From a4012b594b8660a49acb3c0e636ffc9b3c6f5705 Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tomasz@debian.org>
Date: Sat, 7 Nov 2015 12:45:57 +0100
Subject: [PATCH] added apparmor profile

---
 contrib/usr.sbin.nghttpx | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 contrib/usr.sbin.nghttpx

diff --git a/contrib/usr.sbin.nghttpx b/contrib/usr.sbin.nghttpx
new file mode 100644
index 00000000..891ff52c
--- /dev/null
+++ b/contrib/usr.sbin.nghttpx
@@ -0,0 +1,16 @@
+#include <tunables/global>
+
+/usr/sbin/nghttpx {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /usr/sbin/nghttpx rmix,      # allow to run itself
+  /etc/nghttpx/nghttpx.conf r, # allow to read the config file
+  /etc/ssl/** r,               # give access to ssl keys
+
+  /{,var/}run/nghttpx.pid lw,  # allow to store a pid file
+}