apparmor for all

bitwarden/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile bitwarden_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

cloudcommander/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile cloudcommander_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

code-server/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile code_server_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

joal/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile joal_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

nextcloud/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile nextcloud_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

papermerge/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile papermerge_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

piwigo/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile piwigo_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

radarr/apparmor.txt

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+profile radarr_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+  
+  capability,
+  file,
+  mount,
+  umount,
+  remount,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin, 
+  capability dac_read_search, 
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl, 
+  # Files required
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+  
+  # Data access
+  /data/** rw, 
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+ 
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}