Mini Shell
# Last Modified: Fri Mar 1 18:55:47 2013
# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
# This AppArmor profile has been copied under BSD License from
# Percona XtraDB Cluster, along with some additions.
#include <tunables/global>
/usr/sbin/mariadbd flags=(complain) {
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/winbind>
capability chown,
capability dac_override,
capability ipc_lock,
capability setgid,
capability setuid,
capability sys_rawio,
capability sys_resource,
network tcp,
/bin/dash rcx,
/dev/dm-0 r,
/etc/gai.conf r,
/etc/group r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ld.so.cache r,
/etc/mtab r,
/etc/my.cnf r,
/etc/mysql/*.cnf r,
/etc/mysql/*.pem r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/mariadb.conf.d/ r,
/etc/mysql/mariadb.conf.d/* r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/services r,
/run/mysqld/mysqld.pid w,
/run/mysqld/mysqld.sock w,
/sys/devices/system/cpu/ r,
owner /tmp/** lk,
/tmp/** rw,
/usr/lib/mysql/plugin/ r,
/usr/lib/mysql/plugin/*.so* mr,
/usr/sbin/mariadbd mr,
/usr/share/mysql/** r,
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
/var/log/mysql.err rw,
/var/log/mysql.log rw,
/var/log/mysql/ r,
/var/log/mysql/* rw,
/run/mysqld/mysqld.pid w,
/run/mysqld/mysqld.sock w,
profile /bin/dash flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/perl>
/bin/cat rix,
/bin/dash rix,
/bin/date rix,
/bin/grep rix,
/bin/nc.openbsd rix,
/bin/netstat rix,
/bin/ps rix,
/bin/rm rix,
/bin/sed rix,
/bin/sleep rix,
/bin/tar rix,
/bin/which rix,
/dev/tty rw,
/etc/ld.so.cache r,
/etc/my.cnf r,
/proc/ r,
/proc/*/cmdline r,
/proc/*/fd/ r,
/proc/*/net/dev r,
/proc/*/net/if_inet6 r,
/proc/*/net/tcp r,
/proc/*/net/tcp6 r,
/proc/*/stat r,
/proc/*/status r,
/proc/sys/kernel/pid_max r,
/proc/tty/drivers r,
/proc/uptime r,
/proc/version r,
/sbin/ifconfig rix,
/sys/devices/system/cpu/ r,
/tmp/** rw,
/usr/bin/cut rix,
/usr/bin/dirname rix,
/usr/bin/gawk rix,
/usr/bin/mysql rix,
/usr/bin/perl rix,
/usr/bin/seq rix,
/usr/bin/wsrep_sst* rix,
/usr/bin/wsrep_sst_common r,
/usr/bin/mariabackup* rix,
/var/lib/mysql/ r,
/var/lib/mysql/** rw,
/var/lib/mysql/*.log w,
/var/lib/mysql/*.err w,
# MariaDB additions
ptrace peer=@{profile_name},
/bin/hostname rix,
/bin/ip rix,
/bin/mktemp rix,
/bin/ss rix,
/bin/sync rix,
/bin/touch rix,
/bin/uname rix,
/etc/mysql/*.cnf r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/proc/*/attr/current r,
/proc/*/fdinfo/* r,
/proc/*/net/* r,
/proc/locks r,
/proc/sys/net/ipv4/ip_local_port_range r,
/run/mysqld/mysqld.sock rw,
/sbin/ip rix,
/usr/bin/basename rix,
/usr/bin/du rix,
/usr/bin/find rix,
/usr/bin/lsof rix,
/usr/bin/my_print_defaults rix,
/usr/bin/mysqldump rix,
/usr/bin/pv rix,
/usr/bin/rsync rix,
/usr/bin/socat rix,
/usr/bin/tail rix,
/usr/bin/timeout rix,
/usr/bin/xargs rix,
/usr/bin/xbstream rix,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.mariadbd>
}
Zerion Mini Shell 1.0