Update profiles.

Alexandre Pujol 2022-03-23 19:56:11 +00:00
parent 2cdd954613
commit d7be27411b
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
15 changed files with 49 additions and 89 deletions


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/aa-enabled @{exec_path} = /{usr/,}bin/aa-enabled
profile aa-enabled @{exec_path} { profile aa-enabled @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr, @{exec_path} mr,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,15 +11,15 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb @{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
profile adb @{exec_path} { profile adb @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb> include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
# For adb kill-server:
# cannot connect to daemon at tcp:5037: Permission denied
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
signal (receive) set=(kill) peer=scrcpy,
@{exec_path} mrix, @{exec_path} mrix,
/usr/share/scrcpy/scrcpy-server r, /usr/share/scrcpy/scrcpy-server r,
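Review bot: The new `signal (receive) set=(kill) peer=scrcpy,` and its counterpart `signal (send) set=(kill) peer=adb,` in the scrcpy section form a matched pair, but neither side records why scrcpy kills adb; since the scrcpy profile executes adb via `/{usr/,}bin/adb rPx,`, a comment on both rules such as `# scrcpy spawns the adb server and kills it on exit — TODO confirm` would tie the two profiles together for the next reader. The comment block `# For adb kill-server: cannot connect to daemon at tcp:5037: Permission denied` appears on one side only in this rendering and sits directly above the `network inet stream,` rules; whichever side it belongs to, it explains the network rules and not the signal rule, so it should stay attached to them. The adb profile continues outside the hunk.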


@ -13,14 +13,15 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/xargs rix,
/{usr/,}{s,}bin/aa-status rPx, /{usr/,}{s,}bin/aa-status rPx,
/{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/xargs rix,
/{usr/,}lib/apparmor/rc.apparmor.functions r, /{usr/,}lib/apparmor/rc.apparmor.functions r,
/etc/apparmor.d/ r, /etc/apparmor.d/ r,
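Review bot: The new `/{usr/,}bin/systemd-detect-virt rPx,` rule only works if a profile named `systemd-detect-virt` is shipped with it; with `Px` and no matching profile the exec is refused rather than falling back, so the apparmor.systemd helper would start failing at that call once enforced. If the repository already carries such a profile this is fine, otherwise it should land in the same commit, or the rule should use `rPUx` with a comment marking it as interim. The `apparmor_parser` transition two lines above is consistent with the `@{exec_path}` change to `/{usr/,}{s,}bin/apparmor_parser` made elsewhere in this commit. The apparmor.systemd profile continues outside the hunk.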


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/apparmor_parser @{exec_path} = /{usr/,}{s,}bin/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) { profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
/etc/apparmor.d/{,**} r, /etc/apparmor.d/{,**} r,
/etc/apparmor.d/cache.d/{,**} rw, /etc/apparmor.d/cache.d/{,**} rw,
/usr/share/apparmor-features/{,**} r,
/usr/share/apparmor/{,**} r, /usr/share/apparmor/{,**} r,
owner /var/cache/apparmor/{,**} rw, owner /var/cache/apparmor/{,**} rw,


@ -57,7 +57,8 @@ profile dhclient-script @{exec_path} {
/{usr/,}bin/ip rix, /{usr/,}bin/ip rix,
# For loadbalance # For loadbalance
/etc/iproute2/** r, /etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/{,*} r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
# For updating the /etc/resolv.conf file # For updating the /etc/resolv.conf file
@ -90,8 +91,7 @@ profile dhclient-script @{exec_path} {
@{run}/chrony-dhcp/ rw, @{run}/chrony-dhcp/ rw,
# file_inherit # file_inherit
/var/lib/dhcp/*.leases r, /var/lib/dhcp/dhclient.leases r,
profile run-parts { profile run-parts {
include <abstractions/base> include <abstractions/base>
@ -101,7 +101,7 @@ profile dhclient-script @{exec_path} {
/etc/dhcp/dhclient-{enter,exit}-hooks.d/ r, /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
# file_inherit # file_inherit
/var/lib/dhcp/*.leases r, owner /var/lib/dhcp/dhclient.leases r,
} }
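Review bot: The lease-file rule in the run-parts child profile becomes `owner /var/lib/dhcp/dhclient.leases r,` while the parent profile's rule in the earlier hunk becomes `/var/lib/dhcp/dhclient.leases r,` without `owner`; both are tagged `# file_inherit` and describe the same inherited descriptor, so they should carry the same qualifier. Narrowing the old `*.leases` glob to `dhclient.leases` is stricter, but if dhclient is started with a per-interface lease file (the `dhclient.<iface>.leases` naming) those reads would now be denied, which is worth confirming against how ifup invokes dhclient in this setup. The dhclient-script profile body extends outside both hunks.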


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -23,5 +23,8 @@ profile dmesg @{exec_path} {
/dev/kmsg r, /dev/kmsg r,
/usr/share/terminfo/{,**} r, /usr/share/terminfo/{,**} r,
deny /{usr/,}local/bin/ r,
deny /{usr/,}bin/{,*/} r,
include if exists <local/dmesg> include if exists <local/dmesg>
} }
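Review bot: The two new `deny` rules on `/{usr/,}local/bin/` and `/{usr/,}bin/{,*/}` have no comment saying why dmesg touches those directories, and because they are plain `deny` rather than `audit deny` the events are silenced without leaving anything in the log for whoever re-checks the profile later. A one-line reason above them, e.g. `# dmesg lists the bin directories but does not need them; silenced, not audited — TODO confirm trigger`, would make the intent explicit. The dmesg profile starts outside the hunk.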


@ -67,6 +67,7 @@ profile exim4 @{exec_path} {
@{run}/exim4/ r, @{run}/exim4/ r,
owner @{run}/exim4/exim.pid rw, owner @{run}/exim4/exim.pid rw,
@{run}/resolvconf/resolv.conf r,
owner @{run}/dbus/system_bus_socket rw, owner @{run}/dbus/system_bus_socket rw,
# file_inherit # file_inherit


@ -18,7 +18,6 @@ profile htop @{exec_path} {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
signal (send), signal (send),
ptrace (read), ptrace (read),
@ -31,6 +30,7 @@ profile htop @{exec_path} {
/etc/sensors.d/ r, /etc/sensors.d/ r,
/etc/sensors3.conf r, /etc/sensors3.conf r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/ rw,
owner @{user_config_dirs}/htop/htoprc rw, owner @{user_config_dirs}/htop/htoprc rw,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -10,9 +11,7 @@ include <tunables/global>
profile ifup @{exec_path} { profile ifup @{exec_path} {
include <abstractions/base> include <abstractions/base>
# To be able to manage network interfaces.
capability net_admin, capability net_admin,
# Needed? # Needed?
audit deny capability sys_module, audit deny capability sys_module,
@ -20,13 +19,15 @@ profile ifup @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/route rix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ip rix, /{usr/,}bin/ip rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/seq rix, /{usr/,}bin/seq rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/wc rix,
/{usr/,}{s,}bin/dhclient rPx, /{usr/,}{s,}bin/dhclient rPx,
/{usr/,}bin/macchanger rPx, /{usr/,}bin/macchanger rPx,
/{usr/,}lib/ifupdown/*.sh rix, /{usr/,}lib/ifupdown/*.sh rix,
@ -80,9 +81,10 @@ profile ifup @{exec_path} {
/etc/network/if-pre-up.d/random-secret rPUx, /etc/network/if-pre-up.d/random-secret rPUx,
/etc/network/if-up.d/ r, /etc/network/if-up.d/ r,
/etc/network/if-up.d/*resolvconf rPUx,
/etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/ifenslave rPUx,
/etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/openvpn rPUx,
/etc/network/if-up.d/wpasupplicant rPUx, /etc/network/if-up.d/wpasupplicant rPUx,
@ -107,7 +109,7 @@ profile ifup @{exec_path} {
include <abstractions/base> include <abstractions/base>
# capability mac_admin, # capability mac_admin,
# capability sys_admin, capability sys_admin,
# capability sys_resource, # capability sys_resource,
/{usr/,}sbin/sysctl mr, /{usr/,}sbin/sysctl mr,
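Review bot: Uncommenting `capability sys_admin,` in the sysctl child profile (last hunk) is the broadest grant in this change and arrives without a note on which sysctl write required it; the neighbouring `# capability mac_admin,` and `# capability sys_resource,` stay commented, so a reader cannot tell whether sys_admin was confirmed as necessary or was simply the first thing that made a denial disappear. Please record the trigger above the rule, e.g. `# needed to write <sysctl key> — TODO confirm from the denial log`. In the if-up.d hunk, `/etc/network/if-up.d/*resolvconf rPUx,` is the only wildcard among otherwise explicitly named scripts, and with `PUx` anything matching `*resolvconf` in that directory runs unconfined when no profile exists, so naming the concrete script(s) would keep it consistent with the entries around it. The ifup profile and its sysctl child both extend outside the hunks.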


@ -13,6 +13,8 @@ profile mandb @{exec_path} flags=(complain) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mr, @{exec_path} mr,
/etc/man_db.conf r, /etc/man_db.conf r,
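Review bot: `capability dac_read_search,` lets mandb bypass directory search and file read permission checks everywhere, and the new rule carries no comment on which path made it necessary; the profile is `flags=(complain)`, so nothing is enforced yet, which makes this the right moment to record the reason before it is. Suggest `# <directory> is not readable by the user mandb runs as — TODO confirm` directly above the rule. The mandb profile starts outside the hunk.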


@ -13,6 +13,8 @@ profile nvtop @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia> include <abstractions/opencl-nvidia>
capability sys_ptrace,
ptrace (read), ptrace (read),
@{exec_path} mr, @{exec_path} mr,
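Review bot: The new `capability sys_ptrace,` together with the existing `ptrace (read),` below it, which has no `peer=` restriction, lets nvtop read process details of every user's processes; that is plausible for a monitor but deserves a line saying so, e.g. `# read @{PROC}/@{pid}/ of other users' processes for the per-process view — TODO confirm`. If the tool only needs the invoking user's processes, the capability could be left out instead. The nvtop profile starts outside the hunk.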


@ -12,8 +12,13 @@ profile resize2fs @{exec_path} {
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
capability sys_resource,
@{exec_path} mr, @{exec_path} mr,
/ r,
/.ismount-test-file rw,
@{PROC}/swaps r, @{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
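Review bot: `/.ismount-test-file rw,` only covers a filesystem mounted at `/`; if this is the probe file e2fsprogs creates in a mount point to test for a read-only mount, resizing a filesystem mounted anywhere else would attempt the same write at `<mountpoint>/.ismount-test-file` and be denied. Either document that only the root filesystem is covered (`# read-only-mount probe file; root fs only — TODO confirm`) or widen the rule to the mount points the profile is expected to handle. The new `capability sys_resource,` would also benefit from a one-line reason. The resize2fs profile starts outside the hunk.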


@ -27,10 +27,13 @@ profile resolvconf @{exec_path} {
/usr/lib/resolvconf/{,**} r, /usr/lib/resolvconf/{,**} r,
/etc/resolv.conf rw, /etc/resolv.conf rw,
/etc/resolvconf/{,**} r,
/etc/resolvconf/update.d/libc rix, /etc/resolvconf/update.d/libc rix,
owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/{,**} rw,
owner @{run}/resolvconf/run-lock wk, owner @{run}/resolvconf/run-lock wk,
/dev/tty rw,
include if exists <local/resolvconf> include if exists <local/resolvconf>
} }
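Review bot: `/dev/tty rw,` is what `include <abstractions/consoles>` normally supplies (the aa-enabled section of this commit adds that include for the same purpose), so unless the resolvconf profile's include list, which lies outside this hunk, deliberately avoids the abstraction, the include would be the more conventional place for it. The new `/etc/resolvconf/{,**} r,` also covers `update.d/libc` for reads, leaving the following `rix` line needed only for the exec permission; that is fine as is, but a short comment would stop it from looking redundant.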


@ -12,10 +12,13 @@ profile scrcpy @{exec_path} {
include <abstractions/dri-common> include <abstractions/dri-common>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/opencl>
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
signal (send) set=(kill) peer=adb,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/adb rPx, /{usr/,}bin/adb rPx,


@ -1,65 +0,0 @@
# vim:syntax=apparmor
#include <tunables/global>
profile tcpdump /usr/bin/tcpdump {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability net_raw,
capability setuid,
capability setgid,
capability dac_override,
capability chown,
network raw,
network packet,
# for -D
@{PROC}/bus/usb/ r,
@{PROC}/bus/usb/** r,
# for finding an interface
/dev/ r,
@{PROC}/[0-9]*/net/dev r,
/sys/bus/usb/devices/ r,
/sys/class/net/ r,
/sys/devices/**/net/** r,
# for -j
capability net_admin,
# for tracing USB bus, which libpcap supports
/dev/usbmon* r,
/dev/bus/usb/ r,
/dev/bus/usb/** r,
# for init_etherarray(), with -e
/etc/ethers r,
# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
/dev/bus/usb/**/[0-9]* w,
# for -z
/{usr/,}bin/gzip ixr,
/{usr/,}bin/bzip2 ixr,
# for -F and -w
audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,
audit deny @{HOME}/bin/ rw,
audit deny @{HOME}/bin/** mrwkl,
owner @{HOME}/ r,
owner @{HOME}/** rw,
# for -r, -F and -w
/**.[pP][cC][aA][pP] rw,
/**.[cC][aA][pP] rw,
# for convenience with -r (ie, read pcap files from other sources)
/var/log/snort/*log* r,
/usr/bin/tcpdump mr,
include if exists <local/usr.sbin.tcpdump>
}