diff options
Diffstat (limited to 'snappy/meta/walinuxagent.apparmor')
| -rw-r--r-- | snappy/meta/walinuxagent.apparmor | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/snappy/meta/walinuxagent.apparmor b/snappy/meta/walinuxagent.apparmor new file mode 100644 index 0000000..8315713 --- /dev/null +++ b/snappy/meta/walinuxagent.apparmor @@ -0,0 +1,85 @@ +# AppArmor confinement for waagent + +#include <tunables/global> + +# Specified profile variables +###VAR### + +###PROFILEATTACH### flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/ssl_certs> + #include <abstractions/openssl> + #include <abstractions/python> + + # Executable binaries + /usr/{,s}bin/* ixr, + /{,s}bin/* ixr, + + # Capabilities + capability net_bind_service, + capability net_raw, + capability net_admin, + capability dac_override, + capability sys_module, + capability sys_admin, + capability sys_ptrace, + + ptrace (read), + ptrace (trace), + + mount, + umount, + network, + + # Log path + /var/log/waagent.log rw, + /var/log/azure/ rw, + /var/log/azure/** rw, + + # Lib path + /var/lib/waagent/ rw, + /var/lib/waagent/** mrwlk, + # Enable VM extensions to execute unconfined + /var/lib/waagent/** PUx, + /{,usr/}lib/ r, + /{,usr/}lib/** r, + + /etc/ r, + /etc/** r, + /etc/udev/rules.d/** w, + + /usr/share/ r, + /usr/share/** r, + /usr/local/{,s}bin/ r, + /usr/{,s}bin/ r, + /{,s}bin/ r, + + /dev/ r, + /dev/sr0 r, + /dev/null w, + /dev/console rw, + /dev/tty rw, + + /run/ r, + /run/** r, + /run/mount/utab w, + /run/waagent.pid w, + + @{PROC}/ r, + @{PROC}/** r, + + /sys/module/ r, + /sys/module/** r, + /sys/firmware/acpi/tables/** r, + /sys/block/ r, + /sys/block/sd*/device/timeout rw, + /sys/devices/** rw, + + /mnt/cdrom/ rw, + /mnt/cdrom/secure/ rw, + + # Writable for the install directory + @{CLICK_DIR}/@{APP_PKGNAME}/ r, + @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, + @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrwklix, +} |