[thirdparty/squid.git] / tools / apparmor / usr.sbin.squid

## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.

# Author: Simon Deziel
#         Jamie Strandboge
# vim:syntax=apparmor
#include <tunables/global>

/usr/sbin/squid {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  capability setgid,
  capability sys_chroot,

  # allow child processes to run execvp(argv[0], [kidname, ...])
  /usr/sbin/squid ix,

  # pinger
  network inet raw,
  network inet6 raw,

  /etc/mtab r,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/mounts r,

  # squid configuration
  /etc/squid/** r,
  /{,var/}run/squid.pid rwk,
  /var/spool/squid/ r,
  /var/spool/squid/** rwk,
  /usr/lib/squid/* rmix,
  /usr/share/squid/** r,
  /var/log/squid/* rw,

  # allow SMP device access for kids
  owner /dev/shm/** rmw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.squid>
}
Commit	Line	Data
77b1029d	1	## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
1769f24e AJ	2	##
	3	## Squid software is distributed under GPLv2+ license and includes
	4	## contributions from numerous individuals and organizations.
	5	## Please see the COPYING and CONTRIBUTORS files for details.
	6
3d276e1d SD	7	# Author: Simon Deziel
	8	# Jamie Strandboge
	9	# vim:syntax=apparmor
	10	#include <tunables/global>
	11
	12	/usr/sbin/squid {
	13	#include <abstractions/base>
	14	#include <abstractions/kerberosclient>
	15	#include <abstractions/nameservice>
	16
	17	capability net_raw,
	18	capability setuid,
	19	capability setgid,
	20	capability sys_chroot,
	21
	22	# allow child processes to run execvp(argv[0], [kidname, ...])
	23	/usr/sbin/squid ix,
	24
	25	# pinger
	26	network inet raw,
	27	network inet6 raw,
	28
	29	/etc/mtab r,
	30	@{PROC}/[0-9]*/mounts r,
	31	@{PROC}/mounts r,
	32
	33	# squid configuration
	34	/etc/squid/** r,
	35	/{,var/}run/squid.pid rwk,
	36	/var/spool/squid/ r,
	37	/var/spool/squid/** rwk,
	38	/usr/lib/squid/* rmix,
	39	/usr/share/squid/** r,
	40	/var/log/squid/* rw,
	41
	42	# allow SMP device access for kids
	43	owner /dev/shm/** rmw,
	44
	45	# Site-specific additions and overrides. See local/README for details.
	46	#include <local/usr.sbin.squid>
	47	}