Merge pull request #50 from mdegat01/readd-apparmor

Adding back apparmor profile with amd64 fixes

loki/apparmor.txt

@@ -0,0 +1,134 @@
+include <tunables/global>
+
+# Docker overlay
+@{fs_root}=/ /docker/overlay2/*/diff/
+@{do_etc_rw}=@{fs_root}/@{etc_rw}/
+@{do_etc_ro}=@{fs_root}/@{etc_ro}/
+@{do_run}=@{fs_root}/@{run}/
+@{do_usr}=@{fs_root}/usr/
+@{do_var}=@{fs_root}/var/
+
+# Nginx data dirs
+@{nginx_data}=@{do_usr}/lib/nginx/ @{do_usr}/share/nginx/ @{do_var}/lib/nginx/
+
+profile loki flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+
+  # Send signals to children
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # Capabilities
+  capability kill,
+  capability dac_override,
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability setuid,
+  capability setgid,
+
+  # S6-Overlay
+  /init                             rix,
+  /bin/**                           rix,
+  /usr/bin/**                       rix,
+  @{do_etc_ro}/s6/**                rix,
+  @{do_etc_rw}/services.d/{,**}     rwix,
+  @{do_etc_rw}/cont-init.d/{,**}    rwix,
+  @{do_etc_rw}/cont-finish.d/{,**}  rwix,
+  @{do_etc_rw}/fix-attrs.d/{,**}    rw,
+  @{do_run}/s6/**                   rwix,
+  @{do_run}/**                      rwk,
+  /dev/tty                          rw,
+  @{fs_root}/usr/lib/locale/{,**}   r,
+  @{do_etc_ro}/group                r,
+  @{do_etc_ro}/passwd               r,
+  @{do_etc_ro}/hosts                r,
+  @{do_etc_ro}/ssl/openssl.cnf      r,
+  /dev/null                         k,
+
+  # Bashio
+  /usr/lib/bashio/**                ix,
+  /tmp/**                           rw,
+
+  # Options.json & addon data
+  /data                             r,
+  /data/**                          rw,
+
+  # Needed for setup
+  @{do_etc_rw}/loki/{,**}           rw,
+  @{do_etc_rw}/nginx/{,**}          rw,
+  @{nginx_data}/{,**}               rw,
+  @{do_var}/log/nginx/{,**}         rw,
+  /share/{,**}                      r,
+  /ssl/{,**}                        r,
+
+  # Programs
+  /usr/bin/loki                     cx,
+  /usr/sbin/nginx                   Cx,
+
+  # Shell access
+  owner @{HOME}/.*                  rw,
+  @{do_etc_ro}/inputrc              r,
+  @{do_etc_ro}/terminfo/x/xterm-256color r,
+
+  profile /usr/bin/loki flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+
+    # Receive signals from S6-Overlay & ourselves
+    signal receive,
+    signal peer=@{profile_name},
+
+    # Send & receive tcp traffic
+    network tcp,
+
+    # Addon data
+    /data/**                        r,
+    /data/loki/**                   rwk,
+
+    # Config
+    @{do_etc_ro}/loki/*             r,
+    /share/**                       r,
+
+    # Runtime usage
+    /usr/bin/loki                   rm,
+    @{do_etc_ro}/hosts              r,
+    @{do_etc_ro}/resolv.conf        r,
+    @{do_etc_ro}/nsswitch.conf      r,
+    @{PROC}/sys/net/core/somaxconn  r,
+    @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  }
+
+  profile /usr/sbin/nginx flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+
+    # Receive signals from S6-Overlay & ourselves
+    signal receive peer=*_loki,
+    signal peer=@{profile_name},
+
+    # Send & receive tcp traffic
+    network tcp,
+
+    # Capabilities
+    capability dac_override,
+    capability mknod,
+    capability setuid,
+    capability setgid,
+    ptrace (read) peer=*_loki,
+
+    # Config files
+    @{do_etc_ro}/nginx/**           r,
+    /ssl/**                         r,
+
+    # Service data
+    @{nginx_data}/**                r,
+    @{do_var}/lib/nginx/tmp/**      rw,
+    @{do_var}/log/nginx/*           w,
+
+    # Runtime usage
+    /usr/sbin/nginx                 rm,
+    @{do_etc_ro}/group              r,
+    @{do_etc_ro}/passwd             r,
+    @{do_etc_ro}/ssl/openssl.cnf    r,
+    @{do_run}/nginx.pid             rw,
+    @{PROC}/1/fd/1                  w,
+  }
+}