initial import
parent
3ed58b0021
commit
4b70c0023c
48 changed files with 1540 additions and 0 deletions
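--- a/etc/apparmor.d/usr.sbin.nginx
+++ b/etc/apparmor.d/usr.sbin.nginx
@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+/usr/sbin/nginx flags=(complain) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/openssl>
+#include <abstractions/ssl_certs>
+#include <abstractions/ssl_keys>
+
+# privilege drop
+capability dac_override,
+capability dac_read_search,
+capability net_bind_service,
+capability setgid,
+capability setuid,
+
+# abstractions/apache2-common
+@{PROC}/@{pid}/attr/current rw,
+
+# nginx operational
+/etc/letsencrypt/options-ssl-nginx.conf r,
+/etc/letsencrypt/ssl-dhparams.pem r,
+/etc/nginx/** r,
+/run/nginx.pid rw,
+/usr/lib/nginx/** r,
+/usr/sbin/nginx mr,
+/usr/share/nginx/** r,
+/var/lib/nginx/** rw,
+/var/log/nginx/error.log w,
+/var/log/nginx/access.log w,
+
+# data
+/var/xyzzy/html/** r,
+
+}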
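Review bot: The profile header `/usr/sbin/nginx flags=(complain) {` puts the whole profile in complain mode, so none of the rules below are enforced and violations are only logged; the gitea profile in `etc/apparmor.d/var.xyzzy.bin.gitea` has the same flag. If this is a tuning phase, say so in the file with something like `# complain mode while the rule set is tuned; drop the flag to enforce`, so it is not mistaken for active confinement. Separately, `capability dac_override,` and `capability dac_read_search,` are grouped under `# privilege drop`, but dropping privileges needs only `setuid` and `setgid`; those two let the root master process bypass file permission checks. Either remove them and fix ownership on the paths nginx writes, or add a comment naming the access that requires them.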
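--- a/etc/apparmor.d/var.xyzzy.bin.gitea
+++ b/etc/apparmor.d/var.xyzzy.bin.gitea
@@ -0,0 +1,41 @@
+#include <tunables/global>
+
+/var/xyzzy/bin/gitea* flags=(complain) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/user-tmp>
+
+/dev/tty rw,
+/etc/gitconfig r,
+/etc/machine-id r,
+/etc/mime.types r,
+/proc/sys/net/core/somaxconn r,
+/proc/version r,
+/sys/devices/system/cpu/online r,
+/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+/usr/bin/basename mrix,
+/usr/bin/bash mrix,
+/usr/bin/cat mrix,
+/usr/bin/dash mrix,
+/usr/bin/env rix,
+/usr/bin/git mrix,
+/usr/bin/gzip mrix,
+/usr/lib/git-core/git mrix,
+/usr/share/git-core/templates r,
+/usr/share/mime/globs2 r,
+
+/var/xyzzy/backup/* rw,
+/var/xyzzy/bin/gitea* mrix,
+/var/xyzzy/etc/gitea/app.ini r,
+/var/xyzzy/gitea/** r,
+/var/xyzzy/gitea/data/gitea-repositories/*/*.git/hooks/* mrix,
+/var/xyzzy/gitea/data/gitea-repositories/*/*.git/hooks/*.d/* mrix,
+
+owner /proc/*/cpuset r,
+owner /var/xyzzy/git/.gitconfig rw,
+owner /var/xyzzy/git/.gitconfig.lock rw,
+owner /var/xyzzy/git/.ssh/* rw,
+owner /var/xyzzy/gitea/data/** rwkl,
+owner /var/xyzzy/gitea/log/* rw,
+
+}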
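Review bot: The hook rules `/var/xyzzy/gitea/data/gitea-repositories/*/*.git/hooks/* mrix,` and `.../hooks/*.d/* mrix,` make files executable under paths that `owner /var/xyzzy/gitea/data/** rwkl,` also makes writable. Because of `ix`, anything run from there inherits this full profile, including read access to `/var/xyzzy/etc/gitea/app.ini` and write access to `/var/xyzzy/git/.ssh/*`. Consider running hooks in a narrower child profile (a `Cx -> hooks` transition with its own rule set), and dropping `m` unless a denial log shows hooks are actually mapped executable. The attachment glob `/var/xyzzy/bin/gitea*` also matches any sibling file that shares the prefix, so it may be worth a comment saying whether that is meant for versioned binaries or should be the exact path.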