From 532d4be05051ef32da34a01ae0f44a55f8da3c2e Mon Sep 17 00:00:00 2001
From: vyomydv
Date: Mon, 27 Jan 2025 17:43:17 +0530
Subject: [PATCH] profiles/apparmor.d: add mosquitto profile

Signed-off-by: vyomydv
---
 profiles/apparmor.d/mosquitto | 54 +++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 profiles/apparmor.d/mosquitto

diff --git a/profiles/apparmor.d/mosquitto b/profiles/apparmor.d/mosquitto
new file mode 100644
index 000000000..37172661a
--- /dev/null
+++ b/profiles/apparmor.d/mosquitto
@@ -0,0 +1,54 @@
+#------------------------------------------------------------------
+# Copyright (C) 2025 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi ,
+
+include
+
+profile mosquitto /usr/sbin/mosquitto {
+ include
+ include
+ include
+
+ # If run as a root user, drop privileges to mosquitto/nobody/custom-user
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ file @{run}/.nscd_socket rw,
+ file @{run}/nscd/socket rw,
+
+ # nss can be configured to use libvirt in host resolution
+ file /var/lib/libvirt/dnsmasq/ r,
+ file /var/lib/libvirt/dnsmasq/*.status r,
+
+ file @{run}/systemd/notify w,
+ file /usr/sbin/mosquitto mr,
+ file @{run}/mosquitto/mosquitto.pid rw,
+
+ file @{etc_ro}/mosquitto/* r,
+ file @{etc_ro}/mosquitto/conf.d/ r,
+ file @{etc_ro}/mosquitto/conf.d/** r,
+ file @{etc_ro}/mosquitto/mosquitto.conf r,
+ file @{etc_ro}/mosquitto/ca_certificates/** r,
+ file @{etc_ro}/mosquitto/certs/** r,
+
+ file /var/lib/mosquitto/mosquitto.db rwk,
+ file /var/lib/mosquitto/mosquitto.db.new rwk,
+ file /var/log/mosquitto/mosquitto.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
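Review bot: The log rule `file /var/log/mosquitto/mosquitto.log w,` grants truncate and overwrite where append should be enough; if the broker only ever opens its log for append (its logging code uses an `"at"` fopen mode in the releases I know of, but confirm against the packaged version and its SIGHUP reopen path), tightening it to `file /var/log/mosquitto/mosquitto.log a,` keeps a compromised broker from erasing its own audit trail. Separately, `file @{etc_ro}/mosquitto/* r,` already covers `mosquitto.conf`, so the explicit `file @{etc_ro}/mosquitto/mosquitto.conf r,` line is redundant; either drop it or narrow the glob to the files the broker actually reads (config, password and ACL files), so the rule set documents intent. The profile allows `m` only on `/usr/sbin/mosquitto` and writes under `/var/lib/mosquitto` only for the two `.db` paths, so deployments that load a broker plugin via a `plugin` directive will presumably need a `local/` override; a comment next to the `include if exists` line saying so would save operators a denial hunt. The `abi` and `include` arguments appear stripped in this rendering, so the tunables and abstractions being pulled in could not be checked here.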