PXC AppArmor profile
# Last Modified: Thu Jul 26 20:36:39 2018
#include <tunables/global>
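# Profile for the PXC (Percona XtraDB Cluster) mysqld_safe wrapper.
#
# Every executable below is granted with "ix" (inherit), so bash, the SST
# helpers (socat, nc, openssl, xtrabackup, xbstream, qpress, ...) and
# /usr/sbin/mysqld itself all run under THIS profile rather than under a
# profile of their own. In practice this file is therefore the confinement
# boundary for the whole database server, not just for the wrapper script;
# every rule here should be read with that in mind.
#
# Duplicate rules that appeared twice in the original (the cut/diff/.../
# mysqld block and a couple of "owner" rules that were strictly subsumed by
# an identical non-owner rule) have been removed; the granted permissions
# are unchanged.
/usr/bin/mysqld_safe {
  #include <abstractions/base>
  #include <abstractions/bash>

  # Capabilities. dac_override / dac_read_search bypass DAC permission
  # checks (still subject to the path rules below); sys_ptrace combined with
  # the "peer=unconfined" ptrace rule allows tracing processes outside any
  # AppArmor profile. NOTE(review): net_admin and sys_resource are broad -
  # confirm which step of mysqld_safe / the SST scripts actually needs them.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_resource,

  # Networking: client/SST traffic (inet/inet6 stream), DNS-style lookups
  # (inet dgram) and netlink raw (presumably for interface/route queries by
  # the SST helpers - verify).
  network inet dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # ptrace: allowed against processes in this same profile and against
  # unconfined peers. The second rule is the wide one.
  ptrace trace peer=/usr/bin/mysqld_safe,
  ptrace trace peer=unconfined,

  # Shell and coreutils used by mysqld_safe and the wsrep SST scripts.
  # "ix" = the child inherits this profile.
  /bin/bash ix,
  /bin/cat mrix,
  /bin/chmod mrix,
  /bin/chown mrix,
  /bin/dash ix,
  /bin/echo mrix,
  /bin/grep mrix,
  /bin/hostname mrix,
  /bin/ls mrix,
  /bin/mkdir mrix,
  /bin/mktemp mrix,
  /bin/ps mrix,
  /bin/rm mrix,
  /bin/sed mrix,
  /bin/sleep mrix,
  /bin/touch mrix,
  /bin/which mrix,

  /dev/tty rw,

  # Read-only system configuration.
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/mysql/** r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/services r,
  /lib/x86_64-linux-gnu/ld-*.so mr,

  # /proc reads: not owner-restricted, so stat of any pid is readable
  # (used by the wrapper's pid checks).
  /proc/ r,
  /proc/cpuinfo r,
  /proc/*/stat r,
  /proc/sys/kernel/osrelease r,
  /proc/sys/kernel/pid_max r,
  /proc/uptime r,

  # SST / backup tool chain. socat, nc and openssl are the network-facing
  # pieces of an SST; they inherit this profile (and its capabilities).
  /usr/bin/cut mrix,
  /usr/bin/diff mrix,
  /usr/bin/dirname mrix,
  /usr/bin/expr mrix,
  /usr/bin/find mrix,
  /usr/bin/gawk mrix,
  /usr/bin/head mrix,
  /usr/bin/id mrix,
  /usr/bin/innobackupex mrix,
  /usr/bin/install mrix,
  /usr/bin/logger mrix,
  /usr/bin/my_print_defaults mrix,
  /usr/bin/nc mrix,
  /usr/bin/nice mrix,
  /usr/bin/nohup mrix,
  /usr/bin/openssl mrix,
  /usr/bin/printf mrix,
  /usr/bin/qpress mrix,
  /usr/bin/socat mrix,
  /usr/bin/tail mrix,
  /usr/bin/timeout mrix,
  /usr/bin/tr mrix,
  /usr/bin/wc mrix,
  /usr/bin/wsrep_sst_common r,
  /usr/bin/wsrep_sst_xtrabackup-v2 mrix,
  /usr/bin/xargs mrix,
  /usr/bin/xbstream mrix,
  /usr/bin/xtrabackup mrix,

  # Server binary and plugins. mysqld runs confined by this profile.
  /usr/lib/galera3/* r,
  /usr/lib/mysql/plugin/* r,
  /usr/sbin/mysqld mrix,

  # Data directory: read/write regardless of file owner. The "owner" rule
  # further down adds file locking ("k") for files the process owns.
  /var/lib/mysql/** rw,
  /run/mysqld/mysqld.sock w,
  /tmp/ r,
  /var/log/mysqld.log w,

  # Owner-restricted rules: only apply to files owned by the process uid.
  # NOTE(review): "owner / r" grants reading the root directory itself when
  # it is owned by the mysql user, which is unusual - confirm it is needed.
  owner / r,
  owner /proc/*/cmdline r,
  owner /proc/*/fd/ r,
  owner /proc/*/net/tcp r,
  owner /proc/tty/drivers r,
  owner /run/mysqld/* w,
  owner /sys/devices/system/node/ r,
  owner /sys/devices/system/node/node0/meminfo r,
  owner /tmp/** rw,
  owner /usr/bin/mysqld_safe r,
  owner /usr/share/mysql/** r,
  owner /var/lib/mysql/ r,
  owner /var/lib/mysql/** rwk,
  owner /var/log/mysqld.log.err w,
}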