update apparmor profiles
This commit is contained in:
parent
b29f579865
commit
b9343c50c2
8 changed files with 118 additions and 6 deletions
@ -32,6 +32,8 @@ profile dh @{exec_path} flags=(complain) {
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/dpkg-vendor rPx,
/usr/share/python/pyversions.py rCx -> python,
/usr/share/python3/py3versions.py rCx -> python,
/usr/share/dh-python/* rCx -> python,
@ -85,6 +85,9 @@ profile dhclient-script @{exec_path} {
/{usr/,}bin/printenv rix,
owner /tmp/variables.txt w,
# For ntpd/ntpsec
/{var/,}run/systemd/netif/leases/ r,
# file_inherit
/var/lib/dhcp/dhclient.leases r,
@ -58,8 +58,8 @@ profile firefox @{exec_path} {
@{MOZ_LIBDIR}/*.so mr,
@{MOZ_LIBDIR}/crashreporter rPx,
@{MOZ_LIBDIR}/minidump-analyzer rPx,
@{MOZ_LIBDIR}/pingsender rPx,
@{MOZ_LIBDIR}/plugin-container rPx,
#@{MOZ_LIBDIR}/pingsender rPx,
#@{MOZ_LIBDIR}/plugin-container rPx,
/usr/share/firefox/{,**} r,
/etc/firefox/{,**} r,
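Review bot: The `pingsender` and `plugin-container` rules appear twice in this hunk, once as live `rPx` transitions and once commented out (`#@{MOZ_LIBDIR}/pingsender rPx,`), and the rendering does not show which pair is the new side; whichever pair is kept should carry a one-line reason, because an `rPx` transition is only honoured when standalone profiles for those two binaries are loaded and the exec is denied otherwise. A comment such as `# pingsender and plugin-container run under their own profiles` (or the reason the transitions were disabled) would make the intent reviewable. The enclosing firefox profile starts and ends outside the hunk.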
@ -52,6 +52,7 @@ profile lintian @{exec_path} flags=(complain) {
/{usr/,}bin/gunzip rix,
/{usr/,}bin/filterdiff rix,
/{usr/,}bin/lexgrog rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,@{multiarch}-}ar rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,
@ -73,6 +73,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
# parent Firefox process when restarting after upgrade, Web Content processes
owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
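Review bot: `owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,` transitions back into the profile that is already running using lowercase `px`, which keeps the caller's environment across the exec; a re-exec into the same profile is normally written `ixmr`, and if the unscrubbed environment is deliberately required for the restart, the comment above the rule should say so rather than only naming the case. The preceding comment explains when the rule fires (restart after upgrade, Web Content processes) but not why `px` was chosen over `ix` or the scrubbing `Px`. The torbrowser_firefox profile starts and ends outside the hunk.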
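--- a/apparmor.d/tunables/ntpd
+++ b/apparmor.d/tunables/ntpd
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2011 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}="/dev/ttyS1"
+@{NTPD_DEVICE}="/dev/null"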
@ -41,10 +41,8 @@ profile update-pciids @{exec_path} {
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/usr/share/misc/ r,
/usr/share/misc/pci.ids* rw,
link /usr/share/misc/pci.ids.gz.old -> /usr/share/misc/pci.ids.gz,
link /usr/share/misc/pci.ids.old -> /usr/share/misc/pci.ids,
/usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*,
profile browse {
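Review bot: If `/usr/share/misc/* rwl -> /usr/share/misc/*,` is the surviving rule, it widens write and link access from the `pci.ids*` files that the four neighbouring rules name to every file under `/usr/share/misc/`, which is more than a pci.ids updater needs. The same glob can stay scoped to the data it actually rewrites: `/usr/share/misc/pci.ids* rwl -> /usr/share/misc/pci.ids*,` covers pci.ids, pci.ids.gz and their .old link targets in a single line. The hunk's old/new sides are not marked in this rendering, so this assumes the broader rule is the new one; the update-pciids profile continues outside the hunk.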
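--- a/apparmor.d/usr.sbin.ntpd
+++ b/apparmor.d/usr.sbin.ntpd
@@ -0,0 +1,91 @@
+# vim:syntax=apparmor
+# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+#include <tunables/ntpd>
+/usr/sbin/ntpd flags=(attach_disconnected) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/user-tmp>
+#include <abstractions/openssl>
+
+capability ipc_lock,
+capability net_admin,
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability sys_chroot,
+capability sys_resource,
+capability sys_time,
+capability sys_nice,
+
+# Needed to create logs
+#capability dac_override,
+
+# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
+network dgram,
+network stream,
+
+@{PROC}/net/if_inet6 r,
+@{PROC}/*/net/if_inet6 r,
+@{NTPD_DEVICE} rw,
+# pps devices are almost exclusively used with NTP
+/dev/pps[0-9]* rw,
+
+/{,s}bin/ r,
+/usr/{,s}bin/ r,
+/usr/local/{,s}bin/ r,
+/usr/sbin/ntpd rmix,
+
+/etc/ntpsec/ntp.conf r,
+/etc/ntpsec/ntp.d/ r,
+/etc/ntpsec/ntp.d/*.conf r,
+/run/ntpsec/ntp.conf.dhcp r,
+
+/etc/ntpsec/cert-chain.pem r,
+/etc/ntpsec/key.pem r,
+/etc/ntpsec/ntp.keys r,
+
+/var/lib/ntpsec/ntp.drift rw,
+/var/lib/ntpsec/ntp.drift-tmp rw,
+/var/lib/ntpsec/nts-keys rw,
+/usr/share/zoneinfo/leap-seconds.list rw,
+
+/var/log/ntp w,
+/var/log/ntp.log w,
+/var/log/ntpd w,
+/var/log/ntpsec/clockstats* rwl,
+/var/log/ntpsec/loopstats* rwl,
+/var/log/ntpsec/peerstats* rwl,
+/var/log/ntpsec/protostats* rwl,
+/var/log/ntpsec/rawstats* rwl,
+/var/log/ntpsec/sysstats* rwl,
+/var/log/ntpsec/usestats.* rwl,
+
+/{,var/}run/ntpd.pid w,
+
+# to be able to check for running ntpdate
+/run/lock/ntpsec-ntpdate wk,
+
+# To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
+/var/lib/samba/ntp_signd/socket rw,
+
+# For use with clocks that report via shared memory (e.g. gpsd),
+# you may need to give ntpd access to all of shared memory, though
+# this can be considered dangerous. See https://launchpad.net/bugs/722815
+# for details. To enable, add this to local/usr.sbin.ntpd:
+# capability ipc_owner,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.sbin.ntpd>
+}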
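Review bot: `network dgram,` and `network stream,` grant sockets of every address family, while the comment directly above them names only AF_INET, AF_INET6 and AF_UNSPEC; `network inet dgram, network inet6 dgram, network inet stream, network inet6 stream,` matches the stated intent, and if ntpd also needs a netlink socket for interface tracking that family should be added explicitly rather than left implicit. The header `/usr/sbin/ntpd flags=(attach_disconnected) {` with `#include <tunables/global>` follows the upstream Ubuntu layout rather than the `profile NAME @{exec_path}` form the other hunks in this commit use, so a leading comment stating that the file was imported unchanged from the Ubuntu ntp packaging, or a conversion to the repository style, would help the next maintainer. `/usr/share/zoneinfo/leap-seconds.list rw,` also grants write access to a system-wide data file; if ntpd only consults it, `r` is sufficient.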