authorStefan Bühler <stbuehler@web.de>2014-06-01 11:43:20 +0000
committerStefan Bühler <stbuehler@web.de>2014-06-01 11:43:20 +0000
commit132cae5232da76ea6fc8a19bc660ef9de5f96d7f (patch)
tree1ed16ea63acfd2c498cdc908176f0e86f53f0aab
parent91081248428c55a7ced9f42868557ce6c7637d15 (diff)
downloadspawn-fcgi-132cae5232da76ea6fc8a19bc660ef9de5f96d7f.tar.gz
spawn-fcgi-132cae5232da76ea6fc8a19bc660ef9de5f96d7f.zip
Add example apparmor spawn-fcgi abstraction
From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/spawn-fcgi/trunk@60 4a9f3682-ca7b-49a8-9a55-ba4640e46f83
-rw-r--r--NEWS1
-rw-r--r--doc/Makefile.am2
-rw-r--r--doc/apparmor.d-abstractions-spawn-fcgi20
3 files changed, 22 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 048f745..852bfa6 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@ NEWS
* Use octal mode for -M (patch by dfjoerg)
* Add -b backlog option (fixes #2422, patch by aschmitz)
* Restrict Unix socket file ownership by default to ug=rw
+ * Add example apparmor spawn-fcgi abstraction
- 1.6.3 - 2009-09-23
* Fix unix socket mode change to work without specifying user/group for socket
diff --git a/doc/Makefile.am b/doc/Makefile.am
index cc39c09..a9dd97c 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1 +1 @@
-EXTRA_DIST=run-generic run-php run-rails
+EXTRA_DIST=run-generic run-php run-rails apparmor.d-abstractions-spawn-fcgi
diff --git a/doc/apparmor.d-abstractions-spawn-fcgi b/doc/apparmor.d-abstractions-spawn-fcgi
new file mode 100644
index 0000000..4e5f16a
--- /dev/null
+++ b/doc/apparmor.d-abstractions-spawn-fcgi
@@ -0,0 +1,20 @@
+# /etc/apparmor.d/abstractions/spawn-fcgi
+#
+# a spawn-fcgi profile should include this abstraction
+# and a rule to execute the FastCGI application itself
+
+#include <abstractions/base>
+#include <abstractions/nameservice>
+
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability chown,
+capability dac_override,
+
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+
+/{,var/}run/*.sock rw,
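Review bot: The capability block from `capability net_bind_service,` through `capability dac_override,` carries no comment tying each grant to the spawn-fcgi option that needs it, so a profile author cannot tell what is safe to drop; `dac_override` in particular lets a confined root process bypass every file permission check and deserves a per-line justification such as `# dac_override: presumably for creating/unlinking the socket in a directory owned by the target user — confirm`, with similar notes for `net_bind_service` (TCP ports below 1024), `setuid`/`setgid` (-u/-g) and `chown` (-U/-G). The header comment should also say that a profile which executes the FastCGI application with `ix` passes these capabilities and network rules on to the application, so a `px`/`Px` transition into a separate profile is the safer pattern. Two further gaps are worth a comment: the `-c` chroot option needs `capability sys_chroot,`, which this abstraction does not grant, and `/{,var/}run/*.sock rw,` matches only sockets directly under /run or /var/run, so a pid file (`-P`) or a socket in a subdirectory has to be allowed by the including profile.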