]> git.ipfire.org Git - thirdparty/squid.git/commitdiff
projects / thirdparty / squid.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9e167fa)
Add a basic apparmour profile
authorSimon Deziel <>
Sun, 18 Jun 2017 17:49:10 +0000 (05:49 +1200)
committerAmos Jeffries <squid3@treenet.co.nz>
Sun, 18 Jun 2017 17:49:10 +0000 (05:49 +1200)
From Ubuntu, with some non-squid software references removed

configure.ac patch | blob | blame | history
tools/Makefile.am patch | blob | blame | history
tools/apparmor/Makefile.am [new file with mode: 0644] patch | blob
tools/apparmor/usr.sbin.squid [new file with mode: 0644] patch | blob

diff --git a/configure.ac b/configure.ac
index 6d513cf27ec68c6261409535cb65f05e802d5808..21dcd733324a713ff6b57d9990d3e1c523906c51 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -3839,6 +3839,7 @@ AC_CONFIG_FILES([
        src/store/id_rewriters/file/Makefile
        test-suite/Makefile
        tools/Makefile
+       tools/apparmor/Makefile
        tools/helper-mux/Makefile
        tools/purge/Makefile
        tools/squidclient/Makefile
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 77739d994d87dfe531335dc2376117092ea9f70e..a445c409628477b29a6349b8f365f6ad82362016 100644 (file)
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -10,7 +10,7 @@ include $(top_srcdir)/src/Common.am
 ## we need our local files too (but avoid -I. at all costs)
 AM_CPPFLAGS += -I$(srcdir)
 
-SUBDIRS= helper-mux purge squidclient systemd sysvinit
+SUBDIRS= apparmor helper-mux purge squidclient systemd sysvinit
 EXTRA_DIST=
 man_MANS=
 DISTCLEANFILES=
diff --git a/tools/apparmor/Makefile.am b/tools/apparmor/Makefile.am
new file mode 100644 (file)
index 0000000..c84bc0b
--- /dev/null
+++ b/tools/apparmor/Makefile.am
@@ -0,0 +1,8 @@
+## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+EXTRA_DIST = usr.sbin.squid
diff --git a/tools/apparmor/usr.sbin.squid b/tools/apparmor/usr.sbin.squid
new file mode 100644 (file)
index 0000000..5dc945c
--- /dev/null
+++ b/tools/apparmor/usr.sbin.squid
@@ -0,0 +1,41 @@
+# Author: Simon Deziel
+#         Jamie Strandboge
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/sbin/squid {
+  #include <abstractions/base>
+  #include <abstractions/kerberosclient>
+  #include <abstractions/nameservice>
+
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability sys_chroot,
+
+  # allow child processes to run execvp(argv[0], [kidname, ...])
+  /usr/sbin/squid ix,
+
+  # pinger
+  network inet raw,
+  network inet6 raw,
+
+  /etc/mtab r,
+  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/mounts r,
+
+  # squid configuration
+  /etc/squid/** r,
+  /{,var/}run/squid.pid rwk,
+  /var/spool/squid/ r,
+  /var/spool/squid/** rwk,
+  /usr/lib/squid/* rmix,
+  /usr/share/squid/** r,
+  /var/log/squid/* rw,
+
+  # allow SMP device access for kids
+  owner /dev/shm/** rmw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.squid>
+}
Mirror of https://github.com/squid-cache/squid.git