# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/vsftpd
@{att} = ""
profile vsftpd /{,usr/}bin/vsftpd flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/authentication>
  include <abstractions/hosts_access>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

  # To be able to listen on ports < 1024
  capability net_bind_service,

  # To be able to chroot local users
  capability sys_chroot,

  # To run vsftpd as ftp:ftp
  capability setgid,
  capability setuid,

  # To change ownership of uploaded files
  capability chown,

  # Something to do with local users (?)
  capability audit_write,

  # Needed when container isolation is set (isolate=YES and isolate_network=YES), but vsftpd can
  # work witout it as its code is set up to continue happily if container isolation is not
  # available (when first written, many kernels didn't have the underlying support).
  capability sys_admin,

  # Needed when vsftpd maintains sessions (session_support=YES)
  capability net_admin,
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mr,

  # To validate allowed users shells
  /etc/shells r,

  # List of users disallowed FTP access
  /etc/ftpusers r,

  # vsftpd config files
  /etc/vsftpd.conf r,
  /etc/vsftpd/**/ r,
  /etc/vsftpd/* r,
  /etc/vsftpd/users/* r,

  # Certs for SSL/TLS conection
  /etc/vsftpd/certs/*.crt r,
  /etc/vsftpd/certs/*.key r,

  # Logs
  /var/log/vsftpd.log wk,
  /var/log/xferlog w,

  # A directory which vsftpd will try to change into after a user login
  # Set "rw" when vsftpd allows users to send files
  # The "k" flag is needed when lock_upload_files=YES
  @{MOUNTS}/ftp/ r,
  @{MOUNTS}/ftp/** rwk,

  include if exists <local/vsftpd>
}

# vim:syntax=apparmor
