squid-ssl/usr.sbin.squid at main · RustyHearth/squid-ssl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Author: Simon Deziel
#         Jamie Strandboge
# vim:syntax=apparmor
#include <tunables/global>

/usr/sbin/squid flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>

  # If you are using squid with the default snakeoil certificates, you will
  # probably have to uncomment the line below so that squid can read the
  # private key:
  #/etc/ssl/private/ssl-cert-snakeoil.key r,

  # For a more generous permission, but also less secure, you could
  # alternatively include the <abstractions/ssl_keys> abstraction, which
  # gives read access to the entire contents of /etc/ssl

  capability net_admin,
  capability net_raw,
  capability setuid,
  capability setgid,
  capability sys_chroot,

  # allow child processes to run execvp(argv[0], [kidname, ...])
  /usr/sbin/squid rix,

  # pinger
  network inet raw,
  network inet6 raw,

  /etc/mtab r,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/mounts r,

  # squid configuration
  /etc/squid/** r,
  /{,var/}run/squid.pid rwk,
  /{,var/}run/squid/** rwk,
  /{,var/}run/systemd/notify rwk,
  /var/spool/squid{,3}/ r,
  /var/spool/squid{,3}/** rwk,
  /usr/lib/squid{,3}/* rmix,
  /usr/share/squid/** r,
  /var/log/squid{,3}/* rw,
  owner /dev/shm/** rmw,

  # squid-langpack
  /usr/share/squid-langpack/** r,

  # squid-deb-proxy
  /etc/squid-deb-proxy/** r,
  /{,var/}run/squid-deb-proxy.pid rwk,
  /var/cache/squid-deb-proxy/ r,
  /var/cache/squid-deb-proxy/** rwk,
  /var/log/squid-deb-proxy/* rw,

  # squidguard
  /usr/bin/squidGuard Cx -> squidguard,
  profile squidguard {
    #include <abstractions/base>

    /etc/squid/squidGuard.conf r,
    /var/log/squid{,3}/squidGuard.log w,
    /var/lib/squidguard/** rw,

    # squidguard by default uses /var/log/squid as its logdir, however, we
    # don't want it to access squid's logs, only its own. Explicitly deny
    # access to squid's files but allow all others since the user may specify
    # anything for the squidGurad 'log' directive.
    /var/log/squid{,3}/* rw,
    audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.squid>
  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.squid>
}