From 3f619478f796eddbba6e39502fe941b285dd97b1 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 4 May 2024 20:00:34 +0200 Subject: Adding upstream version 1:10.11.6. Signed-off-by: Daniel Baumann --- support-files/policy/apparmor/README | 5 + support-files/policy/apparmor/usr.sbin.mysqld | 151 +++++++++++++++++++++ .../policy/apparmor/usr.sbin.mysqld.local | 4 + 3 files changed, 160 insertions(+) create mode 100644 support-files/policy/apparmor/README create mode 100644 support-files/policy/apparmor/usr.sbin.mysqld create mode 100644 support-files/policy/apparmor/usr.sbin.mysqld.local (limited to 'support-files/policy/apparmor') diff --git a/support-files/policy/apparmor/README b/support-files/policy/apparmor/README new file mode 100644 index 00000000..271655f1 --- /dev/null +++ b/support-files/policy/apparmor/README @@ -0,0 +1,5 @@ +Note: The included AppArmor profiles can be used for MariaDB Galera cluster. +However, since these profiles had been tested for a limited set of scenarios, +it is highly recommended to run them in "complain" mode and report any denials +on mariadb.org/jira. + diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld new file mode 100644 index 00000000..c60ecd28 --- /dev/null +++ b/support-files/policy/apparmor/usr.sbin.mysqld @@ -0,0 +1,151 @@ +# Last Modified: Fri Mar 1 18:55:47 2013 +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. + +#include + +/usr/sbin/mariadbd flags=(complain) { + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability setgid, + capability setuid, + capability sys_rawio, + capability sys_resource, + + network tcp, + + /bin/dash rcx, + /dev/dm-0 r, + /etc/gai.conf r, + /etc/group r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ld.so.cache r, + /etc/mtab r, + /etc/my.cnf r, + /etc/mysql/*.cnf r, + /etc/mysql/*.pem r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /etc/mysql/mariadb.conf.d/ r, + /etc/mysql/mariadb.conf.d/* r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/services r, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + /sys/devices/system/cpu/ r, + owner /tmp/** lk, + /tmp/** rw, + /usr/lib/mysql/plugin/ r, + /usr/lib/mysql/plugin/*.so* mr, + /usr/sbin/mariadbd mr, + /usr/share/mysql/** r, + /var/lib/mysql/ r, + /var/lib/mysql/** rwk, + /var/log/mysql.err rw, + /var/log/mysql.log rw, + /var/log/mysql/ r, + /var/log/mysql/* rw, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + + + profile /bin/dash flags=(complain) { + #include + #include + #include + #include + #include + + + + /bin/cat rix, + /bin/dash rix, + /bin/date rix, + /bin/grep rix, + /bin/nc.openbsd rix, + /bin/netstat rix, + /bin/ps rix, + /bin/rm rix, + /bin/sed rix, + /bin/sleep rix, + /bin/tar rix, + /bin/which rix, + /dev/tty rw, + /etc/ld.so.cache r, + /etc/my.cnf r, + /proc/ r, + /proc/*/cmdline r, + /proc/*/fd/ r, + /proc/*/net/dev r, + /proc/*/net/if_inet6 r, + /proc/*/net/tcp r, + /proc/*/net/tcp6 r, + /proc/*/stat r, + /proc/*/status r, + /proc/sys/kernel/pid_max r, + /proc/tty/drivers r, + /proc/uptime r, + /proc/version r, + /sbin/ifconfig rix, + /sys/devices/system/cpu/ r, + /tmp/** rw, + /usr/bin/cut rix, + /usr/bin/dirname rix, + /usr/bin/gawk rix, + /usr/bin/mysql rix, + /usr/bin/perl rix, + /usr/bin/seq rix, + /usr/bin/wsrep_sst* rix, + /usr/bin/wsrep_sst_common r, + /usr/bin/mariabackup* rix, + /var/lib/mysql/ r, + /var/lib/mysql/** rw, + /var/lib/mysql/*.log w, + /var/lib/mysql/*.err w, + +# MariaDB additions + ptrace peer=@{profile_name}, + + /bin/hostname rix, + /bin/ip rix, + /bin/mktemp rix, + /bin/ss rix, + /bin/sync rix, + /bin/touch rix, + /bin/uname rix, + /etc/mysql/*.cnf r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /proc/*/attr/current r, + /proc/*/fdinfo/* r, + /proc/*/net/* r, + /proc/locks r, + /proc/sys/net/ipv4/ip_local_port_range r, + /run/mysqld/mysqld.sock rw, + /sbin/ip rix, + /usr/bin/basename rix, + /usr/bin/du rix, + /usr/bin/find rix, + /usr/bin/lsof rix, + /usr/bin/my_print_defaults rix, + /usr/bin/mysqldump rix, + /usr/bin/pv rix, + /usr/bin/rsync rix, + /usr/bin/socat rix, + /usr/bin/tail rix, + /usr/bin/timeout rix, + /usr/bin/xargs rix, + /usr/bin/xbstream rix, + } + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/support-files/policy/apparmor/usr.sbin.mysqld.local b/support-files/policy/apparmor/usr.sbin.mysqld.local new file mode 100644 index 00000000..a0b8a027 --- /dev/null +++ b/support-files/policy/apparmor/usr.sbin.mysqld.local @@ -0,0 +1,4 @@ +# Site-specific additions and overrides for usr.sbin.mysqld.. +# For more details, please see /etc/apparmor.d/local/README. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. -- cgit v1.2.3