[debian-mysql] [PATCH 4/8] Add AppArmor profile (closes: #736087)

Robie Basak robie.basak at canonical.com
Mon Feb 10 13:50:17 UTC 2014 

---
 debian/apparmor-profile       | 45 +++++++++++++++++++++++++++++++++++++++++++
 debian/control                |  1 +
 debian/mysql-server-5.5.files |  1 +
 debian/rules                  |  4 ++++
 4 files changed, 51 insertions(+)
 create mode 100644 debian/apparmor-profile

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
new file mode 100644
index 0000000..3e1f1b0
--- /dev/null
+++ b/debian/apparmor-profile
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# Last Modified: Tue Jun 19 17:37:30 2007
+#include <tunables/global>
+
+/usr/sbin/mysqld {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+  #include <abstractions/mysql>
+  #include <abstractions/winbind>
+
+  capability dac_override,
+  capability sys_resource,
+  capability setgid,
+  capability setuid,
+
+  network tcp,
+
+  /etc/hosts.allow r,
+  /etc/hosts.deny r,
+
+  /etc/mysql/*.pem r,
+  /etc/mysql/conf.d/ r,
+  /etc/mysql/conf.d/* r,
+  /etc/mysql/*.cnf r,
+  /usr/lib/mysql/plugin/ r,
+  /usr/lib/mysql/plugin/*.so* mr,
+  /usr/sbin/mysqld mr,
+  /usr/share/mysql/** r,
+  /var/log/mysql.log rw,
+  /var/log/mysql.err rw,
+  /var/lib/mysql/ r,
+  /var/lib/mysql/** rwk,
+  /var/log/mysql/ r,
+  /var/log/mysql/* rw,
+  /var/run/mysqld/mysqld.pid rw,
+  /var/run/mysqld/mysqld.sock w,
+  /run/mysqld/mysqld.pid rw,
+  /run/mysqld/mysqld.sock w,
+
+  /sys/devices/system/cpu/ r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.mysqld>
+}
diff --git a/debian/control b/debian/control
index 641e895..626dd68 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,7 @@ Build-Depends:
  chrpath,
  cmake,
  debhelper (>= 8.1.3~),
+ dh-apparmor,
  doxygen-latex,
  gawk,
  ghostscript,
diff --git a/debian/mysql-server-5.5.files b/debian/mysql-server-5.5.files
index 626f78d..2754605 100644
--- a/debian/mysql-server-5.5.files
+++ b/debian/mysql-server-5.5.files
@@ -55,3 +55,4 @@ usr/share/mysql/echo_stderr
 usr/share/mysql/errmsg-utf8.txt
 usr/share/mysql/mysqld_multi.server
 usr/share/mysql/mysql_test_data_timezone.sql
+etc/apparmor.d/usr.sbin.mysqld
diff --git a/debian/rules b/debian/rules
index 25f7e82..74cf629 100755
--- a/debian/rules
+++ b/debian/rules
@@ -198,6 +198,10 @@ auto_install-stamp:
 	install -m 0755 debian/additions/echo_stderr $(TMP)/usr/share/mysql/
 	install -m 0755 debian/additions/debian-start $(TMP)/etc/mysql/
 	install -m 0755 debian/additions/debian-start.inc.sh $(TMP)/usr/share/mysql/
+
+	# install AppArmor profile
+	install -D -m 644 debian/apparmor-profile $(TMP)/etc/apparmor.d/usr.sbin.mysqld
+
 	touch $@
 
 override_dh_install:
-- 
1.8.3.2

More information about the pkg-mysql-maint mailing list