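# Last Modified: Fri Mar  1 18:55:47 2013
# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
# This AppArmor profile has been copied under BSD License from
# Percona XtraDB Cluster, along with some additions.
#
# Layout: one main profile for /usr/sbin/mariadbd plus a child profile
# (/bin/dash) that the daemon enters through the "cx" transition below.
# Both carry flags=(complain): accesses outside the rule set are logged
# (audit "ALLOWED" events) but not denied, so until that flag is dropped
# this file documents intended access rather than enforcing it.
#
# Permission letters used here: r read, w write, k file lock, l link,
# m mmap executable, ix execute inheriting the current profile,
# cx execute under the child profile of the same name.

#include <tunables/global>

/usr/sbin/mariadbd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/winbind>

  # Capabilities granted to the server process. sys_rawio is the broadest
  # of these and nothing in this file shows which access needs it --
  # NOTE(review): confirm it is still required before keeping it.
  capability chown,
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_rawio,
  capability sys_resource,

  network tcp,

  # Shell helpers run under the dedicated child profile defined further
  # down, not with the daemon's own permissions.
  /bin/dash rcx,
  /dev/dm-0 r,
  /etc/gai.conf r,
  /etc/group r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ld.so.cache r,
  /etc/mtab r,
  /etc/my.cnf r,
  /etc/mysql/*.cnf r,
  # Presumably TLS certificate/key material; read-only, never written.
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/mariadb.conf.d/ r,
  /etc/mysql/mariadb.conf.d/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/services r,
  # Runtime pid file and UNIX socket (each rule listed once; the original
  # profile repeated both at the end of this block).
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,
  # Link/lock only on files the process owns; read/write is granted on all
  # of /tmp without an owner restriction.
  owner /tmp/** lk,
  /tmp/** rw,
  # Server plugins: directory listing plus mmap-executable on the shared objects.
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mariadbd mr,
  /usr/share/mysql/** r,
  # Data directory: full read/write/lock below it.
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql.err rw,
  /var/log/mysql.log rw,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,

  # Child profile for /bin/dash, entered via the "cx" rule above. The
  # wsrep_sst* and mariabackup* rules suggest it exists for the SST helper
  # scripts and the tools they invoke; everything executed here stays
  # confined to this child profile (ix), it cannot re-enter the parent.
  profile /bin/dash flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/perl>

    /bin/cat rix,
    /bin/dash rix,
    /bin/date rix,
    /bin/grep rix,
    /bin/nc.openbsd rix,
    /bin/netstat rix,
    /bin/ps rix,
    /bin/rm rix,
    /bin/sed rix,
    /bin/sleep rix,
    /bin/tar rix,
    /bin/which rix,
    /dev/tty rw,
    /etc/ld.so.cache r,
    /etc/my.cnf r,
    # Process and network introspection under /proc (read-only).
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/fd/ r,
    /proc/*/net/dev r,
    /proc/*/net/if_inet6 r,
    /proc/*/net/tcp r,
    /proc/*/net/tcp6 r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /sbin/ifconfig rix,
    /sys/devices/system/cpu/ r,
    /tmp/** rw,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/gawk rix,
    /usr/bin/mysql rix,
    /usr/bin/perl rix,
    /usr/bin/seq rix,
    /usr/bin/wsrep_sst* rix,
    /usr/bin/wsrep_sst_common r,
    /usr/bin/mariabackup* rix,
    # Data directory access mirrors the parent, minus the lock permission.
    /var/lib/mysql/ r,
    /var/lib/mysql/** rw,
    /var/lib/mysql/*.log w,
    /var/lib/mysql/*.err w,

    # MariaDB additions
    # ptrace is limited to peers confined by this same profile.
    ptrace peer=@{profile_name},

    /bin/hostname rix,
    /bin/ip rix,
    /bin/mktemp rix,
    /bin/ss rix,
    /bin/sync rix,
    /bin/touch rix,
    /bin/uname rix,
    /etc/mysql/*.cnf r,
    /etc/mysql/conf.d/ r,
    /etc/mysql/conf.d/* r,
    /proc/*/attr/current r,
    /proc/*/fdinfo/* r,
    /proc/*/net/* r,
    /proc/locks r,
    /proc/sys/net/ipv4/ip_local_port_range r,
    /run/mysqld/mysqld.sock rw,
    /sbin/ip rix,
    /usr/bin/basename rix,
    /usr/bin/du rix,
    /usr/bin/find rix,
    /usr/bin/lsof rix,
    /usr/bin/my_print_defaults rix,
    /usr/bin/mysqldump rix,
    /usr/bin/pv rix,
    /usr/bin/rsync rix,
    /usr/bin/socat rix,
    /usr/bin/tail rix,
    /usr/bin/timeout rix,
    /usr/bin/xargs rix,
    /usr/bin/xbstream rix,
  }
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mariadbd>
}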