Remove profiles already present in deps.

Alexandre Pujol 2021-04-01 16:01:57 +01:00
parent 2129e23596
commit c408a878b7
18 changed files with 0 additions and 953 deletions


@ -1,50 +0,0 @@
# Last Modified: Fri Sep 11 13:27:22 2009
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
abi <abi/3.0>,
^phpsysinfo {
include <abstractions/apache2-common>
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/php5>
include <abstractions/python>
/{,usr/}bin/dash ixr,
/{,usr/}bin/df ixr,
/{,usr/}bin/mount ixr,
/{,usr/}bin/uname ixr,
/dev/bus/usb/ r,
/dev/bus/usb/** r,
/etc/debian_version r,
/etc/lsb-release r,
/etc/mtab r,
/etc/phpsysinfo/config.php r,
/etc/udev/udev.conf r,
@{PROC}/** r,
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/** r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/** r,
/usr/bin/ r,
/usr/bin/apt-cache ixr,
/usr/bin/dpkg-query ixr,
/usr/bin/lsb_release ixr,
/usr/bin/lspci ixr,
/usr/bin/who ixr,
/usr/{,s}bin/lsusb ixr,
/usr/share/phpsysinfo/** r,
/var/lib/dpkg/arch r,
/var/lib/dpkg/available r,
/var/lib/dpkg/status r,
/var/lib/dpkg/triggers/* r,
/var/lib/dpkg/updates/ r,
/var/lib/{misc,usbutils}/usb.ids r,
/var/log/apache2/access.log w,
/var/log/apache2/error.log w,
@{run}/utmp rk,
/usr/share/misc/pci.ids r,
}


@ -1,31 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
# Copyright (C) 2020-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile ping /{usr/,}bin/{,iputils-}ping {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
#capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set
#capability setuid, # Not needed anymore since it's not SETUID binary
network inet raw,
network inet6 raw,
/{usr/,}bin/{,iputils-}ping mixr,
/etc/modules.conf r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/bin.ping>
}


@ -1,43 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015-2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/lsb_release
profile lsb_release @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/apt-cache rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/etc/lsb-release r,
/etc/debian_version r,
/etc/dpkg/origins/debian r,
/usr/share/distro-info/debian.csv r,
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/lsb_release>
}


@ -1,67 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
include <tunables/global>
profile nvidia_modprobe {
include <abstractions/base>
# Capabilities
capability chown,
capability mknod,
capability setuid,
capability sys_admin,
# Main executable
/usr/bin/nvidia-modprobe mr,
# Other executables
/usr/bin/kmod Cx -> kmod,
# System files
/dev/nvidia-modeset w,
/dev/nvidia-uvm w,
/dev/nvidia-uvm-tools w,
@{sys}/bus/pci/devices/ r,
@{sys}/devices/pci[0-9]*/**/config r,
@{PROC}/devices r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
@{PROC}/sys/kernel/modprobe r,
# Child profiles
profile kmod {
include <abstractions/base>
# Capabilities
capability sys_module,
# Main executable
/usr/bin/kmod mrix,
# Other executables
/{,usr/}bin/{,ba,da}sh ix,
# System files
/etc/modprobe.d/{,*.conf} r,
/etc/nvidia/current/*.conf r,
@{sys}/module/ipmi_devintf/initstate r,
@{sys}/module/ipmi_msghandler/initstate r,
@{sys}/module/nvidia/initstate r,
@{PROC}/cmdline r,
}
# Site-specific additions and overrides. See local/README for details.
include if exists <local/nvidia_modprobe>
}


@ -1,60 +0,0 @@
# vim: ft=apparmor
abi <abi/3.0>,
include <tunables/global>
profile php-fpm /usr/sbin/php-fpm* flags=(complain,attach_disconnected) {
# load common libraries and their support files
include <abstractions/base>
# resolve hostnames/usernames
include <abstractions/nameservice>
# common php files and support files that php needs
include <abstractions/php>
# read openssl configuration
include <abstractions/openssl>
# read the system certificates
include <abstractions/ssl_certs>
/etc/php{,5,7}/** r,
capability net_admin,
# change user/group of a pool
capability setuid,
capability setgid,
# change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
capability chown,
# we want to be able to kill our child processes
capability kill,
# to provide sockets with acls different than root
capability dac_override,
# we need write access here to move it into a different apparmor sub profile
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
# the main log file
/var/log/php*-fpm.log rw,
# we need to be able to create all sockets
@{run}/php{,-fpm}/php*-fpm.pid rw,
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
# to reload
/usr/sbin/php-fpm* rix,
# no idea why php tries to open / read/write
deny / rw,
# allow sending signals to our subprocesses
signal (send) peer=php-fpm//*,
# allow switching processes to those subprofiles
change_profile -> php-fpm//*,
# load all files from this directory
# store your configurations per pool in this dir
include if exists <php-fpm.d>
# Site-specific additions and overrides. See local/README for details.
include if exists <local/php-fpm>
}


@ -1,37 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) {
include <abstractions/base>
capability sys_admin, # for backward compatibility with kernel <= 2.6.37
capability syslog,
network inet stream,
/boot/System.map* r,
@{PROC}/kmsg r,
@{PROC}/kallsyms r,
/dev/tty rw,
/{usr/,}{bin,sbin}/klogd rmix,
/var/log/boot.msg rwl,
@{run}/klogd.pid krwl,
@{run}/klogd/klogd.pid krwl,
@{run}/klogd/kmsg r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.klogd>
}


@ -1,69 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2006 Christian Boltz
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
#define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""
profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/mysql>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/hosts_access>
capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability fowner,
capability sys_tty_config,
capability sys_resource,
capability syslog,
unix (receive) type=dgram,
unix (receive) type=stream,
/dev/log w,
/dev/syslog w,
/dev/tty10 rw,
/dev/xconsole rw,
/dev/kmsg r,
/etc/machine-id r,
/etc/syslog-ng/* r,
/etc/syslog-ng/conf.d/ r,
/etc/syslog-ng/conf.d/* r,
@{PROC}/kmsg r,
/{usr/,}{bin,sbin}/syslog-ng mr,
@{sys}/devices/system/cpu/online r,
/usr/share/syslog-ng/** r,
/var/lib/syslog-ng/syslog-ng-?????.qf rw,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/@{run}/syslog-ng.pid krw,
@{CHROOT_BASE}/@{run}/syslog-ng.ctl rw,
/{var,var/run,run}/log/journal/ r,
/{var,var/run,run}/log/journal/*/ r,
/{var,var/run,run}/log/journal/*/*.journal r,
@{run}/syslog-ng.ctl a,
@{run}/syslog-ng/additional-log-sockets.conf r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.syslog-ng>
}


@ -1,45 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/consoles>
capability sys_tty_config,
capability dac_override,
capability dac_read_search,
capability setuid,
capability setgid,
capability syslog,
unix (receive) type=dgram,
unix (receive) type=stream,
/dev/log wl,
/var/lib/*/dev/log wl,
/dev/tty* w,
/dev/xconsole rw,
/etc/syslog.conf r,
/{usr/,}{bin,sbin}/syslogd rmix,
/var/log/** rw,
@{run}/syslogd.pid krwl,
@{run}/utmp rw,
/var/spool/compaq/nic/messages_fifo rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/sbin.syslogd>
}


@ -1,35 +0,0 @@
abi <abi/3.0>,
include <tunables/global>
profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus>
include <abstractions/nameservice>
capability chown,
capability dac_override,
capability kill,
capability setuid,
capability setgid,
capability sys_chroot,
network netlink dgram,
/etc/avahi/ r,
/etc/avahi/avahi-daemon.conf r,
/etc/avahi/hosts r,
/etc/avahi/services/ r,
/etc/avahi/services/*.service r,
@{PROC}/@{pid}/fd/ r,
/usr/{bin,sbin}/avahi-daemon mr,
/usr/share/avahi/introspection/*.introspect r,
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
@{run}/avahi-daemon/ w,
@{run}/avahi-daemon/pid krw,
@{run}/avahi-daemon/socket w,
@{run}/systemd/notify w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.avahi-daemon>
}


@ -1,134 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
include <tunables/global>
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus>
include <abstractions/nameservice>
capability chown,
capability net_bind_service,
capability setgid,
capability setuid,
capability dac_override,
capability net_admin, # for DHCP server
capability net_raw, # for DHCP server ping checks
network inet raw,
network inet6 raw,
signal (receive) peer=/usr/{bin,sbin}/libvirtd,
signal (receive) peer=libvirtd,
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
ptrace (readby) peer=libvirtd,
owner /dev/tty rw,
@{PROC}/@{pid}/fd/ r,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
/etc/dnsmasq.d-available/ r,
/etc/dnsmasq.d-available/* r,
/etc/ethers r,
/etc/NetworkManager/dnsmasq.d/ r,
/etc/NetworkManager/dnsmasq.d/* r,
/etc/NetworkManager/dnsmasq-shared.d/ r,
/etc/NetworkManager/dnsmasq-shared.d/* r,
/etc/dnsmasq-conf.conf r,
/etc/dnsmasq-resolv.conf r,
/usr/{bin,sbin}/dnsmasq mr,
/var/log/dnsmasq*.log w,
/usr/share/dnsmasq{-base,}/ r,
/usr/share/dnsmasq{-base,}/* r,
@{run}/*dnsmasq*.pid w,
@{run}/dnsmasq-forwarders.conf r,
@{run}/dnsmasq/ r,
@{run}/dnsmasq/* rw,
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
@{PROC}/sys/net/ipv6/conf/*/mtu r,
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
# libvirt config and hosts file for dnsmasq
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/* r,
# libvirt pid files for dnsmasq
@{run}/libvirt/network/ r,
@{run}/libvirt/network/*.pid rw,
# libvirt lease helper
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
# lxc-net pid and lease files
@{run}/lxc/dnsmasq.pid rw,
/var/lib/misc/dnsmasq.*.leases rw,
# lxd-bridge pid and lease files
@{run}/lxd-bridge/dnsmasq.pid rw,
/var/lib/lxd-bridge/dnsmasq.*.leases rw,
/var/lib/lxd/networks/*/dnsmasq.* r,
/var/lib/lxd/networks/*/dnsmasq.leases rw,
/var/lib/lxd/networks/*/dnsmasq.pid rw,
# NetworkManager integration
/var/lib/NetworkManager/dnsmasq-*.leases rw,
@{run}/nm-dns-dnsmasq.conf r,
@{run}/nm-dnsmasq-*.pid rw,
@{run}/sendsigs.omit.d/*dnsmasq.pid w,
@{run}/NetworkManager/dnsmasq.conf r,
@{run}/NetworkManager/dnsmasq.pid w,
@{run}/NetworkManager/NetworkManager.pid w,
profile libvirt_leaseshelper {
include <abstractions/base>
/etc/libnl-3/classid r,
/usr/lib{,64}/libvirt/libvirt_leaseshelper m,
/usr/libexec/libvirt_leaseshelper m,
owner @{PROC}/@{pid}/net/psched r,
owner @{PROC}/@{pid}/status r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,
# libvirt lease and status files for dnsmasq
/var/lib/libvirt/dnsmasq/*.leases rw,
/var/lib/libvirt/dnsmasq/*.status* rw,
@{run}/leaseshelper.pid rwk,
}
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.dnsmasq>
}


@ -1,35 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile identd /usr/{bin,sbin}/identd flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
network netlink dgram,
/etc/identd.conf r,
/etc/identd.key r,
/etc/identd.pid w,
/usr/{bin,sbin}/identd rmix,
@{PROC}/net/tcp r,
@{PROC}/net/tcp6 r,
@{run}/identd.pid w,
@{run}/identd/ w,
@{run}/identd/identd.pid w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.identd>
}


@ -1,38 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
network netlink dgram,
/usr/{bin,sbin}/mdnsd rmix,
@{PROC}/net/ r,
@{PROC}/net/unix r,
@{run}/mdnsd lw,
@{run}/mdnsd.pid w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.mdnsd>
}


@ -1,36 +0,0 @@
abi <abi/3.0>,
include <tunables/global>
profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/samba>
capability net_bind_service,
@{PROC}/sys/kernel/core_pattern r,
/usr/{bin,sbin}/nmbd mr,
/var/cache/samba/gencache.tdb rwk,
/var/cache/samba/gencache_notrans.tdb rwk,
/var/cache/samba/names.tdb rwk,
/var/{cache,lib}/samba/browse.dat* rw,
/var/{cache,lib}/samba/gencache.dat rw,
/var/{cache,lib}/samba/wins.dat* rw,
/var/{cache,lib}/samba/smb_krb5/ rw,
/var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
/var/{cache,lib}/samba/smb_tmp_krb5.* rw,
/var/{cache,lib}/samba/sync.* rw,
/var/{cache,lib}/samba/unexpected rw,
/var/cache/samba/msg/ rw,
/var/cache/samba/msg/* w,
@{run}/nmbd.pid rwk,
@{run}/samba/** rwk,
@{run}/systemd/notify w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.nmbd>
}


@ -1,45 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
deny capability block_suspend,
capability net_bind_service,
capability setgid,
capability setuid,
/etc/netgroup r,
/etc/nscd.conf r,
/usr/{bin,sbin}/nscd rmix,
@{run}/.nscd_socket wl,
@{run}/nscd/ rw,
@{run}/nscd/db* rwl,
@{run}/nscd/socket wl,
/{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
@{run}/{nscd/,}nscd.pid rwl,
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/*.status r,
/var/log/nscd.log rw,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/fd/* r,
@{PROC}/@{pid}/mounts r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.nscd>
}


@ -1,91 +0,0 @@
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
capability ipc_lock,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_time,
capability sys_nice,
# Needed to create logs
#capability dac_override,
# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
network dgram,
network stream,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{NTPD_DEVICE} rw,
# pps devices are almost exclusively used with NTP
/dev/pps[0-9]* rw,
/{,s}bin/ r,
/usr/{,s}bin/ r,
/usr/local/{,s}bin/ r,
/usr/sbin/ntpd rmix,
/etc/ntpsec/ntp.conf r,
/etc/ntpsec/ntp.d/ r,
/etc/ntpsec/ntp.d/*.conf r,
/run/ntpsec/ntp.conf.dhcp r,
/etc/ntpsec/cert-chain.pem r,
/etc/ntpsec/key.pem r,
/etc/ntpsec/ntp.keys r,
/var/lib/ntpsec/ntp.drift rw,
/var/lib/ntpsec/ntp.drift-tmp rw,
/var/lib/ntpsec/nts-keys rw,
/usr/share/zoneinfo/leap-seconds.list rw,
/var/log/ntp w,
/var/log/ntp.log w,
/var/log/ntpd w,
/var/log/ntpsec/clockstats* rwl,
/var/log/ntpsec/loopstats* rwl,
/var/log/ntpsec/peerstats* rwl,
/var/log/ntpsec/protostats* rwl,
/var/log/ntpsec/rawstats* rwl,
/var/log/ntpsec/sysstats* rwl,
/var/log/ntpsec/usestats* rwl,
/{,var/}run/ntpd.pid w,
# to be able to check for running ntpdate
/run/lock/ntpsec-ntpdate wk,
# To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
/var/lib/samba/ntp_signd/socket rw,
# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
# this can be considered dangerous. See https://launchpad.net/bugs/722815
# for details. To enable, add this to local/usr.sbin.ntpd:
# capability ipc_owner,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.ntpd>
}


@ -1,65 +0,0 @@
abi <abi/3.0>,
include <tunables/global>
profile smbd /usr/{bin,sbin}/smbd flags=(complain) {
include <abstractions/authentication>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/cups-client>
include <abstractions/nameservice>
include <abstractions/samba>
include <abstractions/user-tmp>
include <abstractions/wutmp>
capability audit_write,
capability dac_override,
capability dac_read_search,
capability fowner,
capability lease,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_resource,
capability sys_tty_config,
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
/etc/samba/* rwk,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
/usr/lib*/samba/vfs/*.so mr,
/usr/lib*/samba/auth/*.so mr,
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/gensec/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
/usr/lib/@{multiarch}/samba/**/ r,
/usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
/usr/{bin,sbin}/smbd mr,
/usr/{bin,sbin}/smbldap-useradd Px,
/var/cache/samba/** rwk,
/var/{cache,lib}/samba/printing/printers.tdb mrw,
/var/lib/samba/** rwk,
/var/lib/sss/pubconf/kdcinfo.* r,
@{run}/dbus/system_bus_socket rw,
@{run}/smbd.pid rwk,
@{run}/samba/** rk,
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
@{run}/samba/smbd.pid rw,
/var/spool/samba/** rw,
@{HOMEDIRS}/** lrwk,
/var/lib/samba/usershares/{,**} lrwk,
# Permissions for all configured shares (file autogenerated by
# update-apparmor-samba-profile on service startup.
include if exists <samba/smbd-shares>
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.smbd>
}


@ -1,40 +0,0 @@
# Last Modified: Tue Jan 3 00:17:40 2012
abi <abi/3.0>,
include <tunables/global>
profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/nameservice>
include <abstractions/perl>
/dev/tty rw,
/{,usr/}bin/bash ix,
/etc/init.d/nscd Cx,
/etc/shadow r,
/etc/smbldap-tools/smbldap.conf r,
/etc/smbldap-tools/smbldap_bind.conf r,
/usr/{bin,sbin}/smbldap-useradd r,
/usr/{bin,sbin}/smbldap_tools.pm r,
/var/log/samba/log.smbd w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.smbldap-useradd>
profile /etc/init.d/nscd flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice>
capability sys_ptrace,
/{,usr/}bin/bash r,
/{,usr/}bin/mountpoint rix,
/{,usr/}bin/systemctl rix,
/dev/tty rw,
/etc/init.d/nscd r,
/etc/rc.status r,
}
}


@ -1,32 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
deny capability net_admin, # noisy setsockopt() calls
capability net_raw,
network inet raw,
network inet6 raw,
/usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
@{PROC}/net/route r,
@{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.traceroute>
}