update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2021-03-13 16:52:36 +01:00
parent 5b12c89dba
commit e1f16545e0
No known key found for this signature in database
GPG Key ID: 32D9CB634796CCA1
15 changed files with 190 additions and 11 deletions


@ -2,6 +2,7 @@
# #
# Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd. # Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2021 Mikhail Morfikov
# #
# This program is free software; you can redistribute it and/or # This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public # modify it under the terms of version 2 of the GNU General Public
@ -14,7 +15,8 @@
# some services update wtmp, utmp, and lastlog with per-user # some services update wtmp, utmp, and lastlog with per-user
# connection information # connection information
/var/log/lastlog rwk, /var/log/lastlog rwk,
/var/log/wtmp wk, /var/log/wtmp rwk,
/var/log/btmp rwk,
@{run}/utmp rwk, @{run}/utmp rwk,
# Include additions to the abstraction # Include additions to the abstraction
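Review bot: Adding `/var/log/btmp rwk,` and widening wtmp from `wk` to `rwk` in this abstraction (presumably abstractions/wutmp, judging by the header comment in the hunk) hands write and lock access to the login-accounting files to every profile that includes it, including the read-only tools added in this same commit (`last`, `w`). btmp holds failed-login records and wtmp/lastlog are what post-incident review relies on, so a profile that only reports from them should not be able to append to or truncate them. Keep the abstraction for the writers and give the readers explicit `r` rules instead. The new line also deserves a comment, since the existing header only names wtmp, utmp and lastlog: `# btmp: failed-login records; written by login, su and display managers`.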


@ -35,7 +35,5 @@ profile accounts-daemon @{exec_path} {
/etc/shells r, /etc/shells r,
/etc/shadow r, /etc/shadow r,
/var/log/wtmp r,
include if exists <local/accounts-daemon> include if exists <local/accounts-daemon>
} }

38
apparmor.d/adb Normal file

@ -0,0 +1,38 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/adb
@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
profile adb @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/devices-usb>
include <abstractions/user-download-strict>
# For adb kill-server:
# cannot connect to daemon at tcp:5037: Permission denied
network inet stream,
network inet6 stream,
@{exec_path} mrix,
owner /tmp/adb.[0-9]*.log rw,
owner @{HOME}/.android/ rw,
owner @{HOME}/.android/adb.[0-9]* rw,
owner @{HOME}/.android/adbkey rw,
include if exists <local/adb>
}
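Review bot: The `network inet stream,` / `network inet6 stream,` pair lets adb open or accept any TCP connection, not just the loopback :5037 one the comment above them describes; at `abi <abi/3.0>` AppArmor network rules cannot be limited by address or port, so the rule cannot be narrowed in-profile, and the comment should say so rather than imply it is scoped, e.g. `# abi 3.0 cannot restrict this to localhost:5037; covers the server socket and adb connect`. Because `@{exec_path} mrix,` keeps the forked adb server under this same profile, the grant applies to the daemon as well as the client. Separately, adb stores its public key next to the private one, so `owner @{HOME}/.android/adbkey.pub rw,` is presumably needed alongside the `adbkey` rule — confirm against the denial log before adding it.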


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apt-compat @{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apt-compat
profile cron-apt-compat @{exec_path} flags=(complain) { profile cron-apt-compat @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
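Review bot: Removing `flags=(complain)` puts cron-apt-compat into enforce mode with no accompanying rule changes in the hunk, so any access that was only being logged in complain mode will now be denied inside an unattended cron job, where the failure is easy to miss. The same switch is made in cron-debtags, cron-exim4-base and cron-man-db below. Worth confirming that the audit log shows no `ALLOWED` entries for these four profiles across a full weekly/monthly cron cycle, and recording that in the commit message. The profile bodies continue outside the hunk.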


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/debtags @{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/debtags
profile cron-debtags @{exec_path} flags=(complain) { profile cron-debtags @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/cron.daily/exim4-base @{exec_path} = /etc/cron.daily/exim4-base
profile cron-exim4-base @{exec_path} flags=(complain) { profile cron-exim4-base @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability dac_read_search, capability dac_read_search,


@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/man-db @{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/man-db
profile cron-man-db @{exec_path} flags=(complain) { profile cron-man-db @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

24
apparmor.d/id Normal file

@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/id
profile id @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
include if exists <local/id>
}

32
apparmor.d/last Normal file

@ -0,0 +1,32 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/last{,b}
profile last @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
# For the --dns flag
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
@{PROC}/@{pids}/loginuid r,
include if exists <local/last>
}
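Review bot: `include <abstractions/wutmp>` gives this read-only tool `rwk` on /var/log/wtmp, /var/log/btmp, /var/log/lastlog and @{run}/utmp once this commit's change to that abstraction lands, whereas `last`/`lastb` only need to read wtmp and btmp (plus rotated copies when run with `-f`). Replace the include with `/var/log/{wtmp,btmp}{,.[0-9]*} r,`, which mirrors the utmpdump profile in this commit and removes write access to the login-accounting logs that incident review depends on. The w profile below has the same over-grant and only needs `@{run}/utmp r,`.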

29
apparmor.d/lastlog Normal file

@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/lastlog
profile lastlog @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network netlink raw,
@{exec_path} mr,
/var/log/lastlog r,
/etc/login.defs r,
include if exists <local/lastlog>
}


@ -97,7 +97,6 @@ profile lightdm @{exec_path} {
# LightDM logs # LightDM logs
/var/log/lightdm/{,**} rw, /var/log/lightdm/{,**} rw,
/var/log/btmp wk,
@{run}/lightdm/{,**} rw, @{run}/lightdm/{,**} rw,
@{run}/lightdm.pid rw, @{run}/lightdm.pid rw,


@ -101,7 +101,6 @@ profile sddm @{exec_path} {
owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw, owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
@{HOME}/.local/share/kwalletd/kdewallet.salt r, @{HOME}/.local/share/kwalletd/kdewallet.salt r,
owner @{run}/user/[0-9]*/kwallet5.socket rw, owner @{run}/user/[0-9]*/kwallet5.socket rw,
/var/log/btmp wk,
# Themes # Themes
/usr/share/sddm/themes/** r, /usr/share/sddm/themes/** r,


@ -60,8 +60,6 @@ profile su @{exec_path} {
/etc/shells r, /etc/shells r,
owner /var/log/btmp wk,
# For pam_securetty # For pam_securetty
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/console/active r,

26
apparmor.d/utmpdump Normal file

@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/utmpdump
profile utmpdump @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/var/log/wtmp{,.[0-9]*} r,
/var/log/btmp{,.[0-9]*} r,
include if exists <local/utmpdump>
}
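Review bot: The two `/var/log/...` rules cover wtmp and btmp and their rotated copies, but there is no rule for the live utmp file that utmpdump is also routinely pointed at, so `utmpdump /run/utmp` would be denied under this profile; add `@{run}/utmp r,` next to them. The read-only `r` mode chosen here is the right shape for the other login-accounting readers in this commit (`last`, `w`) as well.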

34
apparmor.d/w Normal file

@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/w
profile w @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
ptrace (read),
@{exec_path} mr,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/loadavg r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
include if exists <local/w>
}
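Review bot: `ptrace (read),` is unqualified (no `peer=`), which is presumably what w needs to read `@{PROC}/@{pids}/cmdline` and `stat` for other users' sessions, but nothing in the profile says so and an unqualified ptrace rule is the first thing a later reviewer will try to trim. Add a comment above it such as `# unqualified on purpose: w lists every user's session, and reading another user's /proc/PID/cmdline requires ptrace read`. If that reasoning turns out not to hold for this kernel, the rule can be dropped rather than widened.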