Commit | Line | Data |
---|---|---|
b8ae064d | 1 | ## Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
1769f24e AJ |
2 | ## |
3 | ## Squid software is distributed under GPLv2+ license and includes | |
4 | ## contributions from numerous individuals and organizations. | |
5 | ## Please see the COPYING and CONTRIBUTORS files for details. | |
6 | ||
3d276e1d SD |
7 | # Author: Simon Deziel |
8 | # Jamie Strandboge | |
9 | # vim:syntax=apparmor | |
10 | #include <tunables/global> | |
11 | ||
12 | /usr/sbin/squid {  # profile attached to the squid binary; no flags=(complain) here, so the rules are enforced when loaded as written | |
13 | #include <abstractions/base> | |
14 | #include <abstractions/kerberosclient> | |
15 | #include <abstractions/nameservice> | |
16 | ||
17 | capability net_raw,  # needed to open raw sockets; pairs with the "network ... raw" rules under "# pinger" below | |
18 | capability setuid,  # setuid/setgid let the process change its uid and gid -- presumably to drop root for the configured user; confirm | |
19 | capability setgid, | |
20 | capability sys_chroot,  # permits chroot(2) -- presumably for squid's chroot option; NOTE(review): candidate to remove on sites that do not chroot | |
21 | ||
22 | # allow child processes to run execvp(argv[0], [kidname, ...]); ix = the re-executed binary inherits this same profile | |
23 | /usr/sbin/squid ix, | |
24 | ||
25 | # pinger: raw IPv4 and IPv6 sockets (presumably for ICMP probes -- confirm); granted to the whole profile, not to one helper | |
26 | network inet raw, | |
27 | network inet6 raw, | |
28 | ||
29 | /etc/mtab r,  # mount table, read-only (this rule and the two @{PROC} mounts rules below) | |
30 | @{PROC}/[0-9]*/mounts r, | |
31 | @{PROC}/mounts r, | |
32 | ||
33 | # squid configuration (read-only), then pid file, cache spool, helpers, static data and logs | |
34 | /etc/squid/** r,  # ** descends into subdirectories, so anything stored under /etc/squid (e.g. key or password files) is readable | |
35 | /{,var/}run/squid.pid rwk,  # matches /run/squid.pid and /var/run/squid.pid; k = file locking | |
36 | /var/spool/squid/ r, | |
37 | /var/spool/squid/** rwk, | |
38 | /usr/lib/squid/* rmix,  # helpers run via ix under this same profile and keep every capability and path granted here; NOTE(review): a child profile (Cx/Px) would narrow that | |
39 | /usr/share/squid/** r, | |
40 | /var/log/squid/* rw,  # w allows overwrite and truncation, not only append; * does not descend into subdirectories | |
41 | ||
42 | # allow SMP device access for kids; "owner" limits this to files owned by the process uid, but ** covers all of /dev/shm, not only squid's own segments | |
43 | owner /dev/shm/** rmw, | |
44 | ||
45 | # Site-specific additions and overrides. See local/README for details. Rules in that file are merged into this profile, so review it together with this one. | |
46 | #include <local/usr.sbin.squid> | |
47 | } |