guard {
+ #include
+ #include
+
+ /var/lib/bitoj/data/**/main.sh mr,
+ /usr/lib/bitoj/data/**/main.sh mr,
+ /bin/* mrix,
+ /usr/bin/* mrix,
+}
diff --git a/packaging/ubuntu/build-deb.sh b/packaging/ubuntu/build-deb.sh
index ea3ea97..b1491e8 100644
--- a/packaging/ubuntu/build-deb.sh
+++ b/packaging/ubuntu/build-deb.sh
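Review bot: Every `#include` in the new profile file is shown without a target (the very first line is just `#include`, and so are the ones inside each guard); `apparmor_parser` rejects a bare `#include`, so if the committed file really reads this way the `apparmor_parser -r … || true` in postinst fails quietly and none of the five guards is ever enforced — if the `<…>` targets were merely lost in rendering, the point that survives is to have build-deb.sh parse the profile at build time so a broken file fails the package build rather than the install. java-guard's `/proc/** mr` and `/sys/** mr` (and mono-guard's `/proc/**/* mr`) hand the confined runtime read access to every process's `/proc` entries, which is wider than a judge sandbox needs; `owner /proc/[0-9]*/** r,` plus the specific `/proc` and `/sys` files the runtime is observed to touch in complain mode is the usual shape. `capability sys_ptrace` in java-guard only has an effect if the guard already runs with that capability, and if it runs unprivileged, as the `hsperfdata_ojrun*` paths suggest, the rule is dead weight that should go. bash-guard's `/bin/* mrix` and `/usr/bin/* mrix` let a submission run any installed program under the same confinement, which is sound only while the profile grants no write paths beyond its abstractions; a one-line comment stating that invariant would protect it from a later "just add `/tmp/** rw`" edit.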
@@ -13,6 +13,7 @@ rm -rf "$BUILD_DIR" "$OUT_DIR" mkdir -p "$PKG_ROOT/DEBIAN" \ "$PKG_ROOT/usr/lib/bitoj" \ "$PKG_ROOT/etc/bitoj" \ + "$PKG_ROOT/etc/apparmor.d" \ "$PKG_ROOT/lib/systemd/system" \ "$PKG_ROOT/var/lib/bitoj" \ "$PKG_ROOT/var/log/bitoj" @@ -24,6 +25,7 @@ cp "$SCRIPT_DIR/postrm" "$PKG_ROOT/DEBIAN/postrm" chmod 0755 "$PKG_ROOT/DEBIAN/postinst" "$PKG_ROOT/DEBIAN/prerm" "$PKG_ROOT/DEBIAN/postrm" cp "$SCRIPT_DIR/bitoj.service" "$PKG_ROOT/lib/systemd/system/bitoj.service" +cp "$SCRIPT_DIR/bitoj-guards" "$PKG_ROOT/etc/apparmor.d/bitoj-guards" mkdir -p "$PKG_ROOT/usr/lib/tmpfiles.d" cp "$SCRIPT_DIR/tmpfiles.conf" "$PKG_ROOT/usr/lib/tmpfiles.d/bitoj.conf" diff --git a/packaging/ubuntu/postinst b/packaging/ubuntu/postinst index b597481..9eb66bc 100644 --- a/packaging/ubuntu/postinst +++ b/packaging/ubuntu/postinst @@ -29,6 +29,17 @@ fi chown -R oj:oj /var/lib/bitoj || true chmod 755 /var/lib/bitoj /var/log/bitoj +if [ -f /etc/apparmor.d/bitoj-guards ]; then + if command -v apparmor_parser >/dev/null 2>&1; then + apparmor_parser -r /etc/apparmor.d/bitoj-guards || true + fi + if command -v service >/dev/null 2>&1; then + service apparmor reload >/dev/null 2>&1 || true + elif [ -x /etc/init.d/apparmor ]; then + /etc/init.d/apparmor reload >/dev/null 2>&1 || true + fi +fi + if command -v systemctl >/dev/null 2>&1; then systemctl daemon-reload if command -v systemd-tmpfiles >/dev/null 2>&1; then diff --git a/packaging/ubuntu/postrm b/packaging/ubuntu/postrm index 5eb28fb..2e07429 100644 --- a/packaging/ubuntu/postrm +++ b/packaging/ubuntu/postrm @@ -7,6 +7,12 @@ fi if [ "$1" = "purge" ]; then rm -rf /etc/bitoj + rm -f /etc/apparmor.d/bitoj-guards + if command -v service >/dev/null 2>&1; then + service apparmor reload >/dev/null 2>&1 || true + elif [ -x /etc/init.d/apparmor ]; then + /etc/init.d/apparmor reload >/dev/null 2>&1 || true + fi fi exit 0 diff --git a/scripts/run-guard.py b/scripts/run-guard.py index 33af69a..b1a2ed4 100755 --- a/scripts/run-guard.py 
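Review bot: In the postinst hunk, `apparmor_parser -r /etc/apparmor.d/bitoj-guards || true` discards the one failure that matters here — a profile that does not parse or load means every submission runs unconfined, and the install still reports success. Keep the script non-fatal if that is the policy, but make the failure visible: `apparmor_parser -r /etc/apparmor.d/bitoj-guards || echo "bitoj: failed to load AppArmor guard profiles" >&2`, and skip the whole block when `[ ! -d /sys/kernel/security/apparmor ]` so a kernel without AppArmor does not print the warning on every install. The `service apparmor reload` that follows re-parses every profile on the system for nothing once `-r` has already loaded this one, so it belongs in the `else` branch of the `command -v apparmor_parser` test rather than as an unconditional second pass. The same `service`/`/etc/init.d/apparmor` fallback is duplicated verbatim in the postrm hunk; maintainer scripts cannot share a function, so the two copies at least deserve a comment pointing at each other.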
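Review bot: In the postrm hunk the profile file is deleted before anything unloads it, so the five guard profiles can stay loaded in the kernel until reboot; `service apparmor reload` re-parses what is still in `/etc/apparmor.d`, and whether it also drops profiles whose file has vanished depends on the init script version, so the change should not rely on it. Unload explicitly while the file still exists, i.e. add `apparmor_parser -R /etc/apparmor.d/bitoj-guards >/dev/null 2>&1 || true` on the line before `rm -f /etc/apparmor.d/bitoj-guards` (the parser needs the file to learn the profile names). The `if [ "$1" = "purge" ]` block closes inside the hunk, so the reordering is local to it.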
+++ b/scripts/run-guard.py @@ -58,8 +58,7 @@ class RunGuard: self.usepickle = True v = os.getenv('GUARD_RLIMIT_OFILE') - if v: - self.ofile = int(v) + if v: self.ofile = int(v) self.ldpreload = os.getenv('GUARD_LD_PRELOAD') def execute(self):
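Review bot: Collapsing `if v: self.ofile = int(v)` onto one line replaces the two-line form the file already used with a PEP 8 E701 violation, and the neighbouring `GUARD_*` lookups in this hunk keep each statement on its own line, so the change moves away from the surrounding style rather than toward it; restore `if v:` followed by `self.ofile = int(v)` on the next line. The enclosing method starts outside the hunk, so it is not visible here whether other single-line conditionals exist to justify the new shape.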