cloudflared enabled apparmor

fabio-garavini · Jan 19, 2025 · ade58ac · ade58ac
1 parent f247575
commit ade58ac
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/cloudflared/apparmor.txt b/cloudflared/apparmor.txt
@@ -0,0 +1,34 @@
+#include <tunables/global>
+
+profile cloudflared flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  # Capabilities
+  file,
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # S6-Overlay
+  /init ix,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+
+  # Bashio
+  /usr/lib/bashio/** ix,
+  /tmp/** rwk,
+
+  # Access to options.json and other files within your addon
+  /data/** rw,
+  /config/** rw,
+  /root/** rw,
+
+  # Service
+  /usr/local/bin/cloudflared ix,
+}
diff --git a/cloudflared/config.yaml b/cloudflared/config.yaml
@@ -1,8 +1,9 @@
 name: Cloudflared
-version: "2025.1.0-v0"
+version: "2025.1.0-v1"
 slug: cloudflared
 codenotary: [email protected]
 description: Cloudflare tunneling and Zero Trust service
+apparmor: true
 arch:
   - aarch64
   - amd64

diff --git a/cloudflared/entrypoint.sh → cloudflared/rootfs/entrypoint.sh b/cloudflared/entrypoint.sh → cloudflared/rootfs/entrypoint.sh