dist: Include AppArmor profiles
Not installed by default since they are more or less experimental and systemd sandboxing provides roughly the same level of isolation.
This commit is contained in:
parent
1b2b101f8e
commit
a0d5605337
3 changed files with 94 additions and 0 deletions
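--- a/dist/apparmor/dev.foxcpp.maddy
+++ b/dist/apparmor/dev.foxcpp.maddy
@@ -0,0 +1,38 @@
+# AppArmor profile for maddy daemon.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddy /usr{/local,}/bin/maddy {
+#include <abstractions/base>
+#include <abstractions/ssl_certs>
+#include <abstractions/ssl_keys>
+/etc/ca-certificates/** r,
+
+/etc/resolv.conf r,
+/proc/sys/net/core/somaxconn r,
+/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+deny ptrace,
+capability net_bind_service,
+network tcp,
+network unix,
+
+# systemd process management and Type=notify
+signal (receive) peer=unconfined,
+signal (receive) peer=/usr/bin/systemd,
+unix (create, connect, send, setopt) type=dgram addr=@*,
+/run/systemd/notify w,
+
+/etc/maddy/** r,
+owner /run/maddy/ rw,
+owner /run/maddy/** rwkl,
+owner /var/lib/maddy/ rw,
+owner /var/lib/maddy/** rwk,
+owner /var/lib/maddy/**.db-{wal,shm} rmk,
+
+/usr{/local,}/lib/maddy/* PUx,
+
+/usr{/local,}/bin/maddy{,ctl} rmix,
+
+#include if exists <local/dev.foxcpp.maddy>
+}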
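Review bot: `/usr{/local,}/lib/maddy/* PUx,` lets any helper under lib/maddy that has no profile of its own run fully unconfined, so a new or renamed hook silently leaves the sandbox instead of failing; only rspamd-hook ships a profile in this commit. `Px` requires a matching profile and denies the exec otherwise, which is the safer default for a directory of operator-droppable scripts: `/usr{/local,}/lib/maddy/* Px,`. If the unconfined fallback is deliberate for scripts that have no profile yet, a comment on that line saying so would stop the next reader from tightening it by accident. Note also that `/usr{/local,}/bin/maddy{,ctl} rmix,` runs maddyctl inherited under the daemon's profile, so when spawned from maddy it presumably gets the daemon's broader grants (tcp, net_bind_service) rather than the separate, narrower dev.foxcpp.maddyctl profile; worth a comment if that is intended.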
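--- a/dist/apparmor/dev.foxcpp.maddy.rspamd-hook
+++ b/dist/apparmor/dev.foxcpp.maddy.rspamd-hook
@@ -0,0 +1,32 @@
+# AppArmor profile for maddy's rspamd-hook script.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddy.rspamd-hook /usr{/local,}/lib/maddy/rspamd-hook {
+#include <abstractions/base>
+
+/usr/bin/rspamc-* Cx -> rspamc,
+/usr/bin/cut rmix,
+/usr/bin/grep rmix,
+
+/usr{/local,}/lib/maddy/rspamd-hook r,
+
+owner /dev/pts/* rw,
+/dev/tty rw,
+/bin/sh rmix,
+
+profile rspamc {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/openssl>
+/sys/kernel/mm/transparent_hugepage/enabled r,
+
+/usr/bin/rspamc-* rmix,
+
+#include if exists <local/dev.foxcpp.maddy.rspamd-hook.rspamc>
+}
+
+#include if exists <local/dev.foxcpp.maddy.rspamd-hook>
+}
+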
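Review bot: The glob `/usr/bin/rspamc-*`, used both in the `Cx -> rspamc` transition and in the child profile's `rmix` rule, matches only names with a `rspamc-` prefix and not `/usr/bin/rspamc` itself; if the hook calls the plain `rspamc` client, as rspamd presumably installs it, the exec is denied and the hook fails under enforcement. If the dashed name is deliberate for some distribution layout, `/usr/bin/rspamc{,-*} Cx -> rspamc,` (and the same pattern in the child) covers both spellings. Separately, `/dev/tty rw,` and `owner /dev/pts/* rw,` are broad grants for a daemon-spawned hook; a one-line comment such as `# terminal access only needed when the hook is run by hand for debugging` would document why they are there, or they could be dropped if the script never needs a terminal.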
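--- a/dist/apparmor/dev.foxcpp.maddyctl
+++ b/dist/apparmor/dev.foxcpp.maddyctl
@@ -0,0 +1,24 @@
+# AppArmor profile for maddyctl management utility.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddyctl /usr{/local,}/bin/maddyctl {
+#include <abstractions/base>
+
+/etc/resolv.conf r,
+/proc/sys/net/core/somaxconn r,
+/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+deny ptrace,
+network unix,
+deny unix,
+
+/etc/maddy/** r,
+owner /run/maddy/ rw,
+owner /run/maddy/** rwkl,
+owner /var/lib/maddy/ rw,
+owner /var/lib/maddy/** rwk,
+owner /var/lib/maddy/**.db-{wal,shm} rmk,
+
+#include if exists <local/dev.foxcpp.maddyctl>
+}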
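Review bot: `network unix,` and `deny unix,` on consecutive lines contradict each other; an explicit deny takes precedence over an allow in AppArmor, so the `network unix,` grant is dead and, if maddyctl ever needs a unix socket (for example to reach the running daemon), the profile blocks it silently. Keep one of the two: drop `network unix,` if the tool is meant to operate only on the on-disk state under /var/lib/maddy and /run/maddy, or drop `deny unix,` if it talks to maddy over a socket. A short comment stating which behaviour is intended would keep a later edit from re-adding the other line.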