Bug#1121688: luanti-server: Add Apparmor Profile

Chris Barry chris at barry.im
Sun Nov 30 15:43:59 GMT 2025 

Package: luanti-server
Version: 5.10.0+dfsg-5
Severity: wishlist
Tags: patch
X-Debbugs-Cc: chris at barry.im

Dear Maintainer,

In order to help secure running instances of luanti Debian should provide a default apparmor profile. I considered applying this upstream however it seems upstream does not even provide their own starter systemd service files.

I've attached the apparmor profile I've been using for a few months. It assumes Bug#1121644 is completed (it supports /usr/local).

In my opinion this should be enabled by default to help secure systems but I am unsure what Debian's policy is on that.

```
# AppArmor profile for luantiserver

#include <tunables/global>

profile luantiserver /usr/libexec/luanti/luantiserver {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>

  # Network access
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Capabilities
  capability setuid,
  capability setgid,
  capability net_bind_service,

  # Configuration files (read-only)
  /etc/luanti/** r,

  # Luanti data directories
  /usr/{,local/}share/luanti/** r,

  # Server data directories
  /var/lib/{,private/}luanti/** rwk,

  # Log files
  /var/log/{,private/}luanti/** rw,

  # read-only system metadata paths
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile            r,

  # User-specific paths
  owner @{HOME}/.luanti/** rw,

  #include if exists <local/usr.libexec.luanti.luantiserver>
}
```


-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages luanti-server depends on:
ii  libc6                      2.41-12
ii  libcurl4t64                8.14.1-2+deb13u2
ii  libgcc-s1                  14.2.0-19
ii  libgmp10                   2:6.3.0+dfsg-3
ii  libjsoncpp26               1.9.6-3
ii  libleveldb1d               1.23-5+b2
ii  libluajit-5.1-2            2.1.0+openresty20250117-2
ii  libpq5                     17.6-0+deb13u1
ii  libprometheus-cpp-core1.0  1.0.2-2+b3
ii  libprometheus-cpp-pull1.0  1.0.2-2+b3
ii  libspatialindex8           2.1.0-1
ii  libsqlite3-0               3.46.1-7
ii  libstdc++6                 14.2.0-19
ii  libzstd1                   1.5.7+dfsg-1
ii  luanti-data                5.10.0+dfsg-5
ii  luanti-game-minetest       5.8.0.40.gc7be7c1-3
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1+b1

luanti-server recommends no packages.

luanti-server suggests no packages.

-- Configuration Files:
/etc/luanti/default.conf changed [not included]

-- no debconf information

More information about the Pkg-games-devel mailing list