Hi,
as mentioned earlier in another thread, I built an apparmor profile for Logitech Media Server 7.8.0 in order to enhance server security. If you don't know apparmor, you should probably not read further (at least until you make yourself familiar with it).
I'd like to share the profile with the community and put it up for discussion. Consider this a "beta" profile that still needs testing and adjustment to other usage scenarios than mine.
Disclaimer:
I tested the profile for several weeks now by using the server and my Logitech Squeezebox Touch the same way I always do, which includes listening to music from my library, listening to internet radio stations, editing playlists and favorites, scanning the library, using the web interface including the server configuration panel, etc. The profile was built for LMS 7.8.0 on an Ubuntu 14.04 machine. I don't use many plugins - only a few of those that come with the server itself. So if you use different versions of LMS, other plugins I don't use, or run LMS on other platforms, this profile might need some adjustment to your needs. I'd recommend to put it in complain mode for a while and use aa-logprof to see if it needs any additional rights for your usage scenarios. This profiles does not come with any warranty - use it at your own risk!
So, here's the profile, which needs to be stored in /etc/apparmor.d/usr.sbin.squeezeboxserver (at least on Ubuntu machines):
Required adjustments depending on the location of your library:
About BASEPATH and PATH_TO_YOUR_MUSIC_FOLDER. You have to give LMS the rights to read the files and folders in your music library, so you need to adjust these paths. You also have to include the path to your playlist folder for read and write access. If you want to be able to use the filesystem browser function when first setting up LMS you should also include read access to parent directories of your library and playlist location.
Example:
My library is located on an external drive mounted in /media/external_flashdrive/
The complete path to my library would be:
/media/external_flashdrive/library/music/
My playlists are stored in:
/media/external_flashdrive/library/playlists/
So in the profile example I would have to replace those two lines:
with
To be able to use the file browser for picking your library location, you need to give read acces to the parent directories to your library. So I replace those two lines in the example:
with
The first line means the server may list the contents of /media/ but not the child folders (e.g. other mounted drives). The second lines allows read access to all folders on my external flashdrive recursively (I don't have other stuff on my flashdrive than my music library, so this is ok for me. If you want to be more restrictive you can omit the ** and add a line for each parent folder seperately.
Discussion:
It would be nice if others can test this profiles and give feedback which addictional rights might be required for different usage scenarios or different versions of LMS.
Cheers,
Timo
as mentioned earlier in another thread, I built an apparmor profile for Logitech Media Server 7.8.0 in order to enhance server security. If you don't know apparmor, you should probably not read further (at least until you make yourself familiar with it).
I'd like to share the profile with the community and put it up for discussion. Consider this a "beta" profile that still needs testing and adjustment to other usage scenarios than mine.
Disclaimer:
I tested the profile for several weeks now by using the server and my Logitech Squeezebox Touch the same way I always do, which includes listening to music from my library, listening to internet radio stations, editing playlists and favorites, scanning the library, using the web interface including the server configuration panel, etc. The profile was built for LMS 7.8.0 on an Ubuntu 14.04 machine. I don't use many plugins - only a few of those that come with the server itself. So if you use different versions of LMS, other plugins I don't use, or run LMS on other platforms, this profile might need some adjustment to your needs. I'd recommend to put it in complain mode for a while and use aa-logprof to see if it needs any additional rights for your usage scenarios. This profiles does not come with any warranty - use it at your own risk!
So, here's the profile, which needs to be stored in /etc/apparmor.d/usr.sbin.squeezeboxserver (at least on Ubuntu machines):
Code:
#include <tunables/global>
/usr/sbin/squeezeboxserver flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
network inet stream,
network inet dgram,
/BASEPATH/ r,
/BASEPATH/**/ r,
/BASEPATH/PATH_TO_YOUR_MUSIC_FOLDER/** r,
/BASEPATH/PATH_TO_YOUR_PLAYLIST_FOLDER/** rw,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/protocols r,
/etc/squeezeboxserver/* r,
/run/resolvconf/resolv.conf r,
/usr/bin/perl ix,
/usr/sbin/squeezeboxserver r,
/usr/sbin/squeezeboxserver-scanner r,
/usr/share/squeezeboxserver/** r,
/usr/share/squeezeboxserver/CPAN/** mr,
/var/lib/squeezeboxserver/** r,
/var/lib/squeezeboxserver/cache/** rwk,
/var/lib/squeezeboxserver/prefs/** rw,
/var/log/squeezeboxserver/perfmon.log rw,
/var/log/squeezeboxserver/scanner.log rw,
/var/log/squeezeboxserver/server.log rw,
/var/tmp/* rw,
}About BASEPATH and PATH_TO_YOUR_MUSIC_FOLDER. You have to give LMS the rights to read the files and folders in your music library, so you need to adjust these paths. You also have to include the path to your playlist folder for read and write access. If you want to be able to use the filesystem browser function when first setting up LMS you should also include read access to parent directories of your library and playlist location.
Example:
My library is located on an external drive mounted in /media/external_flashdrive/
The complete path to my library would be:
/media/external_flashdrive/library/music/
My playlists are stored in:
/media/external_flashdrive/library/playlists/
So in the profile example I would have to replace those two lines:
Code:
/BASEPATH/PATH_TO_YOUR_LIBRARY/** r,
/BASEPATH/PATH_TO_YOUR_PLAYLIST_FOLDER/** rw,Code:
/media/external_flashdrive/library/music/** r,
/media/external_flashdrive/library/playlists/** rw,Code:
/BASEPATH/ r,
/BASEPATH/**/ r,Code:
/media/ r,
/media/external_flashdrive/**/ r,Discussion:
It would be nice if others can test this profiles and give feedback which addictional rights might be required for different usage scenarios or different versions of LMS.
Cheers,
Timo