# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include capability chown, capability dac_override, capability dac_read_search, capability fowner, capability fsetid, capability net_admin, capability setgid, capability setuid, signal (send) set=(hup), signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, @{bin}/gzip rix, @{bin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, @{bin}/shred rix, @{bin}/xz rix, @{bin}/zstd rix, @{lib}/rsyslog/rsyslog-rotate rix, @{bin}/fail2ban-client rPx, @{bin}/my_print_defaults rPUx, @{bin}/mysqladmin rPUx, @{bin}/systemd-tty-ask-password-agent rPx, @{lib}/php/php[7-8].[3-4]-fpm-reopenlogs rPUx, /etc/init.d/nginx rPUx, @{bin}/squid rPUx, @{bin}/pgrep rCx -> pgrep, # no new privs #@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rix, @{bin}/runlevel rix, include ptrace (read), capability sys_ptrace, owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/1/sched r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, /etc/ r, @{etc_ro}/logrotate.conf rk, @{etc_ro}/logrotate.d/ r, @{etc_ro}/rc*.d/ r, @{etc_ro}/logrotate.d/* rk, / r, /var/log{,.hdd}/ r, /var/log{,.hdd}/** rw, /var/lib/{,misc/}logrotate/status rwk, /var/lib/{,misc/}logrotate/status.tmp rw, /var/lib/{,misc/}logrotate.status rwk, /var/lib/{,misc/}logrotate.status.tmp rw, @{run}/systemd/private rw, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, owner /dev/tty rw, profile systemctl flags=(attach_disconnected) { include include capability net_admin, capability sys_ptrace, include if exists } profile pgrep { include include include if exists } include if exists } # vim:syntax=apparmor