From e0529ef82f6c950675d306c5b2202aa6aedbd6c5 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Sun, 11 Feb 2018 23:28:32 +0100
Subject: [PATCH] apparmor for lighttpd
---
 .../etc/apparmor-cosmos/usr.sbin.lighttpd | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 global/overlay/etc/apparmor-cosmos/usr.sbin.lighttpd
diff --git a/global/overlay/etc/apparmor-cosmos/usr.sbin.lighttpd b/global/overlay/etc/apparmor-cosmos/usr.sbin.lighttpd
new file mode 100644
index 00000000..143f82ce
--- /dev/null
+++ b/global/overlay/etc/apparmor-cosmos/usr.sbin.lighttpd
@@ -0,0 +1,70 @@
+# Last Modified: Sun Jan 14 17:49:13 2018
+#include
+
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#
+# ------------------------------------------------------------------
+# Modified and locked down by john@sunet.se - 2017-05-23
+# ------------------------------------------------------------------
+#
+# vim:syntax=apparmor
+
+
+/usr/sbin/lighttpd {
+  #include
+  #include
+  #include
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  /bin/dash Cx,
+  /etc/lighttpd r,
+  /etc/lighttpd/*.conf r,
+  /etc/lighttpd/auth.d/* r,
+  /etc/lighttpd/conf-available/ r,
+  /etc/lighttpd/conf-available/*.conf r,
+  /etc/lighttpd/conf-enabled/ r,
+  /etc/lighttpd/conf-enabled/*.conf r,
+  /etc/lighttpd/conf.d/*.conf r,
+  /etc/lighttpd/vhosts.d r,
+  /etc/lighttpd/vhosts.d/* r,
+  /etc/mime.types r,
+  /etc/ssl/private/*.pem r,
+  /usr/lib/lighttpd/*.so mr,
+  /usr/lib64/lighttpd/*.so mr,
+  /usr/sbin/lighttpd mix,
+  /usr/share/lighttpd/ r,
+  /var/cache/lighttpd/ r,
+  /var/cache/lighttpd/** rwl,
+  /var/lib/lighttpd/ r,
+  /var/lib/lighttpd/** rwl,
+  /var/log/lighttpd/*.log rw,
+  /var/www/dehydrated/* r,
+  /{,var/}run/lighttpd.pid rwl,
+
+
+  profile /bin/dash {
+    #include
+    #include
+
+    network inet6 stream,
+
+    /bin/dash mr,
+    /etc/lighttpd/conf-enabled/ r,
+    /etc/mime.types r,
+    /usr/bin/perl ix,
+    /usr/share/lighttpd/*.pl mrix,
+
+  }
+}
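Review bot: Every `#include` directive in this hunk has no target after it (the one at the top of the file, three inside `/usr/sbin/lighttpd {` and two inside `profile /bin/dash {`), so as shown apparmor_parser would reject the profile and a reader cannot tell which abstractions, and therefore which inherited file and network permissions, the profile actually pulls in; if the angle-bracketed names were only stripped by the page rendering this is moot, but the committed file should be checked. Assuming the includes resolve, the main `/usr/sbin/lighttpd` profile carries no `network` rule of its own, so its ability to create listening sockets rests entirely on an included abstraction, which deserves a comment next to the includes such as `# network access for the main profile comes from the included abstractions`. `/etc/ssl/private/*.pem r,` grants the web-server process read access to every private key in that directory rather than only the key it serves; narrowing it to the file(s) named in the lighttpd configuration would match the "locked down" intent stated in the header. Similarly, if lighttpd only appends to its logs, `/var/log/lighttpd/*.log rw,` could become `/var/log/lighttpd/*.log a,`, which drops read and truncate access to the logs from the server process.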