mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 16:03:51 +01:00
Update profiles.
This commit is contained in:
parent
2cdd954613
commit
d7be27411b
@ -9,6 +9,7 @@ include <tunables/global>
|
|||||||
@{exec_path} = /{usr/,}bin/aa-enabled
|
@{exec_path} = /{usr/,}bin/aa-enabled
|
||||||
profile aa-enabled @{exec_path} {
|
profile aa-enabled @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2021 Mikhail Morfikov
|
# Copyright (C) 2021-2022 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -10,15 +11,15 @@ include <tunables/global>
|
|||||||
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
|
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
|
||||||
profile adb @{exec_path} {
|
profile adb @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
|
||||||
# For adb kill-server:
|
|
||||||
# cannot connect to daemon at tcp:5037: Permission denied
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
|
signal (receive) set=(kill) peer=scrcpy,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
/usr/share/scrcpy/scrcpy-server r,
|
/usr/share/scrcpy/scrcpy-server r,
|
||||||
|
@ -13,13 +13,14 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
|
||||||
/{usr/,}bin/getconf rix,
|
|
||||||
/{usr/,}bin/{,e}grep rix,
|
|
||||||
/{usr/,}bin/ls rix,
|
|
||||||
/{usr/,}bin/xargs rix,
|
|
||||||
/{usr/,}{s,}bin/aa-status rPx,
|
/{usr/,}{s,}bin/aa-status rPx,
|
||||||
/{usr/,}{s,}bin/apparmor_parser rPx,
|
/{usr/,}{s,}bin/apparmor_parser rPx,
|
||||||
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
/{usr/,}bin/{,e}grep rix,
|
||||||
|
/{usr/,}bin/getconf rix,
|
||||||
|
/{usr/,}bin/ls rix,
|
||||||
|
/{usr/,}bin/systemd-detect-virt rPx,
|
||||||
|
/{usr/,}bin/xargs rix,
|
||||||
|
|
||||||
/{usr/,}lib/apparmor/rc.apparmor.functions r,
|
/{usr/,}lib/apparmor/rc.apparmor.functions r,
|
||||||
|
|
||||||
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
|||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/apparmor_parser
|
@{exec_path} = /{usr/,}{s,}bin/apparmor_parser
|
||||||
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
|||||||
/etc/apparmor.d/{,**} r,
|
/etc/apparmor.d/{,**} r,
|
||||||
/etc/apparmor.d/cache.d/{,**} rw,
|
/etc/apparmor.d/cache.d/{,**} rw,
|
||||||
|
|
||||||
|
/usr/share/apparmor-features/{,**} r,
|
||||||
/usr/share/apparmor/{,**} r,
|
/usr/share/apparmor/{,**} r,
|
||||||
|
|
||||||
owner /var/cache/apparmor/{,**} rw,
|
owner /var/cache/apparmor/{,**} rw,
|
||||||
|
@ -57,7 +57,8 @@ profile dhclient-script @{exec_path} {
|
|||||||
/{usr/,}bin/ip rix,
|
/{usr/,}bin/ip rix,
|
||||||
|
|
||||||
# For loadbalance
|
# For loadbalance
|
||||||
/etc/iproute2/** r,
|
/etc/iproute2/rt_tables r,
|
||||||
|
/etc/iproute2/rt_tables.d/{,*} r,
|
||||||
owner @{PROC}/@{pid}/loginuid r,
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
|
|
||||||
# For updating the /etc/resolv.conf file
|
# For updating the /etc/resolv.conf file
|
||||||
@ -90,8 +91,7 @@ profile dhclient-script @{exec_path} {
|
|||||||
@{run}/chrony-dhcp/ rw,
|
@{run}/chrony-dhcp/ rw,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
/var/lib/dhcp/*.leases r,
|
/var/lib/dhcp/dhclient.leases r,
|
||||||
|
|
||||||
|
|
||||||
profile run-parts {
|
profile run-parts {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
@ -101,7 +101,7 @@ profile dhclient-script @{exec_path} {
|
|||||||
/etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
|
/etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
/var/lib/dhcp/*.leases r,
|
owner /var/lib/dhcp/dhclient.leases r,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||||
# 2021 Alexandre Pujol <alexandre@pujol.io>
|
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -23,5 +23,8 @@ profile dmesg @{exec_path} {
|
|||||||
/dev/kmsg r,
|
/dev/kmsg r,
|
||||||
/usr/share/terminfo/{,**} r,
|
/usr/share/terminfo/{,**} r,
|
||||||
|
|
||||||
|
deny /{usr/,}local/bin/ r,
|
||||||
|
deny /{usr/,}bin/{,*/} r,
|
||||||
|
|
||||||
include if exists <local/dmesg>
|
include if exists <local/dmesg>
|
||||||
}
|
}
|
||||||
|
@ -67,6 +67,7 @@ profile exim4 @{exec_path} {
|
|||||||
@{run}/exim4/ r,
|
@{run}/exim4/ r,
|
||||||
owner @{run}/exim4/exim.pid rw,
|
owner @{run}/exim4/exim.pid rw,
|
||||||
|
|
||||||
|
@{run}/resolvconf/resolv.conf r,
|
||||||
owner @{run}/dbus/system_bus_socket rw,
|
owner @{run}/dbus/system_bus_socket rw,
|
||||||
|
|
||||||
# file_inherit
|
# file_inherit
|
||||||
|
@ -18,7 +18,6 @@ profile htop @{exec_path} {
|
|||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
|
|
||||||
signal (send),
|
signal (send),
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
@ -31,6 +30,7 @@ profile htop @{exec_path} {
|
|||||||
/etc/sensors.d/ r,
|
/etc/sensors.d/ r,
|
||||||
/etc/sensors3.conf r,
|
/etc/sensors3.conf r,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/ r,
|
||||||
owner @{user_config_dirs}/htop/ rw,
|
owner @{user_config_dirs}/htop/ rw,
|
||||||
owner @{user_config_dirs}/htop/htoprc rw,
|
owner @{user_config_dirs}/htop/htoprc rw,
|
||||||
|
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||||
|
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
@ -10,9 +11,7 @@ include <tunables/global>
|
|||||||
profile ifup @{exec_path} {
|
profile ifup @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# To be able to manage network interfaces.
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
# Needed?
|
# Needed?
|
||||||
audit deny capability sys_module,
|
audit deny capability sys_module,
|
||||||
|
|
||||||
@ -20,13 +19,15 @@ profile ifup @{exec_path} {
|
|||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/{usr/,}{s,}bin/route rix,
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
/{usr/,}bin/ip rix,
|
/{usr/,}bin/ip rix,
|
||||||
/{usr/,}bin/sleep rix,
|
|
||||||
/{usr/,}bin/seq rix,
|
/{usr/,}bin/seq rix,
|
||||||
|
/{usr/,}bin/sleep rix,
|
||||||
|
/{usr/,}bin/wc rix,
|
||||||
|
|
||||||
/{usr/,}{s,}bin/dhclient rPx,
|
/{usr/,}{s,}bin/dhclient rPx,
|
||||||
/{usr/,}bin/macchanger rPx,
|
/{usr/,}bin/macchanger rPx,
|
||||||
|
|
||||||
/{usr/,}lib/ifupdown/*.sh rix,
|
/{usr/,}lib/ifupdown/*.sh rix,
|
||||||
|
|
||||||
@ -80,9 +81,10 @@ profile ifup @{exec_path} {
|
|||||||
/etc/network/if-pre-up.d/random-secret rPUx,
|
/etc/network/if-pre-up.d/random-secret rPUx,
|
||||||
|
|
||||||
/etc/network/if-up.d/ r,
|
/etc/network/if-up.d/ r,
|
||||||
|
/etc/network/if-up.d/*resolvconf rPUx,
|
||||||
|
/etc/network/if-up.d/chrony rPUx,
|
||||||
/etc/network/if-up.d/ethtool rPUx,
|
/etc/network/if-up.d/ethtool rPUx,
|
||||||
/etc/network/if-up.d/ifenslave rPUx,
|
/etc/network/if-up.d/ifenslave rPUx,
|
||||||
/etc/network/if-up.d/chrony rPUx,
|
|
||||||
/etc/network/if-up.d/openvpn rPUx,
|
/etc/network/if-up.d/openvpn rPUx,
|
||||||
/etc/network/if-up.d/wpasupplicant rPUx,
|
/etc/network/if-up.d/wpasupplicant rPUx,
|
||||||
|
|
||||||
@ -107,7 +109,7 @@ profile ifup @{exec_path} {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
# capability mac_admin,
|
# capability mac_admin,
|
||||||
# capability sys_admin,
|
capability sys_admin,
|
||||||
# capability sys_resource,
|
# capability sys_resource,
|
||||||
|
|
||||||
/{usr/,}sbin/sysctl mr,
|
/{usr/,}sbin/sysctl mr,
|
||||||
|
@ -13,6 +13,8 @@ profile mandb @{exec_path} flags=(complain) {
|
|||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/man_db.conf r,
|
/etc/man_db.conf r,
|
||||||
|
@ -13,6 +13,8 @@ profile nvtop @{exec_path} {
|
|||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/opencl-nvidia>
|
include <abstractions/opencl-nvidia>
|
||||||
|
|
||||||
|
capability sys_ptrace,
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@ -12,8 +12,13 @@ profile resize2fs @{exec_path} {
|
|||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
|
||||||
|
capability sys_resource,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
/.ismount-test-file rw,
|
||||||
|
|
||||||
@{PROC}/swaps r,
|
@{PROC}/swaps r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
@ -27,10 +27,13 @@ profile resolvconf @{exec_path} {
|
|||||||
/usr/lib/resolvconf/{,**} r,
|
/usr/lib/resolvconf/{,**} r,
|
||||||
|
|
||||||
/etc/resolv.conf rw,
|
/etc/resolv.conf rw,
|
||||||
|
/etc/resolvconf/{,**} r,
|
||||||
/etc/resolvconf/update.d/libc rix,
|
/etc/resolvconf/update.d/libc rix,
|
||||||
|
|
||||||
owner @{run}/resolvconf/{,**} rw,
|
owner @{run}/resolvconf/{,**} rw,
|
||||||
owner @{run}/resolvconf/run-lock wk,
|
owner @{run}/resolvconf/run-lock wk,
|
||||||
|
|
||||||
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/resolvconf>
|
include if exists <local/resolvconf>
|
||||||
}
|
}
|
@ -12,10 +12,13 @@ profile scrcpy @{exec_path} {
|
|||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
include <abstractions/dri-enumerate>
|
include <abstractions/dri-enumerate>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/opencl>
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
|
signal (send) set=(kill) peer=adb,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/adb rPx,
|
/{usr/,}bin/adb rPx,
|
||||||
|
@ -1,65 +0,0 @@
|
|||||||
# vim:syntax=apparmor
|
|
||||||
#include <tunables/global>
|
|
||||||
|
|
||||||
profile tcpdump /usr/bin/tcpdump {
|
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/nameservice>
|
|
||||||
#include <abstractions/user-tmp>
|
|
||||||
|
|
||||||
capability net_raw,
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
capability dac_override,
|
|
||||||
capability chown,
|
|
||||||
network raw,
|
|
||||||
network packet,
|
|
||||||
|
|
||||||
# for -D
|
|
||||||
@{PROC}/bus/usb/ r,
|
|
||||||
@{PROC}/bus/usb/** r,
|
|
||||||
|
|
||||||
# for finding an interface
|
|
||||||
/dev/ r,
|
|
||||||
@{PROC}/[0-9]*/net/dev r,
|
|
||||||
/sys/bus/usb/devices/ r,
|
|
||||||
/sys/class/net/ r,
|
|
||||||
/sys/devices/**/net/** r,
|
|
||||||
|
|
||||||
# for -j
|
|
||||||
capability net_admin,
|
|
||||||
|
|
||||||
# for tracing USB bus, which libpcap supports
|
|
||||||
/dev/usbmon* r,
|
|
||||||
/dev/bus/usb/ r,
|
|
||||||
/dev/bus/usb/** r,
|
|
||||||
|
|
||||||
# for init_etherarray(), with -e
|
|
||||||
/etc/ethers r,
|
|
||||||
|
|
||||||
# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
|
|
||||||
/dev/bus/usb/**/[0-9]* w,
|
|
||||||
|
|
||||||
# for -z
|
|
||||||
/{usr/,}bin/gzip ixr,
|
|
||||||
/{usr/,}bin/bzip2 ixr,
|
|
||||||
|
|
||||||
# for -F and -w
|
|
||||||
audit deny @{HOME}/.* mrwkl,
|
|
||||||
audit deny @{HOME}/.*/ rw,
|
|
||||||
audit deny @{HOME}/.*/** mrwkl,
|
|
||||||
audit deny @{HOME}/bin/ rw,
|
|
||||||
audit deny @{HOME}/bin/** mrwkl,
|
|
||||||
owner @{HOME}/ r,
|
|
||||||
owner @{HOME}/** rw,
|
|
||||||
|
|
||||||
# for -r, -F and -w
|
|
||||||
/**.[pP][cC][aA][pP] rw,
|
|
||||||
/**.[cC][aA][pP] rw,
|
|
||||||
|
|
||||||
# for convenience with -r (ie, read pcap files from other sources)
|
|
||||||
/var/log/snort/*log* r,
|
|
||||||
|
|
||||||
/usr/bin/tcpdump mr,
|
|
||||||
|
|
||||||
include if exists <local/usr.sbin.tcpdump>
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user