From 766cd2d8a595d76cad8dec42338bcec67d9c2432 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20B=C3=A9lair?=
Date: Thu, 13 Feb 2025 13:28:32 +0100
Subject: [PATCH] Initial profile for nginx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Initial profile for nginx, tested on Ubuntu 24.04 manually and with nginx testsuite.

Signed-off-by: Maxime Bélair
---
 profiles/apparmor.d/nginx | 67 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 profiles/apparmor.d/nginx

diff --git a/profiles/apparmor.d/nginx b/profiles/apparmor.d/nginx
new file mode 100644
index 000000000..fdccfdfde
--- /dev/null
+++ b/profiles/apparmor.d/nginx
@@ -0,0 +1,67 @@
+#------------------------------------------------------------------
+# Copyright (C) 2025 Canonical Ltd.
+#
+# Author: Maxime Bélair
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+# Standard config for webservers. This assumes that the server uses one of these directories.
+# If it has been modified, change accordingly.
+# Web directory location is available at /etc/nginx/sites-available/default
+@{srv}=/var/www/html/** /srv/**
+
+profile nginx /usr/{s,}bin/nginx {
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ # Configuration
+ file /etc/nginx/** r,
+
+ # Server directory
+ file @{srv} r,
+
+ # Support for modules, perl and lua
+ file /usr/share/nginx/** r,
+ file /usr/share/perl/*/**.pm r,
+ file /usr/share/lua/*/**.lua r,
+
+
+ # Temporary files
+ owner file /tmp/** rw,
+
+ # nginx libs
+ owner file /var/lib/nginx/** rw,
+
+ # logs
+ file /var/log/nginx/* w,
+
+ # Binaries
+ file @{exec_path} mr,
+ owner file /run/nginx.pid rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
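Review bot: `file /var/log/nginx/* w,` grants full write access (truncation, reopening without O_APPEND) where appending is presumably all the daemon needs; if nginx only ever opens its access and error logs with O_APPEND, `file /var/log/nginx/* a,` expresses exactly that and stops a compromised worker from truncating or overwriting the logs it would want to hide in. `owner file /tmp/** rw,` is similarly wider than the stated purpose suggests — the body/proxy/fastcgi temp paths on Ubuntu appear to be what the `owner file /var/lib/nginx/** rw,` rule already covers, so a comment naming the /tmp use this rule exists for, or a narrower path, would help. The operands of `abi`, the `include` lines and `include if exists` seem to have lost their angle-bracketed targets in this rendering, so I cannot check which abstractions (for example the ssl-cert ones a TLS vhost needs) are actually pulled in. A one-line why-comment on `capability dac_override,` / `capability dac_read_search,` — presumably the root master reading non-world-readable key and config files before forking the workers — would let the next maintainer judge whether both are still required.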