From: Simon Deziel <>
Date: Sun, 18 Jun 2017 17:49:10 +0000 (+1200)
Subject: Add a basic apparmour profile
X-Git-Tag: M-staged-PR71~108
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3d276e1d5826e67ea4caa9fc5e9c767020048330;p=thirdparty%2Fsquid.git
Add a basic apparmour profile
From Ubuntu, with some non-squid software references removed
---
diff --git a/configure.ac b/configure.ac
index 6d513cf27e..21dcd73332 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3839,6 +3839,7 @@ AC_CONFIG_FILES([
 src/store/id_rewriters/file/Makefile
 test-suite/Makefile
 tools/Makefile
+ tools/apparmor/Makefile
 tools/helper-mux/Makefile
 tools/purge/Makefile
 tools/squidclient/Makefile
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 77739d994d..a445c40962 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -10,7 +10,7 @@ include $(top_srcdir)/src/Common.am
 ## we need our local files too (but avoid -I. at all costs)
 AM_CPPFLAGS += -I$(srcdir)
-SUBDIRS= helper-mux purge squidclient systemd sysvinit
+SUBDIRS= apparmor helper-mux purge squidclient systemd sysvinit
 EXTRA_DIST=
 man_MANS=
 DISTCLEANFILES=
diff --git a/tools/apparmor/Makefile.am b/tools/apparmor/Makefile.am
new file mode 100644
index 0000000000..c84bc0b6c0
--- /dev/null
+++ b/tools/apparmor/Makefile.am
@@ -0,0 +1,8 @@
+## Copyright (C) 1996-2017 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+EXTRA_DIST = usr.sbin.squid
diff --git a/tools/apparmor/usr.sbin.squid b/tools/apparmor/usr.sbin.squid
new file mode 100644
index 0000000000..5dc945c19f
--- /dev/null
+++ b/tools/apparmor/usr.sbin.squid
@@ -0,0 +1,41 @@
+# Author: Simon Deziel
+# Jamie Strandboge
+# vim:syntax=apparmor
+#include
+
+/usr/sbin/squid {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ # allow child processes to run execvp(argv[0], [kidname, ...])
+ /usr/sbin/squid ix,
+
+ # pinger
+ network inet raw,
+ network inet6 raw,
+
+ /etc/mtab r,
+ @{PROC}/[0-9]*/mounts r,
+ @{PROC}/mounts r,
+
+ # squid configuration
+ /etc/squid/** r,
+ /{,var/}run/squid.pid rwk,
+ /var/spool/squid/ r,
+ /var/spool/squid/** rwk,
+ /usr/lib/squid/* rmix,
+ /usr/share/squid/** r,
+ /var/log/squid/* rw,
+
+ # allow SMP device access for kids
+ owner /dev/shm/** rmw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
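Review bot: `capability net_raw,` and the `network inet raw,`/`network inet6 raw,` rules under the `# pinger` comment are granted to the whole `/usr/sbin/squid` profile, and `/usr/lib/squid/* rmix,` makes every helper (auth, URL rewrite, certificate generator, …) inherit that same confinement, so a compromised helper can open raw sockets even though the comment says only pinger needs them. If pinger is installed as `/usr/lib/squid/pinger` (inferred from the helper glob; please confirm), a `Cx -> pinger` transition into a child profile that alone holds net_raw and the raw-socket rules keeps the rest of the process tree without them, with those three lines dropped from the parent; the helper glob then has to be written so it no longer matches pinger, since apparmor_parser rejects overlapping rules that carry different exec modes. Separately, every `#include` in this rendering shows no target: if the committed file really lacks `tunables/global`, `@{PROC}` on the `/mounts` rules is undefined and the `local/` override promised by the trailing comment does not exist — presumably an extraction artifact, but worth confirming against the file itself.
```apparmor
  # pinger is the only component that needs raw sockets: run it in a child
  # profile so squid itself and the other helpers do not inherit net_raw.
  # The helper glob must not match pinger, or the parser reports
  # conflicting exec modes for the two rules.
  /usr/lib/squid/pinger Cx -> pinger,
  /usr/lib/squid/[^p]* rmix,
  /usr/lib/squid/p[^i]* rmix,

  # … unchanged: configuration, cache, log and /dev/shm rules …

  profile pinger {
    #include <abstractions/base>
    capability net_raw,
    network inet raw,
    network inet6 raw,
    /usr/lib/squid/pinger mr,
  }
```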