Remove profiles already present in deps.
This commit is contained in:
parent
2129e23596
commit
c408a878b7
18 changed files with 0 additions and 953 deletions
|
@ -1,50 +0,0 @@
|
||||||
# Last Modified: Fri Sep 11 13:27:22 2009
|
|
||||||
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
^phpsysinfo {
|
|
||||||
include <abstractions/apache2-common>
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/php5>
|
|
||||||
include <abstractions/python>
|
|
||||||
|
|
||||||
/{,usr/}bin/dash ixr,
|
|
||||||
/{,usr/}bin/df ixr,
|
|
||||||
/{,usr/}bin/mount ixr,
|
|
||||||
/{,usr/}bin/uname ixr,
|
|
||||||
/dev/bus/usb/ r,
|
|
||||||
/dev/bus/usb/** r,
|
|
||||||
/etc/debian_version r,
|
|
||||||
/etc/lsb-release r,
|
|
||||||
/etc/mtab r,
|
|
||||||
/etc/phpsysinfo/config.php r,
|
|
||||||
/etc/udev/udev.conf r,
|
|
||||||
@{PROC}/** r,
|
|
||||||
@{sys}/bus/ r,
|
|
||||||
@{sys}/bus/pci/devices/ r,
|
|
||||||
@{sys}/bus/pci/slots/ r,
|
|
||||||
@{sys}/bus/pci/slots/** r,
|
|
||||||
@{sys}/bus/usb/devices/ r,
|
|
||||||
@{sys}/class/ r,
|
|
||||||
@{sys}/devices/** r,
|
|
||||||
/usr/bin/ r,
|
|
||||||
/usr/bin/apt-cache ixr,
|
|
||||||
/usr/bin/dpkg-query ixr,
|
|
||||||
/usr/bin/lsb_release ixr,
|
|
||||||
/usr/bin/lspci ixr,
|
|
||||||
/usr/bin/who ixr,
|
|
||||||
/usr/{,s}bin/lsusb ixr,
|
|
||||||
/usr/share/phpsysinfo/** r,
|
|
||||||
/var/lib/dpkg/arch r,
|
|
||||||
/var/lib/dpkg/available r,
|
|
||||||
/var/lib/dpkg/status r,
|
|
||||||
/var/lib/dpkg/triggers/* r,
|
|
||||||
/var/lib/dpkg/updates/ r,
|
|
||||||
/var/lib/{misc,usbutils}/usb.ids r,
|
|
||||||
/var/log/apache2/access.log w,
|
|
||||||
/var/log/apache2/error.log w,
|
|
||||||
@{run}/utmp rk,
|
|
||||||
/usr/share/misc/pci.ids r,
|
|
||||||
}
|
|
|
@ -1,31 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
# Copyright (C) 2020-2021 Mikhail Morfikov
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
profile ping /{usr/,}bin/{,iputils-}ping {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
#capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set
|
|
||||||
#capability setuid, # Not needed anymore since it's not SETUID binary
|
|
||||||
network inet raw,
|
|
||||||
network inet6 raw,
|
|
||||||
|
|
||||||
/{usr/,}bin/{,iputils-}ping mixr,
|
|
||||||
/etc/modules.conf r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/bin.ping>
|
|
||||||
}
|
|
|
@ -1,43 +0,0 @@
|
||||||
# vim:syntax=apparmor
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2015-2020 Mikhail Morfikov
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/lsb_release
|
|
||||||
profile lsb_release @{exec_path} {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/python>
|
|
||||||
|
|
||||||
@{exec_path} r,
|
|
||||||
/{usr/,}bin/python3.[0-9]* r,
|
|
||||||
|
|
||||||
/{usr/,}bin/ r,
|
|
||||||
/{usr/,}bin/apt-cache rPx,
|
|
||||||
# Do not strip env to avoid errors like the following:
|
|
||||||
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
|
|
||||||
# shared object file): ignored.
|
|
||||||
/{usr/,}bin/dpkg-query rpx,
|
|
||||||
|
|
||||||
/etc/lsb-release r,
|
|
||||||
/etc/debian_version r,
|
|
||||||
/etc/dpkg/origins/debian r,
|
|
||||||
/usr/share/distro-info/debian.csv r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
|
||||||
|
|
||||||
# file_inherit
|
|
||||||
owner @{HOME}/.xsession-errors w,
|
|
||||||
|
|
||||||
include if exists <local/lsb_release>
|
|
||||||
}
|
|
|
@ -1,67 +0,0 @@
|
||||||
# vim:syntax=apparmor
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile nvidia_modprobe {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
# Capabilities
|
|
||||||
|
|
||||||
capability chown,
|
|
||||||
capability mknod,
|
|
||||||
capability setuid,
|
|
||||||
capability sys_admin,
|
|
||||||
|
|
||||||
# Main executable
|
|
||||||
|
|
||||||
/usr/bin/nvidia-modprobe mr,
|
|
||||||
|
|
||||||
# Other executables
|
|
||||||
|
|
||||||
/usr/bin/kmod Cx -> kmod,
|
|
||||||
|
|
||||||
# System files
|
|
||||||
|
|
||||||
/dev/nvidia-modeset w,
|
|
||||||
/dev/nvidia-uvm w,
|
|
||||||
/dev/nvidia-uvm-tools w,
|
|
||||||
@{sys}/bus/pci/devices/ r,
|
|
||||||
@{sys}/devices/pci[0-9]*/**/config r,
|
|
||||||
@{PROC}/devices r,
|
|
||||||
@{PROC}/driver/nvidia/params r,
|
|
||||||
@{PROC}/modules r,
|
|
||||||
@{PROC}/sys/kernel/modprobe r,
|
|
||||||
|
|
||||||
# Child profiles
|
|
||||||
|
|
||||||
profile kmod {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
# Capabilities
|
|
||||||
|
|
||||||
capability sys_module,
|
|
||||||
|
|
||||||
# Main executable
|
|
||||||
|
|
||||||
/usr/bin/kmod mrix,
|
|
||||||
|
|
||||||
# Other executables
|
|
||||||
|
|
||||||
/{,usr/}bin/{,ba,da}sh ix,
|
|
||||||
|
|
||||||
# System files
|
|
||||||
|
|
||||||
/etc/modprobe.d/{,*.conf} r,
|
|
||||||
/etc/nvidia/current/*.conf r,
|
|
||||||
@{sys}/module/ipmi_devintf/initstate r,
|
|
||||||
@{sys}/module/ipmi_msghandler/initstate r,
|
|
||||||
@{sys}/module/nvidia/initstate r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
}
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/nvidia_modprobe>
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
# vim: ft=apparmor
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile php-fpm /usr/sbin/php-fpm* flags=(complain,attach_disconnected) {
|
|
||||||
# load common libraries and their support files
|
|
||||||
include <abstractions/base>
|
|
||||||
# resolve hostnames/usernames
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
# common php files and support files that php needs
|
|
||||||
include <abstractions/php>
|
|
||||||
# read openssl configuration
|
|
||||||
include <abstractions/openssl>
|
|
||||||
# read the system certificates
|
|
||||||
include <abstractions/ssl_certs>
|
|
||||||
|
|
||||||
/etc/php{,5,7}/** r,
|
|
||||||
|
|
||||||
capability net_admin,
|
|
||||||
# change user/group of a pool
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
# change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
|
|
||||||
capability chown,
|
|
||||||
# we want to be able to kill our child processes
|
|
||||||
capability kill,
|
|
||||||
# to provide sockets with acls different than root
|
|
||||||
capability dac_override,
|
|
||||||
|
|
||||||
# we need write access here to move it into a different apparmor sub profile
|
|
||||||
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
|
|
||||||
|
|
||||||
# the main log file
|
|
||||||
/var/log/php*-fpm.log rw,
|
|
||||||
|
|
||||||
# we need to be able to create all sockets
|
|
||||||
@{run}/php{,-fpm}/php*-fpm.pid rw,
|
|
||||||
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
|
|
||||||
|
|
||||||
# to reload
|
|
||||||
/usr/sbin/php-fpm* rix,
|
|
||||||
|
|
||||||
# no idea why php tries to open / read/write
|
|
||||||
deny / rw,
|
|
||||||
|
|
||||||
# allow sending signals to our subprocesses
|
|
||||||
signal (send) peer=php-fpm//*,
|
|
||||||
|
|
||||||
# allow switching processes to those subprofiles
|
|
||||||
change_profile -> php-fpm//*,
|
|
||||||
|
|
||||||
# load all files from this directory
|
|
||||||
# store your configurations per pool in this dir
|
|
||||||
include if exists <php-fpm.d>
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/php-fpm>
|
|
||||||
}
|
|
|
@ -1,37 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
capability sys_admin, # for backward compatibility with kernel <= 2.6.37
|
|
||||||
capability syslog,
|
|
||||||
|
|
||||||
network inet stream,
|
|
||||||
|
|
||||||
/boot/System.map* r,
|
|
||||||
@{PROC}/kmsg r,
|
|
||||||
@{PROC}/kallsyms r,
|
|
||||||
/dev/tty rw,
|
|
||||||
|
|
||||||
/{usr/,}{bin,sbin}/klogd rmix,
|
|
||||||
/var/log/boot.msg rwl,
|
|
||||||
@{run}/klogd.pid krwl,
|
|
||||||
@{run}/klogd/klogd.pid krwl,
|
|
||||||
@{run}/klogd/kmsg r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/sbin.klogd>
|
|
||||||
}
|
|
|
@ -1,69 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2006-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2006 Christian Boltz
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
#define this to be where syslog-ng is chrooted
|
|
||||||
@{CHROOT_BASE}=""
|
|
||||||
|
|
||||||
profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/mysql>
|
|
||||||
include <abstractions/openssl>
|
|
||||||
include <abstractions/python>
|
|
||||||
include <abstractions/hosts_access>
|
|
||||||
|
|
||||||
capability chown,
|
|
||||||
capability dac_override,
|
|
||||||
capability dac_read_search,
|
|
||||||
capability fsetid,
|
|
||||||
capability fowner,
|
|
||||||
capability sys_tty_config,
|
|
||||||
capability sys_resource,
|
|
||||||
capability syslog,
|
|
||||||
|
|
||||||
unix (receive) type=dgram,
|
|
||||||
unix (receive) type=stream,
|
|
||||||
|
|
||||||
/dev/log w,
|
|
||||||
/dev/syslog w,
|
|
||||||
/dev/tty10 rw,
|
|
||||||
/dev/xconsole rw,
|
|
||||||
/dev/kmsg r,
|
|
||||||
/etc/machine-id r,
|
|
||||||
/etc/syslog-ng/* r,
|
|
||||||
/etc/syslog-ng/conf.d/ r,
|
|
||||||
/etc/syslog-ng/conf.d/* r,
|
|
||||||
@{PROC}/kmsg r,
|
|
||||||
/{usr/,}{bin,sbin}/syslog-ng mr,
|
|
||||||
@{sys}/devices/system/cpu/online r,
|
|
||||||
/usr/share/syslog-ng/** r,
|
|
||||||
/var/lib/syslog-ng/syslog-ng-?????.qf rw,
|
|
||||||
# chrooted applications
|
|
||||||
@{CHROOT_BASE}/var/lib/*/dev/log w,
|
|
||||||
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
|
|
||||||
@{CHROOT_BASE}/var/log/** w,
|
|
||||||
@{CHROOT_BASE}/@{run}/syslog-ng.pid krw,
|
|
||||||
@{CHROOT_BASE}/@{run}/syslog-ng.ctl rw,
|
|
||||||
/{var,var/run,run}/log/journal/ r,
|
|
||||||
/{var,var/run,run}/log/journal/*/ r,
|
|
||||||
/{var,var/run,run}/log/journal/*/*.journal r,
|
|
||||||
@{run}/syslog-ng.ctl a,
|
|
||||||
@{run}/syslog-ng/additional-log-sockets.conf r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/sbin.syslog-ng>
|
|
||||||
}
|
|
|
@ -1,45 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
|
|
||||||
capability sys_tty_config,
|
|
||||||
capability dac_override,
|
|
||||||
capability dac_read_search,
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
capability syslog,
|
|
||||||
|
|
||||||
unix (receive) type=dgram,
|
|
||||||
unix (receive) type=stream,
|
|
||||||
|
|
||||||
/dev/log wl,
|
|
||||||
/var/lib/*/dev/log wl,
|
|
||||||
|
|
||||||
/dev/tty* w,
|
|
||||||
/dev/xconsole rw,
|
|
||||||
/etc/syslog.conf r,
|
|
||||||
/{usr/,}{bin,sbin}/syslogd rmix,
|
|
||||||
/var/log/** rw,
|
|
||||||
@{run}/syslogd.pid krwl,
|
|
||||||
@{run}/utmp rw,
|
|
||||||
/var/spool/compaq/nic/messages_fifo rw,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/sbin.syslogd>
|
|
||||||
}
|
|
|
@ -1,35 +0,0 @@
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/dbus>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
capability chown,
|
|
||||||
capability dac_override,
|
|
||||||
capability kill,
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
capability sys_chroot,
|
|
||||||
|
|
||||||
network netlink dgram,
|
|
||||||
|
|
||||||
/etc/avahi/ r,
|
|
||||||
/etc/avahi/avahi-daemon.conf r,
|
|
||||||
/etc/avahi/hosts r,
|
|
||||||
/etc/avahi/services/ r,
|
|
||||||
/etc/avahi/services/*.service r,
|
|
||||||
@{PROC}/@{pid}/fd/ r,
|
|
||||||
/usr/{bin,sbin}/avahi-daemon mr,
|
|
||||||
/usr/share/avahi/introspection/*.introspect r,
|
|
||||||
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
|
|
||||||
@{run}/avahi-daemon/ w,
|
|
||||||
@{run}/avahi-daemon/pid krw,
|
|
||||||
@{run}/avahi-daemon/socket w,
|
|
||||||
@{run}/systemd/notify w,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.avahi-daemon>
|
|
||||||
}
|
|
|
@ -1,134 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/dbus>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
capability chown,
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
capability dac_override,
|
|
||||||
capability net_admin, # for DHCP server
|
|
||||||
capability net_raw, # for DHCP server ping checks
|
|
||||||
network inet raw,
|
|
||||||
network inet6 raw,
|
|
||||||
|
|
||||||
signal (receive) peer=/usr/{bin,sbin}/libvirtd,
|
|
||||||
signal (receive) peer=libvirtd,
|
|
||||||
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
|
|
||||||
ptrace (readby) peer=libvirtd,
|
|
||||||
|
|
||||||
owner /dev/tty rw,
|
|
||||||
|
|
||||||
@{PROC}/@{pid}/fd/ r,
|
|
||||||
|
|
||||||
/etc/dnsmasq.conf r,
|
|
||||||
/etc/dnsmasq.d/ r,
|
|
||||||
/etc/dnsmasq.d/* r,
|
|
||||||
/etc/dnsmasq.d-available/ r,
|
|
||||||
/etc/dnsmasq.d-available/* r,
|
|
||||||
/etc/ethers r,
|
|
||||||
/etc/NetworkManager/dnsmasq.d/ r,
|
|
||||||
/etc/NetworkManager/dnsmasq.d/* r,
|
|
||||||
/etc/NetworkManager/dnsmasq-shared.d/ r,
|
|
||||||
/etc/NetworkManager/dnsmasq-shared.d/* r,
|
|
||||||
/etc/dnsmasq-conf.conf r,
|
|
||||||
/etc/dnsmasq-resolv.conf r,
|
|
||||||
|
|
||||||
/usr/{bin,sbin}/dnsmasq mr,
|
|
||||||
|
|
||||||
/var/log/dnsmasq*.log w,
|
|
||||||
|
|
||||||
/usr/share/dnsmasq{-base,}/ r,
|
|
||||||
/usr/share/dnsmasq{-base,}/* r,
|
|
||||||
|
|
||||||
@{run}/*dnsmasq*.pid w,
|
|
||||||
@{run}/dnsmasq-forwarders.conf r,
|
|
||||||
@{run}/dnsmasq/ r,
|
|
||||||
@{run}/dnsmasq/* rw,
|
|
||||||
|
|
||||||
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
|
|
||||||
|
|
||||||
/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
|
|
||||||
|
|
||||||
# access to iface mtu needed for Router Advertisement messages in IPv6
|
|
||||||
# Neighbor Discovery protocol (RFC 2461)
|
|
||||||
@{PROC}/sys/net/ipv6/conf/*/mtu r,
|
|
||||||
|
|
||||||
# for the read-only TFTP server
|
|
||||||
@{TFTP_DIR}/ r,
|
|
||||||
@{TFTP_DIR}/** r,
|
|
||||||
|
|
||||||
# libvirt config and hosts file for dnsmasq
|
|
||||||
/var/lib/libvirt/dnsmasq/ r,
|
|
||||||
/var/lib/libvirt/dnsmasq/* r,
|
|
||||||
|
|
||||||
# libvirt pid files for dnsmasq
|
|
||||||
@{run}/libvirt/network/ r,
|
|
||||||
@{run}/libvirt/network/*.pid rw,
|
|
||||||
|
|
||||||
# libvirt lease helper
|
|
||||||
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
|
||||||
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
|
||||||
|
|
||||||
# lxc-net pid and lease files
|
|
||||||
@{run}/lxc/dnsmasq.pid rw,
|
|
||||||
/var/lib/misc/dnsmasq.*.leases rw,
|
|
||||||
|
|
||||||
# lxd-bridge pid and lease files
|
|
||||||
@{run}/lxd-bridge/dnsmasq.pid rw,
|
|
||||||
/var/lib/lxd-bridge/dnsmasq.*.leases rw,
|
|
||||||
/var/lib/lxd/networks/*/dnsmasq.* r,
|
|
||||||
/var/lib/lxd/networks/*/dnsmasq.leases rw,
|
|
||||||
/var/lib/lxd/networks/*/dnsmasq.pid rw,
|
|
||||||
|
|
||||||
# NetworkManager integration
|
|
||||||
/var/lib/NetworkManager/dnsmasq-*.leases rw,
|
|
||||||
@{run}/nm-dns-dnsmasq.conf r,
|
|
||||||
@{run}/nm-dnsmasq-*.pid rw,
|
|
||||||
@{run}/sendsigs.omit.d/*dnsmasq.pid w,
|
|
||||||
@{run}/NetworkManager/dnsmasq.conf r,
|
|
||||||
@{run}/NetworkManager/dnsmasq.pid w,
|
|
||||||
@{run}/NetworkManager/NetworkManager.pid w,
|
|
||||||
|
|
||||||
profile libvirt_leaseshelper {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
/etc/libnl-3/classid r,
|
|
||||||
|
|
||||||
/usr/lib{,64}/libvirt/libvirt_leaseshelper m,
|
|
||||||
/usr/libexec/libvirt_leaseshelper m,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/net/psched r,
|
|
||||||
owner @{PROC}/@{pid}/status r,
|
|
||||||
|
|
||||||
@{sys}/devices/system/cpu/ r,
|
|
||||||
@{sys}/devices/system/node/ r,
|
|
||||||
@{sys}/devices/system/node/*/meminfo r,
|
|
||||||
|
|
||||||
# libvirt lease and status files for dnsmasq
|
|
||||||
/var/lib/libvirt/dnsmasq/*.leases rw,
|
|
||||||
/var/lib/libvirt/dnsmasq/*.status* rw,
|
|
||||||
|
|
||||||
@{run}/leaseshelper.pid rwk,
|
|
||||||
}
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.dnsmasq>
|
|
||||||
}
|
|
|
@ -1,35 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile identd /usr/{bin,sbin}/identd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
network netlink dgram,
|
|
||||||
/etc/identd.conf r,
|
|
||||||
/etc/identd.key r,
|
|
||||||
/etc/identd.pid w,
|
|
||||||
/usr/{bin,sbin}/identd rmix,
|
|
||||||
@{PROC}/net/tcp r,
|
|
||||||
@{PROC}/net/tcp6 r,
|
|
||||||
@{run}/identd.pid w,
|
|
||||||
@{run}/identd/ w,
|
|
||||||
@{run}/identd/identd.pid w,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.identd>
|
|
||||||
}
|
|
|
@ -1,38 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
capability sys_chroot,
|
|
||||||
capability sys_resource,
|
|
||||||
|
|
||||||
network netlink dgram,
|
|
||||||
|
|
||||||
/usr/{bin,sbin}/mdnsd rmix,
|
|
||||||
|
|
||||||
@{PROC}/net/ r,
|
|
||||||
@{PROC}/net/unix r,
|
|
||||||
@{run}/mdnsd lw,
|
|
||||||
@{run}/mdnsd.pid w,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.mdnsd>
|
|
||||||
}
|
|
|
@ -1,36 +0,0 @@
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/samba>
|
|
||||||
|
|
||||||
capability net_bind_service,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
|
|
||||||
/usr/{bin,sbin}/nmbd mr,
|
|
||||||
|
|
||||||
/var/cache/samba/gencache.tdb rwk,
|
|
||||||
/var/cache/samba/gencache_notrans.tdb rwk,
|
|
||||||
/var/cache/samba/names.tdb rwk,
|
|
||||||
/var/{cache,lib}/samba/browse.dat* rw,
|
|
||||||
/var/{cache,lib}/samba/gencache.dat rw,
|
|
||||||
/var/{cache,lib}/samba/wins.dat* rw,
|
|
||||||
/var/{cache,lib}/samba/smb_krb5/ rw,
|
|
||||||
/var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
|
|
||||||
/var/{cache,lib}/samba/smb_tmp_krb5.* rw,
|
|
||||||
/var/{cache,lib}/samba/sync.* rw,
|
|
||||||
/var/{cache,lib}/samba/unexpected rw,
|
|
||||||
/var/cache/samba/msg/ rw,
|
|
||||||
/var/cache/samba/msg/* w,
|
|
||||||
|
|
||||||
@{run}/nmbd.pid rwk,
|
|
||||||
@{run}/samba/** rwk,
|
|
||||||
@{run}/systemd/notify w,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.nmbd>
|
|
||||||
}
|
|
|
@ -1,45 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2005 Novell/SUSE
|
|
||||||
# Copyright (C) 2009-2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
profile nscd /usr/{bin,sbin}/nscd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/ssl_certs>
|
|
||||||
|
|
||||||
deny capability block_suspend,
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
|
|
||||||
/etc/netgroup r,
|
|
||||||
/etc/nscd.conf r,
|
|
||||||
/usr/{bin,sbin}/nscd rmix,
|
|
||||||
@{run}/.nscd_socket wl,
|
|
||||||
@{run}/nscd/ rw,
|
|
||||||
@{run}/nscd/db* rwl,
|
|
||||||
@{run}/nscd/socket wl,
|
|
||||||
/{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
|
|
||||||
@{run}/{nscd/,}nscd.pid rwl,
|
|
||||||
/var/lib/libvirt/dnsmasq/ r,
|
|
||||||
/var/lib/libvirt/dnsmasq/*.status r,
|
|
||||||
/var/log/nscd.log rw,
|
|
||||||
@{PROC}/@{pid}/cmdline r,
|
|
||||||
@{PROC}/@{pid}/fd/ r,
|
|
||||||
@{PROC}/@{pid}/fd/* r,
|
|
||||||
@{PROC}/@{pid}/mounts r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.nscd>
|
|
||||||
}
|
|
|
@ -1,91 +0,0 @@
|
||||||
# vim:syntax=apparmor
|
|
||||||
# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2005 Novell/SUSE
|
|
||||||
# Copyright (C) 2009-2012 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
#include <tunables/global>
|
|
||||||
#include <tunables/ntpd>
|
|
||||||
/usr/sbin/ntpd flags=(attach_disconnected) {
|
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/openssl>
|
|
||||||
#include <abstractions/user-tmp>
|
|
||||||
|
|
||||||
capability ipc_lock,
|
|
||||||
capability net_admin,
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
capability sys_chroot,
|
|
||||||
capability sys_resource,
|
|
||||||
capability sys_time,
|
|
||||||
capability sys_nice,
|
|
||||||
|
|
||||||
# Needed to create logs
|
|
||||||
#capability dac_override,
|
|
||||||
|
|
||||||
# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
|
|
||||||
network dgram,
|
|
||||||
network stream,
|
|
||||||
|
|
||||||
@{PROC}/net/if_inet6 r,
|
|
||||||
@{PROC}/*/net/if_inet6 r,
|
|
||||||
@{NTPD_DEVICE} rw,
|
|
||||||
# pps devices are almost exclusively used with NTP
|
|
||||||
/dev/pps[0-9]* rw,
|
|
||||||
|
|
||||||
/{,s}bin/ r,
|
|
||||||
/usr/{,s}bin/ r,
|
|
||||||
/usr/local/{,s}bin/ r,
|
|
||||||
/usr/sbin/ntpd rmix,
|
|
||||||
|
|
||||||
/etc/ntpsec/ntp.conf r,
|
|
||||||
/etc/ntpsec/ntp.d/ r,
|
|
||||||
/etc/ntpsec/ntp.d/*.conf r,
|
|
||||||
/run/ntpsec/ntp.conf.dhcp r,
|
|
||||||
|
|
||||||
/etc/ntpsec/cert-chain.pem r,
|
|
||||||
/etc/ntpsec/key.pem r,
|
|
||||||
/etc/ntpsec/ntp.keys r,
|
|
||||||
|
|
||||||
/var/lib/ntpsec/ntp.drift rw,
|
|
||||||
/var/lib/ntpsec/ntp.drift-tmp rw,
|
|
||||||
/var/lib/ntpsec/nts-keys rw,
|
|
||||||
/usr/share/zoneinfo/leap-seconds.list rw,
|
|
||||||
|
|
||||||
/var/log/ntp w,
|
|
||||||
/var/log/ntp.log w,
|
|
||||||
/var/log/ntpd w,
|
|
||||||
/var/log/ntpsec/clockstats* rwl,
|
|
||||||
/var/log/ntpsec/loopstats* rwl,
|
|
||||||
/var/log/ntpsec/peerstats* rwl,
|
|
||||||
/var/log/ntpsec/protostats* rwl,
|
|
||||||
/var/log/ntpsec/rawstats* rwl,
|
|
||||||
/var/log/ntpsec/sysstats* rwl,
|
|
||||||
/var/log/ntpsec/usestats* rwl,
|
|
||||||
|
|
||||||
/{,var/}run/ntpd.pid w,
|
|
||||||
|
|
||||||
# to be able to check for running ntpdate
|
|
||||||
/run/lock/ntpsec-ntpdate wk,
|
|
||||||
|
|
||||||
# To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
|
|
||||||
/var/lib/samba/ntp_signd/socket rw,
|
|
||||||
|
|
||||||
# For use with clocks that report via shared memory (e.g. gpsd),
|
|
||||||
# you may need to give ntpd access to all of shared memory, though
|
|
||||||
# this can be considered dangerous. See https://launchpad.net/bugs/722815
|
|
||||||
# for details. To enable, add this to local/usr.sbin.ntpd:
|
|
||||||
# capability ipc_owner,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
#include <local/usr.sbin.ntpd>
|
|
||||||
}
|
|
|
@ -1,65 +0,0 @@
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile smbd /usr/{bin,sbin}/smbd flags=(complain) {
|
|
||||||
include <abstractions/authentication>
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/cups-client>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/samba>
|
|
||||||
include <abstractions/user-tmp>
|
|
||||||
include <abstractions/wutmp>
|
|
||||||
|
|
||||||
capability audit_write,
|
|
||||||
capability dac_override,
|
|
||||||
capability dac_read_search,
|
|
||||||
capability fowner,
|
|
||||||
capability lease,
|
|
||||||
capability net_bind_service,
|
|
||||||
capability setgid,
|
|
||||||
capability setuid,
|
|
||||||
capability sys_admin,
|
|
||||||
capability sys_resource,
|
|
||||||
capability sys_tty_config,
|
|
||||||
|
|
||||||
/etc/mtab r,
|
|
||||||
/etc/netgroup r,
|
|
||||||
/etc/printcap r,
|
|
||||||
/etc/samba/* rwk,
|
|
||||||
@{PROC}/@{pid}/mounts r,
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
/usr/lib*/samba/vfs/*.so mr,
|
|
||||||
/usr/lib*/samba/auth/*.so mr,
|
|
||||||
/usr/lib*/samba/charset/*.so mr,
|
|
||||||
/usr/lib*/samba/gensec/*.so mr,
|
|
||||||
/usr/lib*/samba/pdb/*.so mr,
|
|
||||||
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
|
|
||||||
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
|
|
||||||
/usr/lib/@{multiarch}/samba/**/ r,
|
|
||||||
/usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
|
|
||||||
/usr/{bin,sbin}/smbd mr,
|
|
||||||
/usr/{bin,sbin}/smbldap-useradd Px,
|
|
||||||
/var/cache/samba/** rwk,
|
|
||||||
/var/{cache,lib}/samba/printing/printers.tdb mrw,
|
|
||||||
/var/lib/samba/** rwk,
|
|
||||||
/var/lib/sss/pubconf/kdcinfo.* r,
|
|
||||||
@{run}/dbus/system_bus_socket rw,
|
|
||||||
@{run}/smbd.pid rwk,
|
|
||||||
@{run}/samba/** rk,
|
|
||||||
@{run}/samba/ncalrpc/ rw,
|
|
||||||
@{run}/samba/ncalrpc/** rw,
|
|
||||||
@{run}/samba/smbd.pid rw,
|
|
||||||
/var/spool/samba/** rw,
|
|
||||||
|
|
||||||
@{HOMEDIRS}/** lrwk,
|
|
||||||
/var/lib/samba/usershares/{,**} lrwk,
|
|
||||||
|
|
||||||
# Permissions for all configured shares (file autogenerated by
|
|
||||||
# update-apparmor-samba-profile on service startup.
|
|
||||||
include if exists <samba/smbd-shares>
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.smbd>
|
|
||||||
}
|
|
|
@ -1,40 +0,0 @@
|
||||||
# Last Modified: Tue Jan 3 00:17:40 2012
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/bash>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
include <abstractions/perl>
|
|
||||||
|
|
||||||
/dev/tty rw,
|
|
||||||
/{,usr/}bin/bash ix,
|
|
||||||
/etc/init.d/nscd Cx,
|
|
||||||
/etc/shadow r,
|
|
||||||
/etc/smbldap-tools/smbldap.conf r,
|
|
||||||
/etc/smbldap-tools/smbldap_bind.conf r,
|
|
||||||
/usr/{bin,sbin}/smbldap-useradd r,
|
|
||||||
/usr/{bin,sbin}/smbldap_tools.pm r,
|
|
||||||
/var/log/samba/log.smbd w,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.smbldap-useradd>
|
|
||||||
|
|
||||||
profile /etc/init.d/nscd flags=(complain) {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
capability sys_ptrace,
|
|
||||||
|
|
||||||
/{,usr/}bin/bash r,
|
|
||||||
/{,usr/}bin/mountpoint rix,
|
|
||||||
/{,usr/}bin/systemctl rix,
|
|
||||||
/dev/tty rw,
|
|
||||||
/etc/init.d/nscd r,
|
|
||||||
/etc/rc.status r,
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,32 +0,0 @@
|
||||||
# ------------------------------------------------------------------
|
|
||||||
#
|
|
||||||
# Copyright (C) 2002-2009 Novell/SUSE
|
|
||||||
# Copyright (C) 2010 Canonical Ltd.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of version 2 of the GNU General Public
|
|
||||||
# License published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# ------------------------------------------------------------------
|
|
||||||
|
|
||||||
abi <abi/3.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice>
|
|
||||||
|
|
||||||
deny capability net_admin, # noisy setsockopt() calls
|
|
||||||
capability net_raw,
|
|
||||||
|
|
||||||
network inet raw,
|
|
||||||
network inet6 raw,
|
|
||||||
|
|
||||||
/usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
|
|
||||||
@{PROC}/net/route r,
|
|
||||||
@{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
|
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.sbin.traceroute>
|
|
||||||
}
|
|