initial import

2024-03-17 12:53:54 -05:00 · 2024-03-17 12:53:54 -05:00 · 4b70c0023c
commit 4b70c0023c
parent 3ed58b0021
48 changed files with 1540 additions and 0 deletions
--- a/etc/apparmor.d/usr.sbin.nginx
+++ b/etc/apparmor.d/usr.sbin.nginx
@ -0,0 +1,35 @@
+#include <tunables/global>
+
+/usr/sbin/nginx flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  # privilege drop
+  capability dac_override,
+  capability dac_read_search,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+  # abstractions/apache2-common
+  @{PROC}/@{pid}/attr/current rw,
+
+  # nginx operational
+  /etc/letsencrypt/options-ssl-nginx.conf r,
+  /etc/letsencrypt/ssl-dhparams.pem r,
+  /etc/nginx/** r,
+  /run/nginx.pid rw,
+  /usr/lib/nginx/** r,
+  /usr/sbin/nginx mr,
+  /usr/share/nginx/** r,
+  /var/lib/nginx/** rw,
+  /var/log/nginx/error.log w,
+  /var/log/nginx/access.log w,
+
+  # data
+  /var/xyzzy/html/** r,
+
+}