# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#
# AppArmor profile for the cron daemon (attached to @{exec_path} below).
# The outer profile covers what the daemon itself touches plus the jobs
# it is allowed to launch; the nested run-parts profile covers the
# periodic scripts under /etc/cron.{hourly,daily,weekly,monthly}/.
#
# NOTE(review): the targets of the `abi`, `include` and `include if exists`
# directives (normally written in angle brackets) are missing from this
# copy -- they look like they were dropped during extraction. Restore them
# from the upstream file before loading; as written the parser will almost
# certainly reject this profile.
#
# Exec transition modes used below (see apparmor.d(5)):
#   ix  - run under this same profile (shells, nice, ionice)
#   Px  - require a dedicated profile for the target; environment is scrubbed
#   PUx - use the target's profile if one is loaded, otherwise run UNCONFINED
#   Cx  - transition to the named child profile defined in this file
# Every PUx entry is a confinement gap whenever no profile for that binary
# is loaded; tighten to Px once a profile for the target exists.

abi ,

include

@{exec_path} = /{usr/,}sbin/cron
profile cron @{exec_path} {
  include
  include
  include
  include

  # Presumably needed to switch to the job owner's uid/gid before
  # running a crontab entry -- verify against the cron build in use.
  capability setuid,
  capability setgid,
  # dac_read_search bypasses file read and directory search permission
  # checks, so it is broader than "read the crontab spool"; keep it only
  # while something here demonstrably needs it.
  capability dac_read_search,
  # audit_write together with the netlink raw socket and the loginuid
  # write below suggest audit/session bookkeeping (pam_loginuid-style);
  # confirm before changing any of the three.
  capability audit_write,
  # sys_resource: presumably for raising job resource limits, cf. the
  # @{PROC}/1/limits and /etc/security/limits.d/ reads further down.
  capability sys_resource,

  network netlink raw,

  @{exec_path} mr,

  # Inline crontab command lines are presumably run through sh -c; with ix
  # the shell (and nice/ionice) stay confined by THIS profile, so anything
  # they spawn must be covered by the rules below.
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/nice rix,
  /{usr/,}bin/ionice rix,

  /etc/crontab r,

  # All stuff that is executed via the /etc/cron.d/ dir
  # The {,*} glob matches the directory itself and its direct entries;
  # `*` does not cross a `/`, so subdirectories are not readable.
  /etc/cron.d/{,*} r,
  /{usr/,}sbin/cron-apt rPx,
  /{usr/,}bin/debsecan rPx,
  /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
  /{usr/,}sbin/e2scrub_all rPUx,
  /etc/cron.daily/popularity-contest rPx,
  /{usr/,}lib/sysstat/debian-sa1 rPUx,

  # All stuff that is executed via the user crontab files
  /{usr/,}bin/apt-file rPx,
  /{usr/,}bin/apt-key rPx,
  # rsync and rrsync fall back to unconfined (PUx) -- note when auditing
  # what a user crontab can reach.
  /{usr/,}bin/rsync rPUx,
  /usr/share/rsync/scripts/rrsync rPUx,
  /{usr/,}bin/gpg rPx,
  /{usr/,}sbin/update-pciids rPx,
  /{usr/,}bin/borg rPx,

  # Cron scripts in the /etc/cron.*/ dir to execute
  # Cx -> run-parts: confine run-parts in the child profile defined at the
  # bottom of this file, so each periodic script gets its own transition.
  /{usr/,}bin/run-parts rCx -> run-parts,

  # Send results using email
  /{usr/,}sbin/exim4 rPx,

  # Per-user crontabs are only readable here; nothing in this profile
  # may modify the spool.
  /var/spool/cron/crontabs/{,*} r,

  # pid file is also locked (k) -- presumably the single-instance guard.
  owner @{run}/crond.pid rwk,
  owner @{run}/crond.reboot rw,

  # Unlinked temporary files (e.g. O_TMPFILE) are reported by the kernel as
  # "#<inode>" under their directory, hence the numeric glob; `owner`
  # restricts it to files owned by the process uid.
  owner /tmp/#[0-9]*[0-9] rw,

  owner @{PROC}/@{pid}/uid_map r,
  # Writable loginuid pairs with capability audit_write above.
  owner @{PROC}/@{pid}/loginuid rw,

  /etc/environment r,
  /etc/default/locale r,

  @{PROC}/1/limits r,
  /etc/security/limits.d/ r,

  # Child profile entered via the rCx rule above. Scripts are listed one
  # by one so that each gets an explicit Px/PUx decision; the commented-out
  # entries are inactive templates, not rules.
  profile run-parts {
    include

    /{usr/,}bin/run-parts mr,

    /etc/cron.{hourly,daily,weekly,monthly}/ r,
    /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx,
    /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx,
    /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx,
    /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx,
    /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx,
    /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx,
    /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx,
    #/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx,
    #/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx,
    #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
    #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} rPUx,
    #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx,

    # file_inherit
    # Presumably the temp file opened by the parent profile is inherited as
    # an open fd across the Cx transition, so the same rule is repeated here.
    owner /tmp/#[0-9]*[0-9] rw,

    # Site-local overrides; the target was stripped in this copy (see the
    # note at the top of the file).
    include if exists
  }

  # Site-local overrides for the main profile; target stripped in this copy.
  include if exists
}