diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
commit | 3f619478f796eddbba6e39502fe941b285dd97b1 (patch) | |
tree | e2c7b5777f728320e5b5542b6213fd3591ba51e2 /support-files/policy/apparmor | |
parent | Initial commit. (diff) | |
download | mariadb-3f619478f796eddbba6e39502fe941b285dd97b1.tar.xz mariadb-3f619478f796eddbba6e39502fe941b285dd97b1.zip |
Adding upstream version 1:10.11.6.upstream/1%10.11.6upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'support-files/policy/apparmor')
-rw-r--r-- | support-files/policy/apparmor/README | 5 | ||||
-rw-r--r-- | support-files/policy/apparmor/usr.sbin.mysqld | 151 | ||||
-rw-r--r-- | support-files/policy/apparmor/usr.sbin.mysqld.local | 4 |
3 files changed, 160 insertions, 0 deletions
diff --git a/support-files/policy/apparmor/README b/support-files/policy/apparmor/README new file mode 100644 index 00000000..271655f1 --- /dev/null +++ b/support-files/policy/apparmor/README @@ -0,0 +1,5 @@ +Note: The included AppArmor profiles can be used for MariaDB Galera cluster. +However, since these profiles had been tested for a limited set of scenarios, +it is highly recommended to run them in "complain" mode and report any denials +on mariadb.org/jira. + diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld new file mode 100644 index 00000000..c60ecd28 --- /dev/null +++ b/support-files/policy/apparmor/usr.sbin.mysqld @@ -0,0 +1,151 @@ +# Last Modified: Fri Mar 1 18:55:47 2013 +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. + +#include <tunables/global> + +/usr/sbin/mariadbd flags=(complain) { + #include <abstractions/base> + #include <abstractions/mysql> + #include <abstractions/nameservice> + #include <abstractions/user-tmp> + #include <abstractions/winbind> + + capability chown, + capability dac_override, + capability setgid, + capability setuid, + capability sys_rawio, + capability sys_resource, + + network tcp, + + /bin/dash rcx, + /dev/dm-0 r, + /etc/gai.conf r, + /etc/group r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ld.so.cache r, + /etc/mtab r, + /etc/my.cnf r, + /etc/mysql/*.cnf r, + /etc/mysql/*.pem r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /etc/mysql/mariadb.conf.d/ r, + /etc/mysql/mariadb.conf.d/* r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/services r, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + /sys/devices/system/cpu/ r, + owner /tmp/** lk, + /tmp/** rw, + /usr/lib/mysql/plugin/ r, + /usr/lib/mysql/plugin/*.so* mr, + /usr/sbin/mariadbd mr, + /usr/share/mysql/** r, + /var/lib/mysql/ r, + /var/lib/mysql/** rwk, + /var/log/mysql.err rw, + /var/log/mysql.log rw, + /var/log/mysql/ r, + /var/log/mysql/* rw, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + + + profile /bin/dash flags=(complain) { + #include <abstractions/base> + #include <abstractions/bash> + #include <abstractions/mysql> + #include <abstractions/nameservice> + #include <abstractions/perl> + + + + /bin/cat rix, + /bin/dash rix, + /bin/date rix, + /bin/grep rix, + /bin/nc.openbsd rix, + /bin/netstat rix, + /bin/ps rix, + /bin/rm rix, + /bin/sed rix, + /bin/sleep rix, + /bin/tar rix, + /bin/which rix, + /dev/tty rw, + /etc/ld.so.cache r, + /etc/my.cnf r, + /proc/ r, + /proc/*/cmdline r, + /proc/*/fd/ r, + /proc/*/net/dev r, + /proc/*/net/if_inet6 r, + /proc/*/net/tcp r, + /proc/*/net/tcp6 r, + /proc/*/stat r, + /proc/*/status r, + /proc/sys/kernel/pid_max r, + /proc/tty/drivers r, + /proc/uptime r, + /proc/version r, + /sbin/ifconfig rix, + /sys/devices/system/cpu/ r, + /tmp/** rw, + /usr/bin/cut rix, + /usr/bin/dirname rix, + /usr/bin/gawk rix, + /usr/bin/mysql rix, + /usr/bin/perl rix, + /usr/bin/seq rix, + /usr/bin/wsrep_sst* rix, + /usr/bin/wsrep_sst_common r, + /usr/bin/mariabackup* rix, + /var/lib/mysql/ r, + /var/lib/mysql/** rw, + /var/lib/mysql/*.log w, + /var/lib/mysql/*.err w, + +# MariaDB additions + ptrace peer=@{profile_name}, + + /bin/hostname rix, + /bin/ip rix, + /bin/mktemp rix, + /bin/ss rix, + /bin/sync rix, + /bin/touch rix, + /bin/uname rix, + /etc/mysql/*.cnf r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /proc/*/attr/current r, + /proc/*/fdinfo/* r, + /proc/*/net/* r, + /proc/locks r, + /proc/sys/net/ipv4/ip_local_port_range r, + /run/mysqld/mysqld.sock rw, + /sbin/ip rix, + /usr/bin/basename rix, + /usr/bin/du rix, + /usr/bin/find rix, + /usr/bin/lsof rix, + /usr/bin/my_print_defaults rix, + /usr/bin/mysqldump rix, + /usr/bin/pv rix, + /usr/bin/rsync rix, + /usr/bin/socat rix, + /usr/bin/tail rix, + /usr/bin/timeout rix, + /usr/bin/xargs rix, + /usr/bin/xbstream rix, + } + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.mariadbd> +} diff --git a/support-files/policy/apparmor/usr.sbin.mysqld.local b/support-files/policy/apparmor/usr.sbin.mysqld.local new file mode 100644 index 00000000..a0b8a027 --- /dev/null +++ b/support-files/policy/apparmor/usr.sbin.mysqld.local @@ -0,0 +1,4 @@ +# Site-specific additions and overrides for usr.sbin.mysqld.. +# For more details, please see /etc/apparmor.d/local/README. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. |