diff --git a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
deleted file mode 100644
index c4ceb489..00000000
--- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
+++ /dev/null
@@ -1,43 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Felix Geyer
-# SPDX-License-Identifier: GPL-2.0-only
-
-@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
-
-include
-
-profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
- include
- include
- include
- include
-
- /etc/apt-cacher-ng/ r,
- /etc/apt-cacher-ng/** r,
- /etc/hosts.{deny,allow} r,
- /usr/sbin/apt-cacher-ng mr,
-
- /var/lib/apt-cacher-ng/** r,
- /{,var/}run/apt-cacher-ng/* rw,
- @{APT_CACHER_NG_CACHE_DIR}/ r,
- @{APT_CACHER_NG_CACHE_DIR}/** rwl,
- /var/log/apt-cacher-ng/ r,
- /var/log/apt-cacher-ng/* rw,
- /{,var/}run/systemd/notify w,
-
- /{usr/,}bin/dash ixr,
- /{usr/,}bin/ed ixr,
- /{usr/,}bin/red ixr,
- /{usr/,}bin/sed ixr,
-
- /usr/lib/apt-cacher-ng/acngtool ixr,
-
- # Allow serving local documentation
- /etc/mime.types r,
- /usr/share/doc/apt-cacher-ng/html/** r,
-
- # used by libevent
- @{PROC}/sys/kernel/random/uuid r,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/usr.sbin.cupsd b/apparmor.d/profiles-s-z/usr.sbin.cupsd
deleted file mode 100644
index 975e8146..00000000
--- a/apparmor.d/profiles-s-z/usr.sbin.cupsd
+++ /dev/null
@@ -1,222 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2007 Martin Pitt
-# SPDX-License-Identifier: GPL-2.0-only
-
-#include
-
-/usr/sbin/cupsd flags=(attach_disconnected) {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
-
- capability chown,
- capability fowner,
- capability fsetid,
- capability kill,
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability audit_write,
- capability wake_alarm,
- deny capability block_suspend,
-
- # noisy
- deny signal (send) set=("term") peer=unconfined,
-
- # nasty, but we limit file access pretty tightly, and cups chowns a
- # lot of files to 'lp' which it cannot read/write afterwards any
- # more
- capability dac_override,
- capability dac_read_search,
-
- # the bluetooth backend needs this
- network bluetooth,
-
- # the dnssd backend uses those
- network x25 seqpacket,
- network ax25 dgram,
- network netrom seqpacket,
- network rose dgram,
- network ipx dgram,
- network appletalk dgram,
- network econet dgram,
- network ash dgram,
-
- # CUPS is of systemd service type "notify" now, meaning that cupsd notifies
- # systemd when it is up and running, give CUPS access to systemd's
- # notification socket
- @{run}/systemd/notify w,
-
- /{usr/,}bin/bash ixr,
- /{usr/,}bin/dash ixr,
- /{usr/,}bin/hostname ixr,
- /dev/lp* rw,
- deny /dev/tty rw, # silence noise
- /dev/ttyS* rw,
- /dev/ttyUSB* rw,
- /dev/usb/lp* rw,
- /dev/bus/usb/ r,
- /dev/bus/usb/** rw,
- /dev/parport* rw,
- /etc/cups/ rw,
- /etc/cups/** rw,
- /etc/cups/interfaces/* ixrw,
- /etc/foomatic/* r,
- /etc/gai.conf r,
- /etc/papersize r,
- /etc/pnm2ppa.conf r,
- /etc/printcap rwl,
- /etc/ssl/** r,
- /etc/letsencrypt/archive/** r,
- @{PROC}/net/ r,
- @{PROC}/net/* r,
- @{PROC}/sys/dev/parport/** r,
- @{PROC}/*/net/ r,
- @{PROC}/*/net/** r,
- @{PROC}/*/auxv r,
- @{PROC}/sys/crypto/** r,
- /sys/** r,
- /usr/bin/* ixr,
- /usr/sbin/* ixr,
- /{usr/,}bin/* ixr,
- /{usr/,}{s,}bin/* ixr,
- /usr/lib/** rm,
-
- # backends which come with CUPS can be confined
- /usr/lib/cups/backend/bluetooth ixr,
- /usr/lib/cups/backend/dnssd ixr,
- /usr/lib/cups/backend/http ixr,
- /usr/lib/cups/backend/ipp ixr,
- /usr/lib/cups/backend/lpd ixr,
- /usr/lib/cups/backend/mdns ixr,
- /usr/lib/cups/backend/parallel ixr,
- /usr/lib/cups/backend/serial ixr,
- /usr/lib/cups/backend/snmp ixr,
- /usr/lib/cups/backend/socket ixr,
- /usr/lib/cups/backend/usb ixr,
-
- # we treat cups-pdf specially, since it needs to write into /home
- # and thus needs extra paranoia
- /usr/lib/cups/backend/cups-pdf Px,
-
- # allow communicating with cups-pdf via Unix sockets
- unix peer=(label=/usr/lib/cups/backend/cups-pdf),
-
- # third party backends get no restrictions as they often need high
- # privileges and this is beyond our control
- /usr/lib/cups/backend/* Cx -> third_party,
-
- /usr/lib/cups/cgi-bin/* ixr,
- /usr/lib/cups/daemon/* ixr,
- /usr/lib/cups/monitor/* ixr,
- /usr/lib/cups/notifier/* ixr,
- # filters and drivers (PPD generators) are always run as non-root,
- # and there are a lot of third-party drivers which we cannot predict
- /usr/lib/cups/filter/** Cxr -> third_party,
- /usr/lib/cups/driver/* Cxr -> third_party,
- /usr/local/** rm,
- /usr/local/lib/cups/** rix,
- /usr/share/** r,
- /{,var/}run/** rm,
- /{,var/}run/avahi-daemon/socket rw,
- deny /{,var/}run/samba/ rw,
- /{,var/}run/samba/** rw,
- /var/cache/samba/*.tdb r,
- /var/{cache,lib}/samba/printing/printers.tdb r,
- /{,var/}run/cups/ rw,
- /{,var/}run/cups/** rw,
- /var/cache/cups/ rw,
- /var/cache/cups/** rwk,
- /var/log/cups/ rw,
- /var/log/cups/* rw,
- /var/spool/cups/ rw,
- /var/spool/cups/** rw,
-
- # third-party printer drivers; no known structure here
- /opt/** rix,
-
- # FIXME: no policy ATM for hplip and Brother drivers
- /usr/bin/hpijs Cx -> third_party,
- /usr/Brother/** Cx -> third_party,
-
- # Kerberos authentication
- /etc/krb5.conf r,
- deny /etc/krb5.conf w,
- /etc/krb5.keytab rk,
- /etc/cups/krb5.keytab rwk,
- /tmp/krb5cc* k,
-
- # likewise authentication
- /etc/likewise r,
- /etc/likewise/* r,
-
- # silence noise
- deny /etc/udev/udev.conf r,
-
- signal peer=/usr/sbin/cupsd//third_party,
- unix peer=(label=/usr/sbin/cupsd//third_party),
- profile third_party flags=(attach_disconnected) {
- # third party backends, filters, and drivers get relatively no restrictions
- # as they often need high privileges, are unpredictable or otherwise beyond
- # our control
- file,
- capability,
- audit deny capability mac_admin,
- network,
- dbus,
- signal,
- ptrace,
- unix,
- }
-
- include if exists
-}
-
-# separate profile since this needs to write into /home
-/usr/lib/cups/backend/cups-pdf {
- #include
- #include
- #include
- #include
-
- capability chown,
- capability fowner,
- capability fsetid,
- capability setgid,
- capability setuid,
-
- # unfortunate, but required for when $HOME is 700
- capability dac_override,
- capability dac_read_search,
-
- # allow communicating with cupsd via Unix sockets
- unix peer=(label=/usr/sbin/cupsd),
-
- @{PROC}/*/auxv r,
-
- /{usr/,}bin/dash ixr,
- /{usr/,}bin/bash ixr,
- /{usr/,}bin/cp ixr,
- /etc/papersize r,
- /etc/cups/cups-pdf.conf r,
- /etc/cups/ppd/*.ppd r,
- /usr/bin/gs ixr,
- /usr/lib/cups/backend/cups-pdf mr,
- /usr/lib/ghostscript/** mr,
- /usr/share/** r,
- /var/log/cups/cups-pdf*_log w,
- /var/spool/cups/** r,
- /var/spool/cups-pdf/** rw,
-
- # allow read and write on almost anything in @{HOME} (lenient, but
- # private-files-strict is in effect), to support customized "Out"
- # setting in cups-pdf.conf (Debian#940578)
- #include
- @{HOME}/[^.]*/{,**/} rw,
- @{HOME}/[^.]*/** rw,
-}