From a15939a7c69c0adb241a8e709bc245039195fada Mon Sep 17 00:00:00 2001 From: jack Date: Thu, 4 Aug 2016 20:31:34 +0300 Subject: [PATCH] AppArmor policy for Privoxy #40 --- features.yml | 19 ++++++++++++++++--- templates/usr.sbin.privoxy.j2 | 15 +++++++++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 templates/usr.sbin.privoxy.j2 diff --git a/features.yml b/features.yml index 4ac7580..03e4afe 100644 --- a/features.yml +++ b/features.yml @@ -27,6 +27,14 @@ notify: - restart privoxy + - name: Privoxy profile for apparmor configured + template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=600 + notify: + - restart privoxy + + - name: Enforce the privoxy AppArmor policy + shell: aa-enforce usr.sbin.privoxy + - name: Privoxy enabled and started service: name=privoxy state=started enabled=yes @@ -36,15 +44,17 @@ apt: name=dnsmasq state=latest - name: Dnsmasq profile for apparmor configured - template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq + template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=600 + notify: + - restart dnsmasq - name: Enforce the dnsmasq AppArmor policy shell: aa-enforce usr.sbin.dnsmasq - notify: - - restart apparmor - name: Dnsmasq configured template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf + notify: + - restart dnsmasq - name: Adblock script created copy: src=templates/adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755 @@ -95,6 +105,9 @@ - name: restart privoxy service: name=privoxy state=restarted + - name: restart dnsmasq + service: name=dnsmasq state=restarted + - name: restart apparmor service: name=apparmor state=restarted diff --git a/templates/usr.sbin.privoxy.j2 b/templates/usr.sbin.privoxy.j2 new file mode 100644 index 0000000..5f8d9dd --- /dev/null +++ b/templates/usr.sbin.privoxy.j2 
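Review bot: The new `shell: aa-enforce usr.sbin.privoxy` task in the first hunk runs on every play and is reported as changed each time, and it also appears to be the only step that loads the edited profile into the kernel, since the template task notifies only `restart privoxy`. Separating the two concerns keeps the play idempotent: have the template task notify a handler such as `- name: reload privoxy profile` / `command: apparmor_parser -r /etc/apparmor.d/usr.sbin.privoxy`, and write the enforce task as `command: aa-enforce usr.sbin.privoxy` with `changed_when: false`, since no shell features are used. The same pattern applies to the dnsmasq enforce task in the second hunk. Until then, a task-level comment like `# aa-enforce also (re)loads the profile; it must stay after the template task` would document the ordering the play currently depends on.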
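Review bot: The `restart apparmor` handler kept in the third hunk appears to have no remaining subscriber, because the second hunk removes the only `notify: - restart apparmor` visible in this diff. If nothing else in the playbook notifies it, either drop it or have the profile template tasks notify it instead of relying on the unconditional aa-enforce tasks to load the profiles. Restarting the whole apparmor service reloads every profile on the host rather than the one that changed, so a per-profile `apparmor_parser -r` handler would be the narrower option.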
@@ -0,0 +1,15 @@
+#include
+
+/usr/sbin/privoxy {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/privoxy/* r,
+ /etc/privoxy/templates/* r,
+ /run/privoxy.pid w,
+ /var/log/privoxy/logfile w,
+
+}
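Review bot: All three `#include` lines in the new profile have no target, which apparmor_parser rejects; if the angle-bracket arguments (normally `#include <tunables/global>` at file level and `#include <abstractions/base>` inside the block) were stripped when this patch was rendered, confirm the committed file still carries them. The profile also grants nothing on the binary itself and has no `network` rule, while a forward proxy has to map its executable and both listen and connect, so `/usr/sbin/privoxy mr,` plus `network inet stream,` and `network inet6 stream,` are the usual additions — verify by running the profile in complain mode (`aa-complain`) and reviewing the audit log before the play enforces it. `/etc/privoxy/* r,` matches only direct children, so any file referenced from a subdirectory other than templates/ would be denied; `/etc/privoxy/** r,` covers the tree if that is intended. The pid-file and log paths are hard-coded, so they need to stay in step with what the service unit and privoxy config actually use.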