Securing Shepherd with AppArmor

Note: Please update the profile below if you find ways to improve it! There will no doubt be extra lines required for different Linux distributions.

AppArmor is a Linux security module that lets you limit what programs running on your system can do. Shepherd is an ideal candidate for AppArmor because it auto-updates: armoring protects you against the chance that in the future it (or one of its components) will do Something Bad.

The following profile can be placed in /etc/apparmor.d/ as usr.bin.tv_grab_au. You will need to modify the second line to match the path of your Shepherd executable if it is not in /home/mythtv.

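#include <tunables/global>
/home/mythtv/.shepherd/applications/shepherd/shepherd {
  # The line above is the path of the confined executable.
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/perl>

  # Shepherd working directory: read, write, link, lock, and run its
  # components under this same profile (ix).
  /home/*/.shepherd/ r,
  /home/*/.shepherd/** krwlix,
  # Temporary files.
  /tmp/myth* rw,
  # Helper programs, run under this same profile.
  /bin/dash ixr,
  /bin/date ixr,
  # MythTV database settings.
  /etc/mythtv/mysql.txt r,
  /home/*/.mythtv/mysql.txt r,
  /etc/timezone r,
  # Perl libraries and modules.
  /usr/lib/perl** mr,
  /usr/share/perl** r,
}
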
Note: This profile does not allow Shepherd to perform some system operations necessary to auto-configure with MythTV (see Installation). If you want to (re-)run MythTV auto-configuration, halt AppArmor before running --configure-mythtv, then start it again.
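
A quick way to review what the profile above grants before loading it, as an added example that is not part of the original page or of Shepherd: it parses the simple "path permissions," rules, lists the paths that are both writable and executable, and checks that the braces balance. The function names are hypothetical, the embedded profile is copied from this page with its closing brace, and only the two-letter exec modes listed in EXEC_MODES are recognised.

```python
import re

# Profile text from this page, embedded as sample input.
PROFILE = """\
#include <tunables/global>
/home/mythtv/.shepherd/applications/shepherd/shepherd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  /home/*/.shepherd/ r,
  /home/*/.shepherd/** krwlix,
  /tmp/myth* rw,
  /bin/dash ixr,
  /bin/date ixr,
  /etc/mythtv/mysql.txt r,
  /home/*/.mythtv/mysql.txt r,
  /etc/timezone r,
  /usr/lib/perl** mr,
  /usr/share/perl** r,
}
"""

# A file rule in this profile has the form "<path> <permissions>,".
RULE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),\s*$")
EXEC_MODES = ("ix", "px", "Px", "cx", "Cx", "ux", "Ux")

def parse_rules(text):
    """Return (path, permissions) for each simple file rule in the profile."""
    return [m.groups() for m in map(RULE.match, text.splitlines()) if m]

def writable_and_executable(rules):
    """Return (path, exec_mode) for rules granting both write/append and exec."""
    flagged = []
    for path, perms in rules:
        mode = next((m for m in EXEC_MODES if m in perms), None)
        rest = perms.replace(mode, "", 1) if mode else perms
        if mode and set(rest) & {"w", "a"}:
            flagged.append((path, mode))
    return flagged

def braces_balanced(text):
    """True if '{' and '}' counts match, ignoring '#' lines (comments, includes)."""
    body = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return sum(l.count("{") for l in body) == sum(l.count("}") for l in body)

if __name__ == "__main__":
    for path, mode in writable_and_executable(parse_rules(PROFILE)):
        print(f"writable and executable ({mode}): {path}")
    print("braces balanced:", braces_balanced(PROFILE))
```

The only rule it flags is the one for Shepherd's own directory: components that Shepherd downloads there run with `ix`, so they stay inside this same profile.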