Created
May 16, 2017 22:45
Gist: Carlgo11/514bfc26d434d58965b19b5d3ddfc091
Apparmor Configs - TeamSpeak3 Server & JTS3Server Bot
# Last Modified: Thu May 16 00:00:00 2017
#include <tunables/global>
@{bot_dir} = /usr/local/teamspeak3_bot
/usr/local/teamspeak3_bot/start_bot.sh {
  #include <abstractions/base>
  #include <abstractions/bash>
  network inet6 stream,
  /proc/*/net/if_inet6 r,
  /usr/lib/jvm/java-8-oracle/jre/bin/java rCix,
  @{bot_dir}/JTS3ServerMod.jar rix,
  @{bot_dir}/config/* r,
  @{bot_dir}/config/JTS3ServerMod_InstanceManager.cfg.lock rw,
  @{bot_dir}/start_bot.sh r,
}

# Last Modified: Thu May 16 00:00:00 2017
#include <tunables/global>
@{home_dir} = /usr/local/teamspeak3_server
/usr/local/teamspeak3_server/ts3server_startscript.sh {
  #include <abstractions/base>
  #include <abstractions/bash>
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  deny /etc/hosts r,
  /bin/cat rux,
  /bin/dash rux,
  /bin/grep rux,
  /bin/ps rux,
  /bin/readlink rux,
  /bin/rm rux,
  /bin/sleep rux,
  /bin/uname rux,
  /dev/shm/7gbhujb54g8z9hu43jre8 rw,
  /run/resolvconf/resolv.conf r,
  /run/shm/* rw,
  /usr/bin/dirname rix,
  /usr/local/teamspeak3_server/ts3server rix,
  @{home_dir}/* r,
  @{home_dir}/files/** rw,
  @{home_dir}/logs/ts3server_0.log rw,
  @{home_dir}/logs/ts3server_1.log rw,
  @{home_dir}/redist/* r,
  @{home_dir}/sql/* rix,
  @{home_dir}/ts3server rix,
  @{home_dir}/ts3server.pid rw,
  @{home_dir}/ts3server.sqlitedb* w,
  @{home_dir}/ts3server_startscript.sh rix,
  @{home_dir}/tsdns/* r,
}
These files are AppArmor configuration files for a TeamSpeak3 server and JTS3Server Bot running on Ubuntu 16.04 LTS.
Teamspeak3 Server
This file is mostly a hack because of how TeamSpeak is built. The server calls a bunch of Linux native commands (as seen with /bin/*) and I didn't want to give it access to all commands.
I run the TeamSpeak server with a MySQL (MariaDB) database and therefore there are a few SQL related things in the config.
TeamSpeak really likes to log every single thing it can and as I don't want all communication to be logged I limited the server to only use 2 logs: one for the server itself and one for the virtual server "1". You typically run most things on the virtual server.
JTS3Server Bot
This config is the better one in my opinion. I was able to limit off what the bot can see in its own directory and limit off most of the server along with most Linux commands.
I chose to only give it access to the files in the main directory that it needed while allowing access to all files inside the ~/config directory. After running this I found some unusual behavior where the oddest thing is that the bot tried to read /etc/passwd on startup. I cannot come up with a good explanation for why this would be useful to the bot so either this is some weird bug or debug thing left behind with the code or the author has the data sent to them and collects it for whatever reason. Maybe it does something malicious when it runs as root? 🤔