yumechi-no-kuni-proxy-worker/mac/apparmor/yumechi-no-kuni-proxy-worker


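# AppArmor policy for yumechi-no-kuni-proxy-worker.
#
# Structure (every level is capability-less):
#   yumechi-no-kuni-proxy-worker
#       launcher: reads the config file, then change_profile -> //serve
#   yumechi-no-kuni-proxy-worker//serve
#       request handling: network client only, bind denied for tcp and udp
#   yumechi-no-kuni-proxy-worker//serve//image
#       ^image hat: no network, no capabilities, base libraries only;
#       may only receive signals from //serve
#
# Signal and change_profile peers must be written as the full profile path
# (profile//child//hat) exactly as declared in this file; a peer name that
# does not match a declared profile never matches anything.

abi <abi/4.0>,
include <tunables/global>

@{prog} = yumechi-no-kuni-proxy-worker
# {,bin/} rather than {,bin}/ so the empty alternative expands to
# /var/lib/@{prog}/@{prog} instead of a doubled slash.
@{prog_path} = /{,usr/}{,local/}{,s}bin/@{prog} /var/lib/@{prog}/{,bin/}@{prog}

profile yumechi-no-kuni-proxy-worker @{prog_path} {
    include <abstractions/base>
    include <abstractions/ssl_certs>
    include <abstractions/apparmor_api/is_enabled>
    include <abstractions/apparmor_api/introspect>
    include <abstractions/apparmor_api/change_profile>
    include <abstractions/openssl>

    deny capability,

    /{,usr/}lib/**.so.* mr,

    # Re-executing the binary itself stays under this profile (ix)
    /{,usr/}{,local/}{,s}bin/@{prog} ixr,
    owner /var/lib/@{prog}/{,bin/}@{prog} ixr,

    # Configuration file
    owner /var/lib/@{prog}/config.toml r,
    /etc/@{prog}/config.toml r,

    network tcp,
    network udp,
    network netlink raw,
    # tcp bind is not denied at this level (it is in //serve); presumably the
    # listening socket is created before the transition — confirm against the binary
    deny network (bind) udp,

    change_profile -> yumechi-no-kuni-proxy-worker//serve,

    profile serve {
        include <abstractions/base>
        include <abstractions/ssl_certs>
        include <abstractions/apparmor_api/is_enabled>
        include <abstractions/apparmor_api/introspect>
        include <abstractions/apparmor_api/change_profile>
        include <abstractions/openssl>

        deny capability,

        # DNS related
        @{etc_ro}/default/nss r,
        @{etc_ro}/protocols r,
        @{etc_ro}/resolv.conf r,
        @{etc_ro}/services r,
        @{etc_ro}/host.conf r,
        @{etc_ro}/hosts r,
        /var/lib/nscd/group r,
        /var/lib/nscd/passwd r,
        @{run}/nscd/db* r,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/resolve/resolv.conf r,
        @{run}/systemd/resolve/stub-resolv.conf r,

        # cgroup: own cgroup membership and the cpu.max (cpu quota) files
        owner @{PROC}/@{pid}/cgroup r,
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-*.scope/cpu.max r,

        network tcp,
        network udp,
        network netlink raw,
        # The worker never opens listening sockets
        deny network (bind) tcp,
        deny network (bind) udp,

        /{,usr/}{,local/}{,s}bin/@{prog} ixr,
        owner /var/lib/@{prog}/{,bin/}@{prog} ixr,

        # Peers are this profile's own children: serve <-> serve, serve -> image
        signal (send, receive) set=(int, term, kill) peer=yumechi-no-kuni-proxy-worker//serve,
        signal (send) set=(int, term, kill, usr1) peer=yumechi-no-kuni-proxy-worker//serve//image,

        # Image-processing sandbox: no network, no capabilities
        ^image {
            include <abstractions/base>
            include <abstractions/apparmor_api/change_profile>

            deny capability,
            deny network,

            signal (receive) peer=yumechi-no-kuni-proxy-worker//serve,
        }
    }
}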