apparmor: Add policy file for pesto

It needs to connect to passt and pasta, whether they're started as
root or not, and the control socket can be anywhere.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 23 insertions, 0 deletions

diff --git a/contrib/apparmor/usr.bin.pesto b/contrib/apparmor/usr.bin.pesto
new file mode 100644
index 0000000..0c072c7
--- /dev/null
+++ b/contrib/apparmor/usr.bin.pesto
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PESTO - Programmable Extensible Socket Translation Orchestrator
+#  front-end for passt(1) and pasta(1) forwarding configuration
+#
+# contrib/apparmor/usr.bin.pesto - AppArmor profile for pesto(1)
+#
+# Copyright (c) 2026 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+abi <abi/4.0>,
+
+#include <tunables/global>
+
+profile pesto /usr/bin/pesto {
+  #include <abstractions/base>
+  /** rw,			# control socket might be anywhere
+  unix (connect, receive, send) type=stream,
+
+  capability dac_override,	# connect to passt's socket as root
+
+  network unix stream,		# connect and use UNIX domain socket
+}