Merge profiles/apparmor.d: add mosquitto profile

Adds apparmor profile for https://mosquitto.org/ `plucky 2.0.20-2`. In a production and customized environment, this profile would need overriding as many configuration options in `mosquitto.conf` are file paths which can point anywhere. This profile adds all sensible defaults required for mosquitto to work out of the box with TLS. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1506 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-06-23 13:28:55 +00:00 · 2025-06-23 13:28:55 +00:00 · a431a6e80b
commit a431a6e80b
parent 61a3a4862e 532d4be050
1 changed files with 54 additions and 0 deletions
--- a/profiles/apparmor.d/mosquitto
+++ b/profiles/apparmor.d/mosquitto
@ -0,0 +1,54 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile mosquitto /usr/sbin/mosquitto {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/hosts_access>
+
+  # If run as a root user, drop privileges to mosquitto/nobody/custom-user
+  capability setgid,
+  capability setuid,
+
+  network inet  stream,
+  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  file @{run}/.nscd_socket rw,
+  file @{run}/nscd/socket rw,
+
+  # nss can be configured to use libvirt in host resolution
+  file /var/lib/libvirt/dnsmasq/ r,
+  file /var/lib/libvirt/dnsmasq/*.status r,
+
+  file @{run}/systemd/notify w,
+  file /usr/sbin/mosquitto mr,
+  file @{run}/mosquitto/mosquitto.pid rw,
+
+  file @{etc_ro}/mosquitto/* r,
+  file @{etc_ro}/mosquitto/conf.d/ r,
+  file @{etc_ro}/mosquitto/conf.d/** r,
+  file @{etc_ro}/mosquitto/mosquitto.conf r,
+  file @{etc_ro}/mosquitto/ca_certificates/** r,
+  file @{etc_ro}/mosquitto/certs/** r,
+
+  file /var/lib/mosquitto/mosquitto.db rwk,
+  file /var/lib/mosquitto/mosquitto.db.new rwk,
+  file /var/log/mosquitto/mosquitto.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/mosquitto>
+}
+