Hello all:

I wrote a small AppArmor profile for prosody that I hope will be useful
for others. With this, my prosody server now runs in "enforced" mode :-)

Please be aware that line 1 in /usr/bin/prosody should be changed
from "#!/usr/bin/env lua5.1" to "#!/usr/bin/lua5.1" in order to work.

root@excelsior:/etc/apparmor.d# aa-status
apparmor module is loaded.
15 profiles are loaded.
13 profiles are in enforce mode.
*   /usr/bin/prosody*
38 processes have profiles defined.
38 processes are in enforce mode.
   /usr/bin/freshclam (2374)
*   /usr/bin/prosody (13786) *

---- > /etc/apparmor.d/usr.bin.prosody <----

root@excelsior:/etc/apparmor.d# cat usr.bin.prosody
# Last Modified: Thu Aug 28 15:44:30 2014
#include <tunables/global>

/usr/bin/prosody {
  #include <abstractions/base>

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  capability dac_override,
  capability dac_read_search,
  /etc/resolv.conf r,
  /etc/prosody/** r,
  /var/log/prosody/* wr,
  /usr/lib/prosody/** m,
  /var/lib/prosody/** rw,
  /{,var/}run/prosody/* rwk, 
  /usr/share/lua/** r,
  /usr/share/ca-certificates/** r,
  /usr/bin/lua5.1 ix,
  /usr/bin/prosody r,
}

Regards, Luis.
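
An added example, not part of the original post: a small pre-flight check for the shebang caveat above. It reports whether a profile carries an exec-capable rule (`ix`, `px`, ...) matching the program named on a script's `#!` line. The function names are hypothetical, the rules in `PROFILE` are copied from the post, only the glob subset `**`, `*`, `?` and `{a,b}` is translated, and `#include`d abstractions are not expanded.

```python
import re

EXEC_MODE = re.compile(r"[ipcuPCU]x")  # ix, px, Px, cx, Cx, ux, Ux

# Simplification (assumption): a comma is always treated as a {a,b} separator.
GLOB_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]",
               "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(pattern):
    """Translate the AppArmor glob subset **, *, ? and {a,b} to a regex."""
    tokens = re.findall(r"\*\*|[*?{},]|[^*?{},]+", pattern)
    body = "".join(GLOB_TOKENS.get(t) or re.escape(t) for t in tokens)
    return re.compile(body + r"\Z")

def file_rules(profile_text):
    """Yield (path_glob, permissions) for every 'path perms,' line."""
    for line in profile_text.splitlines():
        m = re.match(r"\s*(/\S+)\s+([A-Za-z]+)\s*,\s*$", line)
        if m:
            yield m.group(1), m.group(2)

def interpreter_allowed(first_line, profile_text):
    """True if the program on the '#!' line matches a rule with exec access."""
    parts = first_line[2:].split() if first_line.startswith("#!") else []
    if not parts:
        return False
    return any(EXEC_MODE.search(perms) and glob_to_regex(glob).match(parts[0])
               for glob, perms in file_rules(profile_text))

# File rules copied from the profile in the post (subset).
PROFILE = """
  /etc/prosody/** r,
  /{,var/}run/prosody/* rwk,
  /usr/share/lua/** r,
  /usr/bin/lua5.1 ix,
  /usr/bin/prosody r,
"""

if __name__ == "__main__":
    for line in ("#!/usr/bin/env lua5.1", "#!/usr/bin/lua5.1"):
        print(line, "->", interpreter_allowed(line, PROFILE))
```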
