apparmor/profiles/apparmor.d/tinyproxy

# -*- mode: apparmor; -*-
# ------------------------------------------------------------------
#
#    Copyright (C) 2024 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

abi <abi/4.0>,

include <tunables/global>

profile tinyproxy /usr/bin/tinyproxy {
  include <abstractions/base>
  include <abstractions/nameservice>

  # to provide flexibility, when run as a root tinyproxy may need to run files
  # owned by other users and similarly when run as an unprivileged user allow
  # tinyproxy to bind to privileged ports
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,

  file mr /usr/bin/tinyproxy,

  file r @{etc_ro}/tinyproxy/tinyproxy.conf,
  # tinyproxy.conf allows to configure the locations of various files that will
  # be written to by tinyproxy including ErrorFile, DefaultErrorFile, LogFile,
  # and StatFile as well as PidFile. This profile allows tinyproxy to write to
  # the default locations but if these are changed in the configuration file,
  # additional rules should be added to the /etc/apparmor.d/local/tinyproxy file
  # to allow this access
  file rw /run/tinyproxy/tinyproxy.pid,  # PidFile
  file rw /var/log/tinyproxy/tinyproxy.log, # LogFile

  file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc

  network inet stream,
  network inet6 stream,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/tinyproxy>
}
profiles/apparmor.d: add profile for tinyproxy This was tested using the test-tinyproxy.py script from qa-regression-testing as well as by running the upstream test suite with a brief hack to ensure it invokes tinyproxy with aa-exec -p tinyproxy first. Signed-off-by: Alex Murray <alex.murray@canonical.com> 2025-01-09 14:49:40 +10:30			`# -- mode: apparmor; --`
			`# ------------------------------------------------------------------`
			`#`
			`# Copyright (C) 2024 Canonical Ltd.`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`
			`# vim: ft=apparmor`

			`abi <abi/4.0>,`

			`include <tunables/global>`

			`profile tinyproxy /usr/bin/tinyproxy {`
			`include <abstractions/base>`
			`include <abstractions/nameservice>`

profiles/apparmor.d/tinyproxy: allow flexibility in deployment Add rules to allow tinyproxy to bind to privileged ports and access files even when run as unprivileged/privileged users when using non-standard configurations. As suggested by @rlee287. Signed-off-by: Alex Murray <alex.murray@canonical.com> 2025-01-22 15:00:27 +10:30			`# to provide flexibility, when run as a root tinyproxy may need to run files`
			`# owned by other users and similarly when run as an unprivileged user allow`
			`# tinyproxy to bind to privileged ports`
			`capability dac_override,`
			`capability dac_read_search,`
			`capability net_bind_service,`

profiles/apparmor.d: add profile for tinyproxy This was tested using the test-tinyproxy.py script from qa-regression-testing as well as by running the upstream test suite with a brief hack to ensure it invokes tinyproxy with aa-exec -p tinyproxy first. Signed-off-by: Alex Murray <alex.murray@canonical.com> 2025-01-09 14:49:40 +10:30			`file mr /usr/bin/tinyproxy,`

			`file r @{etc_ro}/tinyproxy/tinyproxy.conf,`
profiles/apparmor.d/tinyproxy: clarify use of local override Add comments to the profile to explain the use of the local override if the default configuration is changed. As suggested by @rlee287. Signed-off-by: Alex Murray <alex.murray@canonical.com> 2025-01-22 15:01:36 +10:30			`# tinyproxy.conf allows to configure the locations of various files that will`
			`# be written to by tinyproxy including ErrorFile, DefaultErrorFile, LogFile,`
			`# and StatFile as well as PidFile. This profile allows tinyproxy to write to`
			`# the default locations but if these are changed in the configuration file,`
			`# additional rules should be added to the /etc/apparmor.d/local/tinyproxy file`
			`# to allow this access`
			`file rw /run/tinyproxy/tinyproxy.pid, # PidFile`
			`file rw /var/log/tinyproxy/tinyproxy.log, # LogFile`

			`file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc`
profiles/apparmor.d: add profile for tinyproxy This was tested using the test-tinyproxy.py script from qa-regression-testing as well as by running the upstream test suite with a brief hack to ensure it invokes tinyproxy with aa-exec -p tinyproxy first. Signed-off-by: Alex Murray <alex.murray@canonical.com> 2025-01-09 14:49:40 +10:30
			`network inet stream,`
			`network inet6 stream,`

			`# Site-specific additions and overrides. See local/README for details.`
			`include if exists <local/tinyproxy>`
			`}`