mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-23 21:46:44 +01:00
move apparmor profiles to a seperate repo
This commit is contained in:
commit
244b2c88a2
779 changed files with 43157 additions and 0 deletions
63
apparmor.d/abstractions/X
Normal file
63
apparmor.d/abstractions/X
Normal file
|
@ -0,0 +1,63 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/dri-common>
|
||||
|
||||
|
||||
# .ICEauthority files required for X authentication, per user
|
||||
owner @{HOME}/.ICEauthority r,
|
||||
|
||||
# .Xauthority files required for X connections, per user
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{HOME}/.local/share/sddm/.Xauthority r,
|
||||
owner /{,var/}run/gdm{,3}/*/database r,
|
||||
owner /{,var/}run/lightdm/authority/[0-9]* r,
|
||||
owner /{,var/}run/lightdm/*/xauthority r,
|
||||
owner /{,var/}run/user/*/gdm/Xauthority r,
|
||||
owner /{,var/}run/user/*/X11/Xauthority r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
/tmp/.X11-unix/* rw,
|
||||
unix (connect, receive, send)
|
||||
type=stream
|
||||
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (connect, receive, send)
|
||||
type=stream
|
||||
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
||||
|
||||
/usr/include/X11/ r,
|
||||
/usr/include/X11/** r,
|
||||
|
||||
# The X tree changes and is large -- grant read access to the whole thing
|
||||
/usr/X11R6/** r,
|
||||
/usr/share/X11/ r,
|
||||
/usr/share/X11/** r,
|
||||
/usr/X11R6/**.so* mr,
|
||||
|
||||
# EGL
|
||||
/usr/lib/@{multiarch}/egl/*.so* mr,
|
||||
|
||||
# Xcompose
|
||||
owner @{HOME}/.XCompose r,
|
||||
|
||||
# mouse themes
|
||||
/etc/X11/cursors/ r,
|
||||
/etc/X11/cursors/** r,
|
||||
|
||||
# Xwayland
|
||||
owner /run/user/*/.mutter-Xwaylandauth.* r,
|
||||
|
||||
# Available Xsessions
|
||||
/usr/share/xsessions/{,*.desktop} r,
|
34
apparmor.d/abstractions/apache2-common
Normal file
34
apparmor.d/abstractions/apache2-common
Normal file
|
@ -0,0 +1,34 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This file contains basic permissions for Apache and every vHost
|
||||
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
# Allow unconfined processes to send us signals by default
|
||||
signal (receive) peer=unconfined,
|
||||
# Allow apache to send us signals by default
|
||||
signal (receive) peer=apache2,
|
||||
# Allow other hats to signal by default
|
||||
signal peer=apache2//*,
|
||||
# Allow us to signal ourselves
|
||||
signal peer=@{profile_name},
|
||||
|
||||
# Apache
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
# apache manual, error pages and icons
|
||||
/usr/share/apache2/** r,
|
||||
|
||||
# changehat itself
|
||||
@{PROC}/@{pid}/attr/current rw,
|
||||
|
||||
# htaccess files - for what ever it is worth
|
||||
/**/.htaccess r,
|
||||
|
||||
/dev/urandom r,
|
||||
|
||||
# sasl-auth
|
||||
/run/saslauthd/mux rw,
|
||||
|
||||
# OCSP stapling
|
||||
/var/log/apache2/stapling-cache rw,
|
18
apparmor.d/abstractions/app-launcher-root
Normal file
18
apparmor.d/abstractions/app-launcher-root
Normal file
|
@ -0,0 +1,18 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# Root app location
|
||||
/ r,
|
||||
/usr/ r,
|
||||
/{usr/,}sbin/ r,
|
||||
/{usr/,}sbin/[a-z0-9]* rPUx,
|
45
apparmor.d/abstractions/app-launcher-user
Normal file
45
apparmor.d/abstractions/app-launcher-user
Normal file
|
@ -0,0 +1,45 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# User app location
|
||||
/ r,
|
||||
/usr/ r,
|
||||
/{usr/,}bin/ r,
|
||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||
|
||||
# Firefox
|
||||
/{usr/,}lib/ r,
|
||||
/{usr/,}lib/firefox/ r,
|
||||
/{usr/,}lib/firefox/firefox* rPx,
|
||||
|
||||
# Google Chrome
|
||||
/opt/ r,
|
||||
/opt/google/ r,
|
||||
/opt/google/chrome{,-beta,-unstable}/ r,
|
||||
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} rPx,
|
||||
|
||||
# Brave
|
||||
/opt/brave.com/ r,
|
||||
/opt/brave.com/brave{,-beta,-dev}/ r,
|
||||
/opt/brave.com/brave{,-beta,-dev}/brave-browser{,-beta,-dev} rPx,
|
||||
|
||||
# Discord
|
||||
/usr/share/ r,
|
||||
/usr/share/discord/ r,
|
||||
/usr/share/discord/Discord rPx,
|
||||
|
||||
# FreeTube
|
||||
/opt/FreeTube/ r,
|
||||
/opt/FreeTube/freetube rPx,
|
||||
/opt/FreeTube-Vue/ r,
|
||||
/opt/FreeTube-Vue/freetube-vue rPx,
|
11
apparmor.d/abstractions/apparmor_api/change_profile
Normal file
11
apparmor.d/abstractions/apparmor_api/change_profile
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <abstractions/apparmor_api/introspect>
|
||||
|
||||
@{PROC}/@{tid}/attr/{current,exec} w,
|
12
apparmor.d/abstractions/apparmor_api/examine
Normal file
12
apparmor.d/abstractions/apparmor_api/examine
Normal file
|
@ -0,0 +1,12 @@
|
|||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||
# when using this abstraction, if not tunables/global.
|
||||
|
||||
@{PROC}/@{pids}/attr/{current,prev,exec} r,
|
14
apparmor.d/abstractions/apparmor_api/find_mountpoint
Normal file
14
apparmor.d/abstractions/apparmor_api/find_mountpoint
Normal file
|
@ -0,0 +1,14 @@
|
|||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#permissions needed for aa_find_mountpoint
|
||||
|
||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||
# when using this abstraction, if not tunables/global.
|
||||
|
||||
@{PROC}/@{pids}/mounts r,
|
12
apparmor.d/abstractions/apparmor_api/introspect
Normal file
12
apparmor.d/abstractions/apparmor_api/introspect
Normal file
|
@ -0,0 +1,12 @@
|
|||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||
# when using this abstraction, if not tunables/global.
|
||||
|
||||
@{PROC}/@{tid}/attr/{current,prev,exec} r,
|
17
apparmor.d/abstractions/apparmor_api/is_enabled
Normal file
17
apparmor.d/abstractions/apparmor_api/is_enabled
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# permissions needed for aa_is_enabled
|
||||
|
||||
# Make sure to include tunables/apparmorfs and tunables/global
|
||||
# when using this abstraction
|
||||
|
||||
#include <abstractions/apparmor_api/find_mountpoint>
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
# TODO: add alternate apparmorfs interface for enabled
|
35
apparmor.d/abstractions/apt-common
Normal file
35
apparmor.d/abstractions/apt-common
Normal file
|
@ -0,0 +1,35 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
/etc/apt/apt.conf r,
|
||||
/etc/apt/apt.conf.d/{,*} r,
|
||||
|
||||
/etc/apt/preferences r,
|
||||
/etc/apt/preferences.d/{,*} r,
|
||||
|
||||
/etc/apt/sources.list r,
|
||||
/etc/apt/sources.list.d/{,*.list} r,
|
||||
|
||||
/var/lib/apt/lists/{,**} r,
|
||||
/var/lib/apt/extended_states r,
|
||||
|
||||
/var/cache/apt/pkgcache.bin r,
|
||||
/var/cache/apt/srcpkgcache.bin r,
|
||||
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
|
||||
/var/lib/dpkg/status r,
|
||||
|
||||
owner /tmp/clearsigned.message.* rw,
|
||||
owner /tmp/#[0-9]*[0-9] rw,
|
13
apparmor.d/abstractions/aspell
Normal file
13
apparmor.d/abstractions/aspell
Normal file
|
@ -0,0 +1,13 @@
|
|||
# vim:syntax=apparmor
|
||||
# aspell permissions
|
||||
|
||||
# per-user settings and dictionaries
|
||||
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
|
||||
|
||||
# system libraries and dictionaries
|
||||
/usr/lib/aspell/ r,
|
||||
/usr/lib/aspell/* r,
|
||||
/usr/lib/aspell/*.so m,
|
||||
/usr/share/aspell/ r,
|
||||
/usr/share/aspell/* r,
|
||||
/var/lib/aspell/* r,
|
88
apparmor.d/abstractions/audio
Normal file
88
apparmor.d/abstractions/audio
Normal file
|
@ -0,0 +1,88 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
/dev/admmidi* rw,
|
||||
/dev/adsp* rw,
|
||||
/dev/aload* rw,
|
||||
/dev/amidi* rw,
|
||||
/dev/audio* rw,
|
||||
/dev/dmfm* rw,
|
||||
/dev/dmmidi* rw,
|
||||
/dev/dsp* rw,
|
||||
/dev/midi* rw,
|
||||
/dev/mixer* rw,
|
||||
/dev/mpu401data rw,
|
||||
/dev/mpu401stat rw,
|
||||
/dev/patmgr* rw,
|
||||
/dev/phone* rw,
|
||||
/dev/radio* rw,
|
||||
/dev/rmidi* rw,
|
||||
/dev/sequencer rw,
|
||||
/dev/sequencer2 rw,
|
||||
/dev/smpte* rw,
|
||||
|
||||
/dev/snd/* rw,
|
||||
/dev/sound/* rw,
|
||||
|
||||
@{PROC}/asound/** rw,
|
||||
|
||||
/usr/share/alsa/** r,
|
||||
/usr/share/sounds/ r,
|
||||
/usr/share/sounds/** r,
|
||||
|
||||
owner @{HOME}/.esd_auth r,
|
||||
/etc/asound.conf r,
|
||||
owner @{HOME}/.asoundrc r,
|
||||
/etc/esound/esd.conf r,
|
||||
|
||||
# libao
|
||||
/etc/libao.conf r,
|
||||
owner @{HOME}/.libao r,
|
||||
|
||||
# libcanberra
|
||||
owner @{HOME}/.cache/event-sound-cache.* rwk,
|
||||
|
||||
# pulse
|
||||
/etc/pulse/ r,
|
||||
/etc/pulse/** r,
|
||||
/{run,dev}/shm/ r,
|
||||
owner /{run,dev}/shm/pulse-shm* rwk,
|
||||
owner @{HOME}/.pulse-cookie rwk,
|
||||
owner @{HOME}/.pulse/ rw,
|
||||
owner @{HOME}/.pulse/* rwk,
|
||||
owner /{,var/}run/user/*/pulse/ rw,
|
||||
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
|
||||
owner @{HOME}/.config/pulse/*.conf r,
|
||||
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
|
||||
owner @{HOME}/.config/pulse/cookie rwk,
|
||||
owner /tmp/pulse-*/ rw,
|
||||
owner /tmp/pulse-*/* rw,
|
||||
|
||||
# PulseAudio module-ladspa-sink (plugin sc4m_1916)
|
||||
/usr/lib/ladspa/ r,
|
||||
/usr/lib/ladspa/*.so mr,
|
||||
|
||||
# libgnome2
|
||||
/etc/sound/ r,
|
||||
/etc/sound/** r,
|
||||
|
||||
# openal
|
||||
/etc/alsa/conf.d/{,*} r,
|
||||
/etc/openal/alsoft.conf r,
|
||||
owner @{HOME}/.alsoftrc r,
|
||||
/usr/{,local/}share/openal/hrtf/{,**} r,
|
||||
owner @{HOME}/.local/share/openal/hrtf/{,**} r,
|
||||
|
||||
# wildmidi
|
||||
/etc/wildmidi/wildmidi.cfg r,
|
52
apparmor.d/abstractions/authentication
Normal file
52
apparmor.d/abstractions/authentication
Normal file
|
@ -0,0 +1,52 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2012 Canonical Ltd
|
||||
# Copyright (C) 2019 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
# Some services need to perform authentication of users
|
||||
# Such authentication almost certainly needs access to the local users
|
||||
# databases containing passwords, PAM configuration files, PAM libraries
|
||||
/{usr/,}etc/nologin r,
|
||||
/{usr/,}etc/pam.d/* r,
|
||||
/{usr/,}etc/securetty r,
|
||||
/{usr/,}etc/security/* r,
|
||||
/{usr/,}etc/shadow r,
|
||||
/{usr/,}etc/gshadow r,
|
||||
/{usr/,}etc/pwdb.conf r,
|
||||
|
||||
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
|
||||
/{usr/,}lib{,32,64}/security/pam_*.so mr,
|
||||
/{usr/,}lib{,32,64}/security/ r,
|
||||
/{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
|
||||
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
|
||||
/{usr/,}lib/@{multiarch}/security/ r,
|
||||
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
# SuSE's pwdutils are different:
|
||||
/{usr/,}etc/default/passwd r,
|
||||
/{usr/,}etc/login.defs r,
|
||||
|
||||
# nis
|
||||
#include <abstractions/nis>
|
||||
|
||||
# winbind
|
||||
#include <abstractions/winbind>
|
||||
|
||||
# likewise
|
||||
#include <abstractions/likewise>
|
||||
|
||||
# smbpass
|
||||
#include <abstractions/smbpass>
|
||||
|
||||
# p11-kit (PKCS#11 modules configuration)
|
||||
#include <abstractions/p11-kit>
|
182
apparmor.d/abstractions/base
Normal file
182
apparmor.d/abstractions/base
Normal file
|
@ -0,0 +1,182 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
# (Note that the ldd profile has inlined this file; if you make
|
||||
# modifications here, please consider including them in the ldd
|
||||
# profile as well.)
|
||||
|
||||
# The __canary_death_handler function writes a time-stamped log
|
||||
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
|
||||
# and localisations of date should be available EVERYWHERE, so
|
||||
# StackGuard, FormatGuard, etc., alerts can be properly logged.
|
||||
/dev/log w,
|
||||
/dev/random r,
|
||||
/dev/urandom r,
|
||||
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
|
||||
# time and getrandom()/{,u}random and, when available, runs under an
|
||||
# unprivilged, dedicated user).
|
||||
/run/uuidd/request r,
|
||||
/etc/locale/** r,
|
||||
/etc/locale.alias r,
|
||||
/etc/localtime r,
|
||||
/etc/writable/localtime r,
|
||||
/usr/share/locale-bundle/** r,
|
||||
/usr/share/locale-langpack/** r,
|
||||
/usr/share/locale/ r,
|
||||
/usr/share/locale/** r,
|
||||
/usr/share/**/locale/** r,
|
||||
/usr/share/zoneinfo/ r,
|
||||
/usr/share/zoneinfo/** r,
|
||||
/usr/share/X11/locale/** r,
|
||||
/run/systemd/journal/dev-log w,
|
||||
# systemd native journal API (see sd_journal_print(4))
|
||||
/run/systemd/journal/socket w,
|
||||
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
|
||||
# be required but applications fail without it. journald doesn't leak
|
||||
# anything when reading so this is ok.
|
||||
/run/systemd/journal/stdout rw,
|
||||
|
||||
/usr/lib{,32,64}/locale/** mr,
|
||||
/usr/lib{,32,64}/gconv/*.so mr,
|
||||
/usr/lib{,32,64}/gconv/gconv-modules* mr,
|
||||
/usr/lib/@{multiarch}/gconv/*.so mr,
|
||||
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
|
||||
|
||||
# used by glibc when binding to ephemeral ports
|
||||
/etc/bindresvport.blacklist r,
|
||||
|
||||
# ld.so.cache and ld are used to load shared libraries; they are best
|
||||
# available everywhere
|
||||
/etc/ld.so.cache mr,
|
||||
/etc/ld.so.conf r,
|
||||
/etc/ld.so.conf.d/{,*.conf} r,
|
||||
/etc/ld.so.preload r,
|
||||
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
|
||||
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
|
||||
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
|
||||
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
|
||||
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
|
||||
|
||||
# we might as well allow everything to use common libraries
|
||||
/{usr/,}lib{,32,64}/** r,
|
||||
/{usr/,}lib{,32,64}/**.so* mr,
|
||||
/{usr/,}lib/@{multiarch}/** r,
|
||||
/{usr/,}lib/@{multiarch}/**.so* mr,
|
||||
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
|
||||
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
|
||||
|
||||
# /dev/null is pretty harmless and frequently used
|
||||
/dev/null rw,
|
||||
# as is /dev/zero
|
||||
/dev/zero rw,
|
||||
# recent glibc uses /dev/full in preference to /dev/null for programs
|
||||
# that don't have open fds at exec()
|
||||
/dev/full rw,
|
||||
|
||||
# Sometimes used to determine kernel/user interfaces to use
|
||||
@{PROC}/sys/kernel/version r,
|
||||
# Depending on which glibc routine uses this file, base may not be the
|
||||
# best place -- but many profiles require it, and it is quite harmless.
|
||||
@{PROC}/sys/kernel/ngroups_max r,
|
||||
|
||||
# glibc's sysconf(3) routine to determine free memory, etc
|
||||
@{PROC}/meminfo r,
|
||||
@{PROC}/stat r,
|
||||
@{PROC}/cpuinfo r,
|
||||
@{sys}/devices/system/cpu/ r,
|
||||
@{sys}/devices/system/cpu/online r,
|
||||
|
||||
# glibc's *printf protections read the maps file
|
||||
@{PROC}/@{pid}/{maps,auxv,status} r,
|
||||
|
||||
# libgcrypt reads some flags from /proc
|
||||
@{PROC}/sys/crypto/* r,
|
||||
|
||||
# some applications will display license information
|
||||
/usr/share/common-licenses/** r,
|
||||
|
||||
# glibc statvfs
|
||||
@{PROC}/filesystems r,
|
||||
|
||||
# glibc malloc (man 5 proc)
|
||||
@{PROC}/sys/vm/overcommit_memory r,
|
||||
|
||||
# Allow determining the highest valid capability of the running kernel
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
|
||||
# Allow other processes to read our /proc entries, futexes, perf tracing and
|
||||
# kcmp for now (they will need 'read' in the first place). Administrators can
|
||||
# override with:
|
||||
# deny ptrace (readby) ...
|
||||
ptrace (readby),
|
||||
|
||||
# Allow other processes to trace us by default (they will need 'trace' in
|
||||
# the first place). Administrators can override with:
|
||||
# deny ptrace (tracedby) ...
|
||||
ptrace (tracedby),
|
||||
|
||||
# Allow us to ptrace read ourselves
|
||||
ptrace (read) peer=@{profile_name},
|
||||
|
||||
# Allow unconfined processes to send us signals by default
|
||||
signal (receive) peer=unconfined,
|
||||
|
||||
# Allow to receive some signals
|
||||
signal (receive) peer=top,
|
||||
signal (receive) peer=htop,
|
||||
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
|
||||
signal (receive) set=(term,kill) peer=openbox,
|
||||
signal (receive) set=(hup) peer=xinit,
|
||||
signal (receive) set=(term,kill) peer=su,
|
||||
signal (receive) peer=sudo,
|
||||
|
||||
# Allow to write a user defined fifo log devices
|
||||
owner /dev/log-xsession w,
|
||||
owner /dev/log-gnupg w,
|
||||
|
||||
# Allow us to signal ourselves
|
||||
signal peer=@{profile_name},
|
||||
|
||||
# Checking for PID existence is quite common so add it by default for now
|
||||
signal (receive, send) set=("exists"),
|
||||
|
||||
# Allow us to create and use abstract and anonymous sockets
|
||||
unix peer=(label=@{profile_name}),
|
||||
|
||||
# Allow unconfined processes to us via unix sockets
|
||||
unix (receive) peer=(label=unconfined),
|
||||
|
||||
# Allow us to create abstract and anonymous sockets
|
||||
unix (create),
|
||||
|
||||
# Allow us to getattr, getopt, setop and shutdown on unix sockets
|
||||
unix (getattr, getopt, setopt, shutdown),
|
||||
|
||||
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
|
||||
# filesystems generally. This does not appreciably decrease security with
|
||||
# Ubuntu profiles because the user is expected to have access to files owned
|
||||
# by him/her. Exceptions to this are explicit in the profiles. While this rule
|
||||
# grants access to those exceptions, the intended privacy is maintained due to
|
||||
# the encrypted contents of the files in this directory. Files in this
|
||||
# directory will also use filename encryption by default, so the files are
|
||||
# further protected. Also, with the use of 'owner', this rule properly
|
||||
# prevents access to the files from processes running under a different uid.
|
||||
|
||||
# encrypted ~/.Private and old-style encrypted $HOME
|
||||
#owner @{HOME}/.Private/ r,
|
||||
#owner @{HOME}/.Private/** mrixwlk,
|
||||
# new-style encrypted $HOME
|
||||
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
|
||||
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
|
||||
|
44
apparmor.d/abstractions/bash
Normal file
44
apparmor.d/abstractions/bash
Normal file
|
@ -0,0 +1,44 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# user-specific bash files
|
||||
@{HOMEDIRS} r,
|
||||
@{HOME}/.bashrc r,
|
||||
@{HOME}/.profile r,
|
||||
@{HOME}/.bash_profile r,
|
||||
@{HOME}/.bash_history rw,
|
||||
|
||||
# system-wide bash configuration
|
||||
/etc/profile.dos r,
|
||||
/etc/profile r,
|
||||
/etc/profile.d/ r,
|
||||
/etc/profile.d/* r,
|
||||
/etc/bashrc r,
|
||||
/etc/bash.bashrc r,
|
||||
/etc/bash.bashrc.local r,
|
||||
/etc/bash_completion r,
|
||||
/etc/bash_completion.d/ r,
|
||||
/etc/bash_completion.d/* r,
|
||||
|
||||
# bash relies on system-wide readline configuration
|
||||
/etc/inputrc r,
|
||||
|
||||
# bash inspects filesystems at startup
|
||||
/etc/mtab r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/filesystems r,
|
||||
|
||||
# probably readline wants to know terminal capabilities
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
# run out of /etc/bash.bashrc
|
||||
/etc/DIR_COLORS r,
|
||||
/{usr/,}bin/ls mix,
|
||||
/usr/bin/dircolors mix,
|
24
apparmor.d/abstractions/consoles
Normal file
24
apparmor.d/abstractions/consoles
Normal file
|
@ -0,0 +1,24 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
# there are three common ways to refer to consoles
|
||||
/dev/console rw,
|
||||
/dev/tty rw,
|
||||
# this next entry is a tad unfortunate; /dev/tty will always be
|
||||
# associated with the controlling terminal by the kernel, but if a
|
||||
# program uses the /dev/pts/ interface, it actually has access to
|
||||
# -all- xterm, sshd, etc, terminals on the system.
|
||||
/dev/pts/[0-9]* rw,
|
||||
/dev/pts/ r,
|
||||
|
||||
/dev/ptmx rw,
|
18
apparmor.d/abstractions/cups-client
Normal file
18
apparmor.d/abstractions/cups-client
Normal file
|
@ -0,0 +1,18 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009-2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# discoverable system configuration for non-local cupsd
|
||||
/etc/cups/client.conf r,
|
||||
# client should be able to talk the local cupsd
|
||||
/{,var/}run/cups/cups.sock rw,
|
||||
# client should be able to read user-specified cups configuration
|
||||
owner @{HOME}/.cups/client.conf r,
|
||||
owner @{HOME}/.cups/lpoptions r,
|
16
apparmor.d/abstractions/dbus
Normal file
16
apparmor.d/abstractions/dbus
Normal file
|
@ -0,0 +1,16 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009-2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# This abstraction grants full system bus access. Consider using the
|
||||
# dbus-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-strict>
|
||||
dbus bus=system,
|
16
apparmor.d/abstractions/dbus-accessibility
Normal file
16
apparmor.d/abstractions/dbus-accessibility
Normal file
|
@ -0,0 +1,16 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# This abstraction grants full accessibility bus access. Consider using the
|
||||
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
dbus bus=accessibility,
|
17
apparmor.d/abstractions/dbus-accessibility-strict
Normal file
17
apparmor.d/abstractions/dbus-accessibility-strict
Normal file
|
@ -0,0 +1,17 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
dbus send
|
||||
bus=accessibility
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus),
|
17
apparmor.d/abstractions/dbus-session
Normal file
17
apparmor.d/abstractions/dbus-session
Normal file
|
@ -0,0 +1,17 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2011-2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# This abstraction grants full session bus access. Consider using the
|
||||
# dbus-session-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
/usr/bin/dbus-launch ix,
|
||||
dbus bus=session,
|
29
apparmor.d/abstractions/dbus-session-strict
Normal file
29
apparmor.d/abstractions/dbus-session-strict
Normal file
|
@ -0,0 +1,29 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2011-2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# unique per-machine identifier
|
||||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
owner /run/user/*/bus rw,
|
||||
|
||||
unix (connect, receive, send)
|
||||
type=stream
|
||||
peer=(addr="@/tmp/dbus-*"),
|
||||
|
||||
# dbus with systemd and --enable-user-session
|
||||
owner /run/user/[0-9]*/bus rw,
|
||||
|
||||
dbus send
|
||||
bus=session
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus),
|
19
apparmor.d/abstractions/dbus-strict
Normal file
19
apparmor.d/abstractions/dbus-strict
Normal file
|
@ -0,0 +1,19 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009-2013 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/{,var/}run/dbus/system_bus_socket rw,
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus),
|
8
apparmor.d/abstractions/dconf
Normal file
8
apparmor.d/abstractions/dconf
Normal file
|
@ -0,0 +1,8 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# permissions for querying dconf settings; granting write access should
|
||||
# be specified in a specific application's profile.
|
||||
|
||||
/etc/dconf/** r,
|
||||
owner /{,var/}run/user/*/dconf/user r,
|
||||
owner @{HOME}/.config/dconf/user r,
|
28
apparmor.d/abstractions/deny-dconf
Normal file
28
apparmor.d/abstractions/deny-dconf
Normal file
|
@ -0,0 +1,28 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
deny /etc/dconf/{,**} r,
|
||||
|
||||
# When this is blocked, expect lots of the following errors:
|
||||
# dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
|
||||
# dconf will not work properly.
|
||||
deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw,
|
||||
|
||||
deny owner @{HOME}/.config/dconf/{,**} rw,
|
||||
deny owner @{HOME}/.cache/dconf/{,**} rw,
|
||||
|
||||
# When GSETTINGS_BACKEND=keyfile
|
||||
deny owner @{HOME}/.config/glib-2.0/ rw,
|
||||
deny owner @{HOME}/.config/glib-2.0/settings/ rw,
|
||||
deny owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
|
||||
deny owner @{HOME}/.config/glib-2.0/settings/.goutputstream-* rw,
|
23
apparmor.d/abstractions/deny-root-dir-access
Normal file
23
apparmor.d/abstractions/deny-root-dir-access
Normal file
|
@ -0,0 +1,23 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
|
||||
# access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
|
||||
# user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
|
||||
#
|
||||
# Note that some apps will work anyway when run as root even if all of the files in the /root/
|
||||
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
|
||||
# needed files in the user home dir.
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
|
||||
audit deny /root/{,**} rwkmlx,
|
86
apparmor.d/abstractions/disks-read
Normal file
86
apparmor.d/abstractions/disks-read
Normal file
|
@ -0,0 +1,86 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# The /sys/ entries probably should be tightened
|
||||
|
||||
/dev/ r,
|
||||
|
||||
# Regular disk/partition devices
|
||||
/dev/sd[a-z] rk,
|
||||
/dev/sd[a-z][0-9]* rk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
|
||||
|
||||
# SD card devices
|
||||
/dev/mmcblk[0-9]* rk,
|
||||
/dev/mmcblk[0-9]*p[0-9]* rk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
|
||||
|
||||
# Loop devices
|
||||
/dev/loop[0-9]* rk,
|
||||
/dev/loop[0-9]*p[0-9]* rk,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/** r,
|
||||
|
||||
# LUKS/LVM (device-mapper) devices
|
||||
/dev/dm-[0-9]* rk,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
|
||||
|
||||
# ZRAM devices
|
||||
/dev/zram[0-9]* rk,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/** r,
|
||||
|
||||
# CD-ROM
|
||||
/dev/sr[0-9]* rk,
|
||||
|
||||
@{sys}/class/block/ r,
|
||||
@{sys}/block/ r,
|
||||
# To be able to look up each block device by major:minor numbers
|
||||
@{sys}/dev/block/ r,
|
||||
|
||||
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
|
||||
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
|
||||
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
|
||||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
/{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
|
||||
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
|
||||
/{var/,}run/udev/data/+usb:* r, # for ?
|
86
apparmor.d/abstractions/disks-write
Normal file
86
apparmor.d/abstractions/disks-write
Normal file
|
@ -0,0 +1,86 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# The /sys/ entries probably should be tightened
|
||||
|
||||
/dev/ r,
|
||||
|
||||
# Regular disk/partition devices
|
||||
/dev/sd[a-z] rwk,
|
||||
/dev/sd[a-z][0-9]* rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/sd[a-z]/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/{usb,ata}[1-9]/** r,
|
||||
|
||||
# SD card devices
|
||||
/dev/mmcblk[0-9]* rwk,
|
||||
/dev/mmcblk[0-9]*p[0-9]* rwk,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
|
||||
|
||||
# Loop devices
|
||||
/dev/loop[0-9]* rwk,
|
||||
/dev/loop[0-9]*p[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]*/** r,
|
||||
|
||||
# LUKS/LVM (device-mapper) devices
|
||||
/dev/dm-[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/dm-[0-9]*/** r,
|
||||
|
||||
# ZRAM devices
|
||||
/dev/zram[0-9]* rwk,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/ r,
|
||||
@{sys}/devices/virtual/block/zram[0-9]*/** r,
|
||||
|
||||
# CD-ROM
|
||||
/dev/sr[0-9]* rwk,
|
||||
|
||||
@{sys}/class/block/ r,
|
||||
@{sys}/block/ r,
|
||||
# To be able to look up each block device by major:minor numbers
|
||||
@{sys}/dev/block/ r,
|
||||
|
||||
# According to the kernel docs[1], the major block numbers from 240 to 254 are allocated
|
||||
# dynamically by the kernel for devices which don't have official numbers assigned. It looks like
|
||||
# that "dm" (device mapper) and "zram" are such devices. To avoid issues when kernel config
|
||||
# changes, it's better to allow the whole range (240-254) instead of the single major numbers
|
||||
# visible in the /proc/devices file.
|
||||
# [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
|
||||
/{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
/{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
|
||||
|
||||
/{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
|
||||
/{var/,}run/udev/data/b11:[0-9]* r, # for /dev/sr*
|
||||
/{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sd*
|
||||
/{var/,}run/udev/data/b7:[0-9]* r, # for /dev/loop*
|
||||
|
||||
/{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
|
||||
|
||||
/{var/,}run/udev/data/+usb:* r, # for ?
|
19
apparmor.d/abstractions/dovecot-common
Normal file
19
apparmor.d/abstractions/dovecot-common
Normal file
|
@ -0,0 +1,19 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2014 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
# used with dovecot/*
|
||||
|
||||
capability setgid,
|
||||
|
||||
deny capability block_suspend,
|
||||
|
||||
# dovecot's master can send us signals
|
||||
signal receive peer=dovecot,
|
||||
|
||||
/{var/,}run/dovecot/config rw,
|
14
apparmor.d/abstractions/dri-common
Normal file
14
apparmor.d/abstractions/dri-common
Normal file
|
@ -0,0 +1,14 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This file contains common DRI-specific rules useful for GUI applications
|
||||
# (needed by libdrm and similar).
|
||||
|
||||
/usr/lib{,32,64}/dri/** mr,
|
||||
/usr/lib/@{multiarch}/dri/** mr,
|
||||
/usr/lib/fglrx/dri/** mr,
|
||||
/dev/dri/ r,
|
||||
/dev/dri/** rw,
|
||||
/etc/drirc r,
|
||||
/usr/share/drirc.d/{,*.conf} r,
|
||||
owner @{HOME}/.drirc r,
|
||||
|
8
apparmor.d/abstractions/dri-enumerate
Normal file
8
apparmor.d/abstractions/dri-enumerate
Normal file
|
@ -0,0 +1,8 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This file contains common DRI-specific rules useful for GUI applications that
|
||||
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
|
||||
# libdrm).
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
||||
|
57
apparmor.d/abstractions/enchant
Normal file
57
apparmor.d/abstractions/enchant
Normal file
|
@ -0,0 +1,57 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2010 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# abstraction for Enchant spellchecking frontend
|
||||
|
||||
/usr/share/enchant/ r,
|
||||
/usr/share/enchant/enchant.ordering r,
|
||||
/usr/share/enchant-[0-9]*/enchant.ordering r,
|
||||
|
||||
# aspell
|
||||
#include <abstractions/aspell>
|
||||
/var/lib/dictionaries-common/aspell/ r,
|
||||
/var/lib/dictionaries-common/aspell/* r,
|
||||
|
||||
# hspell
|
||||
/usr/share/hspell/ r,
|
||||
/usr/share/hspell/*.wgz.* r,
|
||||
|
||||
# hunspell
|
||||
/usr/share/hunspell/ r,
|
||||
/usr/share/hunspell/* r,
|
||||
|
||||
# ispell
|
||||
/usr/lib/ispell/ r,
|
||||
/usr/lib/ispell/*.hash r,
|
||||
/usr/share/dict/ r,
|
||||
/usr/share/dict/* r,
|
||||
/var/lib/dictionaries-common/ r,
|
||||
/var/lib/dictionaries-common/{ispell,wordlist}/ r,
|
||||
/var/lib/dictionaries-common/{ispell,wordlist}/* r,
|
||||
|
||||
# myspell
|
||||
/usr/share/myspell/ r,
|
||||
/usr/share/myspell/** r,
|
||||
|
||||
# voikko
|
||||
/usr/lib/voikko/ r,
|
||||
/usr/lib/voikko/2/ r,
|
||||
/usr/lib/voikko/2/mor-standard/ r,
|
||||
/usr/lib/voikko/2/mor-standard/voikko* r,
|
||||
|
||||
# zemberek
|
||||
/usr/share/java/ r,
|
||||
/usr/share/java/zemberek-[0-9]*.jar r,
|
||||
/usr/share/java/zemberek-tr-[0-9]*.jar r,
|
||||
|
||||
# per-user dictionaries
|
||||
owner @{HOME}/.config/enchant/ rw,
|
||||
owner @{HOME}/.config/enchant/* rwk,
|
124
apparmor.d/abstractions/evince
Normal file
124
apparmor.d/abstractions/evince
Normal file
|
@ -0,0 +1,124 @@
|
|||
# vim:syntax=apparmor
|
||||
#
|
||||
# abstraction used by evince binaries
|
||||
#
|
||||
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/p11-kit>
|
||||
#include <abstractions/ubuntu-helpers>
|
||||
|
||||
@{PROC}/[0-9]*/fd/ r,
|
||||
@{PROC}/[0-9]*/mountinfo r,
|
||||
owner @{PROC}/[0-9]*/auxv r,
|
||||
owner @{PROC}/[0-9]*/status r,
|
||||
|
||||
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
|
||||
# Possibly move to an abstraction if anything else needs it.
|
||||
deny /run/udev/data/** r,
|
||||
|
||||
# move out to the gnome abstraction if anyone else needs these
|
||||
/dev/.udev/{data,db}/* r,
|
||||
/etc/udev/udev.conf r,
|
||||
/sys/devices/**/block/**/uevent r,
|
||||
|
||||
# apport
|
||||
/etc/default/apport r,
|
||||
|
||||
# XFCE
|
||||
/etc/xfce4/defaults.list r,
|
||||
|
||||
# Lubuntu
|
||||
/etc/xdg/lubuntu/applications/defaults.list r,
|
||||
|
||||
# evince specific
|
||||
/etc/ r,
|
||||
/etc/fstab r,
|
||||
/etc/texmf/ r,
|
||||
/etc/texmf/** r,
|
||||
/etc/xpdf/* r,
|
||||
owner @{HOME}/.config/evince/ rw,
|
||||
owner @{HOME}/.config/evince/** rwkl,
|
||||
|
||||
/usr/bin/gs-esp ixr,
|
||||
/usr/bin/mktexpk Cx -> sanitized_helper,
|
||||
/usr/bin/mktextfm Cx -> sanitized_helper,
|
||||
/usr/bin/dvipdfm Cx -> sanitized_helper,
|
||||
/usr/bin/dvipdfmx Cx -> sanitized_helper,
|
||||
|
||||
# supported archivers
|
||||
/bin/gzip ixr,
|
||||
/bin/bzip2 ixr,
|
||||
/usr/bin/unrar* ixr,
|
||||
/usr/bin/unzip ixr,
|
||||
/usr/bin/7zr ixr,
|
||||
/usr/lib/p7zip/7zr ixr,
|
||||
/usr/bin/7za ixr,
|
||||
/usr/lib/p7zip/7za ixr,
|
||||
/usr/bin/zipnote ixr,
|
||||
/bin/tar ixr,
|
||||
/usr/bin/xz ixr,
|
||||
|
||||
# allow read access to anything in /usr/share, for plugins and input methods
|
||||
/usr/local/share/** r,
|
||||
/usr/share/** r,
|
||||
/usr/lib/ghostscript/** mr,
|
||||
/var/lib/ghostscript/** r,
|
||||
/var/lib/texmf/** r,
|
||||
|
||||
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
|
||||
# read for all supported file formats
|
||||
/**.[bB][mM][pP] r,
|
||||
/**.[dD][jJ][vV][uU] r,
|
||||
/**.[dD][vV][iI] r,
|
||||
/**.[gG][iI][fF] r,
|
||||
/**.[jJ][pP][gG] r,
|
||||
/**.[jJ][pP][eE][gG] r,
|
||||
/**.[oO][dD][pP] r,
|
||||
/**.[fFpP][dD][fF] r,
|
||||
/**.[pP][nN][mM] r,
|
||||
/**.[pP][nN][gG] r,
|
||||
/**.[pP][sS] r,
|
||||
/**.[eE][pP][sS] r,
|
||||
/**.[eE][pP][sS][fFiI23] r,
|
||||
/**.[tT][iI][fF] r,
|
||||
/**.[tT][iI][fF][fF] r,
|
||||
/**.[xX][pP][mM] r,
|
||||
/**.[gG][zZ] r,
|
||||
/**.[bB][zZ]2 r,
|
||||
/**.[cC][bB][rRzZ7] r,
|
||||
/**.[xX][zZ] r,
|
||||
|
||||
# Use abstractions/private-files instead of abstractions/private-files-strict
|
||||
# and add the sensitive files manually to work around LP: #451422. The goal
|
||||
# is to disallow access to the .mozilla folder in general, but to allow
|
||||
# access to the Cache directory, which the browser may tell evince to open
|
||||
# from directly.
|
||||
|
||||
#include <abstractions/private-files>
|
||||
audit deny @{HOME}/.gnupg/** mrwkl,
|
||||
audit deny @{HOME}/.ssh/** mrwkl,
|
||||
audit deny @{HOME}/.gnome2_private/** mrwkl,
|
||||
audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
|
||||
audit deny @{HOME}/.pki/nssdb/** w,
|
||||
|
||||
audit deny @{HOME}/.mozilla/*/*/* mrwkl,
|
||||
audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
|
||||
audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
|
||||
audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
|
||||
audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
|
||||
|
||||
audit deny @{HOME}/.config/chromium/** mrwkl,
|
||||
audit deny @{HOME}/.evolution/** mrwkl,
|
||||
audit deny @{HOME}/.config/evolution/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/config/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
|
||||
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
|
||||
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
|
||||
|
||||
# When LP: #451422 is fixed, change the above to simply be:
|
||||
##include <abstractions/private-files-strict>
|
||||
#owner @{HOME}/.mozilla/**/*Cache/* r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.bin.evince>
|
71
apparmor.d/abstractions/exo-open
Normal file
71
apparmor.d/abstractions/exo-open
Normal file
|
@ -0,0 +1,71 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via exo-open helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/exo-open directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/exo-open rPx -> foo//exo-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//exo-open {
|
||||
# #include <abstractions/exo-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/gnome>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/exo-open rix,
|
||||
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
|
||||
|
||||
# Other executables
|
||||
|
||||
/{,usr/}bin/which rix,
|
||||
|
||||
# Deny DBus
|
||||
|
||||
# for GTK error message dialog, not required exo-open to work.
|
||||
deny dbus send
|
||||
bus=session
|
||||
path=/org/gtk/vfs/mounttracker,
|
||||
|
||||
# System files
|
||||
|
||||
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
|
||||
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
|
||||
/usr/share/sounds/freedesktop/** r, # for message box alert sound
|
||||
/usr/share/xfce4/helpers/*.desktop r,
|
||||
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
|
||||
|
||||
# User files
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{HOME}/.config/xfce4/helpers.rc r,
|
13
apparmor.d/abstractions/fcitx
Normal file
13
apparmor.d/abstractions/fcitx
Normal file
|
@ -0,0 +1,13 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <abstractions/fcitx-strict>
|
||||
dbus bus=fcitx,
|
21
apparmor.d/abstractions/fcitx-strict
Normal file
21
apparmor.d/abstractions/fcitx-strict
Normal file
|
@ -0,0 +1,21 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
|
||||
dbus send
|
||||
bus=fcitx
|
||||
path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
owner @{HOME}/.config/fcitx/dbus/* r,
|
20
apparmor.d/abstractions/file-browsing-strict
Normal file
20
apparmor.d/abstractions/file-browsing-strict
Normal file
|
@ -0,0 +1,20 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
deny @{PROC}/@{pid}/mountinfo r,
|
||||
deny @{PROC}/@{pid}/mounts r,
|
||||
|
||||
# Usually, apps shouldn't view this file
|
||||
deny /etc/fstab r,
|
||||
|
||||
deny /dev/disk/*/ r,
|
27
apparmor.d/abstractions/flatpak-snap
Normal file
27
apparmor.d/abstractions/flatpak-snap
Normal file
|
@ -0,0 +1,27 @@
|
|||
# kate: syntax AppArmor Security Profile
|
||||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018 Nibaldo Gonzalez <nibgonz@gmail.com>
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# Flatpak
|
||||
/var/lib/flatpak/exports/share/{,**} r,
|
||||
/var/lib/flatpak/app/**/export/share/applications/{,*.desktop} r,
|
||||
|
||||
owner @{HOME}/.local/share/flatpak/exports/share/{,**} r,
|
||||
owner @{HOME}/.local/share/flatpak/app/{,**.desktop} r,
|
||||
deny owner @{HOME}/.local/share/flatpak/** w,
|
||||
|
||||
# Snap
|
||||
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
|
||||
/var/lib/snapd/desktop/applications/*.desktop r,
|
||||
/var/lib/snapd/desktop/applications/ r,
|
43
apparmor.d/abstractions/fontconfig-cache-read
Normal file
43
apparmor.d/abstractions/fontconfig-cache-read
Normal file
|
@ -0,0 +1,43 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# The fontconfig cache can be generated via the following command:
|
||||
# $ fc-cache -f -v
|
||||
# There's no need to give apps the ability to create cache for their own. Apps can generate the
|
||||
# fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
|
||||
# the "fontconfig-cache-write" abstraction.
|
||||
|
||||
owner @{HOME}/.cache/fontconfig/ r,
|
||||
deny @{HOME}/.cache/fontconfig/ w,
|
||||
deny @{HOME}/.cache/fontconfig/** w,
|
||||
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
|
||||
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||
|
||||
owner @{HOME}/.fontconfig/ r,
|
||||
deny @{HOME}/.fontconfig/ w,
|
||||
deny @{HOME}/.fontconfig/** w,
|
||||
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
|
||||
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||
|
||||
/var/cache/fontconfig/ r,
|
||||
deny /var/cache/fontconfig/ w,
|
||||
deny /var/cache/fontconfig/** w,
|
||||
/var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
|
||||
/var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||
|
||||
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
|
||||
# identify the font directory and is used to determine the cache filename if available.
|
||||
owner /usr/local/share/fonts/.uuid r,
|
||||
deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
|
||||
/usr/share/**/.uuid r,
|
||||
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
|
27
apparmor.d/abstractions/fontconfig-cache-write
Normal file
27
apparmor.d/abstractions/fontconfig-cache-write
Normal file
|
@ -0,0 +1,27 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
owner @{HOME}/.cache/fontconfig/ rw,
|
||||
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
|
||||
owner @{HOME}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
|
||||
|
||||
owner @{HOME}/.fontconfig/ rw,
|
||||
owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
|
||||
owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
|
||||
|
||||
# This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
|
||||
# identify the font directory and is used to determine the cache filename if available.
|
||||
owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
|
||||
link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
|
||||
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
|
||||
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
|
62
apparmor.d/abstractions/fonts
Normal file
62
apparmor.d/abstractions/fonts
Normal file
|
@ -0,0 +1,62 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/usr/share/AbiSuite/fonts/** r,
|
||||
|
||||
/usr/lib/xorg/modules/fonts/**.so* mr,
|
||||
|
||||
/usr/share/fonts/ r,
|
||||
/usr/share/fonts/** r,
|
||||
/usr/share/fonts-*/{,**} r,
|
||||
|
||||
/etc/fonts/** r,
|
||||
# Debian, openSUSE paths are different
|
||||
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
|
||||
/usr/share/ghostscript/fonts/{,**} r,
|
||||
|
||||
/opt/kde3/share/fonts/** r,
|
||||
|
||||
/usr/lib{,32,64}/openoffice/share/fonts/** r,
|
||||
|
||||
/var/cache/fonts/** r,
|
||||
/var/cache/fontconfig/** mr,
|
||||
/var/lib/defoma/** mr,
|
||||
|
||||
/usr/share/a2ps/fonts/** r,
|
||||
/usr/share/xfce/fonts/** r,
|
||||
/usr/share/ghostscript/fonts/** r,
|
||||
/usr/share/javascript/*/fonts/** r,
|
||||
/usr/share/texmf/{,*/}fonts/** r,
|
||||
/usr/share/texlive/texmf-dist/fonts/** r,
|
||||
/var/lib/ghostscript/** r,
|
||||
|
||||
owner @{HOME}/.fonts.conf r,
|
||||
owner @{HOME}/.fonts/ r,
|
||||
owner @{HOME}/.fonts/** r,
|
||||
owner @{HOME}/.local/share/fonts/ r,
|
||||
owner @{HOME}/.local/share/fonts/** r,
|
||||
owner @{HOME}/.fonts.cache-2 mr,
|
||||
owner @{HOME}/.{,cache/}fontconfig/ rw,
|
||||
owner @{HOME}/.{,cache/}fontconfig/** mrl,
|
||||
owner @{HOME}/.fonts.conf.d/ r,
|
||||
owner @{HOME}/.fonts.conf.d/** r,
|
||||
owner @{HOME}/.config/fontconfig/ r,
|
||||
owner @{HOME}/.config/fontconfig/** r,
|
||||
|
||||
/usr/local/share/fonts/ r,
|
||||
/usr/local/share/fonts/** r,
|
||||
|
||||
# poppler CMap tables
|
||||
/usr/share/poppler/cMap/** r,
|
||||
|
||||
# data files for LibThai
|
||||
/usr/share/libthai/thbrk.tri r,
|
28
apparmor.d/abstractions/freedesktop.org
Normal file
28
apparmor.d/abstractions/freedesktop.org
Normal file
|
@ -0,0 +1,28 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# system configuration
|
||||
@{system_share_dirs}/applications/{**,} r,
|
||||
@{system_share_dirs}/icons/{**,} r,
|
||||
@{system_share_dirs}/pixmaps/{**,} r,
|
||||
|
||||
# this should probably go elsewhere
|
||||
@{system_share_dirs}/mime/** r,
|
||||
|
||||
# per-user configurations
|
||||
owner @{HOME}/.icons/{**,} r,
|
||||
owner @{HOME}/.recently-used.xbel* rw,
|
||||
owner @{HOME}/.local/share/recently-used.xbel* rw,
|
||||
owner @{HOME}/.config/user-dirs.dirs r,
|
||||
owner @{HOME}/.config/mimeapps.list r,
|
||||
owner @{user_share_dirs}/applications/{**,} r,
|
||||
owner @{user_share_dirs}/icons/{**,} r,
|
||||
owner @{user_share_dirs}/mime/{**,} r,
|
16
apparmor.d/abstractions/fzf
Normal file
16
apparmor.d/abstractions/fzf
Normal file
|
@ -0,0 +1,16 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
owner @{HOME}/.fzf/{,**} r,
|
||||
|
||||
owner @{HOME}/.fzf.* r,
|
54
apparmor.d/abstractions/gio-open
Normal file
54
apparmor.d/abstractions/gio-open
Normal file
|
@ -0,0 +1,54 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via gio helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/gio directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/gio rPx -> foo//gio-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gio-open {
|
||||
# #include <abstractions/gio-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/gio rix,
|
||||
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
|
||||
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
|
||||
|
||||
# System files
|
||||
|
||||
/etc/gnome/defaults.list r,
|
||||
/usr/share/mime/* r,
|
||||
/usr/share/{,*/}applications/{,**} r,
|
||||
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
||||
/var/lib/snapd/desktop/applications/{,**} r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/mimeapps.list r,
|
||||
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
109
apparmor.d/abstractions/gnome
Normal file
109
apparmor.d/abstractions/gnome
Normal file
|
@ -0,0 +1,109 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/freedesktop.org>
|
||||
#include <abstractions/xdg-desktop>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/wayland>
|
||||
|
||||
# systemwide gtk defaults
|
||||
/etc/gnome/gtkrc* r,
|
||||
/etc/gtk/* r,
|
||||
/usr/lib{,32,64}/gtk/** mr,
|
||||
/usr/lib/@{multiarch}/gtk/** mr,
|
||||
/usr/lib{,32,64}/gtk-[0-9]*/** mr,
|
||||
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
|
||||
/usr/share/themes/ r,
|
||||
/usr/share/themes/** r,
|
||||
|
||||
# for gnome 1 applications
|
||||
/etc/orbitrc r,
|
||||
|
||||
# gtk-2 needed some new rights
|
||||
/etc/fonts/* r,
|
||||
/etc/gtk-*/* r,
|
||||
/etc/pango/* r,
|
||||
/usr/lib{,32,64}/pango/** mr,
|
||||
/usr/lib{,32,64}/gtk-*/** mr,
|
||||
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
|
||||
/usr/lib/@{multiarch}/pango/** mr,
|
||||
/usr/lib/@{multiarch}/gtk-*/** mr,
|
||||
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
|
||||
|
||||
# per-user gtk configuration
|
||||
owner @{HOME}/.config/gtk-3.0/ w,
|
||||
owner @{HOME}/.config/gtk-3.0/* r,
|
||||
owner @{HOME}/.gnome/Gnome r,
|
||||
owner @{HOME}/.gtk r,
|
||||
owner @{HOME}/.gtkrc r,
|
||||
owner @{HOME}/.gtkrc-2.0 r,
|
||||
owner @{HOME}/.gtk-bookmarks r,
|
||||
owner @{HOME}/.themes/ r,
|
||||
owner @{HOME}/.themes/** r,
|
||||
owner @{user_share_dirs}/themes/ r,
|
||||
owner @{user_share_dirs}/themes/** r,
|
||||
|
||||
# for gtk file dialog
|
||||
owner @{HOME}/.config/gtk-2.0/ w,
|
||||
owner @{HOME}/.config/gtk-2.0/** r,
|
||||
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
|
||||
|
||||
# from evolution-mail
|
||||
owner @{HOME}/.gconfd/lock/* r,
|
||||
owner @{HOME}/.gnome/application-info r,
|
||||
|
||||
# per-user font business
|
||||
owner @{HOME}/.fonts.cache-* rwl,
|
||||
|
||||
# GtkComposeTable
|
||||
owner @{HOME}/.cache/gtk-3.0/** r,
|
||||
|
||||
# icon caches
|
||||
/var/cache/**/icon-theme.cache r,
|
||||
/usr/share/**/icon-theme.cache r,
|
||||
|
||||
# GLib schemas
|
||||
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
|
||||
/usr/{local/,}share/glib-[0-9]*/schemas/** r,
|
||||
|
||||
# gnome VFS modules
|
||||
/etc/gnome-vfs-2.0/modules/ r,
|
||||
/etc/gnome-vfs-2.0/modules/* r,
|
||||
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
|
||||
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
|
||||
|
||||
# gvfs
|
||||
/usr/share/gvfs/remote-volume-monitors/ r,
|
||||
/usr/share/gvfs/remote-volume-monitors/* r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
# printing
|
||||
/etc/papersize r,
|
||||
/etc/cups/lpoptions r,
|
||||
/usr/share/cups/charmaps/** r,
|
||||
|
||||
# holds MIT-MAGIC-COOKIE for gnome
|
||||
owner /{,var/}run/gdm/auth*/database r,
|
||||
|
||||
# mime-types
|
||||
/etc/gnome/defaults.list r,
|
||||
/etc/xdg/{,*-}mimeapps.list r,
|
||||
/usr/share/gnome/applications/ r,
|
||||
/usr/share/gnome/applications/mimeinfo.cache r,
|
||||
|
||||
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
||||
# rules)
|
||||
unix (send, receive, connect)
|
||||
type=stream
|
||||
peer=(addr="@/dbus-vfs-daemon/socket-*"),
|
11
apparmor.d/abstractions/gnupg
Normal file
11
apparmor.d/abstractions/gnupg
Normal file
|
@ -0,0 +1,11 @@
|
|||
# vim:syntax=apparmor
|
||||
# gnupg sub-process running permissions
|
||||
|
||||
# user configurations
|
||||
owner @{HOME}/.gnupg/options r,
|
||||
owner @{HOME}/.gnupg/pubring.gpg r,
|
||||
owner @{HOME}/.gnupg/pubring.kbx r,
|
||||
owner @{HOME}/.gnupg/random_seed rw,
|
||||
owner @{HOME}/.gnupg/secring.gpg r,
|
||||
owner @{HOME}/.gnupg/so/*.x86_64 mr,
|
||||
owner @{HOME}/.gnupg/trustdb.gpg rw,
|
45
apparmor.d/abstractions/gstreamer
Normal file
45
apparmor.d/abstractions/gstreamer
Normal file
|
@ -0,0 +1,45 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/p11-kit>
|
||||
#include <abstractions/X>
|
||||
|
||||
# TODO: adjust when support finer-grained netlink rules
|
||||
network netlink raw,
|
||||
|
||||
/etc/udev/udev.conf r,
|
||||
/etc/wildmidi/wildmidi.cfg r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/bus/usb/ r,
|
||||
/dev/dri/ r,
|
||||
|
||||
# /dev/shm is a symlink to /run/shm on ubuntu
|
||||
owner /{dev,run}/shm/shmfd-* rw,
|
||||
|
||||
/run/udev/data/c* r,
|
||||
/run/udev/data/+pci:* r,
|
||||
/run/udev/data/+usb* r,
|
||||
|
||||
/sys/bus/ r,
|
||||
/sys/bus/usb/devices/ r,
|
||||
/sys/class/ r,
|
||||
/sys/class/drm/ r,
|
||||
/sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
|
||||
/sys/devices/system/node/ r,
|
||||
/sys/devices/system/node/*/meminfo r,
|
||||
|
||||
owner /tmp/orcexec.* mrw,
|
||||
owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
|
||||
# needed if /tmp is mounted noexec:
|
||||
owner @{HOME}/orcexec.* mr,
|
||||
|
||||
/usr/lib/frei0r-[0-9]/*.so m,
|
||||
# /usr/lib/@{multiarch}/dri/** mr,
|
||||
/usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
|
||||
/usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
|
||||
/usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
|
||||
|
||||
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
|
||||
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
|
||||
owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
|
42
apparmor.d/abstractions/gtk
Normal file
42
apparmor.d/abstractions/gtk
Normal file
|
@ -0,0 +1,42 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2017-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
/usr/share/themes/{,**} r,
|
||||
|
||||
/usr/share/gtk-3.0/settings.ini r,
|
||||
|
||||
/etc/gtk-2.0/gtkrc r,
|
||||
/etc/gtk-3.0/*.conf r,
|
||||
|
||||
/etc/gtk/gtkrc r,
|
||||
|
||||
owner @{HOME}/.gtk r,
|
||||
owner @{HOME}/.gtkrc r,
|
||||
owner @{HOME}/.gtkrc-2.0 r,
|
||||
owner @{HOME}/.gtk-bookmarks r,
|
||||
owner @{HOME}/.config/gtkrc r,
|
||||
owner @{HOME}/.config/gtkrc-2.0 r,
|
||||
owner @{HOME}/.config/gtk-3.0/ w,
|
||||
owner @{HOME}/.config/gtk-3.0/settings.ini r,
|
||||
owner @{HOME}/.config/gtk-3.0/bookmarks r,
|
||||
owner @{HOME}/.config/gtk-3.0/gtk.css r,
|
||||
|
||||
# for gtk file dialog
|
||||
owner @{HOME}/.config/gtk-2.0/ w,
|
||||
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
|
||||
|
||||
# .Xauthority file required for X connections
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
# Xsession errors file
|
||||
owner @{HOME}/.xsession-errors w,
|
42
apparmor.d/abstractions/gvfs-open
Normal file
42
apparmor.d/abstractions/gvfs-open
Normal file
|
@ -0,0 +1,42 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via gvfs-open helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/gvfs-open directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gvfs-open {
|
||||
# #include <abstractions/gvfs-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/base>
|
||||
|
||||
# gvfs-open is deprecated, it launches gio open <uri>
|
||||
#include <abstractions/gio-open>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/gvfs-open r,
|
||||
/{,usr/}bin/dash mr,
|
29
apparmor.d/abstractions/ibus
Normal file
29
apparmor.d/abstractions/ibus
Normal file
|
@ -0,0 +1,29 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2010 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# abstraction for ibus input methods
|
||||
owner @{HOME}/.config/ibus/ r,
|
||||
owner @{HOME}/.config/ibus/bus/ rw,
|
||||
owner @{HOME}/.config/ibus/bus/* rw,
|
||||
|
||||
# abstract path in ibus < 1.5.22 uses /tmp
|
||||
unix (connect, receive, send)
|
||||
type=stream
|
||||
peer=(addr="@/tmp/ibus/dbus-*"),
|
||||
|
||||
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
|
||||
# This should use this, but due to LP: #1856738 we cannot
|
||||
#unix (connect, receive, send)
|
||||
# type=stream
|
||||
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
|
||||
unix (connect, receive, send)
|
||||
type=stream
|
||||
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
|
77
apparmor.d/abstractions/kde
Normal file
77
apparmor.d/abstractions/kde
Normal file
|
@ -0,0 +1,77 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/freedesktop.org>
|
||||
#include <abstractions/xdg-desktop>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/qt5>
|
||||
|
||||
/etc/qt3/kstylerc r,
|
||||
/etc/qt3/qt_plugins_3.3rc r,
|
||||
/etc/qt3/qtrc r,
|
||||
/etc/kderc r,
|
||||
/etc/kde3/* r,
|
||||
/etc/kde4rc r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/Trolltech.conf r,
|
||||
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
|
||||
/usr/share/kubuntu-default-settings/kf5-settings/* r,
|
||||
|
||||
owner @{HOME}/.DCOPserver_* r,
|
||||
owner @{HOME}/.ICEauthority r,
|
||||
owner @{HOME}/.fonts.* lrw,
|
||||
owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
|
||||
owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
|
||||
owner @{HOME}/.qt/** rw,
|
||||
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
|
||||
owner @{HOME}/.config/Trolltech.conf rwk,
|
||||
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
|
||||
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
|
||||
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
|
||||
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
|
||||
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
|
||||
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
|
||||
|
||||
/usr/share/X11/XKeysymDB r,
|
||||
|
||||
# kde3
|
||||
/usr/lib*/kde3/plugins/styles/ r,
|
||||
/usr/lib*/kde3/plugins/styles/* mr,
|
||||
/usr/lib*/kde3/lib*so* mr,
|
||||
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
|
||||
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
|
||||
/usr/lib/@{multiarch}/kde3/lib*so* mr,
|
||||
/usr/lib*/qt3/lib*/lib*so* mr,
|
||||
/usr/lib*/qt3/plugins/** mr,
|
||||
/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
|
||||
/usr/lib/@{multiarch}/qt3/plugins/** mr,
|
||||
/usr/lib*/libqt-mt*so* mr,
|
||||
/usr/lib*/libqui*so* mr,
|
||||
/usr/lib/@{multiarch}/libqt-mt*so* mr,
|
||||
/usr/lib/@{multiarch}/libqui*so* mr,
|
||||
/usr/share/qt3/lib*/libqt-mt*so* mr,
|
||||
/usr/share/qt3/lib*/libqui*so* mr,
|
||||
|
||||
# kde4
|
||||
/usr/lib*/kde4/plugins/*/*.so mr,
|
||||
/usr/lib*/kde4/plugins/*/ r,
|
||||
/usr/lib*/kde4/lib*so* mr,
|
||||
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
|
||||
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
|
||||
/usr/lib/@{multiarch}/kde4/lib*so* mr,
|
||||
/usr/lib*/qt4/lib*/lib*so* mr,
|
||||
/usr/lib*/qt4/plugins/** mr,
|
||||
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
|
||||
/usr/lib/@{multiarch}/qt4/plugins/** mr,
|
||||
/usr/share/qt4/** r,
|
10
apparmor.d/abstractions/kde-globals-write
Normal file
10
apparmor.d/abstractions/kde-globals-write
Normal file
|
@ -0,0 +1,10 @@
|
|||
# vim:syntax=apparmor
|
||||
# Rules for changing KDE settings (for KFileDialog and other).
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/#[0-9]* rw,
|
||||
owner @{HOME}/.config/kdeglobals rw,
|
||||
owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*,
|
||||
owner @{HOME}/.config/kdeglobals.lock rwk,
|
||||
|
7
apparmor.d/abstractions/kde-icon-cache-write
Normal file
7
apparmor.d/abstractions/kde-icon-cache-write
Normal file
|
@ -0,0 +1,7 @@
|
|||
# vim:syntax=apparmor
|
||||
# Rules for writing KDE icon cache
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
|
||||
|
12
apparmor.d/abstractions/kde-language-write
Normal file
12
apparmor.d/abstractions/kde-language-write
Normal file
|
@ -0,0 +1,12 @@
|
|||
# vim:syntax=apparmor
|
||||
# Rules for changing per-application language settings on KDE. Some KDE
|
||||
# applications have "Help -> Switch Application Language..." option, that needs
|
||||
# write access to language settings file.
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/#[0-9]* rw,
|
||||
owner @{HOME}/.config/klanguageoverridesrc rw,
|
||||
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*,
|
||||
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
|
||||
|
102
apparmor.d/abstractions/kde-open5
Normal file
102
apparmor.d/abstractions/kde-open5
Normal file
|
@ -0,0 +1,102 @@
|
|||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via kde-open5 helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/kde-open5 directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//kde-open5 {
|
||||
# #include <abstractions/kde-open5>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # Add if audio support for message box is
|
||||
# # considered as required.
|
||||
# include if exists <abstractions/gstreamer>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
#include <abstractions/dbus-network-manager-strict>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/dbus-strict>
|
||||
#include <abstractions/kde-icon-cache-write>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/qt5>
|
||||
#include <abstractions/recent-documents-write>
|
||||
#include <abstractions/X>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/kde-open5 rix,
|
||||
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
|
||||
|
||||
# DBus
|
||||
|
||||
dbus
|
||||
bus=session
|
||||
interface=org.kde.KLauncher
|
||||
member=start_service_by_desktop_path
|
||||
peer=(name=org.kde.klauncher5),
|
||||
|
||||
# Denied system files
|
||||
|
||||
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
|
||||
|
||||
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
||||
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
||||
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
||||
# so we deny this path to protect from loading exploits from /tmp.
|
||||
deny /tmp/#[0-9]*[0-9] m,
|
||||
|
||||
# System files
|
||||
|
||||
/dev/tty r,
|
||||
/etc/xdg/accept-languages.codes r,
|
||||
/etc/xdg/menus/{,*/} r,
|
||||
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
|
||||
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
|
||||
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
|
||||
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
|
||||
/usr/share/mime/ r,
|
||||
/usr/share/mime/generic-icons r,
|
||||
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
|
||||
/usr/share/sounds/ r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
# User files
|
||||
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
|
||||
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
|
||||
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
||||
owner @{HOME}/.cache/kio_http/ rw,
|
||||
|
38
apparmor.d/abstractions/kde4
Normal file
38
apparmor.d/abstractions/kde4
Normal file
|
@ -0,0 +1,38 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
/usr/share/kde4/** r,
|
||||
|
||||
/{usr/,}lib/kde4/*.so mr,
|
||||
/{usr/,}lib/kde4/plugins/*/ r,
|
||||
/{usr/,}lib/kde4/plugins/*/*.so mr,
|
||||
|
||||
# Create home KDE directory structure
|
||||
owner @{HOME}/.kde{,4}/ rw,
|
||||
owner @{HOME}/.kde{,4}/**/ rw,
|
||||
owner @{HOME}/.config/kde.org/ rw,
|
||||
owner @{HOME}/.config/kde.org/**/ rw,
|
||||
|
||||
# Common configs
|
||||
owner @{HOME}/.kde{,4}/share/config/kdeglobals r,
|
||||
owner @{HOME}/.kde{,4}/share/config/kdebugrc r,
|
||||
owner @{HOME}/.kde{,4}/share/config/servicetype_profilerc r,
|
||||
|
||||
# Phonon
|
||||
owner @{HOME}/.config/kde.org/libphonon.conf rk,
|
||||
|
||||
owner @{HOME}/.config/Trolltech.conf rk,
|
||||
|
||||
owner /var/tmp/kdecache-*/ r,
|
||||
owner /var/tmp/kdecache-*/** r,
|
||||
owner /var/tmp/kdecache-*/*.kcache rw,
|
67
apparmor.d/abstractions/kde5-plasma5
Normal file
67
apparmor.d/abstractions/kde5-plasma5
Normal file
|
@ -0,0 +1,67 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/thumbnails-cache-read>
|
||||
|
||||
# KDE/Plasma5 themes
|
||||
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
|
||||
#/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr,
|
||||
#/usr/share/plasma/look-and-feel/** r,
|
||||
#/usr/share/color-schemes/*.colors r,
|
||||
|
||||
#/usr/share/kservices5/{,**/} r,
|
||||
#/usr/share/kservices5/*.protocol r,
|
||||
|
||||
#/usr/share/knotifications5/plasma_workspace.notifyrc r,
|
||||
|
||||
# For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
|
||||
# includes this abstraction)
|
||||
#owner @{HOME}/.config/#[0-9]*[0-9] rwk,
|
||||
#owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
#owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
|
||||
#owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
|
||||
|
||||
# Common KDE config files
|
||||
#owner @{HOME}/.config/#[0-9]*[0-9] rw,
|
||||
#owner @{HOME}/.config/kdeglobals* rwkl -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
#owner @{HOME}/.config/baloofilerc r,
|
||||
#owner @{HOME}/.config/dolphinrc r,
|
||||
#owner @{HOME}/.config/trashrc r,
|
||||
#owner @{HOME}/.config/knfsshare r,
|
||||
#owner /**/.directory r,
|
||||
|
||||
# For bookmarks
|
||||
#/{usr/,}bin/keditbookmarks rPUx,
|
||||
#owner @{HOME}/.local/share/kfile/ rw,
|
||||
#owner @{HOME}/.local/share/kfile/#[0-9]*[0-9] rw,
|
||||
#owner @{HOME}/.local/share/kfile/bookmarks.xml* rwl -> @{HOME}/.local/share/kfile/#[0-9]*[0-9],
|
||||
|
||||
# Common cache files
|
||||
#owner @{HOME}/.cache/icon-cache.kcache rw,
|
||||
#owner @{HOME}/.cache/ksycoca5_* r,
|
||||
|
||||
# Think what to do about this #FIXME#
|
||||
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
|
||||
##include <abstractions/recent-documents-write>
|
||||
#signal (send) set=(term, kill) peer=unconfined,
|
||||
#deny @{sys}/bus/ r,
|
||||
#deny @{sys}/bus/usb/devices/ r,
|
||||
#deny @{sys}/class/ r,
|
||||
#deny /{var/,}run/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc.
|
||||
#deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
|
||||
#deny /{var/,}run/udev/data/+usb:* r, #
|
||||
#/etc/exports r,
|
||||
#/etc/xdg/menus/ r,
|
||||
#/usr/share/mime/ r,
|
||||
#owner @{HOME}/.config/menus/ r,
|
||||
#owner @{HOME}/.config/menus/applications-merged/ r,
|
34
apparmor.d/abstractions/kerberosclient
Normal file
34
apparmor.d/abstractions/kerberosclient
Normal file
|
@ -0,0 +1,34 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# files required by kerberos client programs
|
||||
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
|
||||
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
|
||||
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
|
||||
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
|
||||
|
||||
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
|
||||
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
|
||||
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
|
||||
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
|
||||
|
||||
/etc/krb5.keytab rk,
|
||||
/etc/krb5.conf r,
|
||||
/etc/krb5.conf.d/ r,
|
||||
/etc/krb5.conf.d/* r,
|
||||
|
||||
# config files found via strings on libs
|
||||
/etc/krb.conf r,
|
||||
/etc/krb.realms r,
|
||||
/etc/srvtab r,
|
||||
|
||||
# credential caches
|
||||
/tmp/krb5cc* r,
|
24
apparmor.d/abstractions/ldapclient
Normal file
24
apparmor.d/abstractions/ldapclient
Normal file
|
@ -0,0 +1,24 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2011 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
|
||||
/etc/ldap.conf r,
|
||||
/etc/ldap.secret r,
|
||||
/etc/openldap/* r,
|
||||
/etc/openldap/cacerts/* r,
|
||||
|
||||
# SASL plugins and config
|
||||
/etc/sasl2/* r,
|
||||
/usr/lib{,32,64}/sasl2/* r,
|
||||
|
||||
# local LDAP name service daemon
|
||||
/{,var/}run/nslcd/socket rw,
|
||||
|
||||
#include <abstractions/ssl_certs>
|
19
apparmor.d/abstractions/libpam-systemd
Normal file
19
apparmor.d/abstractions/libpam-systemd
Normal file
|
@ -0,0 +1,19 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2015-2016 Simon Deziel
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <abstractions/dbus-strict>
|
||||
|
||||
# libpam-systemd notifies systemd-logind about session logins/logouts
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member={CreateSession,ReleaseSession},
|
114
apparmor.d/abstractions/libvirt-lxc
Normal file
114
apparmor.d/abstractions/libvirt-lxc
Normal file
|
@ -0,0 +1,114 @@
|
|||
#include <abstractions/base>
|
||||
|
||||
umount,
|
||||
|
||||
# ignore DENIED message on / remount
|
||||
deny mount options=(ro, remount) -> /,
|
||||
|
||||
# allow tmpfs mounts everywhere
|
||||
mount fstype=tmpfs,
|
||||
|
||||
# allow mqueue mounts everywhere
|
||||
mount fstype=mqueue,
|
||||
|
||||
# allow fuse mounts everywhere
|
||||
mount fstype=fuse.*,
|
||||
|
||||
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
||||
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
||||
deny @{PROC}/sys/fs/** wklx,
|
||||
|
||||
# allow efivars to be mounted, writing to it will be blocked though
|
||||
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
||||
|
||||
# block some other dangerous paths
|
||||
deny @{PROC}/sysrq-trigger rwklx,
|
||||
deny @{PROC}/mem rwklx,
|
||||
deny @{PROC}/kmem rwklx,
|
||||
|
||||
# deny writes in /sys except for /sys/fs/cgroup, also allow
|
||||
# fusectl, securityfs and debugfs to be mounted there (read-only)
|
||||
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
||||
mount fstype=securityfs -> /sys/kernel/security/,
|
||||
mount fstype=debugfs -> /sys/kernel/debug/,
|
||||
mount fstype=proc -> /proc/,
|
||||
mount fstype=sysfs -> /sys/,
|
||||
deny /sys/firmware/efi/efivars/** rwklx,
|
||||
deny /sys/kernel/security/** rwklx,
|
||||
|
||||
# generated by: lxc-generate-aa-rules.py container-rules.base
|
||||
deny /proc/sys/[^kn]*{,/**} wklx,
|
||||
deny /proc/sys/k[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ke[^r]*{,/**} wklx,
|
||||
deny /proc/sys/ker[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kern[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kerne[^l]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/msg*/** wklx,
|
||||
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/sem*/** wklx,
|
||||
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/shm*/** wklx,
|
||||
deny /proc/sys/kernel?*{,/**} wklx,
|
||||
deny /proc/sys/n[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ne[^t]*{,/**} wklx,
|
||||
deny /proc/sys/net?*{,/**} wklx,
|
||||
deny /sys/[^fdc]*{,/**} wklx,
|
||||
deny /sys/c[^l]*{,/**} wklx,
|
||||
deny /sys/cl[^a]*{,/**} wklx,
|
||||
deny /sys/cla[^s]*{,/**} wklx,
|
||||
deny /sys/clas[^s]*{,/**} wklx,
|
||||
deny /sys/class/[^n]*{,/**} wklx,
|
||||
deny /sys/class/n[^e]*{,/**} wklx,
|
||||
deny /sys/class/ne[^t]*{,/**} wklx,
|
||||
deny /sys/class/net?*{,/**} wklx,
|
||||
deny /sys/class?*{,/**} wklx,
|
||||
deny /sys/d[^e]*{,/**} wklx,
|
||||
deny /sys/de[^v]*{,/**} wklx,
|
||||
deny /sys/dev[^i]*{,/**} wklx,
|
||||
deny /sys/devi[^c]*{,/**} wklx,
|
||||
deny /sys/devic[^e]*{,/**} wklx,
|
||||
deny /sys/device[^s]*{,/**} wklx,
|
||||
deny /sys/devices/[^v]*{,/**} wklx,
|
||||
deny /sys/devices/v[^i]*{,/**} wklx,
|
||||
deny /sys/devices/vi[^r]*{,/**} wklx,
|
||||
deny /sys/devices/vir[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virt[^u]*{,/**} wklx,
|
||||
deny /sys/devices/virtu[^a]*{,/**} wklx,
|
||||
deny /sys/devices/virtua[^l]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/[^n]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/net?*{,/**} wklx,
|
||||
deny /sys/devices/virtual?*{,/**} wklx,
|
||||
deny /sys/devices?*{,/**} wklx,
|
||||
deny /sys/f[^s]*{,/**} wklx,
|
||||
deny /sys/fs/[^c]*{,/**} wklx,
|
||||
deny /sys/fs/c[^g]*{,/**} wklx,
|
||||
deny /sys/fs/cg[^r]*{,/**} wklx,
|
||||
deny /sys/fs/cgr[^o]*{,/**} wklx,
|
||||
deny /sys/fs/cgro[^u]*{,/**} wklx,
|
||||
deny /sys/fs/cgrou[^p]*{,/**} wklx,
|
||||
deny /sys/fs/cgroup?*{,/**} wklx,
|
||||
deny /sys/fs?*{,/**} wklx,
|
236
apparmor.d/abstractions/libvirt-qemu
Normal file
236
apparmor.d/abstractions/libvirt-qemu
Normal file
|
@ -0,0 +1,236 @@
|
|||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
# required for reading disk images
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability chown,
|
||||
|
||||
# needed to drop privileges
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
ptrace (readby, tracedby) peer=libvirtd,
|
||||
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
|
||||
|
||||
signal (receive) peer=libvirtd,
|
||||
signal (receive) peer=/usr/sbin/libvirtd,
|
||||
|
||||
/dev/kvm rw,
|
||||
/dev/net/tun rw,
|
||||
/dev/ptmx rw,
|
||||
@{PROC}/*/status r,
|
||||
# When qemu is signaled to terminate, it will read cmdline of signaling
|
||||
# process for reporting purposes. Allowing read access to a process
|
||||
# cmdline may leak sensitive information embedded in the cmdline.
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
# Per man(5) proc, the kernel enforces that a thread may
|
||||
# only modify its comm value or those in its thread group.
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
|
||||
# For hostdev access. The actual devices will be added dynamically
|
||||
/sys/bus/usb/devices/ r,
|
||||
/sys/devices/**/usb[0-9]*/** r,
|
||||
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
|
||||
/run/udev/data/+usb* r,
|
||||
/run/udev/data/c16[6,7]* r,
|
||||
/run/udev/data/c18[0,8,9]* r,
|
||||
|
||||
# WARNING: this gives the guest direct access to host hardware and specific
|
||||
# portions of shared memory. This is required for sound using ALSA with kvm,
|
||||
# but may constitute a security risk. If your environment does not require
|
||||
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
||||
# the rules for files in /dev.
|
||||
/dev/snd/* rw,
|
||||
/{dev,run}/shm r,
|
||||
/{dev,run}/shmpulse-shm* r,
|
||||
/{dev,run}/shmpulse-shm* rwk,
|
||||
capability ipc_lock,
|
||||
# spice
|
||||
owner /{dev,run}/shm/spice.* rw,
|
||||
# 'kill' is not required for sound and is a security risk. Do not enable
|
||||
# unless you absolutely need it.
|
||||
deny capability kill,
|
||||
|
||||
# Uncomment the following if you need access to /dev/fb*
|
||||
#/dev/fb* rw,
|
||||
|
||||
/etc/pulse/client.conf r,
|
||||
@{HOME}/.pulse-cookie rwk,
|
||||
owner /root/.pulse-cookie rwk,
|
||||
owner /root/.pulse/ rw,
|
||||
owner /root/.pulse/* rw,
|
||||
/usr/share/alsa/** r,
|
||||
owner /tmp/pulse-*/ rw,
|
||||
owner /tmp/pulse-*/* rw,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
# access to firmware's etc
|
||||
/usr/share/AAVMF/** r,
|
||||
/usr/share/bochs/** r,
|
||||
/usr/share/edk2-ovmf/** r,
|
||||
/usr/share/kvm/** r,
|
||||
/usr/share/misc/sgabios.bin r,
|
||||
/usr/share/openbios/** r,
|
||||
/usr/share/openhackware/** r,
|
||||
/usr/share/OVMF/** r,
|
||||
/usr/share/ovmf/** r,
|
||||
/usr/share/proll/** r,
|
||||
/usr/share/qemu-efi/** r,
|
||||
/usr/share/qemu-kvm/** r,
|
||||
/usr/share/qemu/** r,
|
||||
/usr/share/seabios/** r,
|
||||
/usr/share/sgabios/** r,
|
||||
/usr/share/slof/** r,
|
||||
/usr/share/vgabios/** r,
|
||||
|
||||
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
|
||||
/etc/pki/CA/ r,
|
||||
/etc/pki/CA/* r,
|
||||
/etc/pki/libvirt{,-spice,-vnc}/ r,
|
||||
/etc/pki/libvirt{,-spice,-vnc}/** r,
|
||||
/etc/pki/qemu/ r,
|
||||
/etc/pki/qemu/** r,
|
||||
|
||||
# the various binaries
|
||||
/usr/bin/kvm rmix,
|
||||
/usr/bin/qemu rmix,
|
||||
/usr/bin/qemu-aarch64 rmix,
|
||||
/usr/bin/qemu-alpha rmix,
|
||||
/usr/bin/qemu-arm rmix,
|
||||
/usr/bin/qemu-armeb rmix,
|
||||
/usr/bin/qemu-cris rmix,
|
||||
/usr/bin/qemu-i386 rmix,
|
||||
/usr/bin/qemu-kvm rmix,
|
||||
/usr/bin/qemu-m68k rmix,
|
||||
/usr/bin/qemu-microblaze rmix,
|
||||
/usr/bin/qemu-microblazeel rmix,
|
||||
/usr/bin/qemu-mips rmix,
|
||||
/usr/bin/qemu-mips64 rmix,
|
||||
/usr/bin/qemu-mips64el rmix,
|
||||
/usr/bin/qemu-mipsel rmix,
|
||||
/usr/bin/qemu-mipsn32 rmix,
|
||||
/usr/bin/qemu-mipsn32el rmix,
|
||||
/usr/bin/qemu-or32 rmix,
|
||||
/usr/bin/qemu-ppc rmix,
|
||||
/usr/bin/qemu-ppc64 rmix,
|
||||
/usr/bin/qemu-ppc64abi32 rmix,
|
||||
/usr/bin/qemu-ppc64le rmix,
|
||||
/usr/bin/qemu-s390x rmix,
|
||||
/usr/bin/qemu-sh4 rmix,
|
||||
/usr/bin/qemu-sh4eb rmix,
|
||||
/usr/bin/qemu-sparc rmix,
|
||||
/usr/bin/qemu-sparc32plus rmix,
|
||||
/usr/bin/qemu-sparc64 rmix,
|
||||
/usr/bin/qemu-system-aarch64 rmix,
|
||||
/usr/bin/qemu-system-alpha rmix,
|
||||
/usr/bin/qemu-system-arm rmix,
|
||||
/usr/bin/qemu-system-cris rmix,
|
||||
/usr/bin/qemu-system-hppa rmix,
|
||||
/usr/bin/qemu-system-i386 rmix,
|
||||
/usr/bin/qemu-system-lm32 rmix,
|
||||
/usr/bin/qemu-system-m68k rmix,
|
||||
/usr/bin/qemu-system-microblaze rmix,
|
||||
/usr/bin/qemu-system-microblazeel rmix,
|
||||
/usr/bin/qemu-system-mips rmix,
|
||||
/usr/bin/qemu-system-mips64 rmix,
|
||||
/usr/bin/qemu-system-mips64el rmix,
|
||||
/usr/bin/qemu-system-mipsel rmix,
|
||||
/usr/bin/qemu-system-moxie rmix,
|
||||
/usr/bin/qemu-system-nios2 rmix,
|
||||
/usr/bin/qemu-system-or1k rmix,
|
||||
/usr/bin/qemu-system-or32 rmix,
|
||||
/usr/bin/qemu-system-ppc rmix,
|
||||
/usr/bin/qemu-system-ppc64 rmix,
|
||||
/usr/bin/qemu-system-ppcemb rmix,
|
||||
/usr/bin/qemu-system-riscv32 rmix,
|
||||
/usr/bin/qemu-system-riscv64 rmix,
|
||||
/usr/bin/qemu-system-s390x rmix,
|
||||
/usr/bin/qemu-system-sh4 rmix,
|
||||
/usr/bin/qemu-system-sh4eb rmix,
|
||||
/usr/bin/qemu-system-sparc rmix,
|
||||
/usr/bin/qemu-system-sparc64 rmix,
|
||||
/usr/bin/qemu-system-tricore rmix,
|
||||
/usr/bin/qemu-system-unicore32 rmix,
|
||||
/usr/bin/qemu-system-x86_64 rmix,
|
||||
/usr/bin/qemu-system-xtensa rmix,
|
||||
/usr/bin/qemu-system-xtensaeb rmix,
|
||||
/usr/bin/qemu-unicore32 rmix,
|
||||
/usr/bin/qemu-x86_64 rmix,
|
||||
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
|
||||
/usr/{lib,lib64}/qemu/*.so mr,
|
||||
/usr/lib/@{multiarch}/qemu/*.so mr,
|
||||
|
||||
# swtpm
|
||||
/{usr/,}bin/swtpm rmix,
|
||||
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
|
||||
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
|
||||
|
||||
# for save and resume
|
||||
/{usr/,}bin/dash rmix,
|
||||
/{usr/,}bin/dd rmix,
|
||||
/{usr/,}bin/cat rmix,
|
||||
|
||||
# for restore
|
||||
/{usr/,}bin/bash rmix,
|
||||
|
||||
# for usb access
|
||||
/dev/bus/usb/ r,
|
||||
/etc/udev/udev.conf r,
|
||||
/sys/bus/ r,
|
||||
/sys/class/ r,
|
||||
|
||||
# for rbd
|
||||
/etc/ceph/ceph.conf r,
|
||||
|
||||
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
|
||||
# dir and a few known functions like samba support.
|
||||
# We want to avoid to give blanket rw permission to everything under /tmp,
|
||||
# users are expected to add site specific addons for more uncommon cases.
|
||||
# Qemu processes usually all run as the same users, so the "owner"
|
||||
# restriction prevents access to other services files, but not across
|
||||
# different instances.
|
||||
# This is a tradeoff between usability and security - if paths would be more
|
||||
# predictable that would be preferred - at least for write rules we would
|
||||
# want more unique paths per rule.
|
||||
/{,var/}tmp/ r,
|
||||
owner /{,var/}tmp/**/ r,
|
||||
|
||||
# for file-posix getting limits since 9103f1ce
|
||||
/sys/devices/**/block/*/queue/max_segments r,
|
||||
|
||||
# for ppc device-tree access
|
||||
@{PROC}/device-tree/ r,
|
||||
@{PROC}/device-tree/** r,
|
||||
/sys/firmware/devicetree/** r,
|
||||
|
||||
# allow connect with openGraphicsFD to work
|
||||
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
|
||||
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
|
||||
|
||||
# for gathering information about available host resources
|
||||
/sys/devices/system/cpu/ r,
|
||||
/sys/devices/system/node/ r,
|
||||
/sys/devices/system/node/node[0-9]*/meminfo r,
|
||||
/sys/module/vhost/parameters/max_mem_regions r,
|
||||
|
||||
# silence refusals to open lttng files (see LP: #1432644)
|
||||
deny /dev/shm/lttng-ust-wait-* r,
|
||||
deny /run/shm/lttng-ust-wait-* r,
|
||||
|
||||
# for vfio hotplug on systems without static vfio (LP: #1775777)
|
||||
/dev/vfio/vfio rw,
|
||||
|
||||
# required for sasl GSSAPI plugin
|
||||
/etc/gss/mech.d/ r,
|
||||
/etc/gss/mech.d/* r,
|
||||
|
||||
# required by libpmem init to fts_open()/fts_read() the symlinks in
|
||||
# /sys/bus/nd/devices
|
||||
/ r, # harmless on any lsb compliant system
|
||||
/sys/bus/nd/devices/{,**/} r,
|
114
apparmor.d/abstractions/lightdm
Normal file
114
apparmor.d/abstractions/lightdm
Normal file
|
@ -0,0 +1,114 @@
|
|||
# vim:syntax=apparmor
|
||||
# Profile for restricting lightdm guest session
|
||||
# Author: Martin Pitt <martin.pitt@ubuntu.com>
|
||||
|
||||
# This abstraction provides the majority of the confinement for guest sessions.
|
||||
# It is in its own abstraction so we can have a centralized place for
|
||||
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
|
||||
# etc). Note that this profile intentionally omits chromium-browser.
|
||||
|
||||
# Requires apparmor 2.9
|
||||
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/cups-client>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/dbus-session>
|
||||
#include <abstractions/dbus-accessibility>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
|
||||
# bug in compiz https://launchpad.net/bugs/697678
|
||||
/etc/compizconfig/config rw,
|
||||
/etc/compizconfig/unity.ini rw,
|
||||
|
||||
/ r,
|
||||
/bin/ rmix,
|
||||
/bin/fusermount Px,
|
||||
/bin/** rmix,
|
||||
/cdrom/ rmix,
|
||||
/cdrom/** rmix,
|
||||
/dev/ r,
|
||||
/dev/** rmw, # audio devices etc.
|
||||
owner /dev/shm/** rmw,
|
||||
/etc/ r,
|
||||
/etc/** rmk,
|
||||
/etc/X11/Xsession ix,
|
||||
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
|
||||
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
|
||||
/lib/ r,
|
||||
/lib/** rmixk,
|
||||
/lib32/ r,
|
||||
/lib32/** rmixk,
|
||||
/lib64/ r,
|
||||
/lib64/** rmixk,
|
||||
owner /{,run/}media/ r,
|
||||
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
|
||||
/opt/ r,
|
||||
/opt/** rmixk,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/* rm,
|
||||
@{PROC}/[0-9]*/net/ r,
|
||||
@{PROC}/[0-9]*/net/dev r,
|
||||
@{PROC}/asound rm,
|
||||
@{PROC}/asound/** rm,
|
||||
@{PROC}/ati rm,
|
||||
@{PROC}/ati/** rm,
|
||||
@{PROC}/sys/vm/overcommit_memory r,
|
||||
owner @{PROC}/** rm,
|
||||
# needed for gnome-keyring-daemon
|
||||
@{PROC}/*/status r,
|
||||
# needed for bamfdaemon and utilities such as ps and killall
|
||||
@{PROC}/*/stat r,
|
||||
/sbin/ r,
|
||||
/sbin/** rmixk,
|
||||
/sys/ r,
|
||||
/sys/** rm,
|
||||
# needed for confined trusted helpers, such as dbus-daemon
|
||||
/sys/kernel/security/apparmor/.access rw,
|
||||
/tmp/ rw,
|
||||
owner /tmp/** rwlkmix,
|
||||
/usr/ r,
|
||||
/usr/** rmixk,
|
||||
/var/ r,
|
||||
/var/** rmixk,
|
||||
/var/guest-data/** rw, # allow to store files permanently
|
||||
/var/tmp/ rw,
|
||||
owner /var/tmp/** rwlkm,
|
||||
/{,var/}run/ r,
|
||||
# necessary for writing to sockets, etc.
|
||||
/{,var/}run/** rmkix,
|
||||
/{,var/}run/mir_socket rw,
|
||||
/{,var/}run/screen/** wl,
|
||||
/{,var/}run/shm/** wl,
|
||||
/{,var/}run/uuidd/request w,
|
||||
# libpam-xdg-support/logind
|
||||
owner /{,var/}run/user/*/** rw,
|
||||
|
||||
capability ipc_lock,
|
||||
|
||||
# allow processes in the guest session to signal and ptrace each other
|
||||
signal peer=@{profile_name},
|
||||
ptrace peer=@{profile_name},
|
||||
# needed when logging out of the guest session
|
||||
signal (receive) peer=unconfined,
|
||||
|
||||
unix peer=(label=@{profile_name}),
|
||||
unix (receive) peer=(label=unconfined),
|
||||
unix (create),
|
||||
unix (getattr, getopt, setopt, shutdown),
|
||||
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
|
||||
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
|
||||
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
|
||||
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
|
||||
unix (bind, listen) type=stream addr="@guest*",
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
|
||||
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
|
||||
|
||||
# silence warnings for stuff that we really don't want to grant
|
||||
deny capability dac_override,
|
||||
deny capability dac_read_search,
|
||||
#deny /etc/** w, # re-enable once LP#697678 is fixed
|
||||
deny /usr/** w,
|
||||
deny /var/crash/ w,
|
76
apparmor.d/abstractions/lightdm_chromium-browser
Normal file
76
apparmor.d/abstractions/lightdm_chromium-browser
Normal file
|
@ -0,0 +1,76 @@
|
|||
# vim:syntax=apparmor
|
||||
# Profile abstraction for restricting chromium in the lightdm guest session
|
||||
# Author: Jamie Strandboge <jamie@canonical.com>
|
||||
|
||||
# The abstraction provides the additional accesses required to launch
|
||||
# chromium based browsers from within an lightdm session. Because AppArmor
|
||||
# cannot yet merge profiles and because we want to utilize the access rules
|
||||
# provided in abstractions/lightdm, this abstraction must be separate from
|
||||
# abstractions/lightdm.
|
||||
|
||||
# Requires apparmor 2.9
|
||||
|
||||
/usr/lib/chromium/chromium Cx -> chromium,
|
||||
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
|
||||
/usr/bin/webapp-container Cx -> chromium,
|
||||
/usr/bin/webbrowser-app Cx -> chromium,
|
||||
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
|
||||
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
|
||||
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
|
||||
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
|
||||
/opt/google/chrome/google-chrome Cx -> chromium,
|
||||
|
||||
# Allow ptracing processes in the chromium child profile
|
||||
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
|
||||
|
||||
# Allow receiving and sending signals to processes in the chromium child profile
|
||||
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
|
||||
|
||||
# Allow communications with chromium child profile via unix sockets
|
||||
unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
|
||||
|
||||
profile chromium {
|
||||
# Allow all the same accesses as other applications in the guest session
|
||||
#include <abstractions/lightdm>
|
||||
|
||||
# but also allow a few things because of chromium-browser's sandboxing that
|
||||
# are not appropriate to other guest session applications.
|
||||
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
|
||||
@{PROC}/sys/kernel/shmmax r,
|
||||
capability sys_admin, # for sandbox to change namespaces
|
||||
capability sys_chroot, # fod sandbox to chroot to a safe directory
|
||||
capability setgid, # for sandbox to drop privileges
|
||||
capability setuid, # for sandbox to drop privileges
|
||||
capability sys_ptrace, # chromium needs this to keep track of itself
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
|
||||
# Allow ptrace reads of processes in the lightdm-guest-session
|
||||
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
|
||||
# Allow other guest session processes to read and trace us
|
||||
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
|
||||
ptrace (readby, tracedby) peer=@{profile_name},
|
||||
|
||||
# Allow us to receive and send signals from processes in the
|
||||
# lightdm-guest-session
|
||||
signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
|
||||
|
||||
# Allow us to receive and send on unix sockets from processes in the
|
||||
# lightdm-guest-session
|
||||
unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
|
||||
|
||||
@{PROC}/[0-9]*/ r, # sandbox wants these
|
||||
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
|
||||
@{PROC}/[0-9]*/statm r, # sandbox wants these
|
||||
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
|
||||
|
||||
owner @{PROC}/@{pid}/setgroups w,
|
||||
owner @{PROC}/@{pid}/uid_map w,
|
||||
owner @{PROC}/@{pid}/gid_map w,
|
||||
|
||||
/selinux/ r,
|
||||
|
||||
/usr/lib/chromium/chrome-sandbox ix,
|
||||
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
|
||||
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
|
||||
/opt/google/chrome-*/chrome-sandbox ix,
|
||||
}
|
13
apparmor.d/abstractions/likewise
Normal file
13
apparmor.d/abstractions/likewise
Normal file
|
@ -0,0 +1,13 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/tmp/.lwidentity/pipe rw,
|
||||
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
|
225
apparmor.d/abstractions/lxc/container-base
Normal file
225
apparmor.d/abstractions/lxc/container-base
Normal file
|
@ -0,0 +1,225 @@
|
|||
network,
|
||||
capability,
|
||||
file,
|
||||
umount,
|
||||
|
||||
# dbus, signal, ptrace and unix are only supported by recent apparmor
|
||||
# versions. Comment them if the apparmor parser doesn't recognize them.
|
||||
|
||||
# This also needs additional rules to reach outside of the container via
|
||||
# DBus, so just let all of DBus within the container.
|
||||
dbus,
|
||||
|
||||
# Allow us to receive signals from anywhere. Note: if per-container profiles
|
||||
# are supported, for container isolation this should be changed to something
|
||||
# like:
|
||||
# signal (receive) peer=unconfined,
|
||||
# signal (receive) peer=/usr/bin/lxc-start,
|
||||
signal (receive),
|
||||
|
||||
# Allow us to send signals to ourselves
|
||||
signal peer=@{profile_name},
|
||||
|
||||
# Allow other processes to read our /proc entries, futexes, perf tracing and
|
||||
# kcmp for now (they will need 'read' in the first place). Administrators can
|
||||
# override with:
|
||||
# deny ptrace (readby) ...
|
||||
ptrace (readby),
|
||||
|
||||
# Allow other processes to trace us by default (they will need 'trace' in
|
||||
# the first place). Administrators can override with:
|
||||
# deny ptrace (tracedby) ...
|
||||
ptrace (tracedby),
|
||||
|
||||
# Allow us to ptrace ourselves
|
||||
ptrace peer=@{profile_name},
|
||||
|
||||
# Allow receive via unix sockets from anywhere. Note: if per-container
|
||||
# profiles are supported, for container isolation this should be changed to
|
||||
# something like:
|
||||
# unix (receive) peer=(label=unconfined),
|
||||
unix (receive),
|
||||
|
||||
# Allow all unix in the container
|
||||
unix peer=(label=@{profile_name}),
|
||||
|
||||
# ignore DENIED message on / remount
|
||||
deny mount options=(ro, remount) -> /,
|
||||
deny mount options=(ro, remount, silent) -> /,
|
||||
|
||||
# allow tmpfs mounts everywhere
|
||||
mount fstype=tmpfs,
|
||||
|
||||
# allow hugetlbfs mounts everywhere
|
||||
mount fstype=hugetlbfs,
|
||||
|
||||
# allow mqueue mounts everywhere
|
||||
mount fstype=mqueue,
|
||||
|
||||
# allow fuse mounts everywhere
|
||||
mount fstype=fuse,
|
||||
mount fstype=fuse.*,
|
||||
|
||||
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
|
||||
deny @{PROC}/bus/** wklx,
|
||||
|
||||
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
||||
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
||||
deny @{PROC}/sys/fs/** wklx,
|
||||
|
||||
# allow efivars to be mounted, writing to it will be blocked though
|
||||
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
||||
|
||||
# block some other dangerous paths
|
||||
deny @{PROC}/kcore rwklx,
|
||||
deny @{PROC}/sysrq-trigger rwklx,
|
||||
deny @{PROC}/acpi/** rwklx,
|
||||
|
||||
# deny writes in /sys except for /sys/fs/cgroup, also allow
|
||||
# fusectl, securityfs and debugfs to be mounted there (read-only)
|
||||
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
||||
mount fstype=securityfs -> /sys/kernel/security/,
|
||||
mount fstype=debugfs -> /sys/kernel/debug/,
|
||||
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
|
||||
mount fstype=proc -> /proc/,
|
||||
mount fstype=sysfs -> /sys/,
|
||||
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
|
||||
deny /sys/firmware/efi/efivars/** rwklx,
|
||||
deny /sys/kernel/security/** rwklx,
|
||||
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
|
||||
|
||||
# deny reads from debugfs
|
||||
deny /sys/kernel/debug/{,**} rwklx,
|
||||
|
||||
# allow paths to be made slave, shared, private or unbindable
|
||||
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
|
||||
# mount options=(rw,make-slave) -> **,
|
||||
# mount options=(rw,make-rslave) -> **,
|
||||
# mount options=(rw,make-shared) -> **,
|
||||
# mount options=(rw,make-rshared) -> **,
|
||||
# mount options=(rw,make-private) -> **,
|
||||
# mount options=(rw,make-rprivate) -> **,
|
||||
# mount options=(rw,make-unbindable) -> **,
|
||||
# mount options=(rw,make-runbindable) -> **,
|
||||
|
||||
# allow bind-mounts of anything except /proc, /sys and /dev
|
||||
mount options=(rw,bind) /[^spd]*{,/**},
|
||||
mount options=(rw,bind) /d[^e]*{,/**},
|
||||
mount options=(rw,bind) /de[^v]*{,/**},
|
||||
mount options=(rw,bind) /dev/.[^l]*{,/**},
|
||||
mount options=(rw,bind) /dev/.l[^x]*{,/**},
|
||||
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
|
||||
mount options=(rw,bind) /dev/.lxc?*{,/**},
|
||||
mount options=(rw,bind) /dev/[^.]*{,/**},
|
||||
mount options=(rw,bind) /dev?*{,/**},
|
||||
mount options=(rw,bind) /p[^r]*{,/**},
|
||||
mount options=(rw,bind) /pr[^o]*{,/**},
|
||||
mount options=(rw,bind) /pro[^c]*{,/**},
|
||||
mount options=(rw,bind) /proc?*{,/**},
|
||||
mount options=(rw,bind) /s[^y]*{,/**},
|
||||
mount options=(rw,bind) /sy[^s]*{,/**},
|
||||
mount options=(rw,bind) /sys?*{,/**},
|
||||
|
||||
# allow various ro-bind-*re*-mounts
|
||||
mount options=(ro,remount,bind),
|
||||
mount options=(ro,remount,bind,nosuid),
|
||||
mount options=(ro,remount,bind,noexec),
|
||||
mount options=(ro,remount,bind,nodev),
|
||||
mount options=(ro,remount,bind,nosuid,noexec),
|
||||
mount options=(ro,remount,bind,noexec,nodev),
|
||||
mount options=(ro,remount,bind,nodev,nosuid),
|
||||
mount options=(ro,remount,bind,nosuid,noexec,nodev),
|
||||
|
||||
# allow moving mounts except for /proc, /sys and /dev
|
||||
mount options=(rw,move) /[^spd]*{,/**},
|
||||
mount options=(rw,move) /d[^e]*{,/**},
|
||||
mount options=(rw,move) /de[^v]*{,/**},
|
||||
mount options=(rw,move) /dev/.[^l]*{,/**},
|
||||
mount options=(rw,move) /dev/.l[^x]*{,/**},
|
||||
mount options=(rw,move) /dev/.lx[^c]*{,/**},
|
||||
mount options=(rw,move) /dev/.lxc?*{,/**},
|
||||
mount options=(rw,move) /dev/[^.]*{,/**},
|
||||
mount options=(rw,move) /dev?*{,/**},
|
||||
mount options=(rw,move) /p[^r]*{,/**},
|
||||
mount options=(rw,move) /pr[^o]*{,/**},
|
||||
mount options=(rw,move) /pro[^c]*{,/**},
|
||||
mount options=(rw,move) /proc?*{,/**},
|
||||
mount options=(rw,move) /s[^y]*{,/**},
|
||||
mount options=(rw,move) /sy[^s]*{,/**},
|
||||
mount options=(rw,move) /sys?*{,/**},
|
||||
# generated by: lxc-generate-aa-rules.py container-rules.base
|
||||
deny /proc/sys/[^kn]*{,/**} wklx,
|
||||
deny /proc/sys/k[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ke[^r]*{,/**} wklx,
|
||||
deny /proc/sys/ker[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kern[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kerne[^l]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/msg*/** wklx,
|
||||
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/sem*/** wklx,
|
||||
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/shm*/** wklx,
|
||||
deny /proc/sys/kernel?*{,/**} wklx,
|
||||
deny /proc/sys/n[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ne[^t]*{,/**} wklx,
|
||||
deny /proc/sys/net?*{,/**} wklx,
|
||||
deny /sys/[^fdc]*{,/**} wklx,
|
||||
deny /sys/c[^l]*{,/**} wklx,
|
||||
deny /sys/cl[^a]*{,/**} wklx,
|
||||
deny /sys/cla[^s]*{,/**} wklx,
|
||||
deny /sys/clas[^s]*{,/**} wklx,
|
||||
deny /sys/class/[^n]*{,/**} wklx,
|
||||
deny /sys/class/n[^e]*{,/**} wklx,
|
||||
deny /sys/class/ne[^t]*{,/**} wklx,
|
||||
deny /sys/class/net?*{,/**} wklx,
|
||||
deny /sys/class?*{,/**} wklx,
|
||||
deny /sys/d[^e]*{,/**} wklx,
|
||||
deny /sys/de[^v]*{,/**} wklx,
|
||||
deny /sys/dev[^i]*{,/**} wklx,
|
||||
deny /sys/devi[^c]*{,/**} wklx,
|
||||
deny /sys/devic[^e]*{,/**} wklx,
|
||||
deny /sys/device[^s]*{,/**} wklx,
|
||||
deny /sys/devices/[^v]*{,/**} wklx,
|
||||
deny /sys/devices/v[^i]*{,/**} wklx,
|
||||
deny /sys/devices/vi[^r]*{,/**} wklx,
|
||||
deny /sys/devices/vir[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virt[^u]*{,/**} wklx,
|
||||
deny /sys/devices/virtu[^a]*{,/**} wklx,
|
||||
deny /sys/devices/virtua[^l]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/[^n]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/net?*{,/**} wklx,
|
||||
deny /sys/devices/virtual?*{,/**} wklx,
|
||||
deny /sys/devices?*{,/**} wklx,
|
||||
deny /sys/f[^s]*{,/**} wklx,
|
||||
deny /sys/fs/[^c]*{,/**} wklx,
|
||||
deny /sys/fs/c[^g]*{,/**} wklx,
|
||||
deny /sys/fs/cg[^r]*{,/**} wklx,
|
||||
deny /sys/fs/cgr[^o]*{,/**} wklx,
|
||||
deny /sys/fs/cgro[^u]*{,/**} wklx,
|
||||
deny /sys/fs/cgrou[^p]*{,/**} wklx,
|
||||
deny /sys/fs/cgroup?*{,/**} wklx,
|
||||
deny /sys/fs?*{,/**} wklx,
|
50
apparmor.d/abstractions/lxc/start-container
Normal file
50
apparmor.d/abstractions/lxc/start-container
Normal file
|
@ -0,0 +1,50 @@
|
|||
network,
|
||||
capability,
|
||||
file,
|
||||
|
||||
# The following 3 entries are only supported by recent apparmor versions.
|
||||
# Comment them if the apparmor parser doesn't recognize them.
|
||||
dbus,
|
||||
signal,
|
||||
ptrace,
|
||||
|
||||
# currently blocked by apparmor bug
|
||||
mount -> /usr/lib*/*/lxc/{**,},
|
||||
mount -> /usr/lib*/lxc/{**,},
|
||||
mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
|
||||
mount fstype=devpts -> /dev/pts/,
|
||||
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
|
||||
mount options=bind /dev/pts/** -> /dev/**,
|
||||
mount options=(rw, make-slave) -> **,
|
||||
mount options=(rw, make-rslave) -> **,
|
||||
mount fstype=debugfs,
|
||||
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
|
||||
mount -> /var/lib/lxc/{**,},
|
||||
|
||||
mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
|
||||
mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
|
||||
|
||||
# required for some pre-mount hooks
|
||||
mount fstype=overlayfs,
|
||||
mount fstype=aufs,
|
||||
mount fstype=ecryptfs,
|
||||
|
||||
# all umounts are under the original root's /mnt, but right now we
|
||||
# can't allow those umounts after pivot_root. So allow all umounts
|
||||
# right now. They'll be restricted for the container at least.
|
||||
umount,
|
||||
#umount /mnt/{**,},
|
||||
|
||||
# This may look a bit redundant, however it appears we need all of
|
||||
# them if we want things to work properly on all combinations of kernel
|
||||
# and userspace parser...
|
||||
pivot_root /usr/lib*/lxc/,
|
||||
pivot_root /usr/lib*/*/lxc/,
|
||||
pivot_root /usr/lib*/lxc/**,
|
||||
pivot_root /usr/lib*/*/lxc/**,
|
||||
pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
|
||||
|
||||
change_profile -> lxc-*,
|
||||
change_profile -> lxc-**,
|
||||
change_profile -> unconfined,
|
||||
change_profile -> :lxc-*:unconfined,
|
13
apparmor.d/abstractions/mdns
Normal file
13
apparmor.d/abstractions/mdns
Normal file
|
@ -0,0 +1,13 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# mdnsd
|
||||
/etc/nss_mdns.conf r,
|
||||
/{,var/}run/mdnsd w,
|
17
apparmor.d/abstractions/mesa
Normal file
17
apparmor.d/abstractions/mesa
Normal file
|
@ -0,0 +1,17 @@
|
|||
# vim:syntax=apparmor
|
||||
# Rules for Mesa implementation of the OpenGL API
|
||||
|
||||
# System files
|
||||
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
||||
|
||||
# Needed to check if the kernel supports the i915 perf interface
|
||||
# (src/intel/perf/gen_perf.c, load_oa_metrics())
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
|
||||
# User files
|
||||
owner @{HOME}/.cache/ w, # if user clears all caches
|
||||
owner @{HOME}/.cache/mesa_shader_cache/ w,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/index rw,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
|
||||
|
31
apparmor.d/abstractions/mesa-cache-write
Normal file
31
apparmor.d/abstractions/mesa-cache-write
Normal file
|
@ -0,0 +1,31 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2018-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
# System files
|
||||
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
||||
|
||||
# Mesa cache (since mesa v18.1.1)
|
||||
owner @{HOME}/.cache/mesa_shader_cache/ rw,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/index rw,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||
|
||||
# If the dir in @{HOME}/.cache is not writable, it uses a dir in /tmp/
|
||||
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
|
||||
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
|
||||
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
|
||||
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
|
||||
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
|
||||
|
||||
|
17
apparmor.d/abstractions/mir
Normal file
17
apparmor.d/abstractions/mir
Normal file
|
@ -0,0 +1,17 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2015 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# mir libraries sometimes do not have a lib prefix
|
||||
# see LP: #1422521
|
||||
/usr/lib/@{multiarch}/mir/*.so* mr,
|
||||
/usr/lib/@{multiarch}/mir/**/*.so* mr,
|
||||
|
||||
# unprivileged mir socket for clients
|
12
apparmor.d/abstractions/mozc
Normal file
12
apparmor.d/abstractions/mozc
Normal file
|
@ -0,0 +1,12 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
|
15
apparmor.d/abstractions/mysql
Normal file
15
apparmor.d/abstractions/mysql
Normal file
|
@ -0,0 +1,15 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2013 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/var/lib/mysql{,d}/mysql{,d}.sock rw,
|
||||
/{var/,}run/mysql{,d}/mysql{,d}.sock rw,
|
||||
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
|
||||
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
|
106
apparmor.d/abstractions/nameservice
Normal file
106
apparmor.d/abstractions/nameservice
Normal file
|
@ -0,0 +1,106 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# Many programs wish to perform nameservice-like operations, such as
|
||||
# looking up users by name or id, groups by name or id, hosts by name
|
||||
# or IP, etc. These operations may be performed through files, dns,
|
||||
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
|
||||
/etc/group r,
|
||||
/etc/host.conf r,
|
||||
/etc/hosts r,
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/gai.conf r,
|
||||
/etc/passwd r,
|
||||
/etc/protocols r,
|
||||
|
||||
# libtirpc (used for NIS/YP login) needs this
|
||||
/etc/netconfig r,
|
||||
|
||||
# When using libnss-extrausers, the passwd and group files are merged from
|
||||
# an alternate path
|
||||
/var/lib/extrausers/group r,
|
||||
/var/lib/extrausers/passwd r,
|
||||
|
||||
# NSS records from systemd-userdbd.service
|
||||
/{,var/}run/systemd/userdb/ r,
|
||||
/{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
# When using sssd, the passwd and group files are stored in an alternate path
|
||||
# and the nss plugin also needs to talk to a pipe
|
||||
/var/lib/sss/mc/group r,
|
||||
/var/lib/sss/mc/initgroups r,
|
||||
/var/lib/sss/mc/passwd r,
|
||||
/var/lib/sss/pipes/nss rw,
|
||||
|
||||
/etc/resolv.conf r,
|
||||
# On systems where /etc/resolv.conf is managed programmatically, it is
|
||||
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
|
||||
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
|
||||
/etc/resolvconf/run/resolv.conf r,
|
||||
/{,var/}run/systemd/resolve/stub-resolv.conf r,
|
||||
|
||||
/etc/samba/lmhosts r,
|
||||
/etc/services r,
|
||||
# db backend
|
||||
/var/lib/misc/*.db r,
|
||||
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
||||
# to vast speed increases when working with network-based lookups.
|
||||
/{,var/}run/.nscd_socket rw,
|
||||
/{,var/}run/nscd/socket rw,
|
||||
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
|
||||
# nscd renames and unlinks files in it's operation that clients will
|
||||
# have open
|
||||
/{,var/}run/nscd/db* rmix,
|
||||
|
||||
# The nss libraries are sometimes used in addition to PAM; make sure
|
||||
# they are available
|
||||
/{usr/,}lib{,32,64}/libnss_*.so* mr,
|
||||
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
|
||||
/etc/default/nss r,
|
||||
|
||||
# avahi-daemon is used for mdns4 resolution
|
||||
/{,var/}run/avahi-daemon/socket rw,
|
||||
|
||||
# libnl-3-200 via libnss-gw-name
|
||||
@{PROC}/@{pid}/net/psched r,
|
||||
/etc/libnl-*/classid r,
|
||||
|
||||
# nis
|
||||
#include <abstractions/nis>
|
||||
|
||||
# ldap
|
||||
#include <abstractions/ldapclient>
|
||||
|
||||
# winbind
|
||||
#include <abstractions/winbind>
|
||||
|
||||
# likewise
|
||||
#include <abstractions/likewise>
|
||||
|
||||
# mdnsd
|
||||
#include <abstractions/mdns>
|
||||
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
|
||||
# TCP/UDP network access
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
||||
# TODO: adjust when support finer-grained netlink rules
|
||||
# Netlink raw needed for nscd
|
||||
network netlink raw,
|
||||
|
||||
# interface details
|
||||
@{PROC}/@{pid}/net/route r,
|
29
apparmor.d/abstractions/nameservice-strict
Normal file
29
apparmor.d/abstractions/nameservice-strict
Normal file
|
@ -0,0 +1,29 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2019-2020 Mikhail Morfikov
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#abi <abi/3.0>,
|
||||
|
||||
/etc/hosts r,
|
||||
/etc/host.conf r,
|
||||
/etc/resolv.conf r,
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/passwd r,
|
||||
/etc/gai.conf r,
|
||||
/etc/group r,
|
||||
/etc/protocols r,
|
||||
/etc/default/nss r,
|
||||
/etc/services r,
|
||||
|
||||
# NSS records from systemd-userdbd.service
|
||||
/{var,}run/systemd/userdb/ r,
|
||||
/{var,}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
15
apparmor.d/abstractions/nis
Normal file
15
apparmor.d/abstractions/nis
Normal file
|
@ -0,0 +1,15 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# NIS rules
|
||||
/var/yp/binding/* r,
|
||||
# portmapper may ask root processes to do nis/ldap at low ports
|
||||
capability net_bind_service,
|
||||
|
28
apparmor.d/abstractions/nvidia
Normal file
28
apparmor.d/abstractions/nvidia
Normal file
|
@ -0,0 +1,28 @@
|
|||
# vim:syntax=apparmor
|
||||
# nvidia access requirements
|
||||
|
||||
# configuration queries
|
||||
capability ipc_lock,
|
||||
|
||||
/usr/share/nvidia/nvidia-application-profiles* r,
|
||||
|
||||
# libvdpau config file for nvidia workarounds
|
||||
/etc/vdpau_wrapper.cfg r,
|
||||
|
||||
# device files
|
||||
/dev/nvidiactl rw,
|
||||
/dev/nvidia-modeset rw,
|
||||
/dev/nvidia[0-9]* rw,
|
||||
|
||||
@{PROC}/interrupts r,
|
||||
@{PROC}/sys/vm/max_map_count r,
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
|
||||
@{sys}/devices/system/memory/block_size_bytes r,
|
||||
|
||||
owner @{HOME}/.nv/ w,
|
||||
owner @{HOME}/.nv/GLCache/ rw,
|
||||
owner @{HOME}/.nv/GLCache/** rwk,
|
||||
|
||||
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
|
9
apparmor.d/abstractions/opencl
Normal file
9
apparmor.d/abstractions/opencl
Normal file
|
@ -0,0 +1,9 @@
|
|||
# vim:syntax=apparmor
|
||||
# OpenCL access requirements
|
||||
|
||||
# TODO: use conditionals to select allowed implementations
|
||||
#include <abstractions/opencl-intel>
|
||||
#include <abstractions/opencl-mesa>
|
||||
#include <abstractions/opencl-nvidia>
|
||||
#include <abstractions/opencl-pocl>
|
||||
|
10
apparmor.d/abstractions/opencl-common
Normal file
10
apparmor.d/abstractions/opencl-common
Normal file
|
@ -0,0 +1,10 @@
|
|||
# vim:syntax=apparmor
|
||||
# implementation-independent OpenCL access requirements
|
||||
|
||||
# System files
|
||||
|
||||
/etc/OpenCL/** r,
|
||||
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
|
||||
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
|
||||
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
|
||||
|
17
apparmor.d/abstractions/opencl-intel
Normal file
17
apparmor.d/abstractions/opencl-intel
Normal file
|
@ -0,0 +1,17 @@
|
|||
# vim:syntax=apparmor
|
||||
# OpenCL access requirements for Intel implementation
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
|
||||
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
|
||||
#include <abstractions/X>
|
||||
|
||||
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
|
||||
#include <abstractions/dri-enumerate>
|
||||
|
||||
# System files
|
||||
|
||||
/dev/dri/card[0-9]* rw, # beignet/libcl.so
|
||||
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
|
||||
/usr/lib/@{multiarch}/beignet/** r,
|
||||
|
20
apparmor.d/abstractions/opencl-mesa
Normal file
20
apparmor.d/abstractions/opencl-mesa
Normal file
|
@ -0,0 +1,20 @@
|
|||
# vim:syntax=apparmor
|
||||
# OpenCL access requirements for Mesa implementation
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
|
||||
# Additional libraries
|
||||
|
||||
/usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
|
||||
/usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
|
||||
|
||||
# System files
|
||||
|
||||
/dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
|
||||
/dev/dri/render* rw, # libMesaOpenCL.so
|
||||
/etc/drirc r, # libMesaOpenCL.so
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
|
||||
|
30
apparmor.d/abstractions/opencl-nvidia
Normal file
30
apparmor.d/abstractions/opencl-nvidia
Normal file
|
@ -0,0 +1,30 @@
|
|||
# vim:syntax=apparmor
|
||||
# OpenCL access requirements for NVIDIA implementation
|
||||
|
||||
#include <abstractions/nvidia>
|
||||
#include <abstractions/opencl-common>
|
||||
|
||||
# Executables
|
||||
|
||||
# https://github.com/NVIDIA/nvidia-modprobe
|
||||
# This setuid executable is used to create various device files and load the
|
||||
# the nvidia kernel module.
|
||||
/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
|
||||
|
||||
# System files
|
||||
|
||||
# libnvidia-opencl.so rules:
|
||||
/dev/nvidia-uvm rw,
|
||||
/dev/nvidia-uvm-tools rw,
|
||||
@{sys}/devices/pci[0-9]*/**/config r,
|
||||
@{sys}/devices/system/memory/block_size_bytes r,
|
||||
/usr/share/nvidia/** r,
|
||||
@{PROC}/devices r,
|
||||
@{PROC}/sys/vm/mmap_min_addr r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.nv/ComputeCache/ w,
|
||||
owner @{HOME}/.nv/ComputeCache/** rw,
|
||||
owner @{HOME}/.nv/ComputeCache/index rwk,
|
||||
|
76
apparmor.d/abstractions/opencl-pocl
Normal file
76
apparmor.d/abstractions/opencl-pocl
Normal file
|
@ -0,0 +1,76 @@
|
|||
# vim:syntax=apparmor
|
||||
# OpenCL access requirements for POCL implementation
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
|
||||
# Executables
|
||||
|
||||
/usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
|
||||
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
|
||||
|
||||
# System files
|
||||
|
||||
/ r, # libpocl.so -> libhwloc.so
|
||||
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
|
||||
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
|
||||
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
|
||||
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
|
||||
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
|
||||
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
|
||||
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
|
||||
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
|
||||
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
|
||||
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
|
||||
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
|
||||
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
|
||||
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
|
||||
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
|
||||
/usr/share/pocl/** r,
|
||||
/{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/pocl/ w,
|
||||
owner @{HOME}/.cache/pocl/kcache/ w,
|
||||
owner @{HOME}/.cache/pocl/kcache/** rw,
|
||||
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
|
||||
owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
|
||||
|
||||
# Child profiles
|
||||
|
||||
profile opencl_pocl_ld {
|
||||
#include <abstractions/base>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/{,@{multiarch}-}ld.bfd mr,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
|
||||
owner @{HOME}/.cache/pocl/kcache/**.so.o r,
|
||||
}
|
||||
|
||||
profile opencl_pocl_clang {
|
||||
#include <abstractions/base>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
|
||||
|
||||
# Additional executables
|
||||
|
||||
/usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
|
||||
|
||||
# System files
|
||||
|
||||
/etc/debian-version r,
|
||||
/etc/lsb-release r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
|
||||
}
|
||||
|
14
apparmor.d/abstractions/openssl
Normal file
14
apparmor.d/abstractions/openssl
Normal file
|
@ -0,0 +1,14 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2011 Novell/SUSE
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/ssl/openssl.cnf r,
|
||||
/usr/share/ssl/openssl.cnf r,
|
||||
@{PROC}/sys/crypto/fips_enabled r,
|
||||
|
5
apparmor.d/abstractions/orbit2
Normal file
5
apparmor.d/abstractions/orbit2
Normal file
|
@ -0,0 +1,5 @@
|
|||
# vim:syntax=apparmor
|
||||
# orbit2 permissions
|
||||
|
||||
# system library
|
||||
/usr/lib/orbit-2.0/*.so mr,
|
27
apparmor.d/abstractions/p11-kit
Normal file
27
apparmor.d/abstractions/p11-kit
Normal file
|
@ -0,0 +1,27 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/pkcs11/ r,
|
||||
/etc/pkcs11/pkcs11.conf r,
|
||||
/etc/pkcs11/modules/ r,
|
||||
/etc/pkcs11/modules/* r,
|
||||
|
||||
/usr/lib{,32,64}/pkcs11/*.so mr,
|
||||
/usr/lib/@{multiarch}/pkcs11/*.so mr,
|
||||
|
||||
/usr/share/p11-kit/modules/ r,
|
||||
/usr/share/p11-kit/modules/* r,
|
||||
|
||||
# gnome-keyring pkcs11 module
|
||||
owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
|
||||
|
||||
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
|
||||
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
|
||||
# included in this abstraction.
|
23
apparmor.d/abstractions/perl
Normal file
23
apparmor.d/abstractions/perl
Normal file
|
@ -0,0 +1,23 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# a few files typically required for perl scripts
|
||||
/usr/bin/perl rmix,
|
||||
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
|
||||
|
||||
/usr/lib{,32,64}/perl5/** r,
|
||||
/usr/lib{,32,64}/perl{,5}/**.so* mr,
|
||||
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
|
||||
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
|
||||
|
||||
/usr/share/perl/** r,
|
||||
/usr/share/perl5/** r,
|
||||
/etc/perl/** r,
|
39
apparmor.d/abstractions/php
Normal file
39
apparmor.d/abstractions/php
Normal file
|
@ -0,0 +1,39 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2009-2010 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# shared snippets for config files
|
||||
/etc/php{,5,7}/**/ r,
|
||||
/etc/php{,5,7}/**.ini r,
|
||||
|
||||
# Xlibs
|
||||
/usr/X11R6/lib{,32,64}/lib*.so* mr,
|
||||
# php extensions
|
||||
/usr/lib{64,}/php{,5,7}/*/*.so mr,
|
||||
|
||||
# ICU (unicode support) data tables
|
||||
/usr/share/icu/*/*.dat r,
|
||||
|
||||
# php session mmap socket
|
||||
/var/lib/php{,5,7}/session_mm_* rwlk,
|
||||
# file based session handler
|
||||
/var/lib/php{,5,7}/sess_* rwlk,
|
||||
/var/lib/php{,5,7}/sessions/* rwlk,
|
||||
|
||||
# php libraries
|
||||
/usr/share/php{,5,7}/ r,
|
||||
/usr/share/php{,5,7}/** mr,
|
||||
|
||||
# MySQL extension
|
||||
/usr/share/mysql/** r,
|
||||
|
||||
# Zend opcache
|
||||
/tmp/.ZendSem.* rwlk,
|
3
apparmor.d/abstractions/php5
Normal file
3
apparmor.d/abstractions/php5
Normal file
|
@ -0,0 +1,3 @@
|
|||
#backwards compatibility include, actual abstraction moved from php5 to php
|
||||
|
||||
#include <abstractions/php>
|
37
apparmor.d/abstractions/postfix-common
Normal file
37
apparmor.d/abstractions/postfix-common
Normal file
|
@ -0,0 +1,37 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2015 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
# used with postfix/*
|
||||
|
||||
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability sys_chroot,
|
||||
|
||||
# postfix's master can send us signals
|
||||
signal receive peer=/usr/lib/postfix/master,
|
||||
signal receive peer=postfix-master,
|
||||
|
||||
unix (send, receive) peer=(label=/usr/lib/postfix/master),
|
||||
unix (send, receive) peer=(label=postfix-master),
|
||||
|
||||
/etc/mailname r,
|
||||
/etc/postfix/*.cf r,
|
||||
/etc/postfix/*.db rk,
|
||||
@{PROC}/net/if_inet6 r,
|
||||
/usr/lib/postfix/*.so mr,
|
||||
/usr/lib{,32,64}/sasl2/* mr,
|
||||
/usr/lib{,32,64}/sasl2/ r,
|
||||
/usr/lib/@{multiarch}/sasl2/* mr,
|
||||
/usr/lib/@{multiarch}/sasl2/ r,
|
||||
|
||||
/var/spool/postfix/etc/* r,
|
||||
/var/spool/postfix/lib/lib*.so* mr,
|
||||
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
|
47
apparmor.d/abstractions/private-files
Normal file
47
apparmor.d/abstractions/private-files
Normal file
|
@ -0,0 +1,47 @@
|
|||
# vim:syntax=apparmor
|
||||
# privacy-violations contains rules for common files that you want to
|
||||
# explicitly deny access
|
||||
|
||||
# privacy violations (don't audit files under $HOME otherwise get a
|
||||
# lot of false positives when reading contents of directories)
|
||||
deny @{HOME}/.*history mrwkl,
|
||||
deny @{HOME}/.fetchmail* mrwkl,
|
||||
deny @{HOME}/.mutt** mrwkl,
|
||||
deny @{HOME}/.viminfo* mrwkl,
|
||||
deny @{HOME}/.*~ mrwkl,
|
||||
deny @{HOME}/.*.swp mrwkl,
|
||||
deny @{HOME}/.*~1~ mrwkl,
|
||||
deny @{HOME}/.*.bak mrwkl,
|
||||
|
||||
# special attention to (potentially) executable files
|
||||
audit deny @{HOME}/bin/{,**} wl,
|
||||
audit deny @{HOME}/.config/ w,
|
||||
audit deny @{HOME}/.config/autostart/{,**} wl,
|
||||
audit deny @{HOME}/.config/upstart/{,**} wl,
|
||||
audit deny @{HOME}/.init/{,**} wl,
|
||||
audit deny @{HOME}/.kde{,4}/ w,
|
||||
audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
|
||||
audit deny @{HOME}/.kde{,4}/env/{,**} wl,
|
||||
audit deny @{HOME}/.local/{,share/} w,
|
||||
audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
|
||||
audit deny @{HOME}/.pki/ w,
|
||||
audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
|
||||
|
||||
# don't allow reading/updating of run control files
|
||||
deny @{HOME}/.*rc mrk,
|
||||
audit deny @{HOME}/.*rc wl,
|
||||
|
||||
# bash
|
||||
deny @{HOME}/.bash* mrk,
|
||||
audit deny @{HOME}/.bash* wl,
|
||||
deny @{HOME}/.inputrc mrk,
|
||||
audit deny @{HOME}/.inputrc wl,
|
||||
|
||||
# sh/dash/csh/tcsh/pdksh/zsh
|
||||
deny @{HOME}/.{,z}profile* mrk,
|
||||
audit deny @{HOME}/.{,z}profile* wl,
|
||||
deny @{HOME}/.{,z}log{in,out} mrk,
|
||||
audit deny @{HOME}/.{,z}log{in,out} wl,
|
||||
|
||||
deny @{HOME}/.zshenv mrk,
|
||||
audit deny @{HOME}/.zshenv wl,
|
25
apparmor.d/abstractions/private-files-strict
Normal file
25
apparmor.d/abstractions/private-files-strict
Normal file
|
@ -0,0 +1,25 @@
|
|||
# vim:syntax=apparmor
|
||||
# privacy-violations-strict contains additional rules for sensitive
|
||||
# files that you want to explicitly deny access
|
||||
|
||||
#include <abstractions/private-files>
|
||||
|
||||
# potentially extremely sensitive files
|
||||
audit deny @{HOME}/.aws/{,**} mrwkl,
|
||||
audit deny @{HOME}/.gnupg/{,**} mrwkl,
|
||||
audit deny @{HOME}/.ssh/{,**} mrwkl,
|
||||
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
|
||||
audit deny @{HOME}/.gnome2/ w,
|
||||
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
|
||||
# don't allow access to any gnome-keyring modules
|
||||
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
|
||||
audit deny @{HOME}/.mozilla/{,**} mrwkl,
|
||||
audit deny @{HOME}/.config/ w,
|
||||
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
|
||||
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
|
||||
audit deny @{HOME}/.evolution/{,**} mrwkl,
|
||||
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
||||
|
41
apparmor.d/abstractions/python
Normal file
41
apparmor.d/abstractions/python
Normal file
|
@ -0,0 +1,41 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
|
||||
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
|
||||
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
|
||||
/usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
|
||||
|
||||
# Site-wide configuration
|
||||
/etc/python{2.[4-7],3.[0-9]}/** r,
|
||||
|
||||
# shared python paths
|
||||
/usr/share/{pyshared,pycentral,python-support}/** r,
|
||||
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
|
||||
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
|
||||
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
|
||||
/usr/lib/python3/dist-packages/**.so mr,
|
||||
|
||||
# wx paths
|
||||
/usr/lib/wx/python/*.pth r,
|
||||
|
||||
# python build configuration and headers
|
||||
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
|
||||
|
||||
# Silencer
|
||||
deny /usr/lib{,32,64}/python*/** w,
|
22
apparmor.d/abstractions/qt5
Normal file
22
apparmor.d/abstractions/qt5
Normal file
|
@ -0,0 +1,22 @@
|
|||
# vim:syntax=apparmor
|
||||
# Common rules for Qt5-based applications
|
||||
|
||||
# Additional libraries
|
||||
|
||||
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
|
||||
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
|
||||
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
|
||||
|
||||
# System files
|
||||
|
||||
/etc/xdg/QtProject/qtlogging.ini r,
|
||||
/usr/share/qt5/translations/*.qm r,
|
||||
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
|
||||
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/QtProject/qtlogging.ini r,
|
||||
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
|
||||
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
|
||||
|
8
apparmor.d/abstractions/qt5-compose-cache-write
Normal file
8
apparmor.d/abstractions/qt5-compose-cache-write
Normal file
|
@ -0,0 +1,8 @@
|
|||
# vim:syntax=apparmor
|
||||
# Allow writing cache for Qt5 "platforminputcontexts" plugins
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
||||
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
||||
|
11
apparmor.d/abstractions/qt5-settings-write
Normal file
11
apparmor.d/abstractions/qt5-settings-write
Normal file
|
@ -0,0 +1,11 @@
|
|||
# vim:syntax=apparmor
|
||||
# Allow writing shared settings for Qt-based applications
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
# for temporary files like QtProject.conf.Aqrgeb
|
||||
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
|
||||
owner @{HOME}/.config/QtProject.conf.lock rwk,
|
||||
|
10
apparmor.d/abstractions/recent-documents-write
Normal file
10
apparmor.d/abstractions/recent-documents-write
Normal file
|
@ -0,0 +1,10 @@
|
|||
# vim:syntax=apparmor
|
||||
# Allow updating recent documents
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.local/share/RecentDocuments/ rw,
|
||||
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
|
||||
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> /home/*/.local/share/RecentDocuments/#[0-9]*,
|
||||
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
|
||||
|
21
apparmor.d/abstractions/ruby
Normal file
21
apparmor.d/abstractions/ruby
Normal file
|
@ -0,0 +1,21 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
|
||||
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
|
||||
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
|
||||
|
||||
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
|
||||
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
|
||||
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
|
||||
|
||||
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
|
||||
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
|
27
apparmor.d/abstractions/samba
Normal file
27
apparmor.d/abstractions/samba
Normal file
|
@ -0,0 +1,27 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009-2010 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/samba/* r,
|
||||
/usr/lib*/ldb/*.so mr,
|
||||
/usr/lib*/samba/ldb/*.so mr,
|
||||
/usr/share/samba/*.dat r,
|
||||
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
|
||||
/var/cache/samba/ w,
|
||||
/var/cache/samba/lck/* rwk,
|
||||
/var/lib/samba/** rwk,
|
||||
/var/log/samba/cores/ rw,
|
||||
/var/log/samba/cores/** rw,
|
||||
/var/log/samba/* w,
|
||||
/{,var/}run/samba/ w,
|
||||
/{,var/}run/samba/*.tdb rw,
|
||||
|
||||
# required for clustering
|
||||
/var/lib/ctdb/** rwk,
|
13
apparmor.d/abstractions/smbpass
Normal file
13
apparmor.d/abstractions/smbpass
Normal file
|
@ -0,0 +1,13 @@
|
|||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# libpam-smbpass/pam_smbpass.so permissions
|
||||
/var/lib/samba/*.[lt]db rwk,
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue