mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-19 09:28:17 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor.d/profiles/cron-popularity-contest
Alexandre Pujol e9b8e62fcd
apparmor.d -> profiles
2021-04-01 16:02:59 +01:00

161 lines
3.7 KiB
Text
Raw Blame History

# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest
profile cron-popularity-contest @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
/{usr/,}bin/logger rix,
/{usr/,}bin/date rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/setsid rix,
# To send reports via TOR
/{usr/,}bin/torify rix,
/{usr/,}bin/torsocks rix,
/{usr/,}sbin/getcap rix,
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}sbin/runuser rCx -> runuser,
/{usr/,}bin/savelog rCx -> savelog,
/usr/share/popularity-contest/ r,
/usr/share/popularity-contest/default.conf r,
/etc/popularity-contest.conf r,
# For shell pwd
/ r,
/root/ r,
/var/log/ r,
/var/log/popularity-contest{,.new} rw,
/var/log/popularity-contest{,.new}.gpg rw,
# Store last successful http submission timestamp
/var/lib/popularity-contest/ rw,
/var/lib/popularity-contest/lastsub rw,
owner /tmp/tmp.*/ rw,
owner /tmp/tmp.*/random_seed w,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
profile savelog {
include <abstractions/base>
/{usr/,}bin/savelog mr,
/{usr/,}bin/date rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/{,ba,da}sh rix,
/var/log/ r,
/var/log/popularity-contest.[0-9]*.gz rw,
/var/log/popularity-contest.[0-9]* rw,
/var/log/popularity-contest rw,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
}
profile runuser {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/authentication>
/{usr/,}sbin/runuser mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,
/etc/security/limits.d/ r,
/var/log/popularity-contest.new w,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
}
profile gpg {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/gpg mr,
/usr/share/popularity-contest/debian-popcon.gpg r,
/var/log/popularity-contest.new r,
/var/log/popularity-contest.new.gpg rw,
owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
}
profile popcon-upload {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/usr/share/popularity-contest/popcon-upload r,
/{usr/,}bin/perl r,
/{usr/,}bin/gzip rix,
/var/log/ r,
/var/log/popularity-contest.new.gpg r,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
}
include if exists <local/cron-popularity-contest>
}
Reference in a new issue View git blame Copy permalink