Hello all:

I wrote a small AppArmor profile for Prosody that I hope will be useful
to others. With this, my Prosody server now runs in "enforce" mode :-)

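Please be aware that line 1 of /usr/bin/prosody must be changed
from "#!/usr/bin/env lua5.1" to "#!/usr/bin/lua5.1" for this to work:
the profile below only has an execute rule for /usr/bin/lua5.1 and none
for /usr/bin/env. A package upgrade may restore the original line, so
re-check it after updating prosody.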

root@excelsior:/etc/apparmor.d# aa-status
apparmor module is loaded.
15 profiles are loaded.
13 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/freshclam
*   /usr/bin/prosody*
   /usr/sbin/apache2
   /usr/sbin/clamd
   /usr/sbin/dovecot
   /usr/sbin/exim4
   /usr/sbin/mysqld
   /usr/sbin/named
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
38 processes have profiles defined.
38 processes are in enforce mode.
   /usr/bin/freshclam (2374)
*   /usr/bin/prosody (13786) *
   ...


---- > /etc/apparmor.d/usr.bin.prosody <----

root@excelsior:/etc/apparmor.d# cat usr.bin.prosody
# Last Modified: Thu Aug 28 15:44:30 2014
#include <tunables/global>

# Confinement profile for the Prosody XMPP server. It attaches by path to
# /usr/bin/prosody; anything not allowed below (or by the included
# abstraction) is denied once the profile is in enforce mode.
/usr/bin/prosody {
  # Shared baseline rules shipped with AppArmor (contents not shown here).
  #include <abstractions/base>

  # IPv4/IPv6 TCP (stream) and UDP (dgram) sockets. Rules of this form limit
  # only address family and socket type, not ports or peers, so port-level
  # restriction still has to come from the firewall.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
   
  # dac_override bypasses file read/write/execute permission checks and
  # dac_read_search bypasses read and directory-search checks. The path rules
  # in this profile still apply on top of them.
  # NOTE(review): both are broad; confirm they are really needed (e.g. log in
  # complain mode without them) and drop whichever is not.
  capability dac_override,
  capability dac_read_search,
  
  # Resolver configuration and the Prosody configuration tree, read-only, so
  # the confined process cannot rewrite its own configuration.
  # NOTE(review): ** is recursive; presumably this also covers any TLS keys
  # kept under /etc/prosody -- confirm that is intended.
  /etc/resolv.conf r,
  /etc/prosody/** r,
 
  # Log files directly inside /var/log/prosody (a single * does not descend
  # into subdirectories).
  # NOTE(review): w allows truncating and overwriting existing logs; if
  # Prosody only appends, the append-only permission "a" would be narrower.
  /var/log/prosody/* wr,
 
  # m = may be mapped executable (native modules). No r is given here;
  # presumably read access comes from abstractions/base -- TODO confirm.
  /usr/lib/prosody/** m,
  # Persistent server data, read/write, recursive.
  /var/lib/prosody/** rw,
   
  # Matches both /run/prosody/* and /var/run/prosody/*; k permits file
  # locking (presumably for the pidfile -- verify).
  /{,var/}run/prosody/* rwk, 
 
  # Lua libraries and the system CA certificate store, read-only.
  /usr/share/lua/** r,
  /usr/share/ca-certificates/** r,
 
  # ix = execute the interpreter and keep it confined by this same profile.
  # There is no execute rule for /usr/bin/env in this profile, so the script's
  # shebang has to name /usr/bin/lua5.1 directly.
  /usr/bin/lua5.1 ix,
  # The interpreter has to be able to read the script itself.
  /usr/bin/prosody r,

}

Regards, Luis.

Attachment: signature.asc
Description: OpenPGP digital signature
