diff --git a/apparmor.d/apache2.d/phpsysinfo b/apparmor.d/apache2.d/phpsysinfo
deleted file mode 100644
index afd1ff34..00000000
--- a/apparmor.d/apache2.d/phpsysinfo
+++ /dev/null
@@ -1,50 +0,0 @@
-# Last Modified: Fri Sep 11 13:27:22 2009
-# Author: Marc Deslauriers
-
- abi ,
-
- ^phpsysinfo {
- include
- include
- include
- include
- include
-
- /{,usr/}bin/dash ixr,
- /{,usr/}bin/df ixr,
- /{,usr/}bin/mount ixr,
- /{,usr/}bin/uname ixr,
- /dev/bus/usb/ r,
- /dev/bus/usb/** r,
- /etc/debian_version r,
- /etc/lsb-release r,
- /etc/mtab r,
- /etc/phpsysinfo/config.php r,
- /etc/udev/udev.conf r,
- @{PROC}/** r,
- @{sys}/bus/ r,
- @{sys}/bus/pci/devices/ r,
- @{sys}/bus/pci/slots/ r,
- @{sys}/bus/pci/slots/** r,
- @{sys}/bus/usb/devices/ r,
- @{sys}/class/ r,
- @{sys}/devices/** r,
- /usr/bin/ r,
- /usr/bin/apt-cache ixr,
- /usr/bin/dpkg-query ixr,
- /usr/bin/lsb_release ixr,
- /usr/bin/lspci ixr,
- /usr/bin/who ixr,
- /usr/{,s}bin/lsusb ixr,
- /usr/share/phpsysinfo/** r,
- /var/lib/dpkg/arch r,
- /var/lib/dpkg/available r,
- /var/lib/dpkg/status r,
- /var/lib/dpkg/triggers/* r,
- /var/lib/dpkg/updates/ r,
- /var/lib/{misc,usbutils}/usb.ids r,
- /var/log/apache2/access.log w,
- /var/log/apache2/error.log w,
- @{run}/utmp rk,
- /usr/share/misc/pci.ids r,
- }
diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping
deleted file mode 100644
index 684510af..00000000
--- a/apparmor.d/bin.ping
+++ /dev/null
@@ -1,31 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-profile ping /{usr/,}bin/{,iputils-}ping {
- include
- include
- include
-
- #capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set
- #capability setuid, # Not needed anymore since it's not SETUID binary
- network inet raw,
- network inet6 raw,
-
- /{usr/,}bin/{,iputils-}ping mixr,
- /etc/modules.conf r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/lsb_release b/apparmor.d/lsb_release
deleted file mode 100644
index c32357e3..00000000
--- a/apparmor.d/lsb_release
+++ /dev/null
@@ -1,43 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2015-2020 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-@{exec_path} = /{usr/,}bin/lsb_release
-profile lsb_release @{exec_path} {
- include
- include
- include
-
- @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
-
- /{usr/,}bin/ r,
- /{usr/,}bin/apt-cache rPx,
- # Do not strip env to avoid errors like the following:
- # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
- # shared object file): ignored.
- /{usr/,}bin/dpkg-query rpx,
-
- /etc/lsb-release r,
- /etc/debian_version r,
- /etc/dpkg/origins/debian r,
- /usr/share/distro-info/debian.csv r,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- include if exists
-}
diff --git a/apparmor.d/nvidia_modprobe b/apparmor.d/nvidia_modprobe
deleted file mode 100644
index 2502c49d..00000000
--- a/apparmor.d/nvidia_modprobe
+++ /dev/null
@@ -1,67 +0,0 @@
-# vim:syntax=apparmor
-
-abi ,
-
-include
-
-profile nvidia_modprobe {
- include
-
- # Capabilities
-
- capability chown,
- capability mknod,
- capability setuid,
- capability sys_admin,
-
- # Main executable
-
- /usr/bin/nvidia-modprobe mr,
-
- # Other executables
-
- /usr/bin/kmod Cx -> kmod,
-
- # System files
-
- /dev/nvidia-modeset w,
- /dev/nvidia-uvm w,
- /dev/nvidia-uvm-tools w,
- @{sys}/bus/pci/devices/ r,
- @{sys}/devices/pci[0-9]*/**/config r,
- @{PROC}/devices r,
- @{PROC}/driver/nvidia/params r,
- @{PROC}/modules r,
- @{PROC}/sys/kernel/modprobe r,
-
- # Child profiles
-
- profile kmod {
- include
-
- # Capabilities
-
- capability sys_module,
-
- # Main executable
-
- /usr/bin/kmod mrix,
-
- # Other executables
-
- /{,usr/}bin/{,ba,da}sh ix,
-
- # System files
-
- /etc/modprobe.d/{,*.conf} r,
- /etc/nvidia/current/*.conf r,
- @{sys}/module/ipmi_devintf/initstate r,
- @{sys}/module/ipmi_msghandler/initstate r,
- @{sys}/module/nvidia/initstate r,
- @{PROC}/cmdline r,
- }
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
-
diff --git a/apparmor.d/php-fpm b/apparmor.d/php-fpm
deleted file mode 100644
index 32a78640..00000000
--- a/apparmor.d/php-fpm
+++ /dev/null
@@ -1,60 +0,0 @@
-# vim: ft=apparmor
-
-abi ,
-
-include
-
-profile php-fpm /usr/sbin/php-fpm* flags=(complain,attach_disconnected) {
- # load common libraries and their support files
- include
- # resolve hostnames/usernames
- include
- # common php files and support files that php needs
- include
- # read openssl configuration
- include
- # read the system certificates
- include
-
- /etc/php{,5,7}/** r,
-
- capability net_admin,
- # change user/group of a pool
- capability setuid,
- capability setgid,
- # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
- capability chown,
- # we want to be able to kill our child processes
- capability kill,
- # to provide sockets with acls different than root
- capability dac_override,
-
- # we need write access here to move it into a different apparmor sub profile
- @{PROC}/@{pid}/attr/{apparmor/,}current rw,
-
- # the main log file
- /var/log/php*-fpm.log rw,
-
- # we need to be able to create all sockets
- @{run}/php{,-fpm}/php*-fpm.pid rw,
- @{run}/php{,-fpm}/php*-fpm.sock rwlk,
-
- # to reload
- /usr/sbin/php-fpm* rix,
-
- # no idea why php tries to open / read/write
- deny / rw,
-
- # allow sending signals to our subprocesses
- signal (send) peer=php-fpm//*,
-
- # allow switching processes to those subprofiles
- change_profile -> php-fpm//*,
-
- # load all files from this directory
- # store your configurations per pool in this dir
- include if exists
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/sbin.klogd b/apparmor.d/sbin.klogd
deleted file mode 100644
index b44c4da0..00000000
--- a/apparmor.d/sbin.klogd
+++ /dev/null
@@ -1,37 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) {
- include
-
- capability sys_admin, # for backward compatibility with kernel <= 2.6.37
- capability syslog,
-
- network inet stream,
-
- /boot/System.map* r,
- @{PROC}/kmsg r,
- @{PROC}/kallsyms r,
- /dev/tty rw,
-
- /{usr/,}{bin,sbin}/klogd rmix,
- /var/log/boot.msg rwl,
- @{run}/klogd.pid krwl,
- @{run}/klogd/klogd.pid krwl,
- @{run}/klogd/kmsg r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/sbin.syslog-ng b/apparmor.d/sbin.syslog-ng
deleted file mode 100644
index 1f0d229e..00000000
--- a/apparmor.d/sbin.syslog-ng
+++ /dev/null
@@ -1,69 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2006-2009 Novell/SUSE
-# Copyright (C) 2006 Christian Boltz
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-#define this to be where syslog-ng is chrooted
-@{CHROOT_BASE}=""
-
-profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) {
- include
- include
- include
- include
- include
- include
- include
-
- capability chown,
- capability dac_override,
- capability dac_read_search,
- capability fsetid,
- capability fowner,
- capability sys_tty_config,
- capability sys_resource,
- capability syslog,
-
- unix (receive) type=dgram,
- unix (receive) type=stream,
-
- /dev/log w,
- /dev/syslog w,
- /dev/tty10 rw,
- /dev/xconsole rw,
- /dev/kmsg r,
- /etc/machine-id r,
- /etc/syslog-ng/* r,
- /etc/syslog-ng/conf.d/ r,
- /etc/syslog-ng/conf.d/* r,
- @{PROC}/kmsg r,
- /{usr/,}{bin,sbin}/syslog-ng mr,
- @{sys}/devices/system/cpu/online r,
- /usr/share/syslog-ng/** r,
- /var/lib/syslog-ng/syslog-ng-?????.qf rw,
- # chrooted applications
- @{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
- @{CHROOT_BASE}/var/log/** w,
- @{CHROOT_BASE}/@{run}/syslog-ng.pid krw,
- @{CHROOT_BASE}/@{run}/syslog-ng.ctl rw,
- /{var,var/run,run}/log/journal/ r,
- /{var,var/run,run}/log/journal/*/ r,
- /{var,var/run,run}/log/journal/*/*.journal r,
- @{run}/syslog-ng.ctl a,
- @{run}/syslog-ng/additional-log-sockets.conf r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/sbin.syslogd b/apparmor.d/sbin.syslogd
deleted file mode 100644
index bcd632aa..00000000
--- a/apparmor.d/sbin.syslogd
+++ /dev/null
@@ -1,45 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) {
- include
- include
- include
-
- capability sys_tty_config,
- capability dac_override,
- capability dac_read_search,
- capability setuid,
- capability setgid,
- capability syslog,
-
- unix (receive) type=dgram,
- unix (receive) type=stream,
-
- /dev/log wl,
- /var/lib/*/dev/log wl,
-
- /dev/tty* w,
- /dev/xconsole rw,
- /etc/syslog.conf r,
- /{usr/,}{bin,sbin}/syslogd rmix,
- /var/log/** rw,
- @{run}/syslogd.pid krwl,
- @{run}/utmp rw,
- /var/spool/compaq/nic/messages_fifo rw,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.avahi-daemon b/apparmor.d/usr.sbin.avahi-daemon
deleted file mode 100644
index 7de07d3e..00000000
--- a/apparmor.d/usr.sbin.avahi-daemon
+++ /dev/null
@@ -1,35 +0,0 @@
-abi ,
-
-include
-profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) {
- include
- include
- include
- include
-
- capability chown,
- capability dac_override,
- capability kill,
- capability setuid,
- capability setgid,
- capability sys_chroot,
-
- network netlink dgram,
-
- /etc/avahi/ r,
- /etc/avahi/avahi-daemon.conf r,
- /etc/avahi/hosts r,
- /etc/avahi/services/ r,
- /etc/avahi/services/*.service r,
- @{PROC}/@{pid}/fd/ r,
- /usr/{bin,sbin}/avahi-daemon mr,
- /usr/share/avahi/introspection/*.introspect r,
- /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
- @{run}/avahi-daemon/ w,
- @{run}/avahi-daemon/pid krw,
- @{run}/avahi-daemon/socket w,
- @{run}/systemd/notify w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq
deleted file mode 100644
index 7ae9a148..00000000
--- a/apparmor.d/usr.sbin.dnsmasq
+++ /dev/null
@@ -1,134 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2009 John Dong
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
-
-include
-profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- include
- include
- include
-
- capability chown,
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability dac_override,
- capability net_admin, # for DHCP server
- capability net_raw, # for DHCP server ping checks
- network inet raw,
- network inet6 raw,
-
- signal (receive) peer=/usr/{bin,sbin}/libvirtd,
- signal (receive) peer=libvirtd,
- ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
- ptrace (readby) peer=libvirtd,
-
- owner /dev/tty rw,
-
- @{PROC}/@{pid}/fd/ r,
-
- /etc/dnsmasq.conf r,
- /etc/dnsmasq.d/ r,
- /etc/dnsmasq.d/* r,
- /etc/dnsmasq.d-available/ r,
- /etc/dnsmasq.d-available/* r,
- /etc/ethers r,
- /etc/NetworkManager/dnsmasq.d/ r,
- /etc/NetworkManager/dnsmasq.d/* r,
- /etc/NetworkManager/dnsmasq-shared.d/ r,
- /etc/NetworkManager/dnsmasq-shared.d/* r,
- /etc/dnsmasq-conf.conf r,
- /etc/dnsmasq-resolv.conf r,
-
- /usr/{bin,sbin}/dnsmasq mr,
-
- /var/log/dnsmasq*.log w,
-
- /usr/share/dnsmasq{-base,}/ r,
- /usr/share/dnsmasq{-base,}/* r,
-
- @{run}/*dnsmasq*.pid w,
- @{run}/dnsmasq-forwarders.conf r,
- @{run}/dnsmasq/ r,
- @{run}/dnsmasq/* rw,
-
- /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
-
- /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
-
- # access to iface mtu needed for Router Advertisement messages in IPv6
- # Neighbor Discovery protocol (RFC 2461)
- @{PROC}/sys/net/ipv6/conf/*/mtu r,
-
- # for the read-only TFTP server
- @{TFTP_DIR}/ r,
- @{TFTP_DIR}/** r,
-
- # libvirt config and hosts file for dnsmasq
- /var/lib/libvirt/dnsmasq/ r,
- /var/lib/libvirt/dnsmasq/* r,
-
- # libvirt pid files for dnsmasq
- @{run}/libvirt/network/ r,
- @{run}/libvirt/network/*.pid rw,
-
- # libvirt lease helper
- /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
-
- # lxc-net pid and lease files
- @{run}/lxc/dnsmasq.pid rw,
- /var/lib/misc/dnsmasq.*.leases rw,
-
- # lxd-bridge pid and lease files
- @{run}/lxd-bridge/dnsmasq.pid rw,
- /var/lib/lxd-bridge/dnsmasq.*.leases rw,
- /var/lib/lxd/networks/*/dnsmasq.* r,
- /var/lib/lxd/networks/*/dnsmasq.leases rw,
- /var/lib/lxd/networks/*/dnsmasq.pid rw,
-
- # NetworkManager integration
- /var/lib/NetworkManager/dnsmasq-*.leases rw,
- @{run}/nm-dns-dnsmasq.conf r,
- @{run}/nm-dnsmasq-*.pid rw,
- @{run}/sendsigs.omit.d/*dnsmasq.pid w,
- @{run}/NetworkManager/dnsmasq.conf r,
- @{run}/NetworkManager/dnsmasq.pid w,
- @{run}/NetworkManager/NetworkManager.pid w,
-
- profile libvirt_leaseshelper {
- include
-
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
- /usr/libexec/libvirt_leaseshelper m,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
-
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/*/meminfo r,
-
- # libvirt lease and status files for dnsmasq
- /var/lib/libvirt/dnsmasq/*.leases rw,
- /var/lib/libvirt/dnsmasq/*.status* rw,
-
- @{run}/leaseshelper.pid rwk,
- }
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.identd b/apparmor.d/usr.sbin.identd
deleted file mode 100644
index 09c478e7..00000000
--- a/apparmor.d/usr.sbin.identd
+++ /dev/null
@@ -1,35 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-profile identd /usr/{bin,sbin}/identd flags=(complain) {
- include
- include
- capability net_bind_service,
- capability setgid,
- capability setuid,
- network netlink dgram,
- /etc/identd.conf r,
- /etc/identd.key r,
- /etc/identd.pid w,
- /usr/{bin,sbin}/identd rmix,
- @{PROC}/net/tcp r,
- @{PROC}/net/tcp6 r,
- @{run}/identd.pid w,
- @{run}/identd/ w,
- @{run}/identd/identd.pid w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.mdnsd b/apparmor.d/usr.sbin.mdnsd
deleted file mode 100644
index 9852fbf3..00000000
--- a/apparmor.d/usr.sbin.mdnsd
+++ /dev/null
@@ -1,38 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-
-profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) {
- include
- include
- include
-
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability sys_chroot,
- capability sys_resource,
-
- network netlink dgram,
-
- /usr/{bin,sbin}/mdnsd rmix,
-
- @{PROC}/net/ r,
- @{PROC}/net/unix r,
- @{run}/mdnsd lw,
- @{run}/mdnsd.pid w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.nmbd b/apparmor.d/usr.sbin.nmbd
deleted file mode 100644
index a796d242..00000000
--- a/apparmor.d/usr.sbin.nmbd
+++ /dev/null
@@ -1,36 +0,0 @@
-abi ,
-
-include
-
-profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) {
- include
- include
- include
-
- capability net_bind_service,
-
- @{PROC}/sys/kernel/core_pattern r,
-
- /usr/{bin,sbin}/nmbd mr,
-
- /var/cache/samba/gencache.tdb rwk,
- /var/cache/samba/gencache_notrans.tdb rwk,
- /var/cache/samba/names.tdb rwk,
- /var/{cache,lib}/samba/browse.dat* rw,
- /var/{cache,lib}/samba/gencache.dat rw,
- /var/{cache,lib}/samba/wins.dat* rw,
- /var/{cache,lib}/samba/smb_krb5/ rw,
- /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
- /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
- /var/{cache,lib}/samba/sync.* rw,
- /var/{cache,lib}/samba/unexpected rw,
- /var/cache/samba/msg/ rw,
- /var/cache/samba/msg/* w,
-
- @{run}/nmbd.pid rwk,
- @{run}/samba/** rwk,
- @{run}/systemd/notify w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.nscd b/apparmor.d/usr.sbin.nscd
deleted file mode 100644
index b2cc6a72..00000000
--- a/apparmor.d/usr.sbin.nscd
+++ /dev/null
@@ -1,45 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2005 Novell/SUSE
-# Copyright (C) 2009-2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-profile nscd /usr/{bin,sbin}/nscd flags=(complain) {
- include
- include
- include
- include
-
- deny capability block_suspend,
- capability net_bind_service,
- capability setgid,
- capability setuid,
-
- /etc/netgroup r,
- /etc/nscd.conf r,
- /usr/{bin,sbin}/nscd rmix,
- @{run}/.nscd_socket wl,
- @{run}/nscd/ rw,
- @{run}/nscd/db* rwl,
- @{run}/nscd/socket wl,
- /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
- @{run}/{nscd/,}nscd.pid rwl,
- /var/lib/libvirt/dnsmasq/ r,
- /var/lib/libvirt/dnsmasq/*.status r,
- /var/log/nscd.log rw,
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/fd/* r,
- @{PROC}/@{pid}/mounts r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.ntpd b/apparmor.d/usr.sbin.ntpd
deleted file mode 100644
index 3ab64d74..00000000
--- a/apparmor.d/usr.sbin.ntpd
+++ /dev/null
@@ -1,91 +0,0 @@
-# vim:syntax=apparmor
-# Updated for Ubuntu by: Jamie Strandboge
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2005 Novell/SUSE
-# Copyright (C) 2009-2012 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-#include
-#include
-/usr/sbin/ntpd flags=(attach_disconnected) {
- #include
- #include
- #include
- #include
-
- capability ipc_lock,
- capability net_admin,
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability sys_chroot,
- capability sys_resource,
- capability sys_time,
- capability sys_nice,
-
- # Needed to create logs
- #capability dac_override,
-
- # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
- network dgram,
- network stream,
-
- @{PROC}/net/if_inet6 r,
- @{PROC}/*/net/if_inet6 r,
- @{NTPD_DEVICE} rw,
- # pps devices are almost exclusively used with NTP
- /dev/pps[0-9]* rw,
-
- /{,s}bin/ r,
- /usr/{,s}bin/ r,
- /usr/local/{,s}bin/ r,
- /usr/sbin/ntpd rmix,
-
- /etc/ntpsec/ntp.conf r,
- /etc/ntpsec/ntp.d/ r,
- /etc/ntpsec/ntp.d/*.conf r,
- /run/ntpsec/ntp.conf.dhcp r,
-
- /etc/ntpsec/cert-chain.pem r,
- /etc/ntpsec/key.pem r,
- /etc/ntpsec/ntp.keys r,
-
- /var/lib/ntpsec/ntp.drift rw,
- /var/lib/ntpsec/ntp.drift-tmp rw,
- /var/lib/ntpsec/nts-keys rw,
- /usr/share/zoneinfo/leap-seconds.list rw,
-
- /var/log/ntp w,
- /var/log/ntp.log w,
- /var/log/ntpd w,
- /var/log/ntpsec/clockstats* rwl,
- /var/log/ntpsec/loopstats* rwl,
- /var/log/ntpsec/peerstats* rwl,
- /var/log/ntpsec/protostats* rwl,
- /var/log/ntpsec/rawstats* rwl,
- /var/log/ntpsec/sysstats* rwl,
- /var/log/ntpsec/usestats* rwl,
-
- /{,var/}run/ntpd.pid w,
-
- # to be able to check for running ntpdate
- /run/lock/ntpsec-ntpdate wk,
-
- # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
- /var/lib/samba/ntp_signd/socket rw,
-
- # For use with clocks that report via shared memory (e.g. gpsd),
- # you may need to give ntpd access to all of shared memory, though
- # this can be considered dangerous. See https://launchpad.net/bugs/722815
- # for details. To enable, add this to local/usr.sbin.ntpd:
- # capability ipc_owner,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/apparmor.d/usr.sbin.smbd b/apparmor.d/usr.sbin.smbd
deleted file mode 100644
index aed862ac..00000000
--- a/apparmor.d/usr.sbin.smbd
+++ /dev/null
@@ -1,65 +0,0 @@
-abi ,
-
-include
-
-profile smbd /usr/{bin,sbin}/smbd flags=(complain) {
- include
- include
- include
- include
- include
- include
- include
- include
-
- capability audit_write,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability lease,
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability sys_admin,
- capability sys_resource,
- capability sys_tty_config,
-
- /etc/mtab r,
- /etc/netgroup r,
- /etc/printcap r,
- /etc/samba/* rwk,
- @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/kernel/core_pattern r,
- /usr/lib*/samba/vfs/*.so mr,
- /usr/lib*/samba/auth/*.so mr,
- /usr/lib*/samba/charset/*.so mr,
- /usr/lib*/samba/gensec/*.so mr,
- /usr/lib*/samba/pdb/*.so mr,
- /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
- /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
- /usr/lib/@{multiarch}/samba/**/ r,
- /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
- /usr/{bin,sbin}/smbd mr,
- /usr/{bin,sbin}/smbldap-useradd Px,
- /var/cache/samba/** rwk,
- /var/{cache,lib}/samba/printing/printers.tdb mrw,
- /var/lib/samba/** rwk,
- /var/lib/sss/pubconf/kdcinfo.* r,
- @{run}/dbus/system_bus_socket rw,
- @{run}/smbd.pid rwk,
- @{run}/samba/** rk,
- @{run}/samba/ncalrpc/ rw,
- @{run}/samba/ncalrpc/** rw,
- @{run}/samba/smbd.pid rw,
- /var/spool/samba/** rw,
-
- @{HOMEDIRS}/** lrwk,
- /var/lib/samba/usershares/{,**} lrwk,
-
- # Permissions for all configured shares (file autogenerated by
- # update-apparmor-samba-profile on service startup.
- include if exists
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/apparmor.d/usr.sbin.smbldap-useradd b/apparmor.d/usr.sbin.smbldap-useradd
deleted file mode 100644
index d1f75740..00000000
--- a/apparmor.d/usr.sbin.smbldap-useradd
+++ /dev/null
@@ -1,40 +0,0 @@
-# Last Modified: Tue Jan 3 00:17:40 2012
-
-abi ,
-
-include
-
-profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) {
- include
- include
- include
- include
-
- /dev/tty rw,
- /{,usr/}bin/bash ix,
- /etc/init.d/nscd Cx,
- /etc/shadow r,
- /etc/smbldap-tools/smbldap.conf r,
- /etc/smbldap-tools/smbldap_bind.conf r,
- /usr/{bin,sbin}/smbldap-useradd r,
- /usr/{bin,sbin}/smbldap_tools.pm r,
- /var/log/samba/log.smbd w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-
- profile /etc/init.d/nscd flags=(complain) {
- include
- include
-
- capability sys_ptrace,
-
- /{,usr/}bin/bash r,
- /{,usr/}bin/mountpoint rix,
- /{,usr/}bin/systemctl rix,
- /dev/tty rw,
- /etc/init.d/nscd r,
- /etc/rc.status r,
-
- }
-}
diff --git a/apparmor.d/usr.sbin.traceroute b/apparmor.d/usr.sbin.traceroute
deleted file mode 100644
index 926ccdaf..00000000
--- a/apparmor.d/usr.sbin.traceroute
+++ /dev/null
@@ -1,32 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2010 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-abi ,
-
-include
-profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
- include
- include
- include
-
- deny capability net_admin, # noisy setsockopt() calls
- capability net_raw,
-
- network inet raw,
- network inet6 raw,
-
- /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
- @{PROC}/net/route r,
- @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
-}