From d6118d8e929dd6a3dfe17c58e5c4c9cedf190e17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franc=CC=A7ois=20Bonelle?=
Date: Fri, 25 Aug 2023 12:17:15 +0200
Subject: [PATCH] fix
---
 promtail/apparmor.txt | 102 ++++++++++++++++++++++++++----------------
 1 file changed, 64 insertions(+), 38 deletions(-)
diff --git a/promtail/apparmor.txt b/promtail/apparmor.txt
index ff31d45..8970ec2 100644
--- a/promtail/apparmor.txt
+++ b/promtail/apparmor.txt
@@ -1,14 +1,23 @@
-#include
+include
+
+# Docker overlay
+@{docker_root}=/docker/ /var/lib/docker/
+@{fs_root}=/ @{docker_root}/overlay2/*/diff/
+@{do_etc}=@{fs_root}/etc/
+@{do_opt}=@{fs_root}/opt/
+@{do_run}=@{fs_root}/{run,var/run}/
+@{do_usr}=@{fs_root}/usr/
+@{do_var}=@{fs_root}/var/
 # Systemd Journal location
 @{journald}=/{run,var}/log/journal/{,**}
 profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
- #include
+ include
+ include
- # Capabilities
- file,
- signal (send) set=(kill,term,int,hup,cont),
+ # Send signals to child services
+ signal (send) peer=@{profile_name}//*,
 # Network access
 network tcp,
@@ -21,18 +30,21 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
 /run/{s6,s6-rc*,service}/** ix,
 /package/** ix,
 /command/** ix,
+ /etc/** rwix,
 /etc/services.d/** rwix,
 /etc/cont-init.d/** rwix,
 /etc/cont-finish.d/** rwix,
 /run/{,**} rwk,
 /dev/tty rw,
+ /dev/null k,
+ /usr/share/zoneinfo/{,**} r,
 # Bashio
 /usr/lib/bashio/** ix,
 /tmp/** rwk,
- # Access to options.json and other files within your addon
- /data/** rw,
+ # Options.json & addon data
+ /data/** rw,
 # Files needed for setup
 @{do_etc}/promtail/{,**} rw,
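Review bot: The second value of `@{fs_root}`, `@{docker_root}/overlay2/*/diff/`, uses a single-component wildcard for the layer id, so every `@{do_*}` variable — and every rule built on them, such as the `@{do_etc}/promtail/{,**} rw` rule later in this file — also matches the corresponding directory inside any overlay2 layer under `/docker/` or `/var/lib/docker/`, not only this add-on's. That is presumably unavoidable because the layer id is not known when the profile is written, but the `# Docker overlay` comment does not say so. Suggest expanding it to `# Docker overlay: @{do_*} paths also match the add-on root filesystem as seen from the host; the layer id is a wildcard because it is not known at profile time`. The `hassio_promtail` profile opened in this hunk closes in a later hunk.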
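Review bot: The added `/etc/** rwix,` grants read, write and inherit-execute on the whole of `/etc`, which subsumes the three narrower `/etc/services.d/**`, `/etc/cont-init.d/**` and `/etc/cont-finish.d/**` rules kept directly below it and makes them redundant; combining write and execute on one prefix also means any file written under `/etc` can then be executed under this profile. If the setup scripts only need to read the rest of `/etc`, `/etc/** r,` keeps the narrower rwix rules meaningful; if broader writes are genuinely required, a comment naming the paths that need them would help the next reviewer. The enclosing `hassio_promtail` profile starts before this hunk and ends after it.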
@@ -40,42 +52,56 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
 /{share,ssl}/{,**} r,
 @{journald} r,
- # Start new profile for service
- /usr/bin/promtail cx -> promtail_profile,
+ # Programs
+ /usr/bin/promtail cx -> promtail,
+ /usr/bin/yq Cx,
- profile promtail_profile flags=(attach_disconnected,mediate_deleted) {
- include
+ profile promtail flags=(attach_disconnected,mediate_deleted) {
+ include
- # Receive signals from s6
- signal (receive) peer=*_promtail,
+ # Receive signals from s6
+ signal (receive) peer=*_promtail,
- # Network access
- network tcp,
- network udp,
- network netlink raw,
- network unix dgram,
+ # Network access
+ network tcp,
+ network udp,
+ network netlink raw,
+ network unix dgram,
- # Temp files
- /tmp/.positions.yaml* rw,
+ # Temp files
+ /tmp/.positions.yaml* rw,
- # Addon data
- /data/** r,
- /data/promtail/** rwk,
+ # Addon data
+ /data/** r,
+ /data/promtail/** rwk,
- # Config & log data
- @{do_etc}/promtail/* rw,
- /config/promtail/{,**} r,
- /{share,ssl}/** r,
- @{journald} r,
+ # Config & log data
+ @{do_etc}/promtail/config.yaml r,
+ /config/promtail/{,**} r,
+ /{share,ssl}/** r,
+ @{journald} r,
- # Runtime usage
- /usr/bin/promtail rm,
- /usr/bin/yq rm,
- @{do_etc}/{hosts,passwd} r,
- @{do_etc}/{resolv,nsswitch}.conf r,
- @{PROC}/sys/net/core/somaxconn r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- /dev/null k,
- @{do_etc}/ssl/certs/** r,
- }
+ # Runtime usage
+ /usr/bin/promtail rm,
+ @{do_etc}/{hosts,passwd} r,
+ @{do_etc}/{resolv,nsswitch}.conf r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ /dev/null k,
+ @{do_etc}/ssl/certs/** r,
+ }
+
+ profile /usr/bin/yq flags=(attach_disconnected,mediate_deleted) {
+ include
+
+ # Config files
+ @{do_etc}/promtail/* rw,
+ /config/promtail/{,**} r,
+ /share/** r,
+
+ # Runtime usage
+ /usr/bin/yq rm,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+ /dev/null k,
+ }
 }
\ No newline
at end of file
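Review bot: The new `profile /usr/bin/yq` child has no `signal (receive)` rule, while the `promtail` child keeps `signal (receive) peer=*_promtail,`; AppArmor checks signal permission on both the sending and the receiving task, so the parent's `signal (send) peer=@{profile_name}//*` (earlier in this file) can reach `promtail` but would be denied for `yq`. If the parent never needs to signal `yq` (presumably a short-lived config helper), a comment saying so would avoid confusion; otherwise add `signal (receive) peer=hassio_promtail,` above the `# Config files` block. Note also that the `*_promtail` peer glob on the `promtail` child accepts any sender whose profile name ends in `_promtail`, which is wider than the single parent name `hassio_promtail`. The closing brace of `hassio_promtail` is the last context line and the file ends without a trailing newline.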