hassio-addons/nginx_webserver_proxy/apparmor.txt

# AppArmor profile for the nginx reverse-proxy add-on. Everything not listed
# below is refused: profiles are default-deny, and an explicit "deny" rule
# beats any "allow" rule, including ones pulled in by the abstractions.
#include <tunables/global>
# attach_disconnected: paths disconnected from the namespace root (common with
# container mounts) are attached to / and mediated by the rules below instead
# of being refused outright. mediate_deleted: files unlinked while still open
# stay mediated.
profile nginx-proxy-manager flags=(attach_disconnected,mediate_deleted) {
# NOTE(review): the Home Assistant Supervisor checks the profile name inside
# apparmor.txt against the add-on slug when it loads the profile — confirm
# "nginx-proxy-manager" is the slug in this add-on's config.
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# Core capabilities
# chown/dac_override/setuid/setgid are the usual set for a daemon that starts
# as root, opens its files and sockets, then switches its workers to an
# unprivileged user — presumably nginx here; verify against the add-on's
# nginx.conf. dac_override is the broad one: it bypasses file mode bits, so
# the path rules below are the only thing limiting which root-owned files the
# process can open.
capability chown,
capability dac_override,
# Bind listening sockets to ports below 1024 (80/443 for a proxy).
capability net_bind_service,
# Set file capabilities on executables.
capability setfcap,
capability setgid,
capability setuid,
capability sys_chroot,
# Signal processes owned by other users (master -> worker management).
capability kill,
# Process and memory management
# Raise resource limits (e.g. the open-file limit) past the hard limit.
capability sys_resource,
# Deny dangerous capabilities
# None of these is in the allow list above, so the denies do not change what
# is permitted; they document intent, silence audit logging for attempts, and
# override anything an included abstraction might grant.
deny capability dac_read_search,
deny capability linux_immutable,
deny capability mac_admin,
deny capability mac_override,
deny capability sys_admin,
deny capability sys_boot,
deny capability sys_module,
deny capability sys_rawio,
deny capability syslog,
# Network
# TCP and UDP over IPv4/IPv6 plus local unix sockets; no other address family
# (raw, packet, netlink) is granted.
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network unix stream,
network unix dgram,
# Mount-point rules. "rwk" = read, write (which includes create, truncate and
# delete) and file locking, on every file below the directory.
# NOTE(review): write access to all of /share, /media, /config and
# /addon_configs is wider than a proxy normally needs; keep only the mounts
# the add-on configuration actually maps in, and drop the rest to "r".
# /data - addon config (read/write)
/data/ r,
/data/** rwk,
# /share - Home Assistant storage (read/write)
/share/ r,
/share/** rwk,
# /media - Home Assistant media (read/write)
/media/ r,
/media/** rwk,
# /config - Home Assistant config (read/write)
/config/ r,
/config/** rwk,
# /addon_configs - addon instance config
/addon_configs/ r,
/addon_configs/** rwk,
# /etc/letsencrypt - SSL certs
# Write access here covers private keys as well as certificates; it is only
# needed if the add-on itself issues or renews certificates — confirm, else
# reduce to "r".
/etc/letsencrypt/ r,
/etc/letsencrypt/** rwk,
# /proc and /sys
# @{PROC} and @{sys} are the tunables from <tunables/global> (/proc and /sys
# by default).
# NOTE(review): "rw" on @{PROC}/** and @{sys}/** is the broadest grant in this
# profile: it covers /proc/sys/*, other processes' /proc/<pid>/* entries and
# writable sysfs attributes, leaving only the kernel's own DAC/ptrace checks in
# the way. The deny rules at the end carve out sysrq-trigger, firmware,
# securityfs and debugfs; consider narrowing the allow to what nginx actually
# touches (e.g. @{PROC}/@{pid}/** r) once the audit log shows it.
@{PROC}/ r,
@{PROC}/** rw,
@{sys}/ r,
@{sys}/** rw,
# Temporary files
/tmp/ r,
/tmp/** rwk,
/var/tmp/ r,
/var/tmp/** rwk,
# Basic system access
# "ix" = inherit: the executed program keeps running under this same profile,
# so helper shells and jq get the proxy's full rule set. No cx/px transitions
# are used anywhere in this profile.
/bin/bash ix,
/bin/sh ix,
/bin/ls ix,
/bin/cat ix,
/bin/sed ix,
/usr/bin/jq ix,
# Nginx binary and libraries
/usr/sbin/nginx ix,
/usr/local/sbin/nginx ix,
# "rm" = read + map as executable, which shared libraries need. The standard
# library directories are also covered by <abstractions/base>, so these rules
# are at least partly redundant.
/usr/lib/** rm,
/lib/** rm,
/usr/local/lib/** rm,
# Allow reading app-specific configs (read-only)
/etc/nginx/ r,
/etc/nginx/** r,
# Logs: the directory is listable and every file below /var/log is writable,
# which lets nginx create and append its access/error logs. Note that "w" also
# permits truncating or deleting any other file under /var/log, and no read
# access to the log files themselves is granted here.
/var/log/ r,
/var/log/** w,
# Deny sensitive system areas
# "l" (hard link) appears only in these rules; no allow rule grants it. The
# /sys entries overlap the @{sys}/** grant above and win because deny takes
# precedence. /proc/sysrq-trigger is spelled literally rather than via
# @{PROC}; equivalent with the default tunable, but worth keeping consistent
# with the allow rule.
deny /root/** rwkl,
deny /home/** rwkl,
deny /proc/sysrq-trigger rwkl,
deny /sys/firmware/** rwkl,
deny /sys/kernel/security/** rwkl,
deny /sys/kernel/debug/** rwkl,
# NOTE(review): nothing here grants /run (pid file, sockets) or the s6-overlay
# start-up paths that most Home Assistant add-on images execute; if this image
# relies on them, the Supervisor's audit log will show the denials — verify
# before shipping.
}