# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): the `abi` statement and every `include` in this file have lost
# their `<...>` target (angle brackets were stripped when the page was
# extracted). As shown here the profile does not parse; restore the targets
# from the upstream apparmor.d file before loading it.
abi ,

include

@{exec_path} = /{usr/,}sbin/logrotate

# The `complain` flag means denials are only logged, never enforced; the
# rules below describe the intended policy, not what is currently blocked.
profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  include
  include

  # Needed for logfiles owned by other users than root, for instance exim.
  # dac_* bypass file permission checks; chown/fsetid/fowner/setgid/setuid
  # cover the `create`/`su`/`olddir` options that change ownership and mode.
  capability dac_read_search,
  capability dac_override,
  capability chown,
  capability setgid,
  capability setuid,
  capability fsetid,
  capability fowner,

  # Needed?
  audit deny capability net_admin,

  @{exec_path} mr,

  /{usr/,}sbin/ r,

  # `ix` keeps the child under this profile: every prerotate/postrotate
  # script spawned through these shells runs with the full capability set
  # granted above. Keep that in mind before widening the rules below.
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/ls rix,
  /{usr/,}bin/gzip rix,
  /{usr/,}sbin/invoke-rc.d rix,
  /{usr/,}lib/rsyslog/rsyslog-rotate rix,

  # no new privs
  # The `systemctl` child profile defined below is only entered via the
  # commented-out `rCx` rule; with `rix` in effect systemctl currently runs
  # under this profile and that child profile is unused.
  #/{usr/,}bin/systemctl rCx -> systemctl,
  /{usr/,}bin/systemctl rix,
  /{usr/,}sbin/runlevel rix,

  include

  # Presumably for the @{PROC}/1/* reads below, which require ptrace read
  # access to PID 1 — confirm against the audit log.
  ptrace (read),
  capability sys_ptrace,

  owner @{PROC}/@{pid}/stat r,
  @{PROC}/1/environ r,
  @{PROC}/1/sched r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,

  /etc/ r,
  /etc/logrotate.conf rk,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* rk,

  /var/lib/logrotate/status rwk,
  /var/lib/logrotate/status.tmp rw,

  # Main write surface: rotation renames, truncates and recreates files
  # anywhere under /var/log. Combined with the chown/setuid capabilities
  # above, this is the part of the profile worth auditing most closely.
  /var/log/** rw,

  # Needed to remove the following error:
  # logrotate[]: error: could not change directory to '.'
  / r,

  # Likely triggered by systemctl (run `ix` above) probing Secure Boot state
  # — TODO confirm.
  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,

  # Child profile for systemctl; see the note on the `rCx` rule above —
  # it is not entered while systemctl is executed with `rix`.
  profile systemctl flags=(attach_disconnected, complain) {
    include
    include

    capability sys_ptrace,
    ptrace (read),

    /{usr/,}bin/systemctl mr,

    owner @{PROC}/@{pid}/stat r,
    @{PROC}/1/environ r,
    @{PROC}/1/sched r,
    @{PROC}/cmdline r,
    @{PROC}/sys/kernel/osrelease r,

    # Write access to the kernel log ring buffer, not just read.
    /dev/kmsg rw,

  }

  include if exists
}