usr.sbin.nginx
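# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Chris Barry <chris@barry.im>
# AppArmor profile for nginx
#
# Confines /usr/sbin/nginx to its configuration, Let's Encrypt certificate
# material, web content, logs, runtime/cache directories and temp space.
# Anything not listed below (or pulled in by an abstraction) is denied by
# default once the profile is in enforce mode.

#include <tunables/global>

profile nginx /usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/private-files-strict>

  # Capabilities
  # dac_override / dac_read_search let the process bypass ordinary Unix
  # permission bits; the file rules in this profile still apply on top.
  # NOTE(review): confirm both are really needed for this deployment. They
  # are often only required because of log or cache directory ownership.
  capability dac_override,
  capability dac_read_search,
  # Bind to privileged ports (below 1024).
  capability net_bind_service,
  # Presumably used to switch worker processes to an unprivileged
  # user/group; verify against the `user` directive in nginx.conf.
  capability setgid,
  capability setuid,

  # Nginx binary (m = map as executable, r = read)
  /usr/sbin/nginx mr,

  # Configuration files
  # Read-only. The `l` (hard-link creation) permission was dropped: reading
  # files and following symlinks only needs `r` on the resolved path.
  /etc/nginx/ r,
  /etc/nginx/** r,

  # SSL certificates
  # live/ holds symlinks into archive/, so both trees are listed. These
  # paths include private keys; keep them read-only, with no link creation.
  /etc/letsencrypt/ssl-dhparams.pem r,
  /etc/letsencrypt/live/** r,
  /etc/letsencrypt/archive/** r,

  # Log files
  # NOTE(review): `w` also permits truncating existing logs. If tamper
  # resistance matters, check whether append-only (`a`) is sufficient and
  # test log rotation/reopen before switching.
  /var/log/nginx/** w,

  # Web content
  # NOTE(review): `/var/www/html/*` matches only files directly inside the
  # directory; content in subdirectories is not readable unless this is
  # widened to `**`. Confirm this matches the intended site layout.
  /usr/share/nginx/** r,
  /var/www/html/* r,

  # Runtime files
  /run/nginx.pid rw,
  /var/cache/nginx/** rw,
  /var/lib/nginx/** rw,

  # Temp files
  # NOTE(review): read/write on all of /tmp and /var/tmp exposes every
  # other process's temp files to a compromised worker. If nginx's temp
  # paths are configured under /var/lib/nginx or /var/cache/nginx, these
  # two rules can likely be narrowed or removed; verify before changing.
  /tmp/** rw,
  /var/tmp/** rw,

  # Deny some dangerous operations
  # An explicit deny overrides any allow rule, including ones added through
  # the local include below. A plain `deny` also suppresses the log entry;
  # `audit deny` keeps the block and records each attempt, so an nginx
  # process reaching for home directories shows up in the audit log.
  audit deny /home/** rwklx,
  audit deny /root/** rwklx,

  # Site-local additions and overrides, if the file exists.
  #include if exists <local/usr.sbin.nginx>
}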