mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
339 lines
9.9 KiB
Go
339 lines
9.9 KiB
Go
// apparmor.d - Full set of apparmor profiles
|
|
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
package aa
|
|
|
|
var (
|
|
// Include
|
|
include1 = &Include{IsMagic: true, Path: "abstraction/base"}
|
|
include2 = &Include{IsMagic: false, Path: "abstraction/base"}
|
|
include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"}
|
|
includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"}
|
|
|
|
// Rlimit
|
|
rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"}
|
|
rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"}
|
|
rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"}
|
|
|
|
// Capability
|
|
capability1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "cap",
|
|
"operation": "capable",
|
|
"capname": "net_admin",
|
|
"capability": "12",
|
|
"profile": "pkexec",
|
|
"comm": "pkexec",
|
|
}
|
|
capability1 = &Capability{Names: []string{"net_admin"}}
|
|
capability2 = &Capability{Names: []string{"sys_ptrace"}}
|
|
|
|
// Network
|
|
network1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "net",
|
|
"operation": "create",
|
|
"family": "netlink",
|
|
"profile": "sddm-greeter",
|
|
"sock_type": "raw",
|
|
"protocol": "15",
|
|
"requested_mask": "create",
|
|
"denied_mask": "create",
|
|
"comm": "sddm-greeter",
|
|
}
|
|
network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"}
|
|
network2 = &Network{Domain: "inet", Type: "dgram"}
|
|
|
|
// Mount
|
|
mount1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "mount",
|
|
"operation": "mount",
|
|
"info": "failed perms check",
|
|
"error": "-13",
|
|
"profile": "dockerd",
|
|
"name": "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/",
|
|
"comm": "dockerd",
|
|
"fstype": "overlay",
|
|
"srcname": "overlay",
|
|
}
|
|
mount2Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "mount",
|
|
"operation": "mount",
|
|
"info": "failed perms check",
|
|
"error": "-13",
|
|
"profile": "loupe",
|
|
"name": "/newroot/dev/tty",
|
|
"comm": "bwrap",
|
|
"srcname": "/oldroot/dev/tty",
|
|
"flags": "rw, rbind",
|
|
}
|
|
mount1 = &Mount{
|
|
RuleBase: RuleBase{Comment: " failed perms check"},
|
|
MountConditions: MountConditions{FsType: "overlay"},
|
|
Source: "overlay",
|
|
MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/",
|
|
}
|
|
mount2 = &Mount{
|
|
RuleBase: RuleBase{Comment: " failed perms check"},
|
|
MountConditions: MountConditions{Options: []string{"rw", "rbind"}},
|
|
Source: "/oldroot/dev/tty",
|
|
MountPoint: "/newroot/dev/tty",
|
|
}
|
|
|
|
// Umount
|
|
umount1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "mount",
|
|
"operation": "umount",
|
|
"profile": "systemd",
|
|
"name": "/",
|
|
"comm": "(ostnamed)",
|
|
}
|
|
umount1 = &Umount{MountPoint: "/"}
|
|
umount2 = &Umount{MountPoint: "/oldroot/"}
|
|
|
|
// PivotRoot
|
|
// pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/" comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"`
|
|
pivotroot1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "mount",
|
|
"profile": "systemd",
|
|
"operation": "pivotroot",
|
|
"comm": "(ostnamed)",
|
|
"name": "@{run}/systemd/mount-rootfs/",
|
|
"srcname": "@{run}/systemd/mount-rootfs/",
|
|
}
|
|
pivotroot1 = &PivotRoot{
|
|
OldRoot: "@{run}/systemd/mount-rootfs/",
|
|
NewRoot: "@{run}/systemd/mount-rootfs/",
|
|
}
|
|
pivotroot2 = &PivotRoot{
|
|
OldRoot: "@{run}/systemd/mount-rootfs/",
|
|
NewRoot: "/newroot",
|
|
TargetProfile: "brwap",
|
|
}
|
|
pivotroot3 = &PivotRoot{
|
|
NewRoot: "/newroot",
|
|
}
|
|
|
|
// Change Profile
|
|
// changeprofile1LogStr = `apparmor="ALLOWED" operation="change_onexec" class="file" profile="systemd" name="systemd-user" comm="(systemd)" target="systemd-user"`
|
|
changeprofile1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "file",
|
|
"profile": "systemd",
|
|
"operation": "change_onexec",
|
|
"comm": "(systemd)",
|
|
"name": "systemd-user",
|
|
"target": "systemd-user",
|
|
}
|
|
changeprofile1 = &ChangeProfile{ProfileName: "systemd-user"}
|
|
changeprofile2 = &ChangeProfile{ProfileName: "brwap"}
|
|
changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"}
|
|
|
|
// Signal
|
|
signal1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "signal",
|
|
"profile": "firefox",
|
|
"operation": "signal",
|
|
"comm": "49504320492F4F20506172656E74",
|
|
"requested_mask": "receive",
|
|
"denied_mask": "receive",
|
|
"signal": "kill",
|
|
"peer": "firefox//&firejail-default",
|
|
}
|
|
signal1 = &Signal{
|
|
Access: []string{"receive"},
|
|
Set: []string{"kill"},
|
|
Peer: "firefox//&firejail-default",
|
|
}
|
|
signal2 = &Signal{
|
|
Access: []string{"receive"},
|
|
Set: []string{"up"},
|
|
Peer: "firefox//&firejail-default",
|
|
}
|
|
|
|
// Ptrace
|
|
ptrace1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "ptrace",
|
|
"profile": "xdg-document-portal",
|
|
"operation": "ptrace",
|
|
"comm": "pool-/usr/lib/x",
|
|
"requested_mask": "read",
|
|
"denied_mask": "read",
|
|
"peer": "nautilus",
|
|
}
|
|
ptrace2Log = map[string]string{
|
|
"apparmor": "DENIED",
|
|
"class": "ptrace",
|
|
"operation": "ptrace",
|
|
"comm": "systemd-journal",
|
|
"requested_mask": "readby",
|
|
"denied_mask": "readby",
|
|
"peer": "systemd-journald",
|
|
}
|
|
ptrace1 = &Ptrace{Access: []string{"read"}, Peer: "nautilus"}
|
|
ptrace2 = &Ptrace{Access: []string{"readby"}, Peer: "systemd-journald"}
|
|
|
|
// Unix
|
|
unix1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"class": "unix",
|
|
"family": "unix",
|
|
"operation": "file_perm",
|
|
"profile": "gsettings",
|
|
"comm": "dbus-daemon",
|
|
"requested_mask": "send receive",
|
|
"addr": "none",
|
|
"peer_addr": "@/tmp/dbus-AaKMpxzC4k",
|
|
"peer": "dbus-daemon",
|
|
"denied_mask": "send receive",
|
|
"sock_type": "stream",
|
|
"protocol": "0",
|
|
}
|
|
unix1 = &Unix{
|
|
Access: []string{"send", "receive"},
|
|
Type: "stream",
|
|
Protocol: "0",
|
|
Address: "none",
|
|
PeerAddr: "@/tmp/dbus-AaKMpxzC4k",
|
|
PeerLabel: "dbus-daemon",
|
|
}
|
|
unix2 = &Unix{
|
|
RuleBase: RuleBase{FileInherit: true},
|
|
Access: []string{"receive"},
|
|
Type: "stream",
|
|
}
|
|
|
|
// Dbus
|
|
dbus1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "dbus_method_call",
|
|
"bus": "session",
|
|
"path": "/org/gtk/vfs/metadata",
|
|
"interface": "org.gtk.vfs.Metadata",
|
|
"member": "Remove",
|
|
"name": ":1.15",
|
|
"mask": "receive",
|
|
"label": "gvfsd-metadata",
|
|
"peer_pid": "3888",
|
|
"peer_label": "tracker-extract",
|
|
}
|
|
dbus2Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "dbus_bind",
|
|
"bus": "session",
|
|
"name": "org.gnome.evolution.dataserver.Sources5",
|
|
"mask": "bind",
|
|
"pid": "3442",
|
|
"label": "evolution-source-registry",
|
|
}
|
|
dbus1 = &Dbus{
|
|
Access: []string{"receive"},
|
|
Bus: "session",
|
|
Path: "/org/gtk/vfs/metadata",
|
|
Interface: "org.gtk.vfs.Metadata",
|
|
Member: "Remove",
|
|
PeerName: ":1.15",
|
|
PeerLabel: "tracker-extract",
|
|
}
|
|
dbus2 = &Dbus{
|
|
Access: []string{"bind"},
|
|
Bus: "session",
|
|
Name: "org.gnome.evolution.dataserver.Sources5",
|
|
}
|
|
dbus3 = &Dbus{
|
|
Access: []string{"bind"},
|
|
Bus: "session",
|
|
Name: "org.gnome.evolution.dataserver",
|
|
}
|
|
|
|
// File
|
|
file1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "open",
|
|
"class": "file",
|
|
"profile": "cupsd",
|
|
"name": "/usr/share/poppler/cMap/Identity-H",
|
|
"comm": "gs",
|
|
"requested_mask": "r",
|
|
"denied_mask": "r",
|
|
"fsuid": "209",
|
|
"FSUID": "cups",
|
|
"ouid": "0",
|
|
"OUID": "root",
|
|
}
|
|
file2Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "open",
|
|
"class": "file",
|
|
"profile": "gsd-print-notifications",
|
|
"name": "@{PROC}/4163/cgroup",
|
|
"comm": "gsd-print-notif",
|
|
"requested_mask": "r",
|
|
"denied_mask": "r",
|
|
"fsuid": "1000",
|
|
"FSUID": "user",
|
|
"ouid": "1000",
|
|
"OUID": "user",
|
|
"error": "-1",
|
|
}
|
|
file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}
|
|
file2 = &File{
|
|
RuleBase: RuleBase{NoNewPrivs: true},
|
|
Owner: true,
|
|
Path: "@{PROC}/4163/cgroup",
|
|
Access: []string{"r"},
|
|
}
|
|
|
|
// Link
|
|
link3LogStr = `apparmor="ALLOWED" operation="link" class="file" profile="dolphin" name="@{user_config_dirs}/kiorc" comm="dolphin" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="@{user_config_dirs}/#3954"`
|
|
link1Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "link",
|
|
"class": "file",
|
|
"profile": "mkinitcpio",
|
|
"name": "/tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
|
|
"comm": "cp",
|
|
"requested_mask": "l",
|
|
"denied_mask": "l",
|
|
"fsuid": "0",
|
|
"ouid": "0",
|
|
"target": "/tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
|
|
"FSUID": "root",
|
|
"OUID": "root",
|
|
}
|
|
link3Log = map[string]string{
|
|
"apparmor": "ALLOWED",
|
|
"operation": "link",
|
|
"class": "file",
|
|
"profile": "dolphin",
|
|
"name": "@{user_config_dirs}/kiorc",
|
|
"comm": "dolphin",
|
|
"requested_mask": "l",
|
|
"denied_mask": "l",
|
|
"fsuid": "1000",
|
|
"ouid": "1000",
|
|
"target": "@{user_config_dirs}/#3954",
|
|
}
|
|
link1 = &Link{
|
|
Path: "/tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
|
|
Target: "/tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
|
|
}
|
|
link2 = &Link{
|
|
Owner: true,
|
|
Path: "@{user_config_dirs}/powerdevilrc{,.@{rand6}}",
|
|
Target: "@{user_config_dirs}/#@{int}",
|
|
}
|
|
link3 = &Link{
|
|
Owner: true,
|
|
Path: "@{user_config_dirs}/kiorc",
|
|
Target: "@{user_config_dirs}/#3954",
|
|
}
|
|
)
|