# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): every `abi` / `include` line below has lost its angle-bracket
# target during extraction (the `<...>` part was stripped). The profile does
# not parse as shown; restore the targets from the upstream apparmor.d file.

abi ,

include 

# Attachment path: logrotate may live in bin/ or sbin/, with or without /usr.
@{exec_path} = /{usr/,}{s,}bin/logrotate
profile logrotate @{exec_path} flags=(attach_disconnected) {
  include 
  include 

  # Capabilities needed to rotate logs owned by arbitrary users and to change
  # ownership/mode of rotated files — presumably for the `create`/`su`
  # directives in logrotate.conf; confirm against the deployed config.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  # Explicitly denied and logged so a request for it shows up in the audit
  # log instead of being silently dropped.
  audit deny capability net_admin,

  # HUP has no `peer=` qualifier: it may be sent to any process (postrotate
  # scripts reload daemons this way); term/cont is limited to the
  # password agent spawned below.
  signal (send) set=(hup),
  signal (send) set=(term cont) peer=systemd-tty-ask-password-agent,

  @{exec_path} mr,

  # Helpers run inherited (ix): they stay inside this profile and get
  # exactly the permissions granted here, nothing more.
  /{usr/,}{s,}bin/ r,
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/cat rix,
  /{usr/,}bin/grep rix,
  /{usr/,}bin/shred rix,
  /{usr/,}bin/kill rix,
  /{usr/,}bin/ls rix,
  /{usr/,}bin/gzip rix,
  /{usr/,}bin/zstd rix,
  /{usr/,}{s,}bin/invoke-rc.d rix,
  /{usr/,}lib/rsyslog/rsyslog-rotate rix,

  # Strict transitions (Px): exec fails unless the target's own profile is
  # loaded.
  /{usr/,}bin/fail2ban-client rPx,
  /{usr/,}bin/systemd-tty-ask-password-agent rPx,

  # Px-or-unconfined (PUx): transition to the target's profile if one is
  # loaded, otherwise run unconfined. This is the weakest transition in the
  # profile; these helpers run with no AppArmor confinement on systems
  # without profiles for them.
  /{usr/,}bin/my_print_defaults rPUx,
  /{usr/,}bin/mysqladmin rPUx,
  /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,

  # no new privs
  # NOTE(review): the child-profile transition below is disabled (the
  # comment above suggests a no_new_privs interaction — confirm), so
  # systemctl currently runs inherited under this profile and the
  # `profile systemctl` block further down is defined but never entered.
  #/{usr/,}bin/systemctl rCx -> systemctl,
  /{usr/,}bin/systemctl rix,
  /{usr/,}{s,}bin/runlevel rix,
  include 
  # ptrace/sys_ptrace plus the /proc/1 reads: presumably what systemctl
  # needs to inspect PID 1 while running inherited here — confirm.
  ptrace (read),
  capability sys_ptrace,
  owner @{PROC}/@{pid}/stat r,
  @{PROC}/1/environ r,
  @{PROC}/1/sched r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
  # NOTE(review): redundant — the unqualified `@{run}/systemd/private rw,`
  # rule below already covers this path for any owner.
  owner @{run}/systemd/private rw,

  # Configuration: read-only, with file locking (k) on the config files.
  /etc/ r,
  /etc/logrotate.conf rk,
  /etc/logrotate.d/ r,
  /etc/logrotate.d/* rk,

  # Rotation state; both the legacy and the /var/lib/logrotate/ locations.
  /var/lib/logrotate/status rwk,
  /var/lib/logrotate/status.tmp rw,
  /var/lib/logrotate.status rwk,
  /var/lib/logrotate.status.tmp rw,

  # Broadest grant in the profile: read/write over the entire log tree
  # (and its .hdd variant). Inherent to the job, but together with the
  # chown/fowner capabilities above it is what confinement here relies on
  # the rest of the profile to bound.
  / r,
  /var/log{,.hdd}/ r,
  /var/log{,.hdd}/** rw,

  @{run}/systemd/private rw,

  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  # Child profile for systemctl. Not reachable while the `rCx -> systemctl`
  # rule above stays commented out.
  profile systemctl flags=(attach_disconnected) {
    include 
    include 

    capability sys_ptrace,
    ptrace (read),

    /{usr/,}bin/systemctl mr,

    owner @{PROC}/@{pid}/stat r,
    @{PROC}/1/environ r,
    @{PROC}/1/sched r,
    @{PROC}/cmdline r,
    @{PROC}/sys/kernel/osrelease r,

    # Write access to the kernel log ring buffer.
    /dev/kmsg rw,

    include if exists 
  }

  include if exists 
}