Merge pull request #30 from fatalbanana/apparmor
Add an example AppArmor profile
vstakhov authored Apr 1, 2024
2 parents 56ee246 + 2af9e8e commit c08508d
Showing 2 changed files with 29 additions and 0 deletions.
11 changes: 11 additions & 0 deletions examples/security/apparmor/README.md
@@ -0,0 +1,11 @@
## Example AppArmor profile for Rspamd Docker container

This is an example AppArmor profile for restricting the Rspamd Docker container. It might not be feature-complete: you should be prepared to deal with possible fallout by reviewing logs & making necessary changes. The profile is aimed merely at running Rspamd and doesn't support use-cases such as logging in to the container.

### Usage

```
sudo cp rspamd-docker.profile /etc/apparmor.d/
sudo systemctl reload apparmor
docker run -v rspamd_dbdir:/var/lib/rspamd --security-opt apparmor=rspamd-docker -ti rspamd/rspamd
```
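Review bot: The README asks users to handle fallout by "reviewing logs" but never says which logs or how to confirm the profile is actually loaded before the `docker run` step. Suggest adding a sentence that AppArmor denials are reported through the kernel audit log (entries containing `apparmor="DENIED"` with `profile="rspamd-docker"`) and that `sudo aa-status` lists loaded profiles. Also, `sudo systemctl reload apparmor` reloads every profile on the host; `sudo apparmor_parser -r /etc/apparmor.d/rspamd-docker.profile` would load only this one, which is less disruptive while iterating on the rules.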
18 changes: 18 additions & 0 deletions examples/security/apparmor/rspamd-docker.profile
@@ -0,0 +1,18 @@
#include <tunables/global>

profile rspamd-docker {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>

owner /dev/shm/* rw,
/etc/magic r,
/etc/magic.mime r,
/etc/rspamd/** r,
/sys/kernel/mm/transparent_hugepage/enabled r,
/usr/bin/rspamd mr,
/usr/share/rspamd/** r,
/var/lib/rspamd/ r,
/var/lib/rspamd/** rwk,
}
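Review bot: The directory rules are inconsistent. `/var/lib/rspamd/ r,` is listed alongside `/var/lib/rspamd/** rwk,`, but `/etc/rspamd/** r,` and `/usr/share/rspamd/** r,` have no matching rule for the directories themselves, and `**` only matches entries below the directory. If Rspamd lists either top-level directory, that will be denied; either add `/etc/rspamd/ r,` and `/usr/share/rspamd/ r,` or note that the omission is intentional. A short comment on the less obvious entries (`owner /dev/shm/* rw,` and `/sys/kernel/mm/transparent_hugepage/enabled r,`) would also help people adapting this example decide what they can drop.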
