apparmor/profiles/apparmor.d/mosquitto

#------------------------------------------------------------------
#    Copyright (C) 2025 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor
#
abi <abi/4.0>,

include <tunables/global>

profile mosquitto /usr/sbin/mosquitto {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/hosts_access>

  # If run as a root user, drop privileges to mosquitto/nobody/custom-user
  capability setgid,
  capability setuid,

  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  network netlink raw,

  file @{run}/.nscd_socket rw,
  file @{run}/nscd/socket rw,

  # nss can be configured to use libvirt in host resolution
  file /var/lib/libvirt/dnsmasq/ r,
  file /var/lib/libvirt/dnsmasq/*.status r,

  file @{run}/systemd/notify w,
  file /usr/sbin/mosquitto mr,
  file @{run}/mosquitto/mosquitto.pid rw,

  file @{etc_ro}/mosquitto/* r,
  file @{etc_ro}/mosquitto/conf.d/ r,
  file @{etc_ro}/mosquitto/conf.d/** r,
  file @{etc_ro}/mosquitto/mosquitto.conf r,
  file @{etc_ro}/mosquitto/ca_certificates/** r,
  file @{etc_ro}/mosquitto/certs/** r,

  file /var/lib/mosquitto/mosquitto.db rwk,
  file /var/lib/mosquitto/mosquitto.db.new rwk,
  file /var/log/mosquitto/mosquitto.log w,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/mosquitto>
}
profiles/apparmor.d: add mosquitto profile Signed-off-by: vyomydv <vyom.yadav@canonical.com> 2025-01-27 17:43:17 +05:30			`#------------------------------------------------------------------`
			`# Copyright (C) 2025 Canonical Ltd.`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#------------------------------------------------------------------`
			`# vim: ft=apparmor`
			`#`
			`abi <abi/4.0>,`

			`include <tunables/global>`

			`profile mosquitto /usr/sbin/mosquitto {`
			`include <abstractions/base>`
			`include <abstractions/nameservice-strict>`
			`include <abstractions/hosts_access>`

			`# If run as a root user, drop privileges to mosquitto/nobody/custom-user`
			`capability setgid,`
			`capability setuid,`

			`network inet stream,`
			`network inet6 stream,`
			`network inet dgram,`
			`network inet6 dgram,`
			`network netlink raw,`

			`file @{run}/.nscd_socket rw,`
			`file @{run}/nscd/socket rw,`

			`# nss can be configured to use libvirt in host resolution`
			`file /var/lib/libvirt/dnsmasq/ r,`
			`file /var/lib/libvirt/dnsmasq/*.status r,`

			`file @{run}/systemd/notify w,`
			`file /usr/sbin/mosquitto mr,`
			`file @{run}/mosquitto/mosquitto.pid rw,`

			`file @{etc_ro}/mosquitto/* r,`
			`file @{etc_ro}/mosquitto/conf.d/ r,`
			`file @{etc_ro}/mosquitto/conf.d/** r,`
			`file @{etc_ro}/mosquitto/mosquitto.conf r,`
			`file @{etc_ro}/mosquitto/ca_certificates/** r,`
			`file @{etc_ro}/mosquitto/certs/** r,`

			`file /var/lib/mosquitto/mosquitto.db rwk,`
			`file /var/lib/mosquitto/mosquitto.db.new rwk,`
			`file /var/log/mosquitto/mosquitto.log w,`

			`# Site-specific additions and overrides. See local/README for details.`
			`include if exists <local/mosquitto>`
			`}`