Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
@dmitrii-fediuk
dmitrii-fediuk committed Jun 15, 2024
1 parent c392210 commit f6d79c3
Showing 1 changed file with 84 additions and 0 deletions.
84 changes: 84 additions & 0 deletions etc/apparmor.d/usr.sbin.mysqld
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# vim:syntax=apparmor
# Last Modified: Tue Feb 09 15:28:30 2016
#include <tunables/global>

/usr/sbin/mysqld {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/mysql>
#include <abstractions/winbind>

# Allow system resource access
/proc/*/status r,
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/** r,
capability sys_resource,
capability dac_override,
capability dac_read_search,
capability setuid,
capability setgid,

# Allow network access
network tcp,

/etc/hosts.allow r,
/etc/hosts.deny r,

# Allow config access
/etc/mysql/** r,

# Allow pid, socket, socket lock file access
/var/run/mysqld/mysqld.pid rw,
/var/run/mysqld/mysqld.sock rw,
/var/run/mysqld/mysqld.sock.lock rw,
/var/run/mysqld/mysqlx.sock rw,
/var/run/mysqld/mysqlx.sock.lock rw,
/run/mysqld/mysqld.pid rw,
/run/mysqld/mysqld.sock rw,
/run/mysqld/mysqld.sock.lock rw,
/run/mysqld/mysqlx.sock rw,
/run/mysqld/mysqlx.sock.lock rw,

# Allow systemd notify messages
/{,var/}run/systemd/notify w,

# Allow execution of server binary
/usr/sbin/mysqld mr,
/usr/sbin/mysqld-debug mr,

# Allow plugin access
/usr/lib/mysql/plugin/ r,
/usr/lib/mysql/plugin/*.so* mr,

# Allow error msg and charset access
/usr/share/mysql/ r,
/usr/share/mysql/** r,

# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,

# Allow data files dir access
/var/lib/mysql-files/ r,
/var/lib/mysql-files/** rwk,

# Allow keyring dir access
/var/lib/mysql-keyring/ r,
/var/lib/mysql-keyring/** rwk,

# Allow log file access
/var/log/mysql.err rw,
/var/log/mysql.log rw,
/var/log/mysql/ r,
/var/log/mysql/** rw,

# Allow read access to mecab files
/var/lib/mecab/dic/ipadic-utf8/** r,

# Allow read access to OpenSSL config
/etc/ssl/openssl.cnf r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.mysqld>
}

0 comments on commit f6d79c3

Please sign in to comment.