rspamd/usr.bin.rspamd

# Last Modified: Mon Oct  5 10:19:40 2020
#include <tunables/global>

# based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd

profile rspamd /usr/bin/rspamd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>

  /usr/bin/rspamd mr,

  /etc/rspamd/** r,

  /srv/www/webapps/rspamd/ r,
  /srv/www/webapps/rspamd/** r,
  /usr/share/rspamd/ r,
  /usr/share/rspamd/** r,

  /var/lib/rspamd/ r,
  /var/lib/rspamd/** rwk,

  /var/log/rspamd/rspamd.log* rwk,
  /{var/,}run/rspamd/* rwk,

  /dev/shm/rhm.* rw,
  /etc/magic r,
  /proc/sys/kernel/random/uuid r,

  /usr/share/icu/*/icu*.dat r,

  #include if exists <local/usr.bin.rspamd>
  #include if exists <local/rspamd>
}
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00			`# Last Modified: Mon Oct 5 10:19:40 2020`
			`#include <tunables/global>`

			`# based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd`

- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00			`profile rspamd /usr/bin/rspamd {`
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00			`#include <abstractions/base>`
			`#include <abstractions/nameservice>`
			`#include <abstractions/openssl>`
- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00			`#include <abstractions/ssl_certs>`
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00
			`/usr/bin/rspamd mr,`
- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00
			`/etc/rspamd/** r,`

			`/srv/www/webapps/rspamd/ r,`
			`/srv/www/webapps/rspamd/** r,`
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00			`/usr/share/rspamd/ r,`
			`/usr/share/rspamd/** r,`
- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00			`/var/lib/rspamd/ r,`
			`/var/lib/rspamd/** rwk,`
- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00
Add usr.bin.rspamd apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=46 2020-10-05 11:06:34 +00:00			`/var/log/rspamd/rspamd.log* rwk,`
			`/{var/,}run/rspamd/* rwk,`

- fix apparmor profile - allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49 2020-10-09 18:01:48 +00:00			`/dev/shm/rhm.* rw,`
			`/etc/magic r,`
			`/proc/sys/kernel/random/uuid r,`

			`/usr/share/icu//icu.dat r,`

			`#include if exists <local/usr.bin.rspamd>`
			`#include if exists <local/rspamd>`
			`}`