update profiles for apparmor3

This commit is contained in:
Mikhail Morfikov 2020-12-10 22:33:39 +01:00
parent 503cf496bf
commit 7067edcf70
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
776 changed files with 6867 additions and 5199 deletions

78
apparmor.d/abi/3.0 Normal file
View File

@ -0,0 +1,78 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

View File

@ -0,0 +1,76 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

View File

@ -0,0 +1,68 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

View File

@ -11,13 +11,14 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
#include <abstractions/dri-common> include <abstractions/dri-common>
# .ICEauthority files required for X authentication, per user # .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r, owner @{HOME}/.ICEauthority r,
owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user # .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
@ -30,7 +31,7 @@
owner @{run}/user/*/xauth_* r, owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display # the unix socket to use to connect to the display
/tmp/.X11-unix/* rw, /tmp/.X11-unix/* r,
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"), peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@ -58,7 +59,10 @@
/etc/X11/cursors/** r, /etc/X11/cursors/** r,
# Xwayland # Xwayland
owner /run/user/*/.mutter-Xwaylandauth.* r, owner @{run}/user/*/.mutter-Xwaylandauth.* r,
# Available Xsessions # Available Xsessions
/usr/share/xsessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r,
# Include additions to the abstraction
include if exists <abstractions/X.d>

View File

@ -2,7 +2,9 @@
# This file contains basic permissions for Apache and every vHost # This file contains basic permissions for Apache and every vHost
#include <abstractions/nameservice> abi <abi/3.0>,
include <abstractions/nameservice>
# Allow unconfined processes to send us signals by default # Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined, signal (receive) peer=unconfined,
@ -20,7 +22,7 @@
/usr/share/apache2/** r, /usr/share/apache2/** r,
# changehat itself # changehat itself
@{PROC}/@{pid}/attr/current rw, @{PROC}/@{pid}/attr/{apparmor/,}current rw,
# htaccess files - for what ever it is worth # htaccess files - for what ever it is worth
/**/.htaccess r, /**/.htaccess r,
@ -28,7 +30,10 @@
/dev/urandom r, /dev/urandom r,
# sasl-auth # sasl-auth
/run/saslauthd/mux rw, @{run}/saslauthd/mux rw,
# OCSP stapling # OCSP stapling
/var/log/apache2/stapling-cache rw, @{run}/lock/apache2/stapling-cache* rw,
# Include additions to the abstraction
include if exists <abstractions/apache2-common.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# Root app location # Root app location
/ r, / r,

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# User app location # User app location
/ r, / r,

View File

@ -6,6 +6,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/apparmor_api/introspect> abi <abi/3.0>,
@{PROC}/@{tid}/attr/{current,exec} w, include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,

View File

@ -9,4 +9,6 @@
# Make sure to include at least tunables/proc and tunables/kernelvars # Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global. # when using this abstraction, if not tunables/global.
@{PROC}/@{pids}/attr/{current,prev,exec} r, abi <abi/3.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,

View File

@ -6,6 +6,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
#permissions needed for aa_find_mountpoint #permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars # Make sure to include at least tunables/proc and tunables/kernelvars

View File

@ -6,7 +6,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars # Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global. # when using this abstraction, if not tunables/global.
@{PROC}/@{tid}/attr/{current,prev,exec} r, @{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,

View File

@ -6,12 +6,14 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# permissions needed for aa_is_enabled # permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global # Make sure to include tunables/apparmorfs and tunables/global
# when using this abstraction # when using this abstraction
#include <abstractions/apparmor_api/find_mountpoint> include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
# TODO: add alternate apparmorfs interface for enabled # TODO: add alternate apparmorfs interface for enabled

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,

View File

@ -1,6 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# aspell permissions # aspell permissions
abi <abi/3.0>,
# per-user settings and dictionaries # per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk, owner @{HOME}/.aspell.*.{pws,prepl} rwk,
@ -11,3 +13,6 @@
/usr/share/aspell/ r, /usr/share/aspell/ r,
/usr/share/aspell/* r, /usr/share/aspell/* r,
/var/lib/aspell/* r, /var/lib/aspell/* r,
# Include additions to the abstraction
include if exists <abstractions/aspell.d>

View File

@ -10,6 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/dev/admmidi* rw, /dev/admmidi* rw,
@ -56,13 +57,15 @@ owner @{HOME}/.cache/event-sound-cache.* rwk,
# pulse # pulse
/etc/pulse/ r, /etc/pulse/ r,
/etc/pulse/** r, /etc/pulse/** r,
/{run,dev}/shm/ r, /dev/shm/ r,
owner /{run,dev}/shm/pulse-shm* rwk, @{run}/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{run}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk, owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw, owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk, owner @{HOME}/.pulse/* rwk,
owner /{,var/}run/user/*/pulse/ rw, owner @{run}/user/*/pulse/ rw,
owner /{,var/}run/user/*/pulse/{native,pid} rwk, owner @{run}/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/*.conf r, owner @{HOME}/.config/pulse/*.conf r,
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r, owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
owner @{HOME}/.config/pulse/cookie rwk, owner @{HOME}/.config/pulse/cookie rwk,
@ -86,3 +89,6 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi # wildmidi
/etc/wildmidi/wildmidi.cfg r, /etc/wildmidi/wildmidi.cfg r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>

View File

@ -10,18 +10,19 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# Some services need to perform authentication of users # Some services need to perform authentication of users
# Such authentication almost certainly needs access to the local users # Such authentication almost certainly needs access to the local users
# databases containing passwords, PAM configuration files, PAM libraries # databases containing passwords, PAM configuration files, PAM libraries
/{usr/,}etc/nologin r, @{etc_ro}/nologin r,
/{usr/,}etc/pam.d/* r, @{etc_ro}/pam.d/* r,
/{usr/,}etc/securetty r, @{etc_ro}/securetty r,
/{usr/,}etc/security/* r, @{etc_ro}/security/* r,
/{usr/,}etc/shadow r, @{etc_ro}/shadow r,
/{usr/,}etc/gshadow r, @{etc_ro}/gshadow r,
/{usr/,}etc/pwdb.conf r, @{etc_ro}/pwdb.conf r,
/{usr/,}lib{,32,64}/security/pam_filter/* mr, /{usr/,}lib{,32,64}/security/pam_filter/* mr,
/{usr/,}lib{,32,64}/security/pam_*.so mr, /{usr/,}lib{,32,64}/security/pam_*.so mr,
@ -31,22 +32,25 @@
/{usr/,}lib/@{multiarch}/security/ r, /{usr/,}lib/@{multiarch}/security/ r,
# kerberos # kerberos
#include <abstractions/kerberosclient> include <abstractions/kerberosclient>
# SuSE's pwdutils are different: # SuSE's pwdutils are different:
/{usr/,}etc/default/passwd r, @{etc_ro}/default/passwd r,
/{usr/,}etc/login.defs r, @{etc_ro}/login.defs r,
# nis # nis
#include <abstractions/nis> include <abstractions/nis>
# winbind # winbind
#include <abstractions/winbind> include <abstractions/winbind>
# likewise # likewise
#include <abstractions/likewise> include <abstractions/likewise>
# smbpass # smbpass
#include <abstractions/smbpass> include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration) # p11-kit (PKCS#11 modules configuration)
#include <abstractions/p11-kit> include <abstractions/p11-kit>
# Include additions to the abstraction
include if exists <abstractions/authentication.d>

View File

@ -10,6 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# (Note that the ldd profile has inlined this file; if you make # (Note that the ldd profile has inlined this file; if you make
@ -26,10 +27,10 @@
# Allow access to the uuidd daemon (this daemon is a thin wrapper around # Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an # time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user). # unprivilged, dedicated user).
/run/uuidd/request r, @{run}/uuidd/request r,
/etc/locale/** r, @{etc_ro}/locale/** r,
/etc/locale.alias r, @{etc_ro}/locale.alias r,
/etc/localtime r, @{etc_ro}/localtime r,
/etc/writable/localtime r, /etc/writable/localtime r,
/usr/share/locale-bundle/** r, /usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r, /usr/share/locale-langpack/** r,
@ -39,13 +40,13 @@
/usr/share/zoneinfo/ r, /usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r, /usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r, /usr/share/X11/locale/** r,
/run/systemd/journal/dev-log w, @{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4)) # systemd native journal API (see sd_journal_print(4))
/run/systemd/journal/socket w, @{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't # Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak # be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok. # anything when reading so this is ok.
/run/systemd/journal/stdout rw, @{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr, /usr/lib{,32,64}/gconv/*.so mr,
@ -54,14 +55,14 @@
/usr/lib/@{multiarch}/gconv/gconv-modules* mr, /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports # used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r, @{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best # ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere # available everywhere
/etc/ld.so.cache mr, @{etc_ro}/ld.so.cache mr,
/etc/ld.so.conf r, @{etc_ro}/ld.so.conf r,
/etc/ld.so.conf.d/{,*.conf} r, @{etc_ro}/ld.so.conf.d/{,*.conf} r,
/etc/ld.so.preload r, @{etc_ro}/ld.so.preload r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
@ -76,6 +77,11 @@
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used # /dev/null is pretty harmless and frequently used
/dev/null rw, /dev/null rw,
# as is /dev/zero # as is /dev/zero
@ -180,3 +186,6 @@
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, #owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, #owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
include if exists <abstractions/base.d>

View File

@ -8,6 +8,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# user-specific bash files # user-specific bash files
@{HOMEDIRS} r, @{HOMEDIRS} r,
@{HOME}/.bashrc r, @{HOME}/.bashrc r,
@ -42,3 +44,6 @@
/etc/DIR_COLORS r, /etc/DIR_COLORS r,
/{usr/,}bin/ls mix, /{usr/,}bin/ls mix,
/usr/bin/dircolors mix, /usr/bin/dircolors mix,
# Include additions to the abstraction
include if exists <abstractions/bash.d>

View File

@ -9,6 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# there are three common ways to refer to consoles # there are three common ways to refer to consoles
@ -21,4 +22,6 @@
/dev/pts/[0-9]* rw, /dev/pts/[0-9]* rw,
/dev/pts/ r, /dev/pts/ r,
/dev/ptmx rw,
# Include additions to the abstraction
include if exists <abstractions/consoles.d>

View File

@ -9,10 +9,15 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# discoverable system configuration for non-local cupsd # discoverable system configuration for non-local cupsd
/etc/cups/client.conf r, /etc/cups/client.conf r,
# client should be able to talk the local cupsd # client should be able to talk the local cupsd
/{,var/}run/cups/cups.sock rw, @{run}/cups/cups.sock rw,
# client should be able to read user-specified cups configuration # client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r, owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r, owner @{HOME}/.cups/lpoptions r,
# Include additions to the abstraction
include if exists <abstractions/cups-client.d>

View File

@ -9,8 +9,13 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full system bus access. Consider using the # This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation. # dbus-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-strict> include <abstractions/dbus-strict>
dbus bus=system, dbus bus=system,
# Include additions to the abstraction
include if exists <abstractions/dbus.d>

View File

@ -9,8 +9,13 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full accessibility bus access. Consider using the # This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation. # dbus-accessibility-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
dbus bus=accessibility, dbus bus=accessibility,
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility.d>

View File

@ -9,9 +9,14 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
dbus send dbus send
bus=accessibility bus=accessibility
path=/org/freedesktop/DBus path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility-strict.d>

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
dbus send dbus send
bus=system bus=system
path=/org/freedesktop/NetworkManager path=/org/freedesktop/NetworkManager
@ -42,4 +44,4 @@
member=GetSettings member=GetSettings
peer=(name=org.freedesktop.NetworkManager), peer=(name=org.freedesktop.NetworkManager),
#include if exists <abstractions/dbus-network-manager-strict.d> include if exists <abstractions/dbus-network-manager-strict.d>

View File

@ -9,9 +9,14 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full session bus access. Consider using the # This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation. # dbus-session-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
/usr/bin/dbus-launch ix, /usr/bin/dbus-launch ix,
dbus bus=session, dbus bus=session,
# Include additions to the abstraction
include if exists <abstractions/dbus-session.d>

View File

@ -9,17 +9,18 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# unique per-machine identifier # unique per-machine identifier
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner /run/user/*/bus rw,
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/tmp/dbus-*"), peer=(addr="@/tmp/dbus-*"),
# dbus with systemd and --enable-user-session # dbus with systemd and --enable-user-session
owner /run/user/[0-9]*/bus rw, owner @{run}/user/[0-9]*/bus rw,
dbus send dbus send
bus=session bus=session
@ -27,3 +28,6 @@
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-session-strict.d>

View File

@ -9,7 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
/{,var/}run/dbus/system_bus_socket rw, abi <abi/3.0>,
@{run}/dbus/system_bus_socket rw,
dbus send dbus send
bus=system bus=system
@ -17,3 +19,6 @@
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-strict.d>

View File

@ -1,8 +1,13 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# permissions for querying dconf settings; granting write access should # permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile. # be specified in a specific application's profile.
/etc/dconf/** r, /etc/dconf/** r,
owner /{,var/}run/user/*/dconf/user r, owner @{run}/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r, owner @{HOME}/.config/dconf/user r,
# Include additions to the abstraction
include if exists <abstractions/dconf.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
deny /etc/dconf/{,**} r, deny /etc/dconf/{,**} r,

View File

@ -17,7 +17,7 @@
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the # are denied. Anyway, most of the apps refuse to start when they don't get the access to the
# needed files in the user home dir. # needed files in the user home dir.
#abi <abi/3.0>, abi <abi/3.0>,
# Use audit for now to see whether some apps are trying to get access to the /root/ dir. # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
audit deny /root/{,**} rwkmlx, audit deny /root/{,**} rwkmlx,

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# The /sys/ entries probably should be tightened # The /sys/ entries probably should be tightened

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# The /sys/ entries probably should be tightened # The /sys/ entries probably should be tightened

View File

@ -9,6 +9,8 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# used with dovecot/* # used with dovecot/*
abi <abi/3.0>,
capability setgid, capability setgid,
deny capability block_suspend, deny capability block_suspend,
@ -16,4 +18,7 @@
# dovecot's master can send us signals # dovecot's master can send us signals
signal receive peer=dovecot, signal receive peer=dovecot,
/{var/,}run/dovecot/config rw, owner @{run}/dovecot/config rw,
# Include additions to the abstraction
include if exists <abstractions/dovecot-common.d>

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications # This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar). # (needed by libdrm and similar).
@ -12,3 +14,6 @@
/usr/share/drirc.d/{,*.conf} r, /usr/share/drirc.d/{,*.conf} r,
owner @{HOME}/.drirc r, owner @{HOME}/.drirc r,
# Include additions to the abstraction
include if exists <abstractions/dri-common.d>

View File

@ -1,8 +1,13 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications that # This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm). # libdrm).
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction
include if exists <abstractions/dri-enumerate.d>

View File

@ -9,14 +9,18 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for Enchant spellchecking frontend # abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r, /usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r, /usr/share/enchant/enchant.ordering r,
/usr/share/enchant-[0-9]*/enchant.ordering r,
/usr/share/enchant-2/ r,
/usr/share/enchant-2/enchant.ordering r,
# aspell # aspell
#include <abstractions/aspell> include <abstractions/aspell>
/var/lib/dictionaries-common/aspell/ r, /var/lib/dictionaries-common/aspell/ r,
/var/lib/dictionaries-common/aspell/* r, /var/lib/dictionaries-common/aspell/* r,
@ -55,3 +59,6 @@
# per-user dictionaries # per-user dictionaries
owner @{HOME}/.config/enchant/ rw, owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk, owner @{HOME}/.config/enchant/* rwk,
# Include additions to the abstraction
include if exists <abstractions/enchant.d>

View File

@ -3,9 +3,9 @@
# abstraction used by evince binaries # abstraction used by evince binaries
# #
#include <abstractions/gnome> include <abstractions/gnome>
#include <abstractions/p11-kit> include <abstractions/p11-kit>
#include <abstractions/ubuntu-helpers> include <abstractions/ubuntu-helpers>
@{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/mountinfo r, @{PROC}/[0-9]*/mountinfo r,
@ -94,7 +94,7 @@
# access to the Cache directory, which the browser may tell evince to open # access to the Cache directory, which the browser may tell evince to open
# from directly. # from directly.
#include <abstractions/private-files> include <abstractions/private-files>
audit deny @{HOME}/.gnupg/** mrwkl, audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl, audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl, audit deny @{HOME}/.gnome2_private/** mrwkl,
@ -117,8 +117,8 @@
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl, audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
# When LP: #451422 is fixed, change the above to simply be: # When LP: #451422 is fixed, change the above to simply be:
##include <abstractions/private-files-strict> include <abstractions/private-files-strict>
#owner @{HOME}/.mozilla/**/*Cache/* r, #owner @{HOME}/.mozilla/**/*Cache/* r,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.evince> include <local/usr.bin.evince>

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper. # confined application can invoke via exo-open helper.
# #
@ -18,27 +20,27 @@
# #
# # out-of-line child profile # # out-of-line child profile
# profile foo//exo-open { # profile foo//exo-open {
# #include <abstractions/exo-open> # include <abstractions/exo-open>
# #
# # needed for ubuntu-* abstractions # # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
# #
# # Only allow to handle http[s]: and mailto: links # # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email> # include <abstractions/ubuntu-email>
# #
# # Add if accesibility access is considered as required # # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails) # # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility> # include <abstractions/dbus-accessibility>
# #
# # < add additional allowed applications here > # # < add additional allowed applications here >
# } # }
#include <abstractions/X> include <abstractions/X>
#include <abstractions/audio> # for alert messages include <abstractions/audio> # for alert messages
#include <abstractions/base> include <abstractions/base>
#include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
#include <abstractions/gnome> include <abstractions/gnome>
# Main executables # Main executables
@ -71,4 +73,4 @@
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction # Include additions to the abstraction
#include if exists <abstractions/exo-open.d> include if exists <abstractions/exo-open.d>

View File

@ -9,5 +9,10 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/fcitx-strict> abi <abi/3.0>,
include <abstractions/fcitx-strict>
dbus bus=fcitx, dbus bus=fcitx,
# Include additions to the abstraction
include if exists <abstractions/fcitx.d>

View File

@ -9,7 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/dbus-session-strict> abi <abi/3.0>,
include <abstractions/dbus-session-strict>
dbus send dbus send
bus=fcitx bus=fcitx
@ -19,3 +21,6 @@
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r, owner @{HOME}/.config/fcitx/dbus/* r,
# Include additions to the abstraction
include if exists <abstractions/fcitx-strict.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r, deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r, deny @{PROC}/@{pid}/mounts r,

View File

@ -11,7 +11,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# Flatpak # Flatpak
/var/lib/flatpak/exports/share/{,**} r, /var/lib/flatpak/exports/share/{,**} r,

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# The fontconfig cache can be generated via the following command: # The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v # $ fc-cache -f -v

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ rw, owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,

View File

@ -10,6 +10,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/AbiSuite/fonts/** r, /usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr, /usr/lib/xorg/modules/fonts/**.so* mr,
@ -59,3 +61,6 @@
# data files for LibThai # data files for LibThai
/usr/share/libthai/thbrk.tri r, /usr/share/libthai/thbrk.tri r,
# Include additions to the abstraction
include if exists <abstractions/fonts.d>

View File

@ -9,6 +9,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# system configuration # system configuration
@{system_share_dirs}/applications/{**,} r, @{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r, @{system_share_dirs}/icons/{**,} r,
@ -18,7 +20,8 @@
@{system_share_dirs}/mime/** r, @{system_share_dirs}/mime/** r,
# per-user configurations # per-user configurations
owner @{HOME}/.icons/{**,} r, owner @{HOME}/.icons/ r,
owner @{HOME}/.icons/default/index.theme r,
owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r, owner @{HOME}/.config/user-dirs.dirs r,
@ -26,3 +29,6 @@
owner @{user_share_dirs}/applications/{**,} r, owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,} r, owner @{user_share_dirs}/icons/{**,} r,
owner @{user_share_dirs}/mime/{**,} r, owner @{user_share_dirs}/mime/{**,} r,
# Include additions to the abstraction
include if exists <abstractions/freedesktop.org.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r, owner @{HOME}/.fzf/{,**} r,

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper. # confined application can invoke via gio helper.
# #
@ -18,20 +20,20 @@
# #
# # out-of-line child profile # # out-of-line child profile
# profile foo//gio-open { # profile foo//gio-open {
# #include <abstractions/gio-open> # include <abstractions/gio-open>
# #
# # needed for ubuntu-* abstractions # # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
# #
# # Only allow to handle http[s]: and mailto: links # # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email> # include <abstractions/ubuntu-email>
# #
# # < add additional allowed applications here > # # < add additional allowed applications here >
# } # }
#include <abstractions/base> include <abstractions/base>
#include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
# Main executables # Main executables
@ -54,4 +56,4 @@
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction # Include additions to the abstraction
#include if exists <abstractions/gio-open.d> include if exists <abstractions/gio-open.d>

View File

@ -9,13 +9,16 @@
# License published by the Free Software Foundation. # License published by the Free Software Foundation.
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/base>
#include <abstractions/fonts> abi <abi/3.0>,
#include <abstractions/X>
#include <abstractions/freedesktop.org> include <abstractions/base>
#include <abstractions/xdg-desktop> include <abstractions/fonts>
#include <abstractions/user-tmp> include <abstractions/X>
#include <abstractions/wayland> include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults # systemwide gtk defaults
/etc/gnome/gtkrc* r, /etc/gnome/gtkrc* r,
@ -88,7 +91,7 @@
/usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r, /usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
/run/mount/utab r, @{run}/mount/utab r,
# printing # printing
/etc/papersize r, /etc/papersize r,
@ -96,7 +99,7 @@
/usr/share/cups/charmaps/** r, /usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome # holds MIT-MAGIC-COOKIE for gnome
owner /{,var/}run/gdm/auth*/database r, owner @{run}/gdm/auth*/database r,
# mime-types # mime-types
/etc/gnome/defaults.list r, /etc/gnome/defaults.list r,
@ -109,3 +112,6 @@
unix (send, receive, connect) unix (send, receive, connect)
type=stream type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"), peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>

View File

@ -1,6 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# gnupg sub-process running permissions # gnupg sub-process running permissions
abi <abi/3.0>,
# user configurations # user configurations
owner @{HOME}/.gnupg/options r, owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r, owner @{HOME}/.gnupg/pubring.gpg r,
@ -9,3 +11,6 @@
owner @{HOME}/.gnupg/secring.gpg r, owner @{HOME}/.gnupg/secring.gpg r,
owner @{HOME}/.gnupg/so/*.x86_64 mr, owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw, owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
include if exists <abstractions/gnupg.d>

View File

@ -1,8 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
#include <abstractions/base> include <abstractions/base>
#include <abstractions/p11-kit> include <abstractions/p11-kit>
#include <abstractions/X> include <abstractions/X>
# TODO: adjust when support finer-grained netlink rules # TODO: adjust when support finer-grained netlink rules
network netlink raw, network netlink raw,

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper. # confined application can invoke via gvfs-open helper.
# #
@ -18,23 +20,23 @@
# #
# # out-of-line child profile # # out-of-line child profile
# profile foo//gvfs-open { # profile foo//gvfs-open {
# #include <abstractions/gvfs-open> # include <abstractions/gvfs-open>
# #
# # needed for ubuntu-* abstractions # # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
# #
# # Only allow to handle http[s]: and mailto: links # # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email> # include <abstractions/ubuntu-email>
# #
# # < add additional allowed applications here > # # < add additional allowed applications here >
# } # }
# ``` # ```
#include <abstractions/base> include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri> # gvfs-open is deprecated, it launches gio open <uri>
#include <abstractions/gio-open> include <abstractions/gio-open>
# Main executables # Main executables
@ -42,4 +44,4 @@
/{,usr/}bin/dash mr, /{,usr/}bin/dash mr,
# Include additions to the abstraction # Include additions to the abstraction
#include if exists <abstractions/gvfs-open.d> include if exists <abstractions/gvfs-open.d>

View File

@ -9,5 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts.deny r, /etc/hosts.deny r,
/etc/hosts.allow r, /etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>

View File

@ -9,6 +9,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for ibus input methods # abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw, owner @{HOME}/.config/ibus/bus/ rw,
@ -27,3 +29,6 @@
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"), peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# Include additions to the abstraction
include if exists <abstractions/ibus.d>

View File

@ -9,13 +9,15 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/base> abi <abi/3.0>,
#include <abstractions/fonts>
#include <abstractions/X> include <abstractions/base>
#include <abstractions/freedesktop.org> include <abstractions/fonts>
#include <abstractions/xdg-desktop> include <abstractions/X>
#include <abstractions/user-tmp> include <abstractions/freedesktop.org>
#include <abstractions/qt5> include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/qt5>
/etc/qt3/kstylerc r, /etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r, /etc/qt3/qt_plugins_3.3rc r,
@ -75,3 +77,6 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, /usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr, /usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r, /usr/share/qt4/** r,
# Include additions to the abstraction
include if exists <abstractions/kde.d>

View File

@ -1,10 +1,15 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other). # Rules for changing KDE settings (for KFileDialog and other).
abi <abi/3.0>,
# User files # User files
owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw, owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk, owner @{HOME}/.config/kdeglobals.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-globals-write.d>

View File

@ -1,7 +1,12 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for writing KDE icon cache # Rules for writing KDE icon cache
abi <abi/3.0>,
# User files # User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Include additions to the abstraction
include if exists <abstractions/kde-icon-cache-write.d>

View File

@ -1,4 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# Rules for changing per-application language settings on KDE. Some KDE # Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs # applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file. # write access to language settings file.
@ -7,6 +10,9 @@
owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/klanguageoverridesrc rw, owner @{HOME}/.config/klanguageoverridesrc rw,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*, owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.lock rwk, owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-language-write.d>

View File

@ -1,5 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper. # confined application can invoke via kde-open5 helper.
# #
@ -18,40 +20,40 @@
# #
# # out-of-line child profile # # out-of-line child profile
# profile foo//kde-open5 { # profile foo//kde-open5 {
# #include <abstractions/kde-open5> # include <abstractions/kde-open5>
# #
# # needed for ubuntu-* abstractions # # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
# #
# # Only allow to handle http[s]: and mailto: links # # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email> # include <abstractions/ubuntu-email>
# #
# # Add if accesibility access is considered as required # # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails) # # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility> # include <abstractions/dbus-accessibility>
# #
# # Add if audio support for message box is # # Add if audio support for message box is
# # considered as required. # # considered as required.
# #include if exists <abstractions/gstreamer> # include if exists <abstractions/gstreamer>
# #
# # < add additional allowed applications here > # # < add additional allowed applications here >
# } # }
# ``` # ```
#include <abstractions/audio> # for alert messages include <abstractions/audio> # for alert messages
#include <abstractions/base> include <abstractions/base>
#include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
#include <abstractions/dbus-network-manager-strict> include <abstractions/dbus-network-manager-strict>
#include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
#include <abstractions/dbus-strict> include <abstractions/dbus-strict>
#include <abstractions/kde-icon-cache-write> include <abstractions/kde-icon-cache-write>
#include <abstractions/kde> include <abstractions/kde>
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so) include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
#include <abstractions/openssl> include <abstractions/openssl>
#include <abstractions/qt5> include <abstractions/qt5>
#include <abstractions/recent-documents-write> include <abstractions/recent-documents-write>
#include <abstractions/X> include <abstractions/X>
# Main executables # Main executables
@ -96,9 +98,9 @@
# User files # User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw, owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction # Include additions to the abstraction
#include if exists <abstractions/kde-open5.d> include if exists <abstractions/kde-open5.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
/usr/share/kde4/** r, /usr/share/kde4/** r,

View File

@ -9,9 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
#include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes # KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, #/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
@ -52,7 +52,7 @@
# Think what to do about this #FIXME# # Think what to do about this #FIXME#
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following. # It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
##include <abstractions/recent-documents-write> include <abstractions/recent-documents-write>
#signal (send) set=(term, kill) peer=unconfined, #signal (send) set=(term, kill) peer=unconfined,
#deny @{sys}/bus/ r, #deny @{sys}/bus/ r,
#deny @{sys}/bus/usb/devices/ r, #deny @{sys}/bus/usb/devices/ r,

View File

@ -9,6 +9,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# files required by kerberos client programs # files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
@ -32,3 +34,6 @@
# credential caches # credential caches
/tmp/krb5cc* r, /tmp/krb5cc* r,
# Include additions to the abstraction
include if exists <abstractions/kerberosclient.d>

View File

@ -8,6 +8,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap) # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r, /etc/ldap.conf r,
/etc/ldap.secret r, /etc/ldap.secret r,
@ -19,6 +21,9 @@
/usr/lib{,32,64}/sasl2/* r, /usr/lib{,32,64}/sasl2/* r,
# local LDAP name service daemon # local LDAP name service daemon
/{,var/}run/nslcd/socket rw, @{run}/nslcd/socket rw,
#include <abstractions/ssl_certs> include <abstractions/ssl_certs>
# Include additions to the abstraction
include if exists <abstractions/ldapclient.d>

View File

@ -9,7 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#include <abstractions/dbus-strict> abi <abi/3.0>,
include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts # libpam-systemd notifies systemd-logind about session logins/logouts
dbus send dbus send
@ -17,3 +19,6 @@
path=/org/freedesktop/login1 path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession}, member={CreateSession,ReleaseSession},
# Include additions to the abstraction
include if exists <abstractions/libpam-systemd.d>

View File

@ -1,4 +1,4 @@
#include <abstractions/base> include <abstractions/base>
umount, umount,

View File

@ -1,6 +1,6 @@
#include <abstractions/base> include <abstractions/base>
#include <abstractions/consoles> include <abstractions/consoles>
#include <abstractions/nameservice> include <abstractions/nameservice>
# required for reading disk images # required for reading disk images
capability dac_override, capability dac_override,

View File

@ -9,13 +9,13 @@
# Requires apparmor 2.9 # Requires apparmor 2.9
#include <abstractions/authentication> include <abstractions/authentication>
#include <abstractions/cups-client> include <abstractions/cups-client>
#include <abstractions/dbus> include <abstractions/dbus>
#include <abstractions/dbus-session> include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility> include <abstractions/dbus-accessibility>
#include <abstractions/nameservice> include <abstractions/nameservice>
#include <abstractions/wutmp> include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678 # bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw, /etc/compizconfig/config rw,

View File

@ -31,7 +31,7 @@
profile chromium { profile chromium {
# Allow all the same accesses as other applications in the guest session # Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm> include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that # but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications. # are not appropriate to other guest session applications.

View File

@ -9,5 +9,10 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/tmp/.lwidentity/pipe rw, /tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw, /var/lib/likewise-open/lwidentity_privileged/pipe rw,
# Include additions to the abstraction
include if exists <abstractions/likewise.d>

View File

@ -8,7 +8,12 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# mdnsd # mdnsd
/etc/mdns.allow r, /etc/mdns.allow r,
/etc/nss_mdns.conf r, /etc/nss_mdns.conf r,
/{,var/}run/mdnsd w, @{run}/mdnsd w,
# Include additions to the abstraction
include if exists <abstractions/mdns.d>

View File

@ -1,6 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API # Rules for Mesa implementation of the OpenGL API
abi <abi/3.0>,
# System files # System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
@ -15,3 +17,6 @@
owner @{HOME}/.cache/mesa_shader_cache/??/ w, owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
# System files # System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()

View File

@ -9,9 +9,14 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# mir libraries sometimes do not have a lib prefix # mir libraries sometimes do not have a lib prefix
# see LP: #1422521 # see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr, /usr/lib/@{multiarch}/mir/*.so* mr,
/usr/lib/@{multiarch}/mir/**/*.so* mr, /usr/lib/@{multiarch}/mir/**/*.so* mr,
# unprivileged mir socket for clients # unprivileged mir socket for clients
# Include additions to the abstraction
include if exists <abstractions/mir.d>

View File

@ -9,4 +9,9 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction
include if exists <abstractions/mozc.d>

View File

@ -9,7 +9,12 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw, /var/lib/mysql{,d}/mysql{,d}.sock rw,
/{var/,}run/mysql{,d}/mysql{,d}.sock rw, @{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
# Include additions to the abstraction
include if exists <abstractions/mysql.d>

View File

@ -9,31 +9,28 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# Many programs wish to perform nameservice-like operations, such as # Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name # looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns, # or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
/etc/group r, @{etc_ro}/group r,
/etc/host.conf r, @{etc_ro}/host.conf r,
/etc/hosts r, @{etc_ro}/hosts r,
/etc/nsswitch.conf r, @{etc_ro}/nsswitch.conf r,
/etc/gai.conf r, @{etc_ro}/gai.conf r,
/etc/passwd r, @{etc_ro}/passwd r,
/etc/protocols r, @{etc_ro}/protocols r,
# libtirpc (used for NIS/YP login) needs this # libtirpc (used for NIS/YP login) needs this
/etc/netconfig r, @{etc_ro}/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from # When using libnss-extrausers, the passwd and group files are merged from
# an alternate path # an alternate path
/var/lib/extrausers/group r, /var/lib/extrausers/group r,
/var/lib/extrausers/passwd r, /var/lib/extrausers/passwd r,
# NSS records from systemd-userdbd.service
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
# When using sssd, the passwd and group files are stored in an alternate path # When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe # and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r, /var/lib/sss/mc/group r,
@ -41,56 +38,68 @@
/var/lib/sss/mc/passwd r, /var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw, /var/lib/sss/pipes/nss rw,
/etc/resolv.conf r, @{etc_ro}/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is # On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. # a symlink to @{run}/(whatever program is managing it)/resolv.conf.
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r, @{etc_ro}/resolvconf/run/resolv.conf r,
/{,var/}run/systemd/resolve/stub-resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r,
/etc/samba/lmhosts r, @{etc_ro}/samba/lmhosts r,
/etc/services r, @{etc_ro}/services r,
# db backend # db backend
/var/lib/misc/*.db r, /var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading # The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups. # to vast speed increases when working with network-based lookups.
/{,var/}run/.nscd_socket rw, @{run}/.nscd_socket rw,
/{,var/}run/nscd/socket rw, @{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will # nscd renames and unlinks files in it's operation that clients will
# have open # have open
/{,var/}run/nscd/db* rmix, @{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure # The nss libraries are sometimes used in addition to PAM; make sure
# they are available # they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
/etc/default/nss r, @{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution # avahi-daemon is used for mdns4 resolution
/{,var/}run/avahi-daemon/socket rw, @{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name # libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r, @{PROC}/@{pid}/net/psched r,
/etc/libnl-*/classid r, @{etc_ro}/libnl-*/classid r,
# nis # nis
#include <abstractions/nis> include <abstractions/nis>
# ldap # ldap
#include <abstractions/ldapclient> include <abstractions/ldapclient>
# winbind # winbind
#include <abstractions/winbind> include <abstractions/winbind>
# likewise # likewise
#include <abstractions/likewise> include <abstractions/likewise>
# mdnsd # mdnsd
#include <abstractions/mdns> include <abstractions/mdns>
# kerberos # kerberos
#include <abstractions/kerberosclient> include <abstractions/kerberosclient>
#libnss-systemd
include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# TCP/UDP network access # TCP/UDP network access
network inet stream, network inet stream,
@ -104,3 +113,6 @@
# interface details # interface details
@{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
include if exists <abstractions/nameservice.d>

View File

@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
#abi <abi/3.0>, abi <abi/3.0>,
/etc/hosts r, /etc/hosts r,
/etc/host.conf r, /etc/host.conf r,

View File

@ -8,8 +8,13 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# NIS rules # NIS rules
/var/yp/binding/* r, /var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports # portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service, capability net_bind_service,
# Include additions to the abstraction
include if exists <abstractions/nis.d>

View File

@ -0,0 +1,30 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nss-systemd.d>

View File

@ -1,6 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# nvidia access requirements # nvidia access requirements
abi <abi/3.0>,
# configuration queries # configuration queries
capability ipc_lock, capability ipc_lock,
@ -26,3 +28,6 @@
owner @{HOME}/.nv/GLCache/** rwk, owner @{HOME}/.nv/GLCache/** rwk,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"), unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
# Include additions to the abstraction
include if exists <abstractions/nvidia.d>

View File

@ -1,9 +1,15 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements # OpenCL access requirements
# TODO: use conditionals to select allowed implementations # TODO: use conditionals to select allowed implementations
#include <abstractions/opencl-intel> include <abstractions/opencl-intel>
#include <abstractions/opencl-mesa> include <abstractions/opencl-mesa>
#include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
#include <abstractions/opencl-pocl> include <abstractions/opencl-pocl>
# Include additions to the abstraction
include if exists <abstractions/opencl.d>

View File

@ -1,4 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# implementation-independent OpenCL access requirements # implementation-independent OpenCL access requirements
# System files # System files
@ -8,3 +11,6 @@
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
# Include additions to the abstraction
include if exists <abstractions/opencl-common.d>

View File

@ -1,13 +1,16 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Intel implementation # OpenCL access requirements for Intel implementation
#include <abstractions/opencl-common> include <abstractions/opencl-common>
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay()) # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
#include <abstractions/X> include <abstractions/X>
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
#include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
# System files # System files
@ -15,3 +18,6 @@
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r, /usr/lib/@{multiarch}/beignet/** r,
# Include additions to the abstraction
include if exists <abstractions/opencl-intel.d>

View File

@ -1,7 +1,10 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Mesa implementation # OpenCL access requirements for Mesa implementation
#include <abstractions/opencl-common> include <abstractions/opencl-common>
# Additional libraries # Additional libraries
@ -18,3 +21,6 @@
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
# Include additions to the abstraction
include if exists <abstractions/opencl-mesa.d>

View File

@ -1,8 +1,11 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for NVIDIA implementation # OpenCL access requirements for NVIDIA implementation
#include <abstractions/nvidia> include <abstractions/nvidia>
#include <abstractions/opencl-common> include <abstractions/opencl-common>
# Executables # Executables
@ -28,3 +31,6 @@
owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/** rw,
owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/ComputeCache/index rwk,
# Include additions to the abstraction
include if exists <abstractions/opencl-nvidia.d>

View File

@ -1,7 +1,9 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# OpenCL access requirements for POCL implementation # OpenCL access requirements for POCL implementation
#include <abstractions/opencl-common> abi <abi/3.0>,
include <abstractions/opencl-common>
# Executables # Executables
@ -28,7 +30,7 @@
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r, /usr/share/pocl/** r,
/{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so @{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files # User files
@ -41,7 +43,7 @@
# Child profiles # Child profiles
profile opencl_pocl_ld { profile opencl_pocl_ld {
#include <abstractions/base> include <abstractions/base>
# Main executables # Main executables
@ -54,7 +56,7 @@
} }
profile opencl_pocl_clang { profile opencl_pocl_clang {
#include <abstractions/base> include <abstractions/base>
# Main executables # Main executables
@ -74,3 +76,6 @@
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
} }
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>

View File

@ -8,7 +8,12 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/etc/ssl/openssl.cnf r, /etc/ssl/openssl.cnf r,
/usr/share/ssl/openssl.cnf r, /usr/share/ssl/openssl.cnf r,
@{PROC}/sys/crypto/fips_enabled r, @{PROC}/sys/crypto/fips_enabled r,
# Include additions to the abstraction
include if exists <abstractions/openssl.d>

View File

@ -1,5 +1,10 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# orbit2 permissions # orbit2 permissions
abi <abi/3.0>,
# system library # system library
/usr/lib/orbit-2.0/*.so mr, /usr/lib/orbit-2.0/*.so mr,
# Include additions to the abstraction
include if exists <abstractions/orbit2.d>

View File

@ -8,6 +8,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/etc/pkcs11/ r, /etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r, /etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r, /etc/pkcs11/modules/ r,
@ -20,8 +22,11 @@
/usr/share/p11-kit/modules/* r, /usr/share/p11-kit/modules/* r,
# gnome-keyring pkcs11 module # gnome-keyring pkcs11 module
owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending # p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction. # included in this abstraction.
# Include additions to the abstraction
include if exists <abstractions/p11-kit.d>

View File

@ -9,6 +9,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# a few files typically required for perl scripts # a few files typically required for perl scripts
/usr/bin/perl rmix, /usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix, /usr/bin/perl[0-9].[0-9].[0-9] rmix,
@ -21,3 +23,6 @@
/usr/share/perl/** r, /usr/share/perl/** r,
/usr/share/perl5/** r, /usr/share/perl5/** r,
/etc/perl/** r, /etc/perl/** r,
# Include additions to the abstraction
include if exists <abstractions/perl.d>

View File

@ -10,6 +10,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
# shared snippets for config files # shared snippets for config files
/etc/php{,5,7}/**/ r, /etc/php{,5,7}/**/ r,
/etc/php{,5,7}/**.ini r, /etc/php{,5,7}/**.ini r,
@ -37,3 +39,6 @@
# Zend opcache # Zend opcache
/tmp/.ZendSem.* rwlk, /tmp/.ZendSem.* rwlk,
# Include additions to the abstraction
include if exists <abstractions/php.d>

View File

@ -0,0 +1,22 @@
# vim:syntax=apparmor
# This file contains basic permissions for php-fpm workers
abi <abi/3.0>,
# load common libraries and their support files
include <abstractions/base>
# common php files and support files that php needs
include <abstractions/php>
signal (receive) peer=php-fpm,
# This is some php opcaching file
/tmp/.ZendSem.* rwk,
# I think this is adaptive memory management
/sys/devices/system/node/* r,
/sys/devices/system/node/*/meminfo r,
/sys/devices/system/node/ r,
include if exists <abstractions/php-worker.d>

View File

@ -1,3 +1,8 @@
#backwards compatibility include, actual abstraction moved from php5 to php #backwards compatibility include, actual abstraction moved from php5 to php
#include <abstractions/php> abi <abi/3.0>,
include <abstractions/php>
# Include additions to the abstraction
include if exists <abstractions/php5.d>

View File

@ -11,16 +11,16 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# used with postfix/* # used with postfix/*
abi <abi/3.0>,
capability setuid, capability setuid,
capability setgid, capability setgid,
capability sys_chroot, capability sys_chroot,
# postfix's master can send us signals # postfix's master can send us signals
signal receive peer=/usr/lib/postfix/master,
signal receive peer=postfix-master, signal receive peer=postfix-master,
unix (send, receive) peer=(label=/usr/lib/postfix/master),
unix (send, receive) peer=(label=postfix-master), unix (send, receive) peer=(label=postfix-master),
/etc/mailname r, /etc/mailname r,
@ -37,3 +37,8 @@
/var/spool/postfix/etc/* r, /var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr, /var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr, /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# Include additions to the abstraction
include if exists <abstractions/postfix-common.d>

View File

@ -2,6 +2,8 @@
# privacy-violations contains rules for common files that you want to # privacy-violations contains rules for common files that you want to
# explicitly deny access # explicitly deny access
abi <abi/3.0>,
# privacy violations (don't audit files under $HOME otherwise get a # privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories) # lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl, deny @{HOME}/.*history mrwkl,
@ -45,3 +47,6 @@
deny @{HOME}/.zshenv mrk, deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl, audit deny @{HOME}/.zshenv wl,
# Include additions to the abstraction
include if exists <abstractions/private-files.d>

View File

@ -2,7 +2,9 @@
# privacy-violations-strict contains additional rules for sensitive # privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access # files that you want to explicitly deny access
#include <abstractions/private-files> abi <abi/3.0>,
include <abstractions/private-files>
# potentially extremely sensitive files # potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl, audit deny @{HOME}/.aws/{,**} mrwkl,
@ -12,7 +14,7 @@
audit deny @{HOME}/.gnome2/ w, audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules # don't allow access to any gnome-keyring modules
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl, audit deny @{run}/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl, audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w, audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl, audit deny @{HOME}/.config/chromium/{,**} mrwkl,
@ -23,3 +25,6 @@
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>

View File

@ -10,6 +10,8 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr, /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r, /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r, /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
@ -37,5 +39,5 @@
# python build configuration and headers # python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
# Silencer # Include additions to the abstraction
deny /usr/lib{,32,64}/python*/** w, include if exists <abstractions/python.d>

View File

@ -1,6 +1,8 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Common rules for Qt5-based applications # Common rules for Qt5-based applications
abi <abi/3.0>,
# Additional libraries # Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
@ -20,3 +22,6 @@
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access) owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# Include additions to the abstraction
include if exists <abstractions/qt5.d>

View File

@ -1,8 +1,13 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins # Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/3.0>,
# User files # User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Include additions to the abstraction
include if exists <abstractions/qt5-compose-cache-write.d>

Some files were not shown because too many files have changed in this diff Show More