Apparmor should include letsencrypt directory for Slapd

Bug #1805178 reported by Tarek Loubani
Affects: openldap (Ubuntu) | Status: Fix Released | Importance: Low | Assigned to: Unassigned | Milestone: none listed

Bug Description

Apparmor denies access to /etc/letsencrypt for slapd, which is confusing for users trying to secure ldap with Letsencrypt in a stock configuration.

The fix is inserting the following line in /etc/apparmor.d/usr.sbin.slapd:

  /etc/letsencrypt/** r,

and then refreshing the profile:

# apparmor_parser -vr usr.sbin.slapd

This line should simply be included.

tarek : )

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug in Ubuntu.

First, let me suggest that any local modifications to apparmor profiles be made in /etc/apparmor.d/local instead of the profile in /etc/apparmor.d, otherwise you will get dpkg conf prompts with every upgrade. For slapd, for example, you have /etc/apparmor.d/local/usr.sbin.slapd

Second, what is the structure of files and directories in /etc/letsencrypt? Is it separated by user, service, or do all certs go in there? It would be good if we could come up with a rule that's a bit more specific.

Changed in openldap (Ubuntu):
status: New → Incomplete
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm removing apparmor from the affected list because the apparmor profile is shipped with slapd.

no longer affects: apparmor (Ubuntu)
Revision history for this message
John Johansen (jjohansen) wrote :

Marked this public security for now so it is on the security team radar and it can be reviewed by them.

information type: Public → Public Security
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I echo ahasenack's question. /etc/letsencrypt/** is pretty broad (especially if it contains private keys).

Once those details are worked out, updating slapd is conceptually fine. We may want to consider updating the ssl_certs and ssl_keys abstractions accordingly if letsencrypt is organizing things clearly. (We could also create a letsencrypt abstraction, but let's not go there just yet).

Revision history for this message
Christian Boltz (cboltz) wrote :

The ssl_certs and ssl_keys abstractions just got the paths for letsencrypt added:
    https://gitlab.com/apparmor/apparmor/merge_requests/283
(also backported to the 2.10..2.13 branches)

Revision history for this message
Tarek Loubani (tareko) wrote :

The above merge for apparmor appears to solve this issue. I agree with that issue that /etc/letsencrypt/live/** and /etc/letsencrypt/archive/** are probably the main places that have to be added. Shall we fix it in this package, or elsewhere?

tarek : )

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired
Changed in openldap (Ubuntu):
status: Expired → New
Revision history for this message
Robie Basak (racb) wrote :

I suppose we need to ensure that the openldap package is using this abstraction, then, and that the latest apparmor package in Ubuntu contains it.

I do think that Certbot integration for openldap is not relevant for the majority of Ubuntu users though, so am setting Importance: Low and don't expect anyone from the server team to address this any time soon.

We'd be happy to help volunteers get this landed though. First steps would be to identify what needs doing in the development release in apparmor and openldap with respect to this apparmor abstraction.

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Andreas fixed that in 2.4.49+dfsg-2ubuntu1 [Focal], which started to have the profile in openldap and include ssl_certs, which (as Christian Boltz outlined above) does include those paths.

# grep ssl_c /etc/apparmor.d/usr.sbin.slapd
  #include <abstractions/ssl_certs>

# grep enc /etc/apparmor.d/abstractions/ssl_certs
  /etc/letsencrypt/archive/*/cert*.pem r,
  /etc/letsencrypt/archive/*/chain*.pem r,
  /etc/letsencrypt/archive/*/fullchain*.pem r,

Fixed Focal onwards, and since users can modify the local overrides if needed I'm not sure how important an SRU of the same is (changing isolation in SRUs is discouraged AFAIK).

Changed in openldap (Ubuntu):
status: Triaged → Fix Released
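Putting the thread's two recommendations together (use /etc/apparmor.d/local rather than editing the shipped profile; from Focal on the slapd profile includes abstractions/ssl_certs, which lists the letsencrypt archive cert files), here is an added example that is not code from the bug report or from the openldap/apparmor packages. It checks a profile and an abstraction file for that coverage and, where it is missing, prints a narrow read-only override; the sample profile and abstraction files it creates under mktemp are constructed stand-ins for the real /etc/apparmor.d files.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Ubuntu packages.

# Return 0 if PROFILE pulls in abstractions/ssl_certs (old "#include" or newer "include" syntax).
profile_includes_ssl_certs() {
    grep -Eq '^[[:space:]]*#?include[[:space:]]+<abstractions/ssl_certs>' "$1"
}

# Return 0 if the ssl_certs ABSTRACTION grants the /etc/letsencrypt/archive cert files.
abstraction_grants_letsencrypt() {
    grep -Eq '^[[:space:]]*/etc/letsencrypt/archive/\*/(cert|chain|fullchain)\*\.pem[[:space:]]+r,' "$1"
}

# 0: slapd reaches the certs via the abstraction; 1: profile lacks the include;
# 2: the abstraction predates the letsencrypt paths (pre merge request 283).
slapd_letsencrypt_status() {
    profile_includes_ssl_certs "$1" || return 1
    abstraction_grants_letsencrypt "$2" || return 2
    return 0
}

# Rules for /etc/apparmor.d/local/usr.sbin.slapd when status is non-zero:
# only the public cert files, read-only; no private keys, no /etc/letsencrypt/**.
local_override_rules() {
    printf '%s\n' \
        '/etc/letsencrypt/archive/*/cert*.pem r,' \
        '/etc/letsencrypt/archive/*/chain*.pem r,' \
        '/etc/letsencrypt/archive/*/fullchain*.pem r,'
}

# Constructed sample files so the check runs offline (hypothetical contents).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
OLD_PROFILE="$TMPD/usr.sbin.slapd.old"   # pre-Focal style: no ssl_certs include
NEW_PROFILE="$TMPD/usr.sbin.slapd.new"   # Focal style: includes ssl_certs
NEW_ABS="$TMPD/ssl_certs"                # abstraction with the letsencrypt lines
printf '/usr/sbin/slapd {\n  /etc/ldap/** r,\n}\n' > "$OLD_PROFILE"
printf '/usr/sbin/slapd {\n  #include <abstractions/ssl_certs>\n  /etc/ldap/** r,\n}\n' > "$NEW_PROFILE"
printf '  /etc/letsencrypt/archive/*/cert*.pem r,\n  /etc/letsencrypt/archive/*/chain*.pem r,\n  /etc/letsencrypt/archive/*/fullchain*.pem r,\n' > "$NEW_ABS"

if slapd_letsencrypt_status "$NEW_PROFILE" "$NEW_ABS"; then
    echo "new profile: covered by abstractions/ssl_certs"
fi
if ! slapd_letsencrypt_status "$OLD_PROFILE" "$NEW_ABS"; then
    echo "old profile: add to /etc/apparmor.d/local/usr.sbin.slapd, then reload with apparmor_parser -r:"
    local_override_rules
fi
```

On a real host, point the two functions at /etc/apparmor.d/usr.sbin.slapd and /etc/apparmor.d/abstractions/ssl_certs instead of the constructed samples.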