haproxy/usr.sbin.haproxy.apparmor

#include <tunables/global>

profile haproxy /usr/sbin/haproxy {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_resource,
  capability sys_chroot,
  capability net_admin,

  # those are needed for the stats socket creation
  capability chown,
  capability fowner,
  capability fsetid,

  network inet,
  network inet6,

  /etc/haproxy/* r, 

  /usr/sbin/haproxy rmix,

  /dev/shm/haproxy_startup_logs_* rwlk,

  # old stats socket location, for compatibility
  /var/lib/haproxy/stats rwl,
  /var/lib/haproxy/stats.*.bak rwl,
  /var/lib/haproxy/stats.*.tmp rwl,
  # new stats socket location
  /run/haproxy/stats*.sock{,*.{bak,tmp}} rwl,

  /{,var/}run/haproxy/pid rw,
  /{,var/}run/haproxy/master.sock* rwlk,

  # This is for the additional debug output in haproxy >= 2.9
  # can be accessed with "p post_mortem" in gdb
  /sys/devices/system/node/ r,
  /sys/devices/system/node/*/cpumap r,
  /sys/devices/system/cpu/online r,
  /sys/class/dmi/id/sys_vendor r,
  /sys/class/dmi/id/product_family r,
  /sys/class/dmi/id/product_name r,
  /sys/class/dmi/id/board_vendor r,
  /sys/firmware/devicetree/base/model r,
  /sys/class/dmi/id/board_name r,
  /proc/2/status r,
  /proc/cpuinfo r,
  # end of debug.c files

  # Site-specific additions and overrides. See local/README for details.
  #include if exists <local/haproxy>
  #include if exists <local/usr.sbin.haproxy>
}
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`#include <tunables/global>`

- use the "profile profilename /path/to/binary" syntax to make "ps aufxZ" more readable OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=216 2020-04-16 01:11:37 +02:00			`profile haproxy /usr/sbin/haproxy {`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`#include <abstractions/base>`
- apparmor profile fixes: - include abstractions that give access to the openssl config, ssl certs and ssl keys - include local configs only with "if exists" so they do not have to exist. - move local files to %ghost OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=226 2020-10-24 03:23:11 +02:00			`#include <abstractions/openssl>`
			`#include <abstractions/ssl_certs>`
			`#include <abstractions/ssl_keys>`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`#include <abstractions/nameservice>`
			`capability net_bind_service,`
			`capability setgid,`
			`capability setuid,`
			`capability kill,`
			`capability sys_resource,`
			`capability sys_chroot,`
- apparmor profile: - we need net_admin capability for non local bind and setting "source" for server entries. OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=227 2020-11-02 14:16:23 +01:00			`capability net_admin,`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00
			`# those are needed for the stats socket creation`
			`capability chown,`
			`capability fowner,`
			`capability fsetid,`

- apparmor: do not limit to tcp sockets. haproxy can do udp as well. OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=230 2020-11-05 19:56:32 +01:00			`network inet,`
			`network inet6,`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00
			`/etc/haproxy/* r,`

Accepting request 546033 from home:darix:branches:server:http - [apparmor]: allow haproxy to restart itself. needed for seamless restart. also reload the apparmor profile on update. - enable network namespaces on 42.3 - Enabled systemd notify mode: new BR: pkgconfig(libsystemd) This fixes problems with starting 1.8 on 42.3. - apply build option changes as adviced by upstream - Update to version 1.8.0: https://www.mail-archive.com/haproxy@formilux.org/msg28004.html OBS-URL: https://build.opensuse.org/request/show/546033 OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=150 2017-11-27 16:03:06 +01:00			`/usr/sbin/haproxy rmix,`

- Add handling for the new startup logs in /dev/shm in the apparmor profile OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=282 2023-05-02 12:44:53 +02:00			`/dev/shm/haproxy_startup_logs_* rwlk,`

Accepting request 1144067 from home:crameleon:branches:server:http - Set /run/haproxy as the default PID file and socket location (more canonical location for transient files) - Allow custom stats socket names (allows users to define multiple sockets with different access levels as /run/haproxy/stats-*.sock) OBS-URL: https://build.opensuse.org/request/show/1144067 OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=299 2024-02-16 10:26:49 +01:00			`# old stats socket location, for compatibility`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`/var/lib/haproxy/stats rwl,`
			`/var/lib/haproxy/stats.*.bak rwl,`
			`/var/lib/haproxy/stats.*.tmp rwl,`
Accepting request 1144067 from home:crameleon:branches:server:http - Set /run/haproxy as the default PID file and socket location (more canonical location for transient files) - Allow custom stats socket names (allows users to define multiple sockets with different access levels as /run/haproxy/stats-*.sock) OBS-URL: https://build.opensuse.org/request/show/1144067 OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=299 2024-02-16 10:26:49 +01:00			`# new stats socket location`
			`/run/haproxy/stats.sock{,.{bak,tmp}} rwl,`

			`/{,var/}run/haproxy/pid rw,`
			`/{,var/}run/haproxy/master.sock* rwlk,`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00
- AppArmor: allow haprox to read the files needed for the "p post_mortem" support OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=303 2024-05-31 14:09:35 +02:00			`# This is for the additional debug output in haproxy >= 2.9`
			`# can be accessed with "p post_mortem" in gdb`
- apparmor: profile now needs access to /sys/devices/system/node/ OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=260 2022-02-24 19:16:38 +01:00			`/sys/devices/system/node/ r,`
- AppArmor: allow haprox to read the files needed for the "p post_mortem" support OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=303 2024-05-31 14:09:35 +02:00			`/sys/devices/system/node/*/cpumap r,`
			`/sys/devices/system/cpu/online r,`
			`/sys/class/dmi/id/sys_vendor r,`
			`/sys/class/dmi/id/product_family r,`
			`/sys/class/dmi/id/product_name r,`
			`/sys/class/dmi/id/board_vendor r,`
			`/sys/firmware/devicetree/base/model r,`
			`/sys/class/dmi/id/board_name r,`
			`/proc/2/status r,`
			`/proc/cpuinfo r,`
			`# end of debug.c files`
- apparmor: profile now needs access to /sys/devices/system/node/ OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=260 2022-02-24 19:16:38 +01:00
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`# Site-specific additions and overrides. See local/README for details.`
- apparmor profile fixes: - include abstractions that give access to the openssl config, ssl certs and ssl keys - include local configs only with "if exists" so they do not have to exist. - move local files to %ghost OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=226 2020-10-24 03:23:11 +02:00			`#include if exists <local/haproxy>`
			`#include if exists <local/usr.sbin.haproxy>`
Accepting request 238588 from network:ha-clustering:Factory 1 OBS-URL: https://build.opensuse.org/request/show/238588 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=6 2014-06-25 15:24:23 +02:00			`}`