forked from ginhom/dnscrypt-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
apparmor.profile.dnscrypt-proxy
49 lines (38 loc) · 1.17 KB
/
apparmor.profile.dnscrypt-proxy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Last Modified: Fri Oct 25 15:33:29 2013
# WARNING: this profile is known to block system shutdown in Ubuntu 14.04!
# See https://github.com/jedisct1/dnscrypt-proxy/issues/104 for more info
#include <tunables/global>
/usr/sbin/dnscrypt-proxy {
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
/bin/false r,
/dev/null rw,
/dev/urandom r,
/etc/ld.so.cache r,
/etc/localtime r,
/etc/nsswitch.conf r,
/etc/passwd r,
/lib/@{multiarch}/libc-*.so mr,
/lib/@{multiarch}/libm-*.so mr,
/lib/@{multiarch}/libnsl-*.so mr,
/lib/@{multiarch}/libnss_compat-*.so mr,
/lib/@{multiarch}/libnss_files-*.so mr,
/lib/@{multiarch}/libnss_nis-*.so mr,
/lib/@{multiarch}/libpthread-*.so mr,
/lib/@{multiarch}/librt-*.so mr,
/lib/@{multiarch}/libsodium-*.so mr,
# In case of custom libsodium installation
/usr/lib/libsodium.so* mr,
/usr/local/lib/libsodium.so* mr,
# Plugins
/usr/lib/libdns.so* mr,
# Reasonable pidfile location - tweak this if you prefer a different one
/run/dnscrypt-proxy.pid rw,
}