Merge pull request #39 from mdegat01/fix-apparmor

Read on some folders and lock dbs for loki (aa)
mdegat01 · Apr 10, 2021 · e43195e · e43195e
2 parents 03a34d3 + 3fc3482
commit e43195e
Showing 1 changed file with 55 additions and 51 deletions.
diff --git a/loki/apparmor.txt b/loki/apparmor.txt
@@ -19,43 +19,47 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
   capability setgid,
 
   # S6-Overlay
-  /init                           rix,
-  /bin/**                         rix,
-  /usr/bin/**                     rix,
-  @{etc_ro}/s6/**                 rix,
-  @{etc_rw}/services.d/{,**}      rwix,
-  @{etc_rw}/cont-init.d/{,**}     rwix,
-  @{etc_rw}/cont-finish.d/{,**}   rwix,
-  @{etc_rw}/fix-attrs.d/{,**}     rw,
-  @{run}/s6/**                    rwix,
-  @{run}/**                       rwk,
-  /dev/tty                        rw,
-  @{etc_ro}/group                 r,
-  @{etc_ro}/passwd                r,
-  @{etc_ro}/hosts                 r,
-  @{etc_ro}/ssl/openssl.cnf       r,
-  /dev/null                       k,
+  /init                               rix,
+  /bin/**                             rix,
+  /usr/bin/**                         rix,
+  @{etc_ro}/s6/**                     rix,
+  @{etc_rw}/services.d/{,**}          rwix,
+  @{etc_rw}/cont-init.d/{,**}         rwix,
+  @{etc_rw}/cont-finish.d/{,**}       rwix,
+  @{etc_rw}/fix-attrs.d/{,**}         rw,
+  @{run}/s6/**                        rwix,
+  @{run}/**                           rwk,
+  /dev/tty                            rw,
+  @{etc_ro}/group                     r,
+  @{etc_ro}/passwd                    r,
+  @{etc_ro}/hosts                     r,
+  @{etc_ro}/ssl/openssl.cnf           r,
+  /dev/null                           k,
 
   # Bashio
-  /usr/lib/bashio/**              ix,
-  /tmp/**                         rw,
+  /usr/lib/bashio/**                  ix,
+  /tmp/**                             rw,
 
   # Options.json & addon data
-  /data/**                        rw,
+  /data                               r,
+  /data/**                            rw,
 
   # Needed for setup
-  @{etc_rw}/loki/**               rw,
-  @{etc_rw}/nginx/{,**}           rw,
-  @{nginx_data}/{,**}             rw,
-  /var/log/nginx/{,**}            rw,
-  /ssl/**                         r,
+  @{etc_rw}/loki/{,**}                rw,
+  @{etc_rw}/nginx/{,**}               rw,
+  @{nginx_data}/{,**}                 rw,
+  /var/log/nginx/{,**}                rw,
+  /share/{,**}                        r,
+  /ssl/{,**}                          r,
 
   # Programs
-  /usr/bin/loki                   cx,
-  /usr/sbin/nginx                 Cx,
+  /usr/bin/loki                       cx,
+  /usr/sbin/nginx                     Cx,
 
   # Shell access
-  owner @{HOME}/*                 rw,
+  owner @{HOME}/.*                    rw,
+  @{etc_ro}/inputrc                   r,
+  @{etc_ro}/terminfo/x/xterm-256color r,
 
   profile /usr/bin/loki flags=(attach_disconnected,mediate_deleted) {
     include <abstractions/base>
@@ -68,22 +72,22 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
     network tcp,
 
     # Executables
-    /bin/**                         rix,
-    /usr/bin/**                     rix,
+    /bin/**                           rix,
+    /usr/bin/**                       rix,
 
     # Addon data
-    /data/**                        r,
-    /data/loki/**                   rw,
+    /data/**                          r,
+    /data/loki/**                     rwk,
 
     # Config
-    @{etc_ro}loki/*                 r,
-    /share/**                       r,
+    @{etc_ro}loki/*                   r,
+    /share/**                         r,
 
     # Runtime usage
-    @{etc_ro}/hosts                 r,
-    @{etc_ro}/resolv.conf           r,
-    @{etc_ro}/nsswitch.conf         r,
-    @{PROC}/sys/net/core/somaxconn  r,
+    @{etc_ro}/hosts                   r,
+    @{etc_ro}/resolv.conf             r,
+    @{etc_ro}/nsswitch.conf           r,
+    @{PROC}/sys/net/core/somaxconn    r,
     @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   }
 
@@ -105,24 +109,24 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
     ptrace (read) peer=*_loki,
 
     # Executables
-    /bin/**                     rix,
-    /usr/bin/**                 rix,
+    /bin/**                           rix,
+    /usr/bin/**                       rix,
 
     # Config files
-    @{etc_ro}/nginx/**          r,
-    /ssl/**                     r,
+    @{etc_ro}/nginx/**                r,
+    /ssl/**                           r,
 
     # Service data
-    @{nginx_data}/**            r,
-    /var/lib/nginx/tmp/**       rw,
-    /var/log/nginx/*            w,
+    @{nginx_data}/**                  r,
+    /var/lib/nginx/tmp/**             rw,
+    /var/log/nginx/*                  w,
 
     # Runtime usage
-    /usr/sbin/nginx             rm,
-    @{etc_ro}/group             r,
-    @{etc_ro}/passwd            r,
-    @{etc_ro}/ssl/openssl.cnf   r,
-    @{run}/nginx.pid            rw,
-    @{PROC}/1/fd/1              w,
+    /usr/sbin/nginx                   rm,
+    @{etc_ro}/group                   r,
+    @{etc_ro}/passwd                  r,
+    @{etc_ro}/ssl/openssl.cnf         r,
+    @{run}/nginx.pid                  rw,
+    @{PROC}/1/fd/1                    w,
   }
-}
+}