mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-24 03:48:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat(profiles): remove unused user role & mappings
Some checks are pending
Ubuntu / check (push) Waiting to run
Details
Ubuntu / build (default, ubuntu-22.04) (push) Blocked by required conditions
Details
Ubuntu / build (default, ubuntu-24.04) (push) Blocked by required conditions
Details
Ubuntu / build (full-system-policy, ubuntu-22.04) (push) Blocked by required conditions
Details
Ubuntu / build (full-system-policy, ubuntu-24.04) (push) Blocked by required conditions
Details
Ubuntu / tests (push) Blocked by required conditions
Details

Browse source 
- Not enabled, tested.
- Will come back under another form later.
This commit is contained in:
Alexandre Pujol 2025-01-15 00:08:43 +01:00
parent ba067a0214
commit d20435eb21
Failed to generate hash of commit
4 changed files with 0 additions and 160 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
apparmor.d/groups/children/user_confined
View file

@ -1,31 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow confined users to read, write, lock and link to their own files
# anywhere, and execute from some places.
abi <abi/4.0>,
include <tunables/global>
profile user_confined flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/shells>
deny capability sys_ptrace,
@{bin}/** Pixmr,
owner /** rwkl,
owner @{HOMEDIRS}/bin/** ixmr,
owner @{user_bin_dirs}/** ixmr,
@{PROC}/** r,
include if exists <local/user_confined>
}
# vim:syntax=apparmor

32
apparmor.d/groups/children/user_default
View file

@ -1,32 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# By default, allow users to read, lock and link to their own files anywhere,
# but only write to files in their home directory. Only allow limited execution
# of files.
abi <abi/4.0>,
include <tunables/global>
profile user_default flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/shells>
deny capability sys_ptrace,
@{bin}/** Pixmr,
owner /** rkl,
owner @{HOMEDIRS}/ w,
owner @{HOMEDIRS}/** w,
@{PROC}/** r,
include if exists <local/user_default>
}
# vim:syntax=apparmor

25
apparmor.d/groups/children/user_unconfined
View file

@ -1,25 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
profile user_unconfined flags=(attach_disconnected,mediate_deleted) {
capability,
network,
mount,
remount,
umount,
pivot_root,
ptrace,
signal,
dbus,
unix,
file,
include if exists <local/user_unconfined>
}
# vim:syntax=apparmor

72
apparmor.d/profiles-m-r/pam/mappings
View file

@ -1,72 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor. Users
# without a mapping will not be able to login.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
^DEFAULT {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability setgid,
capability setuid,
/etc/default/su r,
@{etc_ro}/environment r,
@{shells_path} rPx -> user_default,
include if exists <local/pam_default>
}
# USER is a confined user. The hat contains only the permissions necessary
# to transition to gray's login shell. All other permissions have been
# moved into the confined_user profile.
^USER {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
@{shells_path} rPx -> user_confined,
/etc/default/su r,
@{etc_ro}/environment r,
include if exists <local/pam_user>
}
# Don't confine members whose primary group is 'admin' who are not specifically
# confined. Systems without this special primary group may want to define an
# unconfined 'root' hat in this manner (depending on site policy).
^root {
include <abstractions/authentication>
include <abstractions/nameservice>
include <abstractions/wutmp>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
@{shells_path} rUx,
/etc/default/su r,
@{etc_ro}/environment r,
include if exists <local/pam_root>
}
# vim:syntax=apparmor