dist: Include AppArmor profiles

Not installed by default since they are more or less experimental and systemd sandboxing provides roughly the same level of isolation.
2025-04-04 05:37:34 +03:00 · 2020-01-04 18:29:58 +03:00 · 2020-01-04 18:29:58 +03:00 · a0d5605337
commit a0d5605337
parent 1b2b101f8e
3 changed files with 94 additions and 0 deletions
--- a/dist/apparmor/dev.foxcpp.maddy
+++ b/dist/apparmor/dev.foxcpp.maddy
@ -0,0 +1,38 @@
+# AppArmor profile for maddy daemon.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddy /usr{/local,}/bin/maddy {
+  #include <abstractions/base>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+  /etc/ca-certificates/** r,
+
+  /etc/resolv.conf r,
+  /proc/sys/net/core/somaxconn r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  deny ptrace,
+  capability net_bind_service,
+  network tcp,
+  network unix,
+
+  # systemd process management and Type=notify
+  signal (receive) peer=unconfined,
+  signal (receive) peer=/usr/bin/systemd,
+  unix (create, connect, send, setopt) type=dgram addr=@*,
+  /run/systemd/notify w,
+
+  /etc/maddy/** r,
+  owner /run/maddy/ rw,
+  owner /run/maddy/** rwkl,
+  owner /var/lib/maddy/ rw,
+  owner /var/lib/maddy/** rwk,
+  owner /var/lib/maddy/**.db-{wal,shm} rmk,
+
+  /usr{/local,}/lib/maddy/* PUx,
+
+  /usr{/local,}/bin/maddy{,ctl} rmix,
+
+  #include if exists <local/dev.foxcpp.maddy>
+}
--- a/dist/apparmor/dev.foxcpp.maddy.rspamd-hook
+++ b/dist/apparmor/dev.foxcpp.maddy.rspamd-hook
@ -0,0 +1,32 @@
+# AppArmor profile for maddy's rspamd-hook script.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddy.rspamd-hook /usr{/local,}/lib/maddy/rspamd-hook {
+  #include <abstractions/base>
+
+  /usr/bin/rspamc-* Cx -> rspamc,
+  /usr/bin/cut rmix,
+  /usr/bin/grep rmix,
+
+  /usr{/local,}/lib/maddy/rspamd-hook r,
+
+  owner /dev/pts/* rw,
+  /dev/tty rw,
+  /bin/sh rmix,
+
+  profile rspamc {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+    #include <abstractions/openssl>
+    /sys/kernel/mm/transparent_hugepage/enabled r,
+
+    /usr/bin/rspamc-* rmix,
+
+    #include if exists <local/dev.foxcpp.maddy.rspamd-hook.rspamc>
+  }
+
+  #include if exists <local/dev.foxcpp.maddy.rspamd-hook>
+}
+
--- a/dist/apparmor/dev.foxcpp.maddyctl
+++ b/dist/apparmor/dev.foxcpp.maddyctl
@ -0,0 +1,24 @@
+# AppArmor profile for maddyctl management utility.
+# vim:syntax=apparmor:ts=2:sw=2:et
+
+#include <tunables/global>
+
+profile dev.foxcpp.maddyctl /usr{/local,}/bin/maddyctl {
+  #include <abstractions/base>
+
+  /etc/resolv.conf r,
+  /proc/sys/net/core/somaxconn r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  deny ptrace,
+  network unix,
+  deny unix,
+
+  /etc/maddy/** r,
+  owner /run/maddy/ rw,
+  owner /run/maddy/** rwkl,
+  owner /var/lib/maddy/ rw,
+  owner /var/lib/maddy/** rwk,
+  owner /var/lib/maddy/**.db-{wal,shm} rmk,
+
+  #include if exists <local/dev.foxcpp.maddyctl>
+}