AppArmor policy for Privoxy #40

features.yml

@@ -27,6 +27,14 @@
     notify:
       - restart privoxy
       
+  - name: Privoxy profile for apparmor configured
+    template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=600
+    notify:
+    - restart privoxy
+    
+  - name: Enforce the privoxy AppArmor policy
+    shell: aa-enforce usr.sbin.privoxy     
+      
   - name: Privoxy enabled and started
     service: name=privoxy state=started enabled=yes
     
@@ -36,15 +44,17 @@
     apt: name=dnsmasq state=latest    
     
   - name: Dnsmasq profile for apparmor configured
-    template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq
+    template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=600
+    notify:
+    - restart dnsmasq
     
   - name: Enforce the dnsmasq AppArmor policy
     shell: aa-enforce usr.sbin.dnsmasq
-    notify:
-    - restart apparmor
         
   - name: Dnsmasq configured
     template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
+    notify:
+    - restart dnsmasq
     
   - name: Adblock script created
     copy: src=templates/adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
@@ -95,6 +105,9 @@
     - name: restart privoxy
       service: name=privoxy state=restarted
       
+    - name: restart dnsmasq
+      service: name=dnsmasq state=restarted      
+      
     - name: restart apparmor
       service: name=apparmor state=restarted      
       

templates/usr.sbin.privoxy.j2

@@ -0,0 +1,15 @@
+#include <tunables/global>
+
+/usr/sbin/privoxy {
+  #include <abstractions/apache2-common>
+  #include <abstractions/base>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/privoxy/* r,
+  /etc/privoxy/templates/* r,
+  /run/privoxy.pid w,
+  /var/log/privoxy/logfile w,
+
+}