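# Last Modified: Fri Mar 1 18:55:47 2013
# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
# This AppArmor profile has been copied under BSD License from
# Percona XtraDB Cluster, along with some additions.
#
# Purpose: confines /usr/sbin/mariadbd and, through a child profile, the
# /bin/dash shell it is allowed to launch (see the "rcx" rule below).
#
# NOTE(review): both profiles carry flags=(complain). In complain mode
# AppArmor only logs what the policy would have denied; nothing is blocked,
# so the rules below provide no containment until the flag is removed (or
# the profile is switched with aa-enforce) after the logged events have
# been reviewed on the target hosts.

#include <tunables/global>

/usr/sbin/mariadbd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/winbind>

  # Capabilities. dac_override lets the daemon bypass ordinary file
  # permission checks (the file rules in this profile still apply once it
  # is enforced); sys_rawio grants raw I/O access.
  # NOTE(review): confirm that dac_override and sys_rawio are really
  # needed on this deployment and drop them if not.
  capability chown,
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_rawio,
  capability sys_resource,

  network tcp,

  # "rcx": read, plus execute with a transition into the child profile
  # "/bin/dash" declared further down in this profile.
  /bin/dash rcx,
  # NOTE(review): /dev/dm-0 names one specific device-mapper node and looks
  # host-specific; verify it matches the machine's storage layout.
  /dev/dm-0 r,
  /etc/gai.conf r,
  /etc/group r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ld.so.cache r,
  /etc/mtab r,
  /etc/my.cnf r,
  /etc/mysql/*.cnf r,
  # *.pem covers TLS certificates and private keys stored under /etc/mysql.
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/mariadb.conf.d/ r,
  /etc/mysql/mariadb.conf.d/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/services r,
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,
  # Link and lock are limited to files the daemon's user owns, but the
  # next rule grants read/write on everything under /tmp regardless of
  # owner.
  # NOTE(review): abstractions/user-tmp is already included above; check
  # whether the unqualified "/tmp/** rw" can be narrowed with "owner".
  owner /tmp/** lk,
  /tmp/** rw,
  /usr/lib/mysql/plugin/ r,
  # "mr": plugins may be read and mapped executable.
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mariadbd mr,
  /usr/share/mysql/** r,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql.err rw,
  /var/log/mysql.log rw,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  # The original listing repeated the two /run/mysqld rules here; the
  # duplicates were dropped because rules are additive and the first
  # occurrence above already grants the same access.


  # Child profile entered when mariadbd executes /bin/dash. Every "rix"
  # rule below lets the shell run that binary under this same child
  # profile (inherit), so all of these tools share one permission set.
  # NOTE(review): presumably this exists for the wsrep_sst* state-transfer
  # scripts; it allows general-purpose interpreters and network/file tools
  # (perl, nc.openbsd, socat, rsync, tar, rm, find, xargs) with write
  # access to /tmp/** and /var/lib/mysql/**. On hosts that do not use
  # cluster state transfer, consider removing the "/bin/dash rcx" rule and
  # this child profile.
  profile /bin/dash flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/perl>



    /bin/cat rix,
    /bin/dash rix,
    /bin/date rix,
    /bin/grep rix,
    /bin/nc.openbsd rix,
    /bin/netstat rix,
    /bin/ps rix,
    /bin/rm rix,
    /bin/sed rix,
    /bin/sleep rix,
    /bin/tar rix,
    /bin/which rix,
    /dev/tty rw,
    /etc/ld.so.cache r,
    /etc/my.cnf r,
    # The /proc/*/... globs match every PID, so command lines, descriptor
    # listings and status of all processes are readable from this profile.
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/fd/ r,
    /proc/*/net/dev r,
    /proc/*/net/if_inet6 r,
    /proc/*/net/tcp r,
    /proc/*/net/tcp6 r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /sbin/ifconfig rix,
    /sys/devices/system/cpu/ r,
    /tmp/** rw,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/gawk rix,
    /usr/bin/mysql rix,
    /usr/bin/perl rix,
    /usr/bin/seq rix,
    /usr/bin/wsrep_sst* rix,
    /usr/bin/wsrep_sst_common r,
    /usr/bin/mariabackup* rix,
    /var/lib/mysql/ r,
    /var/lib/mysql/** rw,
    # The two rules below are already covered by "/var/lib/mysql/** rw".
    /var/lib/mysql/*.log w,
    /var/lib/mysql/*.err w,

    # MariaDB additions
    # ptrace is permitted only between processes confined by this same
    # profile.
    ptrace peer=@{profile_name},

    /bin/hostname rix,
    /bin/ip rix,
    /bin/mktemp rix,
    /bin/ss rix,
    /bin/sync rix,
    /bin/touch rix,
    /bin/uname rix,
    /etc/mysql/*.cnf r,
    /etc/mysql/conf.d/ r,
    /etc/mysql/conf.d/* r,
    /proc/*/attr/current r,
    /proc/*/fdinfo/* r,
    /proc/*/net/* r,
    /proc/locks r,
    /proc/sys/net/ipv4/ip_local_port_range r,
    /run/mysqld/mysqld.sock rw,
    /sbin/ip rix,
    /usr/bin/basename rix,
    /usr/bin/du rix,
    /usr/bin/find rix,
    /usr/bin/lsof rix,
    /usr/bin/my_print_defaults rix,
    /usr/bin/mysqldump rix,
    /usr/bin/pv rix,
    /usr/bin/rsync rix,
    /usr/bin/socat rix,
    /usr/bin/tail rix,
    /usr/bin/timeout rix,
    /usr/bin/xargs rix,
    /usr/bin/xbstream rix,
  }
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mariadbd>
}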