
CapabilityBoundingSet included CAP_IPC_LOCK in MDEV-9095; however, it also requires that the executable has the capability marked in its extended attributes. The alternative is raising RLIMIT_MEMLOCK for the service/process so that it can complete the mlockall system call. This needs to be adjusted to whatever the MariaDB server is going to allocate. Rather than leave the user with this non-obvious mapping of settings and tuning, add the capability so it is easier for the user. We set the capability if possible, but it may never be used, depending on user settings. As such, in the Debian postinst script, don't complain if this fails. CAP_IPC_LOCK also facilitates the mmapping of huge memory pages (see man mmap), as mariadb uses with --large-pages.
# Last Modified: Fri Mar 1 18:55:47 2013
# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
# This AppArmor profile has been copied under BSD License from
# Percona XtraDB Cluster, along with some additions.
#include <tunables/global>
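# AppArmor profile for the MariaDB server binary.
#
# Both this profile and the nested /bin/dash profile carry flags=(complain):
# operations the rules do not allow are logged but not blocked, so the
# profile is audit-only until the flag is removed after the logged denials
# have been reviewed.
/usr/sbin/mariadbd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/winbind>

  # Capabilities the confined server may exercise.
  capability chown,
  # dac_override bypasses file permission checks; inherited from the upstream
  # profile -- NOTE(review): confirm it is still required.
  capability dac_override,
  # ipc_lock: lets the server complete mlockall() and mmap huge pages
  # (--large-pages) without the RLIMIT_MEMLOCK tuning described in the
  # commit message.
  capability ipc_lock,
  capability setgid,
  capability setuid,
  capability sys_rawio,
  capability sys_resource,

  network tcp,

  # Executing /bin/dash transitions into the nested child profile below
  # (the 'c' in rcx), so shell helpers run under their own rule set.
  /bin/dash rcx,
  /dev/dm-0 r,
  /etc/gai.conf r,
  /etc/group r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ld.so.cache r,
  /etc/mtab r,

  # Server configuration; *.pem covers TLS key/certificate files placed
  # alongside the config.
  /etc/my.cnf r,
  /etc/mysql/*.cnf r,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/mariadb.conf.d/ r,
  /etc/mysql/mariadb.conf.d/* r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/services r,

  # pid file and unix socket created by the server (listed once; the
  # original profile repeated both rules at the end of this block).
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,
  /sys/devices/system/cpu/ r,

  # Lock/link only on /tmp files owned by the server's uid; read/write on
  # /tmp/** is not owner-restricted -- NOTE(review): consider whether the
  # owner-only form is sufficient for rw as well.
  owner /tmp/** lk,
  /tmp/** rw,

  # Plugins are shared objects, so 'm' (mmap executable) is required.
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mariadbd mr,
  /usr/share/mysql/** r,

  # Data directory: read/write plus file locking ('k').
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql.err rw,
  /var/log/mysql.log rw,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,

  # Child profile for shells spawned by the server (the wsrep_sst* scripts
  # and the tools they call).  'rix' keeps each helper confined by this same
  # child profile instead of transitioning to another one.
  profile /bin/dash flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/mysql>
    #include <abstractions/nameservice>
    #include <abstractions/perl>

    /bin/cat rix,
    /bin/dash rix,
    /bin/date rix,
    /bin/grep rix,
    /bin/nc.openbsd rix,
    /bin/netstat rix,
    /bin/ps rix,
    /bin/rm rix,
    /bin/sed rix,
    /bin/sleep rix,
    /bin/tar rix,
    /bin/which rix,
    /dev/tty rw,
    /etc/ld.so.cache r,
    /etc/my.cnf r,

    # /proc access used by process/network inspection tools (ps, netstat, ...).
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/fd/ r,
    /proc/*/net/dev r,
    /proc/*/net/if_inet6 r,
    /proc/*/net/tcp r,
    /proc/*/net/tcp6 r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /sbin/ifconfig rix,
    /sys/devices/system/cpu/ r,
    /tmp/** rw,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/gawk rix,
    /usr/bin/mysql rix,
    /usr/bin/perl rix,
    /usr/bin/seq rix,
    /usr/bin/wsrep_sst* rix,
    /usr/bin/wsrep_sst_common r,
    /usr/bin/mariabackup* rix,

    # Data directory for SST; the *.log / *.err rules are already covered by
    # the '**' rule above and are kept only for parity with the upstream profile.
    /var/lib/mysql/ r,
    /var/lib/mysql/** rw,
    /var/lib/mysql/*.log w,
    /var/lib/mysql/*.err w,

    # MariaDB additions

    # ptrace-class access to peers confined under this same profile name;
    # presumably needed so ps/lsof can read sibling processes' /proc entries.
    ptrace peer=@{profile_name},

    /bin/hostname rix,
    /bin/ip rix,
    /bin/mktemp rix,
    /bin/ss rix,
    /bin/sync rix,
    /bin/touch rix,
    /bin/uname rix,
    /etc/mysql/*.cnf r,
    /etc/mysql/conf.d/ r,
    /etc/mysql/conf.d/* r,
    /proc/*/attr/current r,
    /proc/*/fdinfo/* r,
    /proc/*/net/* r,
    /proc/locks r,
    /proc/sys/net/ipv4/ip_local_port_range r,
    /run/mysqld/mysqld.sock rw,
    /sbin/ip rix,
    /usr/bin/basename rix,
    /usr/bin/du rix,
    /usr/bin/find rix,
    /usr/bin/lsof rix,
    /usr/bin/my_print_defaults rix,
    /usr/bin/mysqldump rix,
    /usr/bin/pv rix,
    /usr/bin/rsync rix,
    /usr/bin/socat rix,
    /usr/bin/tail rix,
    /usr/bin/timeout rix,
    /usr/bin/xargs rix,
    /usr/bin/xbstream rix,
  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mariadbd>
}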