# Rules for Pi-hole’s AdminLTE, a PHP control panel.
/{,usr/}bin/bash Cx -> bash, # Cx: bash runs under the local child profile "bash" defined at the bottom of this file, not under these rules.
@{PROC}/loadavg r, # Shown in header.
/run/php-fpm/pihole.sock w, # nginx-user will delete the socket during restart; unlinking needs w even when not the owner.
/etc/pihole/** r, # Recursive read of everything under /etc/pihole (** crosses directory boundaries). Any file added there later becomes readable by the panel too — re-check when new files land in that directory.
/etc/pihole/gravity.db wk, # Write + lock; read comes from the /etc/pihole/** rule above.
/etc/pihole/pihole-FTL.db k, # Lock only; read comes from the /etc/pihole/** rule above.
/srv/www/pihole/admin/index.php r, # Appears redundant with the **.php rule below.
/srv/www/pihole/admin/**.php r, # All PHP sources of the panel, at any depth.
/var/log/pihole/pihole-FTL.log r, # To show FTL’s log in the web UI.
/tmp/ r, # r on the directory itself (trailing slash), not its contents. session_start() may cause this read. Still inside systemd’s private namespace.
owner /run/php-fpm/pihole.sock rw, # Read/write on the socket only when it is owned by the process's own uid.
owner /var/log/pihole/adminlte-error.log rw, # Set as error log via PHP_ERROR_LOG env var, by AdminLTE code.
owner /var/log/pihole/fpm-php.log rw, # Error log configured in php-fpm configuration.
owner /tmp/sess_* rwlk, # PHP session files: read, write, link, lock. This is necessary, even though these are saved under namespace to pihole-admin-lte.service’s private tmp dir.
# Separate child profile for bash, for tighter control.
#
# attach_disconnected: from
# name="var/lib/nscd/passwd" comm="sh" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
profile bash flags=(attach_disconnected) {
# Child profile entered from the parent's "Cx -> bash" rule on /{,usr/}bin/bash.
# attach_disconnected: see the denial quoted above (a disconnected path such as
# var/lib/nscd/passwd); without the flag such accesses are rejected outright
# instead of being matched against the rules here.
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice> # Presumably what covers the nscd/passwd lookup from the denial quoted above — verify before tightening.
/{,usr/}bin/bash mr, # The interpreter itself: mmap-exec (m) and read; matches both the /bin and /usr/bin locations.
/usr/bin/nproc ix, # Output is shown in header. ix: runs under this same profile.
/usr/bin/pihole rix, # Allow control of Pi-hole. ix: the pihole script stays confined by this profile, so anything it execs also needs an exec rule here. # TODO: Create separate profile for pihole. This way normal commands can use the profile too.
}
# kate: syntax AppArmor; indent-width 2