path: root/snappy/meta/walinuxagent.apparmor
blob: 83157134fa0492bb984b05e4f5dd9503f5187e66 (plain)
# AppArmor confinement for waagent

#include <tunables/global>

# Specified profile variables
###VAR###

# Profile body for the waagent service. The attachment spec on the next line
# appears to be a template placeholder that is substituted when the profile is
# generated (TODO confirm against the packaging tool).
# flags=(attach_disconnected): paths that cannot be resolved inside the
# process's mount namespace are mediated as if they were attached at "/".
###PROFILEATTACH### flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/ssl_certs>  
  #include <abstractions/openssl>
  #include <abstractions/python>

  # Executable binaries
  # ix = executed programs inherit this profile; r = the files are readable.
  # The glob covers every file directly under the four system bin directories.
  /usr/{,s}bin/*                                ixr,
  /{,s}bin/*                                    ixr,

  # Capabilities
  # NOTE(review): sys_admin, sys_module, sys_ptrace and dac_override are among
  # the broadest Linux capabilities. With them granted, this profile constrains
  # file paths far more than it constrains privilege; confirm each one is
  # still required by the agent.
  capability net_bind_service,
  capability net_raw,
  capability net_admin,
  capability dac_override,
  capability sys_module,
  capability sys_admin,
  capability sys_ptrace,

  # No peer is named, so reading and tracing is permitted against any process.
  ptrace (read),
  ptrace (trace),

  # Bare rules with no qualifiers: every mount and umount operation, and every
  # network family and socket type, is allowed.
  mount,
  umount,
  network, 

  # Log path
  /var/log/waagent.log                          rw,
  /var/log/azure/                               rw,
  /var/log/azure/**                             rw,

  # Lib path
  /var/lib/waagent/                             rw,
  # m = executable mmap, l = link, k = lock, in addition to read/write.
  /var/lib/waagent/**                           mrwlk,
  # Enable VM extensions to execute unconfined
  # PUx: run under a profile named after the executable when one is loaded,
  # otherwise unconfined, with the environment scrubbed. The rule above makes
  # the same tree writable, so anything the agent writes here can be run
  # outside this profile. Treat the profile as hardening for the agent's own
  # code paths, not as a boundary that contains a compromised agent.
  /var/lib/waagent/**                           PUx,
  /{,usr/}lib/                                  r,
  /{,usr/}lib/**                                r,

  # Whole of /etc is readable; the only write access is to udev rules.
  # NOTE(review): dac_override is granted above, so file mode bits do not
  # narrow this read rule - it also covers files readable only by root.
  /etc/                                         r,
  /etc/**                                       r,
  /etc/udev/rules.d/**                          w,

  /usr/share/                                   r,
  /usr/share/**                                 r,
  # Directory listings only (trailing slash); the files inside are covered by
  # the ixr rules at the top of the profile.
  /usr/local/{,s}bin/                           r,
  /usr/{,s}bin/                                 r,
  /{,s}bin/                                     r,

  # /dev access is limited to the listing and the nodes named here.
  # /dev/sr0 is presumably the provisioning media - TODO confirm.
  /dev/                                         r,
  /dev/sr0                                      r,
  /dev/null                                     w,
  /dev/console                                  rw,
  /dev/tty                                      rw,

  # Everything under /run is readable; only the two files below are writable.
  /run/                                         r,
  /run/**                                       r,
  /run/mount/utab                               w,
  /run/waagent.pid                              w,

  # Read access to all of procfs, which includes other processes' entries.
  @{PROC}/                                      r,
  @{PROC}/**                                    r,

  /sys/module/                                  r,
  /sys/module/**                                r,
  /sys/firmware/acpi/tables/**                  r,
  /sys/block/                                   r,
  /sys/block/sd*/device/timeout                 rw,
  # NOTE(review): write access to the entire /sys/devices tree is much wider
  # than the single timeout attribute named above; narrow it if the agent only
  # needs specific attributes.
  /sys/devices/**                               rw,

  # Presumably the mount points used for the provisioning media - TODO confirm.
  /mnt/cdrom/                                   rw,
  /mnt/cdrom/secure/                            rw,

  # Writable for the install directory
  # The versioned tree is both writable (w) and executable (m, ix); ix keeps
  # anything executed from it inside this profile.
  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrwklix,
}