yumechi-no-kuni-proxy-worker/mac/apparmor/yumechi-no-kuni-proxy-worker

abi <abi/4.0>,

include <tunables/global>

@{prog} = yumechi-no-kuni-proxy-worker
@{prog_path} = /{,usr/}{,local/}{,s}bin/@{prog} /var/lib/@{prog}/{,bin}/@{prog}

profile yumechi-no-kuni-proxy-worker @{prog_path} {
    include <abstractions/base>
    include <abstractions/ssl_certs>
    include <abstractions/apparmor_api/is_enabled>
    include <abstractions/apparmor_api/introspect>
    include <abstractions/apparmor_api/change_profile>
    include <abstractions/openssl>

    deny capability,

    /{,usr/}lib/**.so.* mr,
    
    /{,usr/}{,local/}{,s}bin/@{prog} ixr,
    owner /var/lib/@{prog}/{,bin}/@{prog} ixr,

    # Configuration file
    owner /var/lib/@{prog}/config.toml r,
    /etc/@{prog}/config.toml r,

    network tcp,
    network udp,
    network netlink raw,
    deny network (bind) udp,

    change_profile -> yumechi-no-kuni-proxy-worker//serve,

    profile serve {
        include <abstractions/base>
        include <abstractions/ssl_certs>
        include <abstractions/apparmor_api/is_enabled>
        include <abstractions/apparmor_api/introspect>
        include <abstractions/apparmor_api/change_profile>
        include <abstractions/openssl>

        deny capability,

        # DNS related
        @{etc_ro}/default/nss r,
        @{etc_ro}/protocols r,
        @{etc_ro}/resolv.conf r,
        @{etc_ro}/services r,
        @{etc_ro}/host.conf r,
        @{etc_ro}/hosts r,
        /var/lib/nscd/group r,
        /var/lib/nscd/passwd r,
        @{run}/nscd/db* r,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/resolve/resolv.conf r,
        @{run}/systemd/resolve/stub-resolv.conf r,

        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/resolve/resolv.conf r,
        @{run}/systemd/resolve/stub-resolv.conf r,

        # cgroup
        owner @{PROC}/@{pid}/cgroup r,
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-*.scope/cpu.max r,

        network tcp,
        network udp,
        network netlink raw,
        deny network (bind) tcp,
        deny network (bind) udp,

        /{,usr/}{,local/}{,s}bin/@{prog} ixr,
        owner /var/lib/@{prog}/{,bin/}@{prog} ixr,

        signal (send, receive) set=(int, term, kill) peer=yume-proxy-workers//serve,
        signal (send) set=(int, term, kill, usr1) peer=yume-proxy-workers//serve//image,


        ^image {
            include <abstractions/base>
            include <abstractions/apparmor_api/change_profile>

            deny capability,
            deny network,

            signal (receive) peer=yume-proxy-worker//serve,
        }
    }

}