diff --git a/loki/apparmor.txt b/loki/apparmor.txt new file mode 100644 index 0000000..40bb5d4 --- /dev/null +++ b/loki/apparmor.txt @@ -0,0 +1,134 @@ +include + +# Docker overlay +@{fs_root}=/ /docker/overlay2/*/diff/ +@{do_etc_rw}=@{fs_root}/@{etc_rw}/ +@{do_etc_ro}=@{fs_root}/@{etc_ro}/ +@{do_run}=@{fs_root}/@{run}/ +@{do_usr}=@{fs_root}/usr/ +@{do_var}=@{fs_root}/var/ + +# Nginx data dirs +@{nginx_data}=@{do_usr}/lib/nginx/ @{do_usr}/share/nginx/ @{do_var}/lib/nginx/ + +profile loki flags=(attach_disconnected,mediate_deleted) { + include + + # Send signals to children + signal (send) set=(kill,term,int,hup,cont), + + # Capabilities + capability kill, + capability dac_override, + capability chown, + capability fowner, + capability fsetid, + capability setuid, + capability setgid, + + # S6-Overlay + /init rix, + /bin/** rix, + /usr/bin/** rix, + @{do_etc_ro}/s6/** rix, + @{do_etc_rw}/services.d/{,**} rwix, + @{do_etc_rw}/cont-init.d/{,**} rwix, + @{do_etc_rw}/cont-finish.d/{,**} rwix, + @{do_etc_rw}/fix-attrs.d/{,**} rw, + @{do_run}/s6/** rwix, + @{do_run}/** rwk, + /dev/tty rw, + @{fs_root}/usr/lib/locale/{,**} r, + @{do_etc_ro}/group r, + @{do_etc_ro}/passwd r, + @{do_etc_ro}/hosts r, + @{do_etc_ro}/ssl/openssl.cnf r, + /dev/null k, + + # Bashio + /usr/lib/bashio/** ix, + /tmp/** rw, + + # Options.json & addon data + /data r, + /data/** rw, + + # Needed for setup + @{do_etc_rw}/loki/{,**} rw, + @{do_etc_rw}/nginx/{,**} rw, + @{nginx_data}/{,**} rw, + @{do_var}/log/nginx/{,**} rw, + /share/{,**} r, + /ssl/{,**} r, + + # Programs + /usr/bin/loki cx, + /usr/sbin/nginx Cx, + + # Shell access + owner @{HOME}/.* rw, + @{do_etc_ro}/inputrc r, + @{do_etc_ro}/terminfo/x/xterm-256color r, + + profile /usr/bin/loki flags=(attach_disconnected,mediate_deleted) { + include + + # Receive signals from S6-Overlay & ourselves + signal receive, + signal peer=@{profile_name}, + + # Send & receive tcp traffic + network tcp, + + # Addon data + /data/** r, + /data/loki/** rwk, + + # Config + @{do_etc_ro}/loki/* r, + /share/** r, + + # Runtime usage + /usr/bin/loki rm, + @{do_etc_ro}/hosts r, + @{do_etc_ro}/resolv.conf r, + @{do_etc_ro}/nsswitch.conf r, + @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + } + + profile /usr/sbin/nginx flags=(attach_disconnected,mediate_deleted) { + include + + # Receive signals from S6-Overlay & ourselves + signal receive peer=*_loki, + signal peer=@{profile_name}, + + # Send & receive tcp traffic + network tcp, + + # Capabilities + capability dac_override, + capability mknod, + capability setuid, + capability setgid, + ptrace (read) peer=*_loki, + + # Config files + @{do_etc_ro}/nginx/** r, + /ssl/** r, + + # Service data + @{nginx_data}/** r, + @{do_var}/lib/nginx/tmp/** rw, + @{do_var}/log/nginx/* w, + + # Runtime usage + /usr/sbin/nginx rm, + @{do_etc_ro}/group r, + @{do_etc_ro}/passwd r, + @{do_etc_ro}/ssl/openssl.cnf r, + @{do_run}/nginx.pid rw, + @{PROC}/1/fd/1 w, + } +} diff --git a/loki/ignore_apparmor.txt b/loki/ignore_apparmor.txt deleted file mode 100644 index 7a31f38..0000000 --- a/loki/ignore_apparmor.txt +++ /dev/null @@ -1,129 +0,0 @@ -include - -# Docker overlay -@{fs_root}=/ /docker/overlay2/*/diff/ - -# Nginx data dirs -@{nginx_data}=/usr/lib/nginx/ /usr/share/nginx/ /var/lib/nginx/ - -profile loki flags=(attach_disconnected,mediate_deleted) { - include - - # Send signals to children - signal (send) set=(kill,term,int,hup,cont), - - # Capabilities - capability kill, - capability dac_override, - capability chown, - capability fowner, - capability fsetid, - capability setuid, - capability setgid, - - # S6-Overlay - /init rix, - /bin/** rix, - /usr/bin/** rix, - @{fs_root}/@{etc_ro}/s6/** rix, - @{fs_root}/@{etc_rw}/services.d/{,**} rwix, - @{fs_root}/@{etc_rw}/cont-init.d/{,**} rwix, - @{fs_root}/@{etc_rw}/cont-finish.d/{,**} rwix, - @{fs_root}/@{etc_rw}/fix-attrs.d/{,**} rw, - @{fs_root}/@{run}/s6/** rwix, - @{fs_root}/@{run}/** rwk, - /dev/tty rw, - @{fs_root}/usr/lib/locale/{,**} r, - @{fs_root}/@{etc_ro}/group r, - @{fs_root}/@{etc_ro}/passwd r, - @{fs_root}/@{etc_ro}/hosts r, - @{fs_root}/@{etc_ro}/ssl/openssl.cnf r, - /dev/null k, - - # Bashio - /usr/lib/bashio/** ix, - /tmp/** rw, - - # Options.json & addon data - /data r, - /data/** rw, - - # Needed for setup - @{fs_root}/@{etc_rw}/loki/{,**} rw, - @{fs_root}/@{etc_rw}/nginx/{,**} rw, - @{nginx_data}/{,**} rw, - /var/log/nginx/{,**} rw, - /share/{,**} r, - /ssl/{,**} r, - - # Programs - /usr/bin/loki cx, - /usr/sbin/nginx Cx, - - # Shell access - owner @{HOME}/.* rw, - @{fs_root}/@{etc_ro}/inputrc r, - @{fs_root}/@{etc_ro}/terminfo/x/xterm-256color r, - - profile /usr/bin/loki flags=(attach_disconnected,mediate_deleted) { - include - - # Receive signals from S6-Overlay & ourselves - signal receive, - signal peer=@{profile_name}, - - # Send & receive tcp traffic - network tcp, - - # Addon data - /data/** r, - /data/loki/** rwk, - - # Config - @{fs_root}/@{etc_ro}loki/* r, - /share/** r, - - # Runtime usage - /usr/bin/loki rm, - @{fs_root}/@{etc_ro}/hosts r, - @{fs_root}/@{etc_ro}/resolv.conf r, - @{fs_root}/@{etc_ro}/nsswitch.conf r, - @{PROC}/sys/net/core/somaxconn r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - } - - profile /usr/sbin/nginx flags=(attach_disconnected,mediate_deleted) { - include - - # Receive signals from S6-Overlay & ourselves - signal receive peer=*_loki, - signal peer=@{profile_name}, - - # Send & receive tcp traffic - network tcp, - - # Capabilities - capability dac_override, - capability mknod, - capability setuid, - capability setgid, - ptrace (read) peer=*_loki, - - # Config files - @{fs_root}/@{etc_ro}/nginx/** r, - /ssl/** r, - - # Service data - @{nginx_data}/** r, - /var/lib/nginx/tmp/** rw, - /var/log/nginx/* w, - - # Runtime usage - /usr/sbin/nginx rm, - @{fs_root}/@{etc_ro}/group r, - @{fs_root}/@{etc_ro}/passwd r, - @{fs_root}/@{etc_ro}/ssl/openssl.cnf r, - @{fs_root}/@{run}/nginx.pid rw, - @{PROC}/1/fd/1 w, - } -}