Hello all: I wrote a small AppArmor profile for prosody that I hope will be useful for others. With this, my prosody server now runs in "enforced" mode :-)
Please be aware that line 1 in /usr/bin/prosody should be changed from "#!/usr/bin/env lua5.1" to "#!/usr/bin/lua5.1" in order to work.

root@excelsior:/etc/apparmor.d# aa-status
apparmor module is loaded.
15 profiles are loaded.
13 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/freshclam
   * /usr/bin/prosody*
   /usr/sbin/apache2
   /usr/sbin/clamd
   /usr/sbin/dovecot
   /usr/sbin/exim4
   /usr/sbin/mysqld
   /usr/sbin/named
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
38 processes have profiles defined.
38 processes are in enforce mode.
   /usr/bin/freshclam (2374)
   * /usr/bin/prosody (13786) *
   ...

---- > /etc/apparmor.d/usr.bin.prosody <----

root@excelsior:/etc/apparmor.d# cat usr.bin.prosody
# Last Modified: Thu Aug 28 15:44:30 2014
#include <tunables/global>

/usr/bin/prosody {
  #include <abstractions/base>

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  capability dac_override,
  capability dac_read_search,

  /etc/resolv.conf r,
  /etc/prosody/** r,
  /var/log/prosody/* wr,
  /usr/lib/prosody/** m,
  /var/lib/prosody/** rw,
  /{,var/}run/prosody/* rwk,
  /usr/share/lua/** r,
  /usr/share/ca-certificates/** r,
  /usr/bin/lua5.1 ix,
  /usr/bin/prosody r,
}

Regards,
Luis.
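
Added example, not part of the original message or of the prosody project: a shell check that a script's shebang interpreter has an exec rule in an AppArmor profile. The profile above grants exec (ix) only to /usr/bin/lua5.1 and has no rule for /usr/bin/env, which matches the shebang change the post asks for. The function names, temporary files and the profile excerpt are constructed for illustration, and the check assumes literal (non-glob) exec rules.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Only literal (non-glob)
# path rules are compared, which is enough for the interpreter rule here.

# Print the interpreter path from a script's first line (empty if none).
shebang_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print every path in a profile whose permission field includes exec (x).
profile_exec_paths() {
    awk '$1 ~ /^\// && $2 ~ /x/ { print $1 }' "$1"
}

# Return 0 if the interpreter has an exec rule, 1 if not, 2 if no shebang.
check_shebang() {
    interp=$(shebang_interp "$1")
    [ -n "$interp" ] || { echo "$1: no shebang"; return 2; }
    if profile_exec_paths "$2" | grep -qxF -- "$interp"; then
        echo "$1: $interp is allowed by an exec rule"
        return 0
    fi
    echo "$1: no exec rule for $interp, exec would be denied in enforce mode"
    return 1
}

# Constructed sample files: an excerpt of the profile from the post and the
# two shebang variants it mentions.
demo=$(mktemp -d)
cat > "$demo/usr.bin.prosody" <<'EOF'
/usr/bin/prosody {
  /etc/prosody/** r,
  /usr/lib/prosody/** m,
  /usr/bin/lua5.1 ix,
  /usr/bin/prosody r,
}
EOF
printf '#!/usr/bin/env lua5.1\n' > "$demo/prosody.env"
printf '#!/usr/bin/lua5.1\n' > "$demo/prosody.direct"

check_shebang "$demo/prosody.env" "$demo/usr.bin.prosody" || true
check_shebang "$demo/prosody.direct" "$demo/usr.bin.prosody" || true
```

Running the same check against a real script and its profile before switching from complain to enforce mode shows whether the interpreter rule is missing.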