File pihole.apparmor of Package pihole-admin-lte
42
1
# Rules for Pi-hole’s AdminLTE, a PHP control panel.2
3
/{,usr/}bin/bash Cx -> bash,4
5
@{PROC}/loadavg r, # Shown in header.6
7
/run/php-fpm/pihole.sock w, # nginx-user will delete the socket during restart.8
9
/etc/pihole/** r,10
/etc/pihole/gravity.db wk,11
/etc/pihole/pihole-FTL.db k,12
13
/srv/www/pihole/admin/index.php r,14
/srv/www/pihole/admin/**.php r,15
16
/var/log/pihole/pihole-FTL.log r, # To show FTL’s log in the web UI.17
18
/tmp/ r, # session_start() may cause this read. Still inside systemd’s private namespace.19
20
owner /run/php-fpm/pihole.sock rw,21
22
owner /var/log/pihole/adminlte-error.log rw, # Set as error log via PHP_ERROR_LOG env var, by AdminLTE code.23
owner /var/log/pihole/fpm-php.log rw, # Error log configured in php-fpm configuration.24
25
owner /tmp/sess_* rwlk, # This is necessary, even though these are saved under namespace to pihole-admin-lte.service’s private tmp dir.26
27
# Separate bash for better control.28
#29
# attach_disconnected: from30
# name="var/lib/nscd/passwd" comm="sh" requested_mask="r" denied_mask="r" fsuid=65534 ouid=031
profile bash flags=(attach_disconnected) {32
include <abstractions/base>33
include <abstractions/consoles>34
include <abstractions/nameservice>35
36
/{,usr/}bin/bash mr,37
/usr/bin/nproc ix, # Output is shown in header.38
/usr/bin/pihole rix, # Allow control of Pi-hole. # TODO: Create separate profile for pihole. This way normal commands can use the profile too.39
}40
41
# kate: syntax AppArmor; indent-width 242