|
@@ -0,0 +1,34 @@
|
|
1
|
+include <tunables/global>
|
|
2
|
+
|
|
3
|
+# Georg Pfuetzenreuter <georg+ergo@lysergic.dev>
|
|
4
|
+# AppArmor confinement for ergo and ergo-ldap
|
|
5
|
+
|
|
6
|
+profile ergo /usr/bin/ergo {
|
|
7
|
+ include <abstractions/base>
|
|
8
|
+ include <abstractions/consoles>
|
|
9
|
+ include <abstractions/nameservice>
|
|
10
|
+
|
|
11
|
+ /etc/ergo/ircd.{motd,yaml} r,
|
|
12
|
+ /etc/ssl/irc/{crt,key} r,
|
|
13
|
+ /etc/ssl/ergo/{crt,key} r,
|
|
14
|
+ /usr/bin/ergo mr,
|
|
15
|
+ /proc/sys/net/core/somaxconn r,
|
|
16
|
+ /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
|
17
|
+ /usr/share/ergo/languages/{,*.lang.json,*.yaml} r,
|
|
18
|
+ owner /run/ergo/ircd.lock rwk,
|
|
19
|
+ owner /var/lib/ergo/ircd.db rw,
|
|
20
|
+
|
|
21
|
+ include if exists <local/ergo>
|
|
22
|
+
|
|
23
|
+}
|
|
24
|
+
|
|
25
|
+profile ergo-ldap /usr/bin/ergo-ldap {
|
|
26
|
+ include <abstractions/openssl>
|
|
27
|
+ include <abstractions/ssl_certs>
|
|
28
|
+
|
|
29
|
+ /usr/bin/ergo-ldap rm,
|
|
30
|
+ /etc/ergo/ldap.yaml r,
|
|
31
|
+
|
|
32
|
+ include if exists <local/ergo-ldap>
|
|
33
|
+
|
|
34
|
+}
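Review bot: The `ergo` profile carries no exec rule for `/usr/bin/ergo-ldap`, so if ergo is meant to spawn that helper (the header comment groups the two, but the invocation is not visible in this file), the exec is denied under enforcement and the `ergo-ldap` profile is never entered from it. Adding `/usr/bin/ergo-ldap Px,` inside the `ergo` block makes the transition explicit and keeps the helper in its own narrower profile, away from ergo's read access to the TLS keys and `ircd.db`. The `ergo-ldap` block also includes neither `<abstractions/base>` nor any `network` rule, so outbound LDAP connections and name resolution would presumably be blocked. `include <abstractions/nameservice>`, or a scoped `network inet stream,` / `network inet6 stream,` pair, would cover that. It is worth running both profiles in complain mode and checking the audit log before enforcing, so that missing rules are not later papered over with a broad `ix` or `Ux` grant.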
|