mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

Merge profiles/apparmor.d: add mosquitto profile

Browse Source 
Adds apparmor profile for https://mosquitto.org/ `plucky 2.0.20-2`.

In a production and customized environment, this profile would need overriding as many configuration options in `mosquitto.conf` are file paths which can point anywhere. This profile adds all sensible defaults required for mosquitto to work out of the box with TLS.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1506
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
This commit is contained in:
Maxime Bélair 2025-06-23 13:28:55 +00:00
commit a431a6e80b
1 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
profiles/apparmor.d/mosquitto Normal file
View File

@ -0,0 +1,54 @@
#------------------------------------------------------------------
# Copyright (C) 2025 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor
#
abi <abi/4.0>,
include <tunables/global>
profile mosquitto /usr/sbin/mosquitto {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/hosts_access>
# If run as a root user, drop privileges to mosquitto/nobody/custom-user
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
file @{run}/.nscd_socket rw,
file @{run}/nscd/socket rw,
# nss can be configured to use libvirt in host resolution
file /var/lib/libvirt/dnsmasq/ r,
file /var/lib/libvirt/dnsmasq/*.status r,
file @{run}/systemd/notify w,
file /usr/sbin/mosquitto mr,
file @{run}/mosquitto/mosquitto.pid rw,
file @{etc_ro}/mosquitto/* r,
file @{etc_ro}/mosquitto/conf.d/ r,
file @{etc_ro}/mosquitto/conf.d/** r,
file @{etc_ro}/mosquitto/mosquitto.conf r,
file @{etc_ro}/mosquitto/ca_certificates/** r,
file @{etc_ro}/mosquitto/certs/** r,
file /var/lib/mosquitto/mosquitto.db rwk,
file /var/lib/mosquitto/mosquitto.db.new rwk,
file /var/log/mosquitto/mosquitto.log w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/mosquitto>
}