mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
update profiles for apparmor3
This commit is contained in:
parent
503cf496bf
commit
7067edcf70
78
apparmor.d/abi/3.0
Normal file
78
apparmor.d/abi/3.0
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
query {label {multi_transaction {yes
|
||||||
|
}
|
||||||
|
data {yes
|
||||||
|
}
|
||||||
|
perms {allow deny audit quiet
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dbus {mask {acquire send receive
|
||||||
|
}
|
||||||
|
}
|
||||||
|
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ptrace {mask {read trace
|
||||||
|
}
|
||||||
|
}
|
||||||
|
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
capability {0xffffff
|
||||||
|
}
|
||||||
|
namespaces {pivot_root {no
|
||||||
|
}
|
||||||
|
profile {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
mount {mask {mount umount pivot_root
|
||||||
|
}
|
||||||
|
}
|
||||||
|
network {af_unix {yes
|
||||||
|
}
|
||||||
|
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
|
||||||
|
}
|
||||||
|
}
|
||||||
|
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file {mask {create read write exec append mmap_exec link lock
|
||||||
|
}
|
||||||
|
}
|
||||||
|
domain {version {1.2
|
||||||
|
}
|
||||||
|
attach_conditions {xattr {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
computed_longest_left {yes
|
||||||
|
}
|
||||||
|
post_nnp_subset {yes
|
||||||
|
}
|
||||||
|
fix_binfmt_elf_mmap {yes
|
||||||
|
}
|
||||||
|
stack {yes
|
||||||
|
}
|
||||||
|
change_profile {yes
|
||||||
|
}
|
||||||
|
change_onexec {yes
|
||||||
|
}
|
||||||
|
change_hatv {yes
|
||||||
|
}
|
||||||
|
change_hat {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
policy {set_load {yes
|
||||||
|
}
|
||||||
|
versions {v8 {yes
|
||||||
|
}
|
||||||
|
v7 {yes
|
||||||
|
}
|
||||||
|
v6 {yes
|
||||||
|
}
|
||||||
|
v5 {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
76
apparmor.d/abi/kernel-5.4-outoftree-network
Normal file
76
apparmor.d/abi/kernel-5.4-outoftree-network
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
query {label {multi_transaction {yes
|
||||||
|
}
|
||||||
|
data {yes
|
||||||
|
}
|
||||||
|
perms {allow deny audit quiet
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dbus {mask {acquire send receive
|
||||||
|
}
|
||||||
|
}
|
||||||
|
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ptrace {mask {read trace
|
||||||
|
}
|
||||||
|
}
|
||||||
|
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
capability {0xffffff
|
||||||
|
}
|
||||||
|
namespaces {pivot_root {no
|
||||||
|
}
|
||||||
|
profile {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
mount {mask {mount umount pivot_root
|
||||||
|
}
|
||||||
|
}
|
||||||
|
network {af_unix {yes
|
||||||
|
}
|
||||||
|
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file {mask {create read write exec append mmap_exec link lock
|
||||||
|
}
|
||||||
|
}
|
||||||
|
domain {version {1.2
|
||||||
|
}
|
||||||
|
attach_conditions {xattr {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
computed_longest_left {yes
|
||||||
|
}
|
||||||
|
post_nnp_subset {yes
|
||||||
|
}
|
||||||
|
fix_binfmt_elf_mmap {yes
|
||||||
|
}
|
||||||
|
stack {yes
|
||||||
|
}
|
||||||
|
change_profile {yes
|
||||||
|
}
|
||||||
|
change_onexec {yes
|
||||||
|
}
|
||||||
|
change_hatv {yes
|
||||||
|
}
|
||||||
|
change_hat {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
policy {set_load {yes
|
||||||
|
}
|
||||||
|
versions {v8 {yes
|
||||||
|
}
|
||||||
|
v7 {yes
|
||||||
|
}
|
||||||
|
v6 {yes
|
||||||
|
}
|
||||||
|
v5 {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
68
apparmor.d/abi/kernel-5.4-vanilla
Normal file
68
apparmor.d/abi/kernel-5.4-vanilla
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
query {label {multi_transaction {yes
|
||||||
|
}
|
||||||
|
data {yes
|
||||||
|
}
|
||||||
|
perms {allow deny audit quiet
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ptrace {mask {read trace
|
||||||
|
}
|
||||||
|
}
|
||||||
|
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
capability {0xffffff
|
||||||
|
}
|
||||||
|
namespaces {pivot_root {no
|
||||||
|
}
|
||||||
|
profile {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
mount {mask {mount umount pivot_root
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file {mask {create read write exec append mmap_exec link lock
|
||||||
|
}
|
||||||
|
}
|
||||||
|
domain {version {1.2
|
||||||
|
}
|
||||||
|
attach_conditions {xattr {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
computed_longest_left {yes
|
||||||
|
}
|
||||||
|
post_nnp_subset {yes
|
||||||
|
}
|
||||||
|
fix_binfmt_elf_mmap {yes
|
||||||
|
}
|
||||||
|
stack {yes
|
||||||
|
}
|
||||||
|
change_profile {yes
|
||||||
|
}
|
||||||
|
change_onexec {yes
|
||||||
|
}
|
||||||
|
change_hatv {yes
|
||||||
|
}
|
||||||
|
change_hat {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
policy {set_load {yes
|
||||||
|
}
|
||||||
|
versions {v8 {yes
|
||||||
|
}
|
||||||
|
v7 {yes
|
||||||
|
}
|
||||||
|
v6 {yes
|
||||||
|
}
|
||||||
|
v5 {yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -11,13 +11,14 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
#include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
|
|
||||||
|
|
||||||
# .ICEauthority files required for X authentication, per user
|
# .ICEauthority files required for X authentication, per user
|
||||||
owner @{HOME}/.ICEauthority r,
|
owner @{HOME}/.ICEauthority r,
|
||||||
|
owner @{run}/user/*/ICEauthority r,
|
||||||
|
|
||||||
# .Xauthority files required for X connections, per user
|
# .Xauthority files required for X connections, per user
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
@ -30,7 +31,7 @@
|
|||||||
owner @{run}/user/*/xauth_* r,
|
owner @{run}/user/*/xauth_* r,
|
||||||
|
|
||||||
# the unix socket to use to connect to the display
|
# the unix socket to use to connect to the display
|
||||||
/tmp/.X11-unix/* rw,
|
/tmp/.X11-unix/* r,
|
||||||
unix (connect, receive, send)
|
unix (connect, receive, send)
|
||||||
type=stream
|
type=stream
|
||||||
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||||
@ -58,7 +59,10 @@
|
|||||||
/etc/X11/cursors/** r,
|
/etc/X11/cursors/** r,
|
||||||
|
|
||||||
# Xwayland
|
# Xwayland
|
||||||
owner /run/user/*/.mutter-Xwaylandauth.* r,
|
owner @{run}/user/*/.mutter-Xwaylandauth.* r,
|
||||||
|
|
||||||
# Available Xsessions
|
# Available Xsessions
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/X.d>
|
||||||
|
@ -2,7 +2,9 @@
|
|||||||
|
|
||||||
# This file contains basic permissions for Apache and every vHost
|
# This file contains basic permissions for Apache and every vHost
|
||||||
|
|
||||||
#include <abstractions/nameservice>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/nameservice>
|
||||||
|
|
||||||
# Allow unconfined processes to send us signals by default
|
# Allow unconfined processes to send us signals by default
|
||||||
signal (receive) peer=unconfined,
|
signal (receive) peer=unconfined,
|
||||||
@ -20,7 +22,7 @@
|
|||||||
/usr/share/apache2/** r,
|
/usr/share/apache2/** r,
|
||||||
|
|
||||||
# changehat itself
|
# changehat itself
|
||||||
@{PROC}/@{pid}/attr/current rw,
|
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
|
||||||
|
|
||||||
# htaccess files - for what ever it is worth
|
# htaccess files - for what ever it is worth
|
||||||
/**/.htaccess r,
|
/**/.htaccess r,
|
||||||
@ -28,7 +30,10 @@
|
|||||||
/dev/urandom r,
|
/dev/urandom r,
|
||||||
|
|
||||||
# sasl-auth
|
# sasl-auth
|
||||||
/run/saslauthd/mux rw,
|
@{run}/saslauthd/mux rw,
|
||||||
|
|
||||||
# OCSP stapling
|
# OCSP stapling
|
||||||
/var/log/apache2/stapling-cache rw,
|
@{run}/lock/apache2/stapling-cache* rw,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/apache2-common.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Root app location
|
# Root app location
|
||||||
/ r,
|
/ r,
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# User app location
|
# User app location
|
||||||
/ r,
|
/ r,
|
||||||
|
@ -6,6 +6,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#include <abstractions/apparmor_api/introspect>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
@{PROC}/@{tid}/attr/{current,exec} w,
|
include <abstractions/apparmor_api/introspect>
|
||||||
|
|
||||||
|
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,
|
||||||
|
@ -9,4 +9,6 @@
|
|||||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||||
# when using this abstraction, if not tunables/global.
|
# when using this abstraction, if not tunables/global.
|
||||||
|
|
||||||
@{PROC}/@{pids}/attr/{current,prev,exec} r,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,
|
||||||
|
@ -6,6 +6,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
#permissions needed for aa_find_mountpoint
|
#permissions needed for aa_find_mountpoint
|
||||||
|
|
||||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||||
|
@ -6,7 +6,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Make sure to include at least tunables/proc and tunables/kernelvars
|
# Make sure to include at least tunables/proc and tunables/kernelvars
|
||||||
# when using this abstraction, if not tunables/global.
|
# when using this abstraction, if not tunables/global.
|
||||||
|
|
||||||
@{PROC}/@{tid}/attr/{current,prev,exec} r,
|
@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,
|
||||||
|
@ -6,12 +6,14 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# permissions needed for aa_is_enabled
|
# permissions needed for aa_is_enabled
|
||||||
|
|
||||||
# Make sure to include tunables/apparmorfs and tunables/global
|
# Make sure to include tunables/apparmorfs and tunables/global
|
||||||
# when using this abstraction
|
# when using this abstraction
|
||||||
|
|
||||||
#include <abstractions/apparmor_api/find_mountpoint>
|
include <abstractions/apparmor_api/find_mountpoint>
|
||||||
@{sys}/module/apparmor/parameters/enabled r,
|
@{sys}/module/apparmor/parameters/enabled r,
|
||||||
|
|
||||||
# TODO: add alternate apparmorfs interface for enabled
|
# TODO: add alternate apparmorfs interface for enabled
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/etc/apt/apt.conf r,
|
/etc/apt/apt.conf r,
|
||||||
/etc/apt/apt.conf.d/{,*} r,
|
/etc/apt/apt.conf.d/{,*} r,
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# aspell permissions
|
# aspell permissions
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# per-user settings and dictionaries
|
# per-user settings and dictionaries
|
||||||
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
|
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
|
||||||
|
|
||||||
@ -11,3 +13,6 @@
|
|||||||
/usr/share/aspell/ r,
|
/usr/share/aspell/ r,
|
||||||
/usr/share/aspell/* r,
|
/usr/share/aspell/* r,
|
||||||
/var/lib/aspell/* r,
|
/var/lib/aspell/* r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/aspell.d>
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
|
||||||
/dev/admmidi* rw,
|
/dev/admmidi* rw,
|
||||||
@ -56,13 +57,15 @@ owner @{HOME}/.cache/event-sound-cache.* rwk,
|
|||||||
# pulse
|
# pulse
|
||||||
/etc/pulse/ r,
|
/etc/pulse/ r,
|
||||||
/etc/pulse/** r,
|
/etc/pulse/** r,
|
||||||
/{run,dev}/shm/ r,
|
/dev/shm/ r,
|
||||||
owner /{run,dev}/shm/pulse-shm* rwk,
|
@{run}/shm/ r,
|
||||||
|
owner /dev/shm/pulse-shm* rwk,
|
||||||
|
owner @{run}/shm/pulse-shm* rwk,
|
||||||
owner @{HOME}/.pulse-cookie rwk,
|
owner @{HOME}/.pulse-cookie rwk,
|
||||||
owner @{HOME}/.pulse/ rw,
|
owner @{HOME}/.pulse/ rw,
|
||||||
owner @{HOME}/.pulse/* rwk,
|
owner @{HOME}/.pulse/* rwk,
|
||||||
owner /{,var/}run/user/*/pulse/ rw,
|
owner @{run}/user/*/pulse/ rw,
|
||||||
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
|
owner @{run}/user/*/pulse/{native,pid} rwk,
|
||||||
owner @{HOME}/.config/pulse/*.conf r,
|
owner @{HOME}/.config/pulse/*.conf r,
|
||||||
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
|
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
|
||||||
owner @{HOME}/.config/pulse/cookie rwk,
|
owner @{HOME}/.config/pulse/cookie rwk,
|
||||||
@ -86,3 +89,6 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
|
|||||||
|
|
||||||
# wildmidi
|
# wildmidi
|
||||||
/etc/wildmidi/wildmidi.cfg r,
|
/etc/wildmidi/wildmidi.cfg r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/audio.d>
|
||||||
|
@ -10,18 +10,19 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
|
||||||
# Some services need to perform authentication of users
|
# Some services need to perform authentication of users
|
||||||
# Such authentication almost certainly needs access to the local users
|
# Such authentication almost certainly needs access to the local users
|
||||||
# databases containing passwords, PAM configuration files, PAM libraries
|
# databases containing passwords, PAM configuration files, PAM libraries
|
||||||
/{usr/,}etc/nologin r,
|
@{etc_ro}/nologin r,
|
||||||
/{usr/,}etc/pam.d/* r,
|
@{etc_ro}/pam.d/* r,
|
||||||
/{usr/,}etc/securetty r,
|
@{etc_ro}/securetty r,
|
||||||
/{usr/,}etc/security/* r,
|
@{etc_ro}/security/* r,
|
||||||
/{usr/,}etc/shadow r,
|
@{etc_ro}/shadow r,
|
||||||
/{usr/,}etc/gshadow r,
|
@{etc_ro}/gshadow r,
|
||||||
/{usr/,}etc/pwdb.conf r,
|
@{etc_ro}/pwdb.conf r,
|
||||||
|
|
||||||
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
|
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
|
||||||
/{usr/,}lib{,32,64}/security/pam_*.so mr,
|
/{usr/,}lib{,32,64}/security/pam_*.so mr,
|
||||||
@ -31,22 +32,25 @@
|
|||||||
/{usr/,}lib/@{multiarch}/security/ r,
|
/{usr/,}lib/@{multiarch}/security/ r,
|
||||||
|
|
||||||
# kerberos
|
# kerberos
|
||||||
#include <abstractions/kerberosclient>
|
include <abstractions/kerberosclient>
|
||||||
# SuSE's pwdutils are different:
|
# SuSE's pwdutils are different:
|
||||||
/{usr/,}etc/default/passwd r,
|
@{etc_ro}/default/passwd r,
|
||||||
/{usr/,}etc/login.defs r,
|
@{etc_ro}/login.defs r,
|
||||||
|
|
||||||
# nis
|
# nis
|
||||||
#include <abstractions/nis>
|
include <abstractions/nis>
|
||||||
|
|
||||||
# winbind
|
# winbind
|
||||||
#include <abstractions/winbind>
|
include <abstractions/winbind>
|
||||||
|
|
||||||
# likewise
|
# likewise
|
||||||
#include <abstractions/likewise>
|
include <abstractions/likewise>
|
||||||
|
|
||||||
# smbpass
|
# smbpass
|
||||||
#include <abstractions/smbpass>
|
include <abstractions/smbpass>
|
||||||
|
|
||||||
# p11-kit (PKCS#11 modules configuration)
|
# p11-kit (PKCS#11 modules configuration)
|
||||||
#include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/authentication.d>
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
|
||||||
# (Note that the ldd profile has inlined this file; if you make
|
# (Note that the ldd profile has inlined this file; if you make
|
||||||
@ -26,10 +27,10 @@
|
|||||||
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
|
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
|
||||||
# time and getrandom()/{,u}random and, when available, runs under an
|
# time and getrandom()/{,u}random and, when available, runs under an
|
||||||
# unprivilged, dedicated user).
|
# unprivilged, dedicated user).
|
||||||
/run/uuidd/request r,
|
@{run}/uuidd/request r,
|
||||||
/etc/locale/** r,
|
@{etc_ro}/locale/** r,
|
||||||
/etc/locale.alias r,
|
@{etc_ro}/locale.alias r,
|
||||||
/etc/localtime r,
|
@{etc_ro}/localtime r,
|
||||||
/etc/writable/localtime r,
|
/etc/writable/localtime r,
|
||||||
/usr/share/locale-bundle/** r,
|
/usr/share/locale-bundle/** r,
|
||||||
/usr/share/locale-langpack/** r,
|
/usr/share/locale-langpack/** r,
|
||||||
@ -39,13 +40,13 @@
|
|||||||
/usr/share/zoneinfo/ r,
|
/usr/share/zoneinfo/ r,
|
||||||
/usr/share/zoneinfo/** r,
|
/usr/share/zoneinfo/** r,
|
||||||
/usr/share/X11/locale/** r,
|
/usr/share/X11/locale/** r,
|
||||||
/run/systemd/journal/dev-log w,
|
@{run}/systemd/journal/dev-log w,
|
||||||
# systemd native journal API (see sd_journal_print(4))
|
# systemd native journal API (see sd_journal_print(4))
|
||||||
/run/systemd/journal/socket w,
|
@{run}/systemd/journal/socket w,
|
||||||
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
|
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
|
||||||
# be required but applications fail without it. journald doesn't leak
|
# be required but applications fail without it. journald doesn't leak
|
||||||
# anything when reading so this is ok.
|
# anything when reading so this is ok.
|
||||||
/run/systemd/journal/stdout rw,
|
@{run}/systemd/journal/stdout rw,
|
||||||
|
|
||||||
/usr/lib{,32,64}/locale/** mr,
|
/usr/lib{,32,64}/locale/** mr,
|
||||||
/usr/lib{,32,64}/gconv/*.so mr,
|
/usr/lib{,32,64}/gconv/*.so mr,
|
||||||
@ -54,14 +55,14 @@
|
|||||||
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
|
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
|
||||||
|
|
||||||
# used by glibc when binding to ephemeral ports
|
# used by glibc when binding to ephemeral ports
|
||||||
/etc/bindresvport.blacklist r,
|
@{etc_ro}/bindresvport.blacklist r,
|
||||||
|
|
||||||
# ld.so.cache and ld are used to load shared libraries; they are best
|
# ld.so.cache and ld are used to load shared libraries; they are best
|
||||||
# available everywhere
|
# available everywhere
|
||||||
/etc/ld.so.cache mr,
|
@{etc_ro}/ld.so.cache mr,
|
||||||
/etc/ld.so.conf r,
|
@{etc_ro}/ld.so.conf r,
|
||||||
/etc/ld.so.conf.d/{,*.conf} r,
|
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
|
||||||
/etc/ld.so.preload r,
|
@{etc_ro}/ld.so.preload r,
|
||||||
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
|
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
|
||||||
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
|
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
|
||||||
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
|
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
|
||||||
@ -76,6 +77,11 @@
|
|||||||
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
|
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
|
||||||
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
|
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
|
||||||
|
|
||||||
|
# FIPS-140-2 versions of some crypto libraries need to access their
|
||||||
|
# associated integrity verification file, or they will abort.
|
||||||
|
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
|
||||||
|
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
|
||||||
|
|
||||||
# /dev/null is pretty harmless and frequently used
|
# /dev/null is pretty harmless and frequently used
|
||||||
/dev/null rw,
|
/dev/null rw,
|
||||||
# as is /dev/zero
|
# as is /dev/zero
|
||||||
@ -180,3 +186,6 @@
|
|||||||
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
|
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
|
||||||
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
|
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/base.d>
|
||||||
|
@ -8,6 +8,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# user-specific bash files
|
# user-specific bash files
|
||||||
@{HOMEDIRS} r,
|
@{HOMEDIRS} r,
|
||||||
@{HOME}/.bashrc r,
|
@{HOME}/.bashrc r,
|
||||||
@ -42,3 +44,6 @@
|
|||||||
/etc/DIR_COLORS r,
|
/etc/DIR_COLORS r,
|
||||||
/{usr/,}bin/ls mix,
|
/{usr/,}bin/ls mix,
|
||||||
/usr/bin/dircolors mix,
|
/usr/bin/dircolors mix,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/bash.d>
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
|
||||||
# there are three common ways to refer to consoles
|
# there are three common ways to refer to consoles
|
||||||
@ -21,4 +22,6 @@
|
|||||||
/dev/pts/[0-9]* rw,
|
/dev/pts/[0-9]* rw,
|
||||||
/dev/pts/ r,
|
/dev/pts/ r,
|
||||||
|
|
||||||
/dev/ptmx rw,
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/consoles.d>
|
||||||
|
@ -9,10 +9,15 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# discoverable system configuration for non-local cupsd
|
# discoverable system configuration for non-local cupsd
|
||||||
/etc/cups/client.conf r,
|
/etc/cups/client.conf r,
|
||||||
# client should be able to talk the local cupsd
|
# client should be able to talk the local cupsd
|
||||||
/{,var/}run/cups/cups.sock rw,
|
@{run}/cups/cups.sock rw,
|
||||||
# client should be able to read user-specified cups configuration
|
# client should be able to read user-specified cups configuration
|
||||||
owner @{HOME}/.cups/client.conf r,
|
owner @{HOME}/.cups/client.conf r,
|
||||||
owner @{HOME}/.cups/lpoptions r,
|
owner @{HOME}/.cups/lpoptions r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/cups-client.d>
|
||||||
|
@ -9,8 +9,13 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction grants full system bus access. Consider using the
|
# This abstraction grants full system bus access. Consider using the
|
||||||
# dbus-strict abstraction for fine-grained bus mediation.
|
# dbus-strict abstraction for fine-grained bus mediation.
|
||||||
|
|
||||||
#include <abstractions/dbus-strict>
|
include <abstractions/dbus-strict>
|
||||||
dbus bus=system,
|
dbus bus=system,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus.d>
|
||||||
|
@ -9,8 +9,13 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction grants full accessibility bus access. Consider using the
|
# This abstraction grants full accessibility bus access. Consider using the
|
||||||
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
|
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
|
||||||
|
|
||||||
#include <abstractions/dbus-accessibility-strict>
|
include <abstractions/dbus-accessibility-strict>
|
||||||
dbus bus=accessibility,
|
dbus bus=accessibility,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus-accessibility.d>
|
||||||
|
@ -9,9 +9,14 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
dbus send
|
dbus send
|
||||||
bus=accessibility
|
bus=accessibility
|
||||||
path=/org/freedesktop/DBus
|
path=/org/freedesktop/DBus
|
||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus-accessibility-strict.d>
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
dbus send
|
dbus send
|
||||||
bus=system
|
bus=system
|
||||||
path=/org/freedesktop/NetworkManager
|
path=/org/freedesktop/NetworkManager
|
||||||
@ -42,4 +44,4 @@
|
|||||||
member=GetSettings
|
member=GetSettings
|
||||||
peer=(name=org.freedesktop.NetworkManager),
|
peer=(name=org.freedesktop.NetworkManager),
|
||||||
|
|
||||||
#include if exists <abstractions/dbus-network-manager-strict.d>
|
include if exists <abstractions/dbus-network-manager-strict.d>
|
||||||
|
@ -9,9 +9,14 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction grants full session bus access. Consider using the
|
# This abstraction grants full session bus access. Consider using the
|
||||||
# dbus-session-strict abstraction for fine-grained bus mediation.
|
# dbus-session-strict abstraction for fine-grained bus mediation.
|
||||||
|
|
||||||
#include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
/usr/bin/dbus-launch ix,
|
/usr/bin/dbus-launch ix,
|
||||||
dbus bus=session,
|
dbus bus=session,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus-session.d>
|
||||||
|
@ -9,17 +9,18 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# unique per-machine identifier
|
# unique per-machine identifier
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
owner /run/user/*/bus rw,
|
|
||||||
|
|
||||||
unix (connect, receive, send)
|
unix (connect, receive, send)
|
||||||
type=stream
|
type=stream
|
||||||
peer=(addr="@/tmp/dbus-*"),
|
peer=(addr="@/tmp/dbus-*"),
|
||||||
|
|
||||||
# dbus with systemd and --enable-user-session
|
# dbus with systemd and --enable-user-session
|
||||||
owner /run/user/[0-9]*/bus rw,
|
owner @{run}/user/[0-9]*/bus rw,
|
||||||
|
|
||||||
dbus send
|
dbus send
|
||||||
bus=session
|
bus=session
|
||||||
@ -27,3 +28,6 @@
|
|||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus-session-strict.d>
|
||||||
|
@ -9,7 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
/{,var/}run/dbus/system_bus_socket rw,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
@{run}/dbus/system_bus_socket rw,
|
||||||
|
|
||||||
dbus send
|
dbus send
|
||||||
bus=system
|
bus=system
|
||||||
@ -17,3 +19,6 @@
|
|||||||
interface=org.freedesktop.DBus
|
interface=org.freedesktop.DBus
|
||||||
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dbus-strict.d>
|
||||||
|
@ -1,8 +1,13 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# permissions for querying dconf settings; granting write access should
|
# permissions for querying dconf settings; granting write access should
|
||||||
# be specified in a specific application's profile.
|
# be specified in a specific application's profile.
|
||||||
|
|
||||||
/etc/dconf/** r,
|
/etc/dconf/** r,
|
||||||
owner /{,var/}run/user/*/dconf/user r,
|
owner @{run}/user/*/dconf/user r,
|
||||||
owner @{HOME}/.config/dconf/user r,
|
owner @{HOME}/.config/dconf/user r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dconf.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
deny /etc/dconf/{,**} r,
|
deny /etc/dconf/{,**} r,
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
|
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
|
||||||
# needed files in the user home dir.
|
# needed files in the user home dir.
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
|
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
|
||||||
audit deny /root/{,**} rwkmlx,
|
audit deny /root/{,**} rwkmlx,
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# The /sys/ entries probably should be tightened
|
# The /sys/ entries probably should be tightened
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# The /sys/ entries probably should be tightened
|
# The /sys/ entries probably should be tightened
|
||||||
|
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# used with dovecot/*
|
# used with dovecot/*
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
capability setgid,
|
capability setgid,
|
||||||
|
|
||||||
deny capability block_suspend,
|
deny capability block_suspend,
|
||||||
@ -16,4 +18,7 @@
|
|||||||
# dovecot's master can send us signals
|
# dovecot's master can send us signals
|
||||||
signal receive peer=dovecot,
|
signal receive peer=dovecot,
|
||||||
|
|
||||||
/{var/,}run/dovecot/config rw,
|
owner @{run}/dovecot/config rw,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dovecot-common.d>
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This file contains common DRI-specific rules useful for GUI applications
|
# This file contains common DRI-specific rules useful for GUI applications
|
||||||
# (needed by libdrm and similar).
|
# (needed by libdrm and similar).
|
||||||
|
|
||||||
@ -12,3 +14,6 @@
|
|||||||
/usr/share/drirc.d/{,*.conf} r,
|
/usr/share/drirc.d/{,*.conf} r,
|
||||||
owner @{HOME}/.drirc r,
|
owner @{HOME}/.drirc r,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dri-common.d>
|
||||||
|
@ -1,8 +1,13 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This file contains common DRI-specific rules useful for GUI applications that
|
# This file contains common DRI-specific rules useful for GUI applications that
|
||||||
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
|
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
|
||||||
# libdrm).
|
# libdrm).
|
||||||
|
|
||||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/dri-enumerate.d>
|
||||||
|
@ -9,14 +9,18 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# abstraction for Enchant spellchecking frontend
|
# abstraction for Enchant spellchecking frontend
|
||||||
|
|
||||||
/usr/share/enchant/ r,
|
/usr/share/enchant/ r,
|
||||||
/usr/share/enchant/enchant.ordering r,
|
/usr/share/enchant/enchant.ordering r,
|
||||||
/usr/share/enchant-[0-9]*/enchant.ordering r,
|
|
||||||
|
/usr/share/enchant-2/ r,
|
||||||
|
/usr/share/enchant-2/enchant.ordering r,
|
||||||
|
|
||||||
# aspell
|
# aspell
|
||||||
#include <abstractions/aspell>
|
include <abstractions/aspell>
|
||||||
/var/lib/dictionaries-common/aspell/ r,
|
/var/lib/dictionaries-common/aspell/ r,
|
||||||
/var/lib/dictionaries-common/aspell/* r,
|
/var/lib/dictionaries-common/aspell/* r,
|
||||||
|
|
||||||
@ -55,3 +59,6 @@
|
|||||||
# per-user dictionaries
|
# per-user dictionaries
|
||||||
owner @{HOME}/.config/enchant/ rw,
|
owner @{HOME}/.config/enchant/ rw,
|
||||||
owner @{HOME}/.config/enchant/* rwk,
|
owner @{HOME}/.config/enchant/* rwk,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/enchant.d>
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
# abstraction used by evince binaries
|
# abstraction used by evince binaries
|
||||||
#
|
#
|
||||||
|
|
||||||
#include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
#include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
#include <abstractions/ubuntu-helpers>
|
include <abstractions/ubuntu-helpers>
|
||||||
|
|
||||||
@{PROC}/[0-9]*/fd/ r,
|
@{PROC}/[0-9]*/fd/ r,
|
||||||
@{PROC}/[0-9]*/mountinfo r,
|
@{PROC}/[0-9]*/mountinfo r,
|
||||||
@ -94,7 +94,7 @@
|
|||||||
# access to the Cache directory, which the browser may tell evince to open
|
# access to the Cache directory, which the browser may tell evince to open
|
||||||
# from directly.
|
# from directly.
|
||||||
|
|
||||||
#include <abstractions/private-files>
|
include <abstractions/private-files>
|
||||||
audit deny @{HOME}/.gnupg/** mrwkl,
|
audit deny @{HOME}/.gnupg/** mrwkl,
|
||||||
audit deny @{HOME}/.ssh/** mrwkl,
|
audit deny @{HOME}/.ssh/** mrwkl,
|
||||||
audit deny @{HOME}/.gnome2_private/** mrwkl,
|
audit deny @{HOME}/.gnome2_private/** mrwkl,
|
||||||
@ -117,8 +117,8 @@
|
|||||||
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
|
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
|
||||||
|
|
||||||
# When LP: #451422 is fixed, change the above to simply be:
|
# When LP: #451422 is fixed, change the above to simply be:
|
||||||
##include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
#owner @{HOME}/.mozilla/**/*Cache/* r,
|
#owner @{HOME}/.mozilla/**/*Cache/* r,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
#include <local/usr.bin.evince>
|
include <local/usr.bin.evince>
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction is designed to be used in a child profile to limit what
|
# This abstraction is designed to be used in a child profile to limit what
|
||||||
# confined application can invoke via exo-open helper.
|
# confined application can invoke via exo-open helper.
|
||||||
#
|
#
|
||||||
@ -18,27 +20,27 @@
|
|||||||
#
|
#
|
||||||
# # out-of-line child profile
|
# # out-of-line child profile
|
||||||
# profile foo//exo-open {
|
# profile foo//exo-open {
|
||||||
# #include <abstractions/exo-open>
|
# include <abstractions/exo-open>
|
||||||
#
|
#
|
||||||
# # needed for ubuntu-* abstractions
|
# # needed for ubuntu-* abstractions
|
||||||
# #include <abstractions/ubuntu-helpers>
|
# include <abstractions/ubuntu-helpers>
|
||||||
#
|
#
|
||||||
# # Only allow to handle http[s]: and mailto: links
|
# # Only allow to handle http[s]: and mailto: links
|
||||||
# #include <abstractions/ubuntu-browsers>
|
# include <abstractions/ubuntu-browsers>
|
||||||
# #include <abstractions/ubuntu-email>
|
# include <abstractions/ubuntu-email>
|
||||||
#
|
#
|
||||||
# # Add if accesibility access is considered as required
|
# # Add if accesibility access is considered as required
|
||||||
# # (for message boxe in case exo-open fails)
|
# # (for message boxe in case exo-open fails)
|
||||||
# #include <abstractions/dbus-accessibility>
|
# include <abstractions/dbus-accessibility>
|
||||||
#
|
#
|
||||||
# # < add additional allowed applications here >
|
# # < add additional allowed applications here >
|
||||||
# }
|
# }
|
||||||
|
|
||||||
#include <abstractions/X>
|
include <abstractions/X>
|
||||||
#include <abstractions/audio> # for alert messages
|
include <abstractions/audio> # for alert messages
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
#include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
#include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -71,4 +73,4 @@
|
|||||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
||||||
|
|
||||||
# Include additions to the abstraction
|
# Include additions to the abstraction
|
||||||
#include if exists <abstractions/exo-open.d>
|
include if exists <abstractions/exo-open.d>
|
||||||
|
@ -9,5 +9,10 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#include <abstractions/fcitx-strict>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/fcitx-strict>
|
||||||
dbus bus=fcitx,
|
dbus bus=fcitx,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/fcitx.d>
|
||||||
|
@ -9,7 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#include <abstractions/dbus-session-strict>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/dbus-session-strict>
|
||||||
|
|
||||||
dbus send
|
dbus send
|
||||||
bus=fcitx
|
bus=fcitx
|
||||||
@ -19,3 +21,6 @@
|
|||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
owner @{HOME}/.config/fcitx/dbus/* r,
|
owner @{HOME}/.config/fcitx/dbus/* r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/fcitx-strict.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
deny @{PROC}/@{pid}/mountinfo r,
|
deny @{PROC}/@{pid}/mountinfo r,
|
||||||
deny @{PROC}/@{pid}/mounts r,
|
deny @{PROC}/@{pid}/mounts r,
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Flatpak
|
# Flatpak
|
||||||
/var/lib/flatpak/exports/share/{,**} r,
|
/var/lib/flatpak/exports/share/{,**} r,
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# The fontconfig cache can be generated via the following command:
|
# The fontconfig cache can be generated via the following command:
|
||||||
# $ fc-cache -f -v
|
# $ fc-cache -f -v
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
owner @{HOME}/.cache/fontconfig/ rw,
|
owner @{HOME}/.cache/fontconfig/ rw,
|
||||||
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
|
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
|
||||||
|
@ -10,6 +10,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/usr/share/AbiSuite/fonts/** r,
|
/usr/share/AbiSuite/fonts/** r,
|
||||||
|
|
||||||
/usr/lib/xorg/modules/fonts/**.so* mr,
|
/usr/lib/xorg/modules/fonts/**.so* mr,
|
||||||
@ -59,3 +61,6 @@
|
|||||||
|
|
||||||
# data files for LibThai
|
# data files for LibThai
|
||||||
/usr/share/libthai/thbrk.tri r,
|
/usr/share/libthai/thbrk.tri r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/fonts.d>
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# system configuration
|
# system configuration
|
||||||
@{system_share_dirs}/applications/{**,} r,
|
@{system_share_dirs}/applications/{**,} r,
|
||||||
@{system_share_dirs}/icons/{**,} r,
|
@{system_share_dirs}/icons/{**,} r,
|
||||||
@ -18,7 +20,8 @@
|
|||||||
@{system_share_dirs}/mime/** r,
|
@{system_share_dirs}/mime/** r,
|
||||||
|
|
||||||
# per-user configurations
|
# per-user configurations
|
||||||
owner @{HOME}/.icons/{**,} r,
|
owner @{HOME}/.icons/ r,
|
||||||
|
owner @{HOME}/.icons/default/index.theme r,
|
||||||
owner @{HOME}/.recently-used.xbel* rw,
|
owner @{HOME}/.recently-used.xbel* rw,
|
||||||
owner @{HOME}/.local/share/recently-used.xbel* rw,
|
owner @{HOME}/.local/share/recently-used.xbel* rw,
|
||||||
owner @{HOME}/.config/user-dirs.dirs r,
|
owner @{HOME}/.config/user-dirs.dirs r,
|
||||||
@ -26,3 +29,6 @@
|
|||||||
owner @{user_share_dirs}/applications/{**,} r,
|
owner @{user_share_dirs}/applications/{**,} r,
|
||||||
owner @{user_share_dirs}/icons/{**,} r,
|
owner @{user_share_dirs}/icons/{**,} r,
|
||||||
owner @{user_share_dirs}/mime/{**,} r,
|
owner @{user_share_dirs}/mime/{**,} r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/freedesktop.org.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
owner @{HOME}/.fzf/{,**} r,
|
owner @{HOME}/.fzf/{,**} r,
|
||||||
|
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction is designed to be used in a child profile to limit what
|
# This abstraction is designed to be used in a child profile to limit what
|
||||||
# confined application can invoke via gio helper.
|
# confined application can invoke via gio helper.
|
||||||
#
|
#
|
||||||
@ -18,20 +20,20 @@
|
|||||||
#
|
#
|
||||||
# # out-of-line child profile
|
# # out-of-line child profile
|
||||||
# profile foo//gio-open {
|
# profile foo//gio-open {
|
||||||
# #include <abstractions/gio-open>
|
# include <abstractions/gio-open>
|
||||||
#
|
#
|
||||||
# # needed for ubuntu-* abstractions
|
# # needed for ubuntu-* abstractions
|
||||||
# #include <abstractions/ubuntu-helpers>
|
# include <abstractions/ubuntu-helpers>
|
||||||
#
|
#
|
||||||
# # Only allow to handle http[s]: and mailto: links
|
# # Only allow to handle http[s]: and mailto: links
|
||||||
# #include <abstractions/ubuntu-browsers>
|
# include <abstractions/ubuntu-browsers>
|
||||||
# #include <abstractions/ubuntu-email>
|
# include <abstractions/ubuntu-email>
|
||||||
#
|
#
|
||||||
# # < add additional allowed applications here >
|
# # < add additional allowed applications here >
|
||||||
# }
|
# }
|
||||||
|
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
#include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -54,4 +56,4 @@
|
|||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
# Include additions to the abstraction
|
# Include additions to the abstraction
|
||||||
#include if exists <abstractions/gio-open.d>
|
include if exists <abstractions/gio-open.d>
|
||||||
|
@ -9,13 +9,16 @@
|
|||||||
# License published by the Free Software Foundation.
|
# License published by the Free Software Foundation.
|
||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/fonts>
|
abi <abi/3.0>,
|
||||||
#include <abstractions/X>
|
|
||||||
#include <abstractions/freedesktop.org>
|
include <abstractions/base>
|
||||||
#include <abstractions/xdg-desktop>
|
include <abstractions/fonts>
|
||||||
#include <abstractions/user-tmp>
|
include <abstractions/X>
|
||||||
#include <abstractions/wayland>
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/xdg-desktop>
|
||||||
|
include <abstractions/user-tmp>
|
||||||
|
include <abstractions/wayland>
|
||||||
|
|
||||||
# systemwide gtk defaults
|
# systemwide gtk defaults
|
||||||
/etc/gnome/gtkrc* r,
|
/etc/gnome/gtkrc* r,
|
||||||
@ -88,7 +91,7 @@
|
|||||||
/usr/share/gvfs/remote-volume-monitors/ r,
|
/usr/share/gvfs/remote-volume-monitors/ r,
|
||||||
/usr/share/gvfs/remote-volume-monitors/* r,
|
/usr/share/gvfs/remote-volume-monitors/* r,
|
||||||
@{PROC}/@{pid}/mounts r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
/run/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
|
||||||
# printing
|
# printing
|
||||||
/etc/papersize r,
|
/etc/papersize r,
|
||||||
@ -96,7 +99,7 @@
|
|||||||
/usr/share/cups/charmaps/** r,
|
/usr/share/cups/charmaps/** r,
|
||||||
|
|
||||||
# holds MIT-MAGIC-COOKIE for gnome
|
# holds MIT-MAGIC-COOKIE for gnome
|
||||||
owner /{,var/}run/gdm/auth*/database r,
|
owner @{run}/gdm/auth*/database r,
|
||||||
|
|
||||||
# mime-types
|
# mime-types
|
||||||
/etc/gnome/defaults.list r,
|
/etc/gnome/defaults.list r,
|
||||||
@ -109,3 +112,6 @@
|
|||||||
unix (send, receive, connect)
|
unix (send, receive, connect)
|
||||||
type=stream
|
type=stream
|
||||||
peer=(addr="@/dbus-vfs-daemon/socket-*"),
|
peer=(addr="@/dbus-vfs-daemon/socket-*"),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/gnome.d>
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# gnupg sub-process running permissions
|
# gnupg sub-process running permissions
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# user configurations
|
# user configurations
|
||||||
owner @{HOME}/.gnupg/options r,
|
owner @{HOME}/.gnupg/options r,
|
||||||
owner @{HOME}/.gnupg/pubring.gpg r,
|
owner @{HOME}/.gnupg/pubring.gpg r,
|
||||||
@ -9,3 +11,6 @@
|
|||||||
owner @{HOME}/.gnupg/secring.gpg r,
|
owner @{HOME}/.gnupg/secring.gpg r,
|
||||||
owner @{HOME}/.gnupg/so/*.x86_64 mr,
|
owner @{HOME}/.gnupg/so/*.x86_64 mr,
|
||||||
owner @{HOME}/.gnupg/trustdb.gpg rw,
|
owner @{HOME}/.gnupg/trustdb.gpg rw,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/gnupg.d>
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
#include <abstractions/p11-kit>
|
include <abstractions/p11-kit>
|
||||||
#include <abstractions/X>
|
include <abstractions/X>
|
||||||
|
|
||||||
# TODO: adjust when support finer-grained netlink rules
|
# TODO: adjust when support finer-grained netlink rules
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/usr/share/themes/{,**} r,
|
/usr/share/themes/{,**} r,
|
||||||
|
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction is designed to be used in a child profile to limit what
|
# This abstraction is designed to be used in a child profile to limit what
|
||||||
# confined application can invoke via gvfs-open helper.
|
# confined application can invoke via gvfs-open helper.
|
||||||
#
|
#
|
||||||
@ -18,23 +20,23 @@
|
|||||||
#
|
#
|
||||||
# # out-of-line child profile
|
# # out-of-line child profile
|
||||||
# profile foo//gvfs-open {
|
# profile foo//gvfs-open {
|
||||||
# #include <abstractions/gvfs-open>
|
# include <abstractions/gvfs-open>
|
||||||
#
|
#
|
||||||
# # needed for ubuntu-* abstractions
|
# # needed for ubuntu-* abstractions
|
||||||
# #include <abstractions/ubuntu-helpers>
|
# include <abstractions/ubuntu-helpers>
|
||||||
#
|
#
|
||||||
# # Only allow to handle http[s]: and mailto: links
|
# # Only allow to handle http[s]: and mailto: links
|
||||||
# #include <abstractions/ubuntu-browsers>
|
# include <abstractions/ubuntu-browsers>
|
||||||
# #include <abstractions/ubuntu-email>
|
# include <abstractions/ubuntu-email>
|
||||||
#
|
#
|
||||||
# # < add additional allowed applications here >
|
# # < add additional allowed applications here >
|
||||||
# }
|
# }
|
||||||
# ```
|
# ```
|
||||||
|
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# gvfs-open is deprecated, it launches gio open <uri>
|
# gvfs-open is deprecated, it launches gio open <uri>
|
||||||
#include <abstractions/gio-open>
|
include <abstractions/gio-open>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -42,4 +44,4 @@
|
|||||||
/{,usr/}bin/dash mr,
|
/{,usr/}bin/dash mr,
|
||||||
|
|
||||||
# Include additions to the abstraction
|
# Include additions to the abstraction
|
||||||
#include if exists <abstractions/gvfs-open.d>
|
include if exists <abstractions/gvfs-open.d>
|
||||||
|
@ -9,5 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/etc/hosts.deny r,
|
/etc/hosts.deny r,
|
||||||
/etc/hosts.allow r,
|
/etc/hosts.allow r,
|
||||||
|
|
||||||
|
include if exists <abstractions/hosts_access.d>
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# abstraction for ibus input methods
|
# abstraction for ibus input methods
|
||||||
owner @{HOME}/.config/ibus/ r,
|
owner @{HOME}/.config/ibus/ r,
|
||||||
owner @{HOME}/.config/ibus/bus/ rw,
|
owner @{HOME}/.config/ibus/bus/ rw,
|
||||||
@ -27,3 +29,6 @@
|
|||||||
unix (connect, receive, send)
|
unix (connect, receive, send)
|
||||||
type=stream
|
type=stream
|
||||||
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
|
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/ibus.d>
|
||||||
|
@ -9,13 +9,15 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#include <abstractions/base>
|
abi <abi/3.0>,
|
||||||
#include <abstractions/fonts>
|
|
||||||
#include <abstractions/X>
|
include <abstractions/base>
|
||||||
#include <abstractions/freedesktop.org>
|
include <abstractions/fonts>
|
||||||
#include <abstractions/xdg-desktop>
|
include <abstractions/X>
|
||||||
#include <abstractions/user-tmp>
|
include <abstractions/freedesktop.org>
|
||||||
#include <abstractions/qt5>
|
include <abstractions/xdg-desktop>
|
||||||
|
include <abstractions/user-tmp>
|
||||||
|
include <abstractions/qt5>
|
||||||
|
|
||||||
/etc/qt3/kstylerc r,
|
/etc/qt3/kstylerc r,
|
||||||
/etc/qt3/qt_plugins_3.3rc r,
|
/etc/qt3/qt_plugins_3.3rc r,
|
||||||
@ -75,3 +77,6 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget
|
|||||||
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
|
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
|
||||||
/usr/lib/@{multiarch}/qt4/plugins/** mr,
|
/usr/lib/@{multiarch}/qt4/plugins/** mr,
|
||||||
/usr/share/qt4/** r,
|
/usr/share/qt4/** r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/kde.d>
|
||||||
|
@ -1,10 +1,15 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# Rules for changing KDE settings (for KFileDialog and other).
|
# Rules for changing KDE settings (for KFileDialog and other).
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# User files
|
# User files
|
||||||
|
|
||||||
owner @{HOME}/.config/#[0-9]* rw,
|
owner @{HOME}/.config/#[0-9]* rw,
|
||||||
owner @{HOME}/.config/kdeglobals rw,
|
owner @{HOME}/.config/kdeglobals rw,
|
||||||
owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*,
|
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
|
||||||
owner @{HOME}/.config/kdeglobals.lock rwk,
|
owner @{HOME}/.config/kdeglobals.lock rwk,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/kde-globals-write.d>
|
||||||
|
@ -1,7 +1,12 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# Rules for writing KDE icon cache
|
# Rules for writing KDE icon cache
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# User files
|
# User files
|
||||||
|
|
||||||
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
|
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/kde-icon-cache-write.d>
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Rules for changing per-application language settings on KDE. Some KDE
|
# Rules for changing per-application language settings on KDE. Some KDE
|
||||||
# applications have "Help -> Switch Application Language..." option, that needs
|
# applications have "Help -> Switch Application Language..." option, that needs
|
||||||
# write access to language settings file.
|
# write access to language settings file.
|
||||||
@ -7,6 +10,9 @@
|
|||||||
|
|
||||||
owner @{HOME}/.config/#[0-9]* rw,
|
owner @{HOME}/.config/#[0-9]* rw,
|
||||||
owner @{HOME}/.config/klanguageoverridesrc rw,
|
owner @{HOME}/.config/klanguageoverridesrc rw,
|
||||||
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*,
|
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
|
||||||
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
|
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/kde-language-write.d>
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# This abstraction is designed to be used in a child profile to limit what
|
# This abstraction is designed to be used in a child profile to limit what
|
||||||
# confined application can invoke via kde-open5 helper.
|
# confined application can invoke via kde-open5 helper.
|
||||||
#
|
#
|
||||||
@ -18,40 +20,40 @@
|
|||||||
#
|
#
|
||||||
# # out-of-line child profile
|
# # out-of-line child profile
|
||||||
# profile foo//kde-open5 {
|
# profile foo//kde-open5 {
|
||||||
# #include <abstractions/kde-open5>
|
# include <abstractions/kde-open5>
|
||||||
#
|
#
|
||||||
# # needed for ubuntu-* abstractions
|
# # needed for ubuntu-* abstractions
|
||||||
# #include <abstractions/ubuntu-helpers>
|
# include <abstractions/ubuntu-helpers>
|
||||||
#
|
#
|
||||||
# # Only allow to handle http[s]: and mailto: links
|
# # Only allow to handle http[s]: and mailto: links
|
||||||
# #include <abstractions/ubuntu-browsers>
|
# include <abstractions/ubuntu-browsers>
|
||||||
# #include <abstractions/ubuntu-email>
|
# include <abstractions/ubuntu-email>
|
||||||
#
|
#
|
||||||
# # Add if accesibility access is considered as required
|
# # Add if accesibility access is considered as required
|
||||||
# # (for message boxe in case exo-open fails)
|
# # (for message boxe in case exo-open fails)
|
||||||
# #include <abstractions/dbus-accessibility>
|
# include <abstractions/dbus-accessibility>
|
||||||
#
|
#
|
||||||
# # Add if audio support for message box is
|
# # Add if audio support for message box is
|
||||||
# # considered as required.
|
# # considered as required.
|
||||||
# #include if exists <abstractions/gstreamer>
|
# include if exists <abstractions/gstreamer>
|
||||||
#
|
#
|
||||||
# # < add additional allowed applications here >
|
# # < add additional allowed applications here >
|
||||||
# }
|
# }
|
||||||
# ```
|
# ```
|
||||||
|
|
||||||
#include <abstractions/audio> # for alert messages
|
include <abstractions/audio> # for alert messages
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
#include <abstractions/dbus-accessibility-strict>
|
include <abstractions/dbus-accessibility-strict>
|
||||||
#include <abstractions/dbus-network-manager-strict>
|
include <abstractions/dbus-network-manager-strict>
|
||||||
#include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
#include <abstractions/dbus-strict>
|
include <abstractions/dbus-strict>
|
||||||
#include <abstractions/kde-icon-cache-write>
|
include <abstractions/kde-icon-cache-write>
|
||||||
#include <abstractions/kde>
|
include <abstractions/kde>
|
||||||
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||||
#include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
#include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
#include <abstractions/recent-documents-write>
|
include <abstractions/recent-documents-write>
|
||||||
#include <abstractions/X>
|
include <abstractions/X>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -96,9 +98,9 @@
|
|||||||
# User files
|
# User files
|
||||||
|
|
||||||
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
|
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
|
||||||
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
|
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
|
||||||
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
||||||
owner @{HOME}/.cache/kio_http/ rw,
|
owner @{HOME}/.cache/kio_http/ rw,
|
||||||
|
|
||||||
# Include additions to the abstraction
|
# Include additions to the abstraction
|
||||||
#include if exists <abstractions/kde-open5.d>
|
include if exists <abstractions/kde-open5.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/usr/share/kde4/** r,
|
/usr/share/kde4/** r,
|
||||||
|
|
||||||
|
@ -9,9 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
#include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
|
|
||||||
# KDE/Plasma5 themes
|
# KDE/Plasma5 themes
|
||||||
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
|
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
|
||||||
@ -52,7 +52,7 @@
|
|||||||
|
|
||||||
# Think what to do about this #FIXME#
|
# Think what to do about this #FIXME#
|
||||||
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
|
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
|
||||||
##include <abstractions/recent-documents-write>
|
include <abstractions/recent-documents-write>
|
||||||
#signal (send) set=(term, kill) peer=unconfined,
|
#signal (send) set=(term, kill) peer=unconfined,
|
||||||
#deny @{sys}/bus/ r,
|
#deny @{sys}/bus/ r,
|
||||||
#deny @{sys}/bus/usb/devices/ r,
|
#deny @{sys}/bus/usb/devices/ r,
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# files required by kerberos client programs
|
# files required by kerberos client programs
|
||||||
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
|
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
|
||||||
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
|
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
|
||||||
@ -32,3 +34,6 @@
|
|||||||
|
|
||||||
# credential caches
|
# credential caches
|
||||||
/tmp/krb5cc* r,
|
/tmp/krb5cc* r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/kerberosclient.d>
|
||||||
|
@ -8,6 +8,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
|
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
|
||||||
/etc/ldap.conf r,
|
/etc/ldap.conf r,
|
||||||
/etc/ldap.secret r,
|
/etc/ldap.secret r,
|
||||||
@ -19,6 +21,9 @@
|
|||||||
/usr/lib{,32,64}/sasl2/* r,
|
/usr/lib{,32,64}/sasl2/* r,
|
||||||
|
|
||||||
# local LDAP name service daemon
|
# local LDAP name service daemon
|
||||||
/{,var/}run/nslcd/socket rw,
|
@{run}/nslcd/socket rw,
|
||||||
|
|
||||||
#include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/ldapclient.d>
|
||||||
|
@ -9,7 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#include <abstractions/dbus-strict>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/dbus-strict>
|
||||||
|
|
||||||
# libpam-systemd notifies systemd-logind about session logins/logouts
|
# libpam-systemd notifies systemd-logind about session logins/logouts
|
||||||
dbus send
|
dbus send
|
||||||
@ -17,3 +19,6 @@
|
|||||||
path=/org/freedesktop/login1
|
path=/org/freedesktop/login1
|
||||||
interface=org.freedesktop.login1.Manager
|
interface=org.freedesktop.login1.Manager
|
||||||
member={CreateSession,ReleaseSession},
|
member={CreateSession,ReleaseSession},
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/libpam-systemd.d>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
umount,
|
umount,
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
#include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
#include <abstractions/nameservice>
|
include <abstractions/nameservice>
|
||||||
|
|
||||||
# required for reading disk images
|
# required for reading disk images
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
@ -9,13 +9,13 @@
|
|||||||
|
|
||||||
# Requires apparmor 2.9
|
# Requires apparmor 2.9
|
||||||
|
|
||||||
#include <abstractions/authentication>
|
include <abstractions/authentication>
|
||||||
#include <abstractions/cups-client>
|
include <abstractions/cups-client>
|
||||||
#include <abstractions/dbus>
|
include <abstractions/dbus>
|
||||||
#include <abstractions/dbus-session>
|
include <abstractions/dbus-session>
|
||||||
#include <abstractions/dbus-accessibility>
|
include <abstractions/dbus-accessibility>
|
||||||
#include <abstractions/nameservice>
|
include <abstractions/nameservice>
|
||||||
#include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
|
|
||||||
# bug in compiz https://launchpad.net/bugs/697678
|
# bug in compiz https://launchpad.net/bugs/697678
|
||||||
/etc/compizconfig/config rw,
|
/etc/compizconfig/config rw,
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
|
|
||||||
profile chromium {
|
profile chromium {
|
||||||
# Allow all the same accesses as other applications in the guest session
|
# Allow all the same accesses as other applications in the guest session
|
||||||
#include <abstractions/lightdm>
|
include <abstractions/lightdm>
|
||||||
|
|
||||||
# but also allow a few things because of chromium-browser's sandboxing that
|
# but also allow a few things because of chromium-browser's sandboxing that
|
||||||
# are not appropriate to other guest session applications.
|
# are not appropriate to other guest session applications.
|
||||||
|
@ -9,5 +9,10 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/tmp/.lwidentity/pipe rw,
|
/tmp/.lwidentity/pipe rw,
|
||||||
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
|
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/likewise.d>
|
||||||
|
@ -8,7 +8,12 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# mdnsd
|
# mdnsd
|
||||||
/etc/mdns.allow r,
|
/etc/mdns.allow r,
|
||||||
/etc/nss_mdns.conf r,
|
/etc/nss_mdns.conf r,
|
||||||
/{,var/}run/mdnsd w,
|
@{run}/mdnsd w,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/mdns.d>
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# Rules for Mesa implementation of the OpenGL API
|
# Rules for Mesa implementation of the OpenGL API
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# System files
|
# System files
|
||||||
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
||||||
|
|
||||||
@ -15,3 +17,6 @@
|
|||||||
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
|
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
|
||||||
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
|
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/mesa.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# System files
|
# System files
|
||||||
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
||||||
|
@ -9,9 +9,14 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# mir libraries sometimes do not have a lib prefix
|
# mir libraries sometimes do not have a lib prefix
|
||||||
# see LP: #1422521
|
# see LP: #1422521
|
||||||
/usr/lib/@{multiarch}/mir/*.so* mr,
|
/usr/lib/@{multiarch}/mir/*.so* mr,
|
||||||
/usr/lib/@{multiarch}/mir/**/*.so* mr,
|
/usr/lib/@{multiarch}/mir/**/*.so* mr,
|
||||||
|
|
||||||
# unprivileged mir socket for clients
|
# unprivileged mir socket for clients
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/mir.d>
|
||||||
|
@ -9,4 +9,9 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
|
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/mozc.d>
|
||||||
|
@ -9,7 +9,12 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/var/lib/mysql{,d}/mysql{,d}.sock rw,
|
/var/lib/mysql{,d}/mysql{,d}.sock rw,
|
||||||
/{var/,}run/mysql{,d}/mysql{,d}.sock rw,
|
@{run}/mysql{,d}/mysql{,d}.sock rw,
|
||||||
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
|
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
|
||||||
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
|
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/mysql.d>
|
||||||
|
@ -9,31 +9,28 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Many programs wish to perform nameservice-like operations, such as
|
# Many programs wish to perform nameservice-like operations, such as
|
||||||
# looking up users by name or id, groups by name or id, hosts by name
|
# looking up users by name or id, groups by name or id, hosts by name
|
||||||
# or IP, etc. These operations may be performed through files, dns,
|
# or IP, etc. These operations may be performed through files, dns,
|
||||||
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
|
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
|
||||||
/etc/group r,
|
@{etc_ro}/group r,
|
||||||
/etc/host.conf r,
|
@{etc_ro}/host.conf r,
|
||||||
/etc/hosts r,
|
@{etc_ro}/hosts r,
|
||||||
/etc/nsswitch.conf r,
|
@{etc_ro}/nsswitch.conf r,
|
||||||
/etc/gai.conf r,
|
@{etc_ro}/gai.conf r,
|
||||||
/etc/passwd r,
|
@{etc_ro}/passwd r,
|
||||||
/etc/protocols r,
|
@{etc_ro}/protocols r,
|
||||||
|
|
||||||
# libtirpc (used for NIS/YP login) needs this
|
# libtirpc (used for NIS/YP login) needs this
|
||||||
/etc/netconfig r,
|
@{etc_ro}/netconfig r,
|
||||||
|
|
||||||
# When using libnss-extrausers, the passwd and group files are merged from
|
# When using libnss-extrausers, the passwd and group files are merged from
|
||||||
# an alternate path
|
# an alternate path
|
||||||
/var/lib/extrausers/group r,
|
/var/lib/extrausers/group r,
|
||||||
/var/lib/extrausers/passwd r,
|
/var/lib/extrausers/passwd r,
|
||||||
|
|
||||||
# NSS records from systemd-userdbd.service
|
|
||||||
@{run}/systemd/userdb/ r,
|
|
||||||
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
|
||||||
|
|
||||||
# When using sssd, the passwd and group files are stored in an alternate path
|
# When using sssd, the passwd and group files are stored in an alternate path
|
||||||
# and the nss plugin also needs to talk to a pipe
|
# and the nss plugin also needs to talk to a pipe
|
||||||
/var/lib/sss/mc/group r,
|
/var/lib/sss/mc/group r,
|
||||||
@ -41,56 +38,68 @@
|
|||||||
/var/lib/sss/mc/passwd r,
|
/var/lib/sss/mc/passwd r,
|
||||||
/var/lib/sss/pipes/nss rw,
|
/var/lib/sss/pipes/nss rw,
|
||||||
|
|
||||||
/etc/resolv.conf r,
|
@{etc_ro}/resolv.conf r,
|
||||||
# On systems where /etc/resolv.conf is managed programmatically, it is
|
# On systems where /etc/resolv.conf is managed programmatically, it is
|
||||||
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
|
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
|
||||||
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
|
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
|
||||||
/etc/resolvconf/run/resolv.conf r,
|
@{etc_ro}/resolvconf/run/resolv.conf r,
|
||||||
/{,var/}run/systemd/resolve/stub-resolv.conf r,
|
@{run}/systemd/resolve/stub-resolv.conf r,
|
||||||
|
|
||||||
/etc/samba/lmhosts r,
|
@{etc_ro}/samba/lmhosts r,
|
||||||
/etc/services r,
|
@{etc_ro}/services r,
|
||||||
# db backend
|
# db backend
|
||||||
/var/lib/misc/*.db r,
|
/var/lib/misc/*.db r,
|
||||||
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
||||||
# to vast speed increases when working with network-based lookups.
|
# to vast speed increases when working with network-based lookups.
|
||||||
/{,var/}run/.nscd_socket rw,
|
@{run}/.nscd_socket rw,
|
||||||
/{,var/}run/nscd/socket rw,
|
@{run}/nscd/socket rw,
|
||||||
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
|
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
|
||||||
# nscd renames and unlinks files in it's operation that clients will
|
# nscd renames and unlinks files in it's operation that clients will
|
||||||
# have open
|
# have open
|
||||||
/{,var/}run/nscd/db* rmix,
|
@{run}/nscd/db* rmix,
|
||||||
|
|
||||||
# The nss libraries are sometimes used in addition to PAM; make sure
|
# The nss libraries are sometimes used in addition to PAM; make sure
|
||||||
# they are available
|
# they are available
|
||||||
/{usr/,}lib{,32,64}/libnss_*.so* mr,
|
/{usr/,}lib{,32,64}/libnss_*.so* mr,
|
||||||
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
|
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
|
||||||
/etc/default/nss r,
|
@{etc_ro}/default/nss r,
|
||||||
|
|
||||||
# avahi-daemon is used for mdns4 resolution
|
# avahi-daemon is used for mdns4 resolution
|
||||||
/{,var/}run/avahi-daemon/socket rw,
|
@{run}/avahi-daemon/socket rw,
|
||||||
|
|
||||||
# libnl-3-200 via libnss-gw-name
|
# libnl-3-200 via libnss-gw-name
|
||||||
@{PROC}/@{pid}/net/psched r,
|
@{PROC}/@{pid}/net/psched r,
|
||||||
/etc/libnl-*/classid r,
|
@{etc_ro}/libnl-*/classid r,
|
||||||
|
|
||||||
# nis
|
# nis
|
||||||
#include <abstractions/nis>
|
include <abstractions/nis>
|
||||||
|
|
||||||
# ldap
|
# ldap
|
||||||
#include <abstractions/ldapclient>
|
include <abstractions/ldapclient>
|
||||||
|
|
||||||
# winbind
|
# winbind
|
||||||
#include <abstractions/winbind>
|
include <abstractions/winbind>
|
||||||
|
|
||||||
# likewise
|
# likewise
|
||||||
#include <abstractions/likewise>
|
include <abstractions/likewise>
|
||||||
|
|
||||||
# mdnsd
|
# mdnsd
|
||||||
#include <abstractions/mdns>
|
include <abstractions/mdns>
|
||||||
|
|
||||||
# kerberos
|
# kerberos
|
||||||
#include <abstractions/kerberosclient>
|
include <abstractions/kerberosclient>
|
||||||
|
|
||||||
|
#libnss-systemd
|
||||||
|
include <abstractions/nss-systemd>
|
||||||
|
|
||||||
|
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
|
||||||
|
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
dbus send
|
||||||
|
bus=system
|
||||||
|
path="/org/freedesktop/systemd1"
|
||||||
|
interface="org.freedesktop.systemd1.Manager"
|
||||||
|
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
|
||||||
|
peer=(name="org.freedesktop.systemd1"),
|
||||||
|
|
||||||
# TCP/UDP network access
|
# TCP/UDP network access
|
||||||
network inet stream,
|
network inet stream,
|
||||||
@ -104,3 +113,6 @@
|
|||||||
|
|
||||||
# interface details
|
# interface details
|
||||||
@{PROC}/@{pid}/net/route r,
|
@{PROC}/@{pid}/net/route r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/nameservice.d>
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
#abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/etc/hosts r,
|
/etc/hosts r,
|
||||||
/etc/host.conf r,
|
/etc/host.conf r,
|
||||||
|
@ -8,8 +8,13 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# NIS rules
|
# NIS rules
|
||||||
/var/yp/binding/* r,
|
/var/yp/binding/* r,
|
||||||
# portmapper may ask root processes to do nis/ldap at low ports
|
# portmapper may ask root processes to do nis/ldap at low ports
|
||||||
capability net_bind_service,
|
capability net_bind_service,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/nis.d>
|
||||||
|
30
apparmor.d/abstractions/nss-systemd
Normal file
30
apparmor.d/abstractions/nss-systemd
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
# ------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# Copyright (C) 2002-2009 Novell/SUSE
|
||||||
|
# Copyright (C) 2009-2011 Canonical Ltd.
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of version 2 of the GNU General Public
|
||||||
|
# License published by the Free Software Foundation.
|
||||||
|
#
|
||||||
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
# libnss-systemd
|
||||||
|
#
|
||||||
|
# https://systemd.io/USER_GROUP_API/
|
||||||
|
# https://systemd.io/USER_RECORD/
|
||||||
|
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
|
||||||
|
#
|
||||||
|
# Allow User/Group lookups via common VarLink socket APIs. Applications need
|
||||||
|
# to either consult all of them or the io.systemd.Multiplexer frontend.
|
||||||
|
@{run}/systemd/userdb/ r,
|
||||||
|
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
|
||||||
|
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
|
||||||
|
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
|
||||||
|
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
|
||||||
|
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
|
include if exists <abstractions/nss-systemd.d>
|
@ -1,6 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# nvidia access requirements
|
# nvidia access requirements
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# configuration queries
|
# configuration queries
|
||||||
capability ipc_lock,
|
capability ipc_lock,
|
||||||
|
|
||||||
@ -26,3 +28,6 @@
|
|||||||
owner @{HOME}/.nv/GLCache/** rwk,
|
owner @{HOME}/.nv/GLCache/** rwk,
|
||||||
|
|
||||||
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
|
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/nvidia.d>
|
||||||
|
@ -1,9 +1,15 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# OpenCL access requirements
|
# OpenCL access requirements
|
||||||
|
|
||||||
# TODO: use conditionals to select allowed implementations
|
# TODO: use conditionals to select allowed implementations
|
||||||
#include <abstractions/opencl-intel>
|
include <abstractions/opencl-intel>
|
||||||
#include <abstractions/opencl-mesa>
|
include <abstractions/opencl-mesa>
|
||||||
#include <abstractions/opencl-nvidia>
|
include <abstractions/opencl-nvidia>
|
||||||
#include <abstractions/opencl-pocl>
|
include <abstractions/opencl-pocl>
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl.d>
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# implementation-independent OpenCL access requirements
|
# implementation-independent OpenCL access requirements
|
||||||
|
|
||||||
# System files
|
# System files
|
||||||
@ -8,3 +11,6 @@
|
|||||||
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
|
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
|
||||||
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
|
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl-common.d>
|
||||||
|
@ -1,13 +1,16 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# OpenCL access requirements for Intel implementation
|
# OpenCL access requirements for Intel implementation
|
||||||
|
|
||||||
#include <abstractions/opencl-common>
|
include <abstractions/opencl-common>
|
||||||
|
|
||||||
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
|
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
|
||||||
#include <abstractions/X>
|
include <abstractions/X>
|
||||||
|
|
||||||
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
|
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
|
||||||
#include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
|
|
||||||
# System files
|
# System files
|
||||||
|
|
||||||
@ -15,3 +18,6 @@
|
|||||||
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
|
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
|
||||||
/usr/lib/@{multiarch}/beignet/** r,
|
/usr/lib/@{multiarch}/beignet/** r,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl-intel.d>
|
||||||
|
@ -1,7 +1,10 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# OpenCL access requirements for Mesa implementation
|
# OpenCL access requirements for Mesa implementation
|
||||||
|
|
||||||
#include <abstractions/opencl-common>
|
include <abstractions/opencl-common>
|
||||||
|
|
||||||
# Additional libraries
|
# Additional libraries
|
||||||
|
|
||||||
@ -18,3 +21,6 @@
|
|||||||
|
|
||||||
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
|
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl-mesa.d>
|
||||||
|
@ -1,8 +1,11 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# OpenCL access requirements for NVIDIA implementation
|
# OpenCL access requirements for NVIDIA implementation
|
||||||
|
|
||||||
#include <abstractions/nvidia>
|
include <abstractions/nvidia>
|
||||||
#include <abstractions/opencl-common>
|
include <abstractions/opencl-common>
|
||||||
|
|
||||||
# Executables
|
# Executables
|
||||||
|
|
||||||
@ -28,3 +31,6 @@
|
|||||||
owner @{HOME}/.nv/ComputeCache/** rw,
|
owner @{HOME}/.nv/ComputeCache/** rw,
|
||||||
owner @{HOME}/.nv/ComputeCache/index rwk,
|
owner @{HOME}/.nv/ComputeCache/index rwk,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl-nvidia.d>
|
||||||
|
@ -1,7 +1,9 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# OpenCL access requirements for POCL implementation
|
# OpenCL access requirements for POCL implementation
|
||||||
|
|
||||||
#include <abstractions/opencl-common>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/opencl-common>
|
||||||
|
|
||||||
# Executables
|
# Executables
|
||||||
|
|
||||||
@ -28,7 +30,7 @@
|
|||||||
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
|
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
|
||||||
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
|
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
|
||||||
/usr/share/pocl/** r,
|
/usr/share/pocl/** r,
|
||||||
/{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
|
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
|
||||||
|
|
||||||
# User files
|
# User files
|
||||||
|
|
||||||
@ -41,7 +43,7 @@
|
|||||||
# Child profiles
|
# Child profiles
|
||||||
|
|
||||||
profile opencl_pocl_ld {
|
profile opencl_pocl_ld {
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -54,7 +56,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
profile opencl_pocl_clang {
|
profile opencl_pocl_clang {
|
||||||
#include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# Main executables
|
# Main executables
|
||||||
|
|
||||||
@ -74,3 +76,6 @@
|
|||||||
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
|
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/opencl-pocl.d>
|
||||||
|
@ -8,7 +8,12 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/etc/ssl/openssl.cnf r,
|
/etc/ssl/openssl.cnf r,
|
||||||
/usr/share/ssl/openssl.cnf r,
|
/usr/share/ssl/openssl.cnf r,
|
||||||
@{PROC}/sys/crypto/fips_enabled r,
|
@{PROC}/sys/crypto/fips_enabled r,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/openssl.d>
|
||||||
|
@ -1,5 +1,10 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# orbit2 permissions
|
# orbit2 permissions
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# system library
|
# system library
|
||||||
/usr/lib/orbit-2.0/*.so mr,
|
/usr/lib/orbit-2.0/*.so mr,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/orbit2.d>
|
||||||
|
@ -8,6 +8,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/etc/pkcs11/ r,
|
/etc/pkcs11/ r,
|
||||||
/etc/pkcs11/pkcs11.conf r,
|
/etc/pkcs11/pkcs11.conf r,
|
||||||
/etc/pkcs11/modules/ r,
|
/etc/pkcs11/modules/ r,
|
||||||
@ -20,8 +22,11 @@
|
|||||||
/usr/share/p11-kit/modules/* r,
|
/usr/share/p11-kit/modules/* r,
|
||||||
|
|
||||||
# gnome-keyring pkcs11 module
|
# gnome-keyring pkcs11 module
|
||||||
owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
|
owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
|
||||||
|
|
||||||
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
|
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
|
||||||
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
|
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
|
||||||
# included in this abstraction.
|
# included in this abstraction.
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/p11-kit.d>
|
||||||
|
@ -9,6 +9,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# a few files typically required for perl scripts
|
# a few files typically required for perl scripts
|
||||||
/usr/bin/perl rmix,
|
/usr/bin/perl rmix,
|
||||||
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
|
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
|
||||||
@ -21,3 +23,6 @@
|
|||||||
/usr/share/perl/** r,
|
/usr/share/perl/** r,
|
||||||
/usr/share/perl5/** r,
|
/usr/share/perl5/** r,
|
||||||
/etc/perl/** r,
|
/etc/perl/** r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/perl.d>
|
||||||
|
@ -10,6 +10,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# shared snippets for config files
|
# shared snippets for config files
|
||||||
/etc/php{,5,7}/**/ r,
|
/etc/php{,5,7}/**/ r,
|
||||||
/etc/php{,5,7}/**.ini r,
|
/etc/php{,5,7}/**.ini r,
|
||||||
@ -37,3 +39,6 @@
|
|||||||
|
|
||||||
# Zend opcache
|
# Zend opcache
|
||||||
/tmp/.ZendSem.* rwlk,
|
/tmp/.ZendSem.* rwlk,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/php.d>
|
||||||
|
22
apparmor.d/abstractions/php-worker
Normal file
22
apparmor.d/abstractions/php-worker
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
# vim:syntax=apparmor
|
||||||
|
|
||||||
|
# This file contains basic permissions for php-fpm workers
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
# load common libraries and their support files
|
||||||
|
include <abstractions/base>
|
||||||
|
# common php files and support files that php needs
|
||||||
|
include <abstractions/php>
|
||||||
|
|
||||||
|
signal (receive) peer=php-fpm,
|
||||||
|
|
||||||
|
# This is some php opcaching file
|
||||||
|
/tmp/.ZendSem.* rwk,
|
||||||
|
|
||||||
|
# I think this is adaptive memory management
|
||||||
|
/sys/devices/system/node/* r,
|
||||||
|
/sys/devices/system/node/*/meminfo r,
|
||||||
|
/sys/devices/system/node/ r,
|
||||||
|
|
||||||
|
include if exists <abstractions/php-worker.d>
|
@ -1,3 +1,8 @@
|
|||||||
#backwards compatibility include, actual abstraction moved from php5 to php
|
#backwards compatibility include, actual abstraction moved from php5 to php
|
||||||
|
|
||||||
#include <abstractions/php>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/php>
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/php5.d>
|
||||||
|
@ -11,16 +11,16 @@
|
|||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# used with postfix/*
|
# used with postfix/*
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
|
||||||
capability setuid,
|
capability setuid,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
capability sys_chroot,
|
capability sys_chroot,
|
||||||
|
|
||||||
# postfix's master can send us signals
|
# postfix's master can send us signals
|
||||||
signal receive peer=/usr/lib/postfix/master,
|
|
||||||
signal receive peer=postfix-master,
|
signal receive peer=postfix-master,
|
||||||
|
|
||||||
unix (send, receive) peer=(label=/usr/lib/postfix/master),
|
|
||||||
unix (send, receive) peer=(label=postfix-master),
|
unix (send, receive) peer=(label=postfix-master),
|
||||||
|
|
||||||
/etc/mailname r,
|
/etc/mailname r,
|
||||||
@ -37,3 +37,8 @@
|
|||||||
/var/spool/postfix/etc/* r,
|
/var/spool/postfix/etc/* r,
|
||||||
/var/spool/postfix/lib/lib*.so* mr,
|
/var/spool/postfix/lib/lib*.so* mr,
|
||||||
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
|
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
|
||||||
|
|
||||||
|
/etc/postfix/dynamicmaps.cf.d/ r,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/postfix-common.d>
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
# privacy-violations contains rules for common files that you want to
|
# privacy-violations contains rules for common files that you want to
|
||||||
# explicitly deny access
|
# explicitly deny access
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# privacy violations (don't audit files under $HOME otherwise get a
|
# privacy violations (don't audit files under $HOME otherwise get a
|
||||||
# lot of false positives when reading contents of directories)
|
# lot of false positives when reading contents of directories)
|
||||||
deny @{HOME}/.*history mrwkl,
|
deny @{HOME}/.*history mrwkl,
|
||||||
@ -45,3 +47,6 @@
|
|||||||
|
|
||||||
deny @{HOME}/.zshenv mrk,
|
deny @{HOME}/.zshenv mrk,
|
||||||
audit deny @{HOME}/.zshenv wl,
|
audit deny @{HOME}/.zshenv wl,
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/private-files.d>
|
||||||
|
@ -2,7 +2,9 @@
|
|||||||
# privacy-violations-strict contains additional rules for sensitive
|
# privacy-violations-strict contains additional rules for sensitive
|
||||||
# files that you want to explicitly deny access
|
# files that you want to explicitly deny access
|
||||||
|
|
||||||
#include <abstractions/private-files>
|
abi <abi/3.0>,
|
||||||
|
|
||||||
|
include <abstractions/private-files>
|
||||||
|
|
||||||
# potentially extremely sensitive files
|
# potentially extremely sensitive files
|
||||||
audit deny @{HOME}/.aws/{,**} mrwkl,
|
audit deny @{HOME}/.aws/{,**} mrwkl,
|
||||||
@ -12,7 +14,7 @@
|
|||||||
audit deny @{HOME}/.gnome2/ w,
|
audit deny @{HOME}/.gnome2/ w,
|
||||||
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
|
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
|
||||||
# don't allow access to any gnome-keyring modules
|
# don't allow access to any gnome-keyring modules
|
||||||
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
|
audit deny @{run}/user/[0-9]*/keyring** mrwkl,
|
||||||
audit deny @{HOME}/.mozilla/{,**} mrwkl,
|
audit deny @{HOME}/.mozilla/{,**} mrwkl,
|
||||||
audit deny @{HOME}/.config/ w,
|
audit deny @{HOME}/.config/ w,
|
||||||
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
|
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
|
||||||
@ -23,3 +25,6 @@
|
|||||||
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
|
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
|
||||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/private-files-strict.d>
|
||||||
|
@ -10,6 +10,8 @@
|
|||||||
#
|
#
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
|
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
|
||||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
|
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
|
||||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
|
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
|
||||||
@ -37,5 +39,5 @@
|
|||||||
# python build configuration and headers
|
# python build configuration and headers
|
||||||
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
|
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
|
||||||
|
|
||||||
# Silencer
|
# Include additions to the abstraction
|
||||||
deny /usr/lib{,32,64}/python*/** w,
|
include if exists <abstractions/python.d>
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# Common rules for Qt5-based applications
|
# Common rules for Qt5-based applications
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# Additional libraries
|
# Additional libraries
|
||||||
|
|
||||||
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
|
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
|
||||||
@ -20,3 +22,6 @@
|
|||||||
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
|
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
|
||||||
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/qt5.d>
|
||||||
|
@ -1,8 +1,13 @@
|
|||||||
# vim:syntax=apparmor
|
# vim:syntax=apparmor
|
||||||
# Allow writing cache for Qt5 "platforminputcontexts" plugins
|
# Allow writing cache for Qt5 "platforminputcontexts" plugins
|
||||||
|
|
||||||
|
abi <abi/3.0>,
|
||||||
|
|
||||||
# User files
|
# User files
|
||||||
|
|
||||||
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
||||||
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
||||||
|
|
||||||
|
|
||||||
|
# Include additions to the abstraction
|
||||||
|
include if exists <abstractions/qt5-compose-cache-write.d>
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user