I put together an AppArmor profile for Subsonic, and thought I'd share. I'm running it on Ubuntu, which ships with AppArmor installed and enabled.
Here it is - just replace "<<root music folder>>" with the root file path to your music. FYI it is in "complain" mode; you can switch it to enforce mode by commenting out the "complain" line and uncommenting the one below it:
(UPDATED 3/18 - needed some extra additions)
#include <tunables/global>

# Complain mode: policy violations are logged but not blocked.
/usr/share/subsonic/subsonic.sh flags=(complain) {
# Enforce mode: comment out the line above and uncomment the line below.
# /usr/share/subsonic/subsonic.sh {
  #include <abstractions/base>
  #include <abstractions/fonts>

  capability setgid,
  capability setuid,
  capability dac_override,
  capability net_bind_service,

  network inet,
  network inet6,

  owner /dev/random a,
  owner /dev/random rw,
  owner /etc/fonts/** r,
  owner /etc/gai.conf r,
  owner /home/nas/music/** rw,
  owner /var/subsonic/** rw,

  /bin/dash rix,
  /bin/mkdir rix,
  /bin/readlink rix,
  /bin/rm rix,
  /dev/random r,
  /dev/urandom r,
  /etc/host* r,
  /etc/java-6-sun/** r,
  /etc/resolv.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd mr,
  /lib/lib*.so rix,
  /proc/** r,
  /sys/devices/system/cpu/ r,
  /tmp/ r,
  /tmp/** mrw,
  /tmp/subsonic/** rw,
  /usr/bin/dirname rix,
  /usr/bin/ffmpeg rix,
  /usr/bin/lame rix,
  /usr/lib/jvm/java-6-sun-*/jre/bin/java rix,
  /usr/lib/jvm/java-6-sun-*/jre/lib/** mr,
  /usr/share/subsonic/** mr,
  /usr/share/zoneinfo/ r,
  /var/run/subsonic.pid rw,
  /var/subsonic/** r,
  /var/subsonic/db/** mrwk,
  /var/subsonic/jetty/*/ w,
  /var/subsonic/jetty/*/** mrw,
  /var/subsonic/subsonic*.log rw,
  /var/subsonic/subsonic.properties rw,
  /var/subsonic/thumbs/** rw,

  # Music library: replace <<root music folder>> with the real path.
  <<root music folder>>/ r,
  <<root music folder>>/** r,
  <<root music folder>>/*/*/ w,
  <<root music folder>>/*/*/*.j* w,
}
...and here is a link to a short AppArmor tutorial for Ubuntu.
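Before switching a profile like the one above from complain to enforce, it helps to review what it grants. The following is an added example, not part of the original post: a Python check that reads profile text and reports the mode, the capabilities, and the file rules that grant write (`w`/`a`) together with executable mapping (`m`) on the same path. The names `audit`, `SAMPLE_PROFILE` and the report keys are chosen for this example, and included abstractions are not expanded.

```python
import re

# Constructed sample: a handful of rules copied from the profile in the post.
SAMPLE_PROFILE = """\
/usr/share/subsonic/subsonic.sh flags=(complain) {
  #include <abstractions/base>
  capability dac_override,
  network inet,
  owner /var/subsonic/** rw,
  /bin/dash rix,
  /etc/passwd mr,
  /tmp/** mrw,
  /var/subsonic/db/** mrwk,
  /var/subsonic/jetty/*/** mrw,
  <<root music folder>>/** r,
}
"""

# Profile header: "<path> [flags=(...)] {"
HEADER = re.compile(r"^/\S+\s+(?:flags=\((?P<flags>[^)]*)\)\s*)?\{$")
# File rule in the "[owner] <path> <perms>," form this profile uses.
FILE_RULE = re.compile(
    r"^(?:owner\s+)?(?P<path>(?:/|<<).*?)\s+(?P<perms>[rwamlkxiupcPCU]+),$")

def audit(text):
    """Summarise a profile: mode, capabilities, and write+mmap file rules."""
    report = {"mode": "enforce", "capabilities": [],
              "write_and_mmap": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, #include directives, network rules and the closing brace.
        if not line or line.startswith(("#", "network ")) or line == "}":
            continue
        header = HEADER.match(line)
        if header:
            if "complain" in (header.group("flags") or ""):
                report["mode"] = "complain"
            continue
        if line.startswith("capability "):
            report["capabilities"].append(line[len("capability "):].rstrip(","))
            continue
        rule = FILE_RULE.match(line)
        if not rule:
            report["unparsed"].append(line)  # surface anything not understood
            continue
        perms = rule.group("perms")
        # 'm' allows executable mappings; with 'w' or 'a' the path is also writable.
        if "m" in perms and ("w" in perms or "a" in perms):
            report["write_and_mmap"].append(rule.group("path"))
    return report
```

Each path listed under `write_and_mmap` is worth a second look in the complain-mode logs: if the application never needs `m` there, the rule can be narrowed before enforcing.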