mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 09:21:00 +01:00
9fc8e43c67
This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'.
39 lines
979 B
Text
39 lines
979 B
Text
# vim:syntax=apparmor
|
|
|
|
# This file contains basic permissions for Apache and every vHost
|
|
|
|
abi <abi/3.0>,
|
|
|
|
#include <abstractions/nameservice>
|
|
|
|
# Allow unconfined processes to send us signals by default
|
|
signal (receive) peer=unconfined,
|
|
# Allow apache to send us signals by default
|
|
signal (receive) peer=apache2,
|
|
# Allow other hats to signal by default
|
|
signal peer=apache2//*,
|
|
# Allow us to signal ourselves
|
|
signal peer=@{profile_name},
|
|
|
|
# Apache
|
|
network inet stream,
|
|
network inet6 stream,
|
|
# apache manual, error pages and icons
|
|
/usr/share/apache2/** r,
|
|
|
|
# changehat itself
|
|
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
|
|
|
|
# htaccess files - for what ever it is worth
|
|
/**/.htaccess r,
|
|
|
|
/dev/urandom r,
|
|
|
|
# sasl-auth
|
|
@{run}/saslauthd/mux rw,
|
|
|
|
# OCSP stapling
|
|
@{run}/lock/apache2/stapling-cache* rw,
|
|
|
|
# Include additions to the abstraction
|
|
include if exists <abstractions/apache2-common.d>
|