apparmor/utils/logprof.conf

# ------------------------------------------------------------------
#
#    Copyright (C) 2004-2006 Novell/SUSE
#    Copyright (C) 2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

[settings]
  profiledir = /etc/apparmor.d /etc/subdomain.d
  inactive_profiledir = /usr/share/apparmor/extra-profiles
  logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages

  parser = /sbin/apparmor_parser /sbin/subdomain_parser
  logger = /bin/logger /usr/bin/logger

  # customize how file ownership permissions are presented
  # 0 - off
  # 1 - default of what ever mode the log reported
  # 2 - force the new permissions to be user
  # 3 - force all perms on the rule to be user
  default_owner_prompt = 1

  # custom directory locations to look for #includes
  #
  # each name should be a valid directory containing possible #include
  # candidate files under the profile dir which by default is /etc/apparmor.d.
  #
  # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
  # be used by the yast UI and profiling tools as a source of #include
  # files.
  custom_includes =

  # When called with --json, log all input and output to a tempfile (/tmp/aa-jsonlog-*)
  # Only enable for debugging.
  # Note that aa-logprof will not display any hint that aa-jsonlog-* gets written.
  json_log = 0

[qualifiers]
  # things will be painfully broken if bash has a profile
  /bin/bash     = icnu
  /usr/bin/bash = icnu
  /bin/ksh	    = icnu
  /usr/bin/ksh	= icnu
  /bin/dash	    = icnu
  /usr/bin/dash	= icnu
  /bin/zsh      = icnu
  /usr/bin/zsh  = icnu

  # these programs can't function if they're confined
  /bin/mount    = u
  /usr/bin/mount = u
  /etc/init.d/subdomain = u
  /sbin/cardmgr = u
  /usr/sbin/cardmgr = u
  /sbin/subdomain_parser = u
  /usr/sbin/subdomain_parser = u
  /usr/sbin/genprof = u
  /usr/sbin/logprof = u
  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
  /usr/lib/YaST2/servers_non_y2/ag_logprof = u

  # these ones shouldn't have their own profiles
  /bin/awk      = icn
  /usr/bin/awk  = icn
  /bin/cat      = icn
  /usr/bin/cat  = icn
  /bin/chmod    = icn
  /usr/bin/chmod = icn
  /bin/chown    = icn
  /usr/bin/chown = icn
  /bin/cp       = icn
  /usr/bin/cp   = icn
  /bin/gawk     = icn
  /usr/bin/gawk = icn
  /bin/grep     = icn
  /usr/bin/grep = icn
  /bin/gunzip   = icn
  /usr/bin/gunzip = icn
  /bin/gzip     = icn
  /usr/bin/gzip = icn
  /bin/kill     = icn
  /usr/bin/kill = icn
  /bin/ln       = icn
  /usr/bin/ln   = icn
  /bin/ls       = icn
  /usr/bin/ls   = icn
  /bin/mkdir    = icn
  /usr/bin/mkdir = icn
  /bin/mv       = icn
  /usr/bin/mv   = icn
  /bin/readlink = icn
  /usr/bin/readlink = icn
  /bin/rm       = icn
  /usr/bin/rm   = icn
  /bin/sed      = icn
  /usr/bin/sed  = icn
  /bin/touch    = icn
  /usr/bin/touch = icn
  /sbin/killall5 = icn
  /usr/sbin/killall5 = icn
  /usr/bin/find = icn
  /usr/bin/killall = icn
  /usr/bin/nice = icn
  /usr/bin/perl = icn
  /usr/bin/python       = icn
  /usr/bin/python2      = icn
  /usr/bin/python2.7    = icn
  /usr/bin/python3      = icn
  /usr/bin/python3.3    = icn
  /usr/bin/python3.4    = icn
  /usr/bin/python3.5    = icn
  /usr/bin/python3.6    = icn
  /usr/bin/python3.7    = icn
  /usr/bin/python3.8    = icn
  /usr/bin/python3.9    = icn
  /usr/bin/python3.10   = icn
  /usr/bin/python3.11   = icn
  /usr/bin/python3.12   = icn
  /usr/bin/python3.13   = icn
  /usr/bin/python3.14   = icn
  /usr/bin/python3.15   = icn
  /usr/bin/python3.16   = icn
  /usr/bin/python3.17   = icn
  /usr/bin/python3.18   = icn
  /usr/bin/python3.19   = icn
  /usr/bin/tr   = icn

[required_hats]
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
  ^.+/httpd(|2|2-prefork)$  = DEFAULT_URI HANDLING_UNTRUSTED_INPUT

[defaulthat]
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
  ^.+/httpd(|2|2-prefork)$  = DEFAULT_URI

[globs]
  # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
  /lib/lib[^\/]+so[^\/]*$           = /lib/lib*so*

  # strip kernel version numbers from kernel module accesses
  ^/lib/modules/[^\/]+\/            = /lib/modules/*/

  # strip pid numbers from /proc accesses
  ^/proc/\d+/                       = /proc/*/

  # if it looks like a home directory, glob out the username
  ^/home/[^\/]+                     = /home/*

  # if they use any perl modules, grant access to all
  ^/usr/lib/perl5/.+$               = /usr/lib/perl5/**
  ^/usr/lib/[^\/]+/perl5?/.+$       = /usr/lib/@{multiarch}/perl{,5}/**

  # locale foo
  ^/usr/lib/locale/.+$              = /usr/lib/locale/**
  ^/usr/share/locale/.+$            = /usr/share/locale/**

  # timezone fun
  ^/usr/share/zoneinfo/.+$          = /usr/share/zoneinfo/**

  # /foobar/fonts/baz -> /foobar/fonts/**
  /fonts/.+$                        = /fonts/**

  # turn /foo/bar/baz.8907234 into /foo/bar/baz.*
  # BUGBUG - this one looked weird because it would suggest a glob for
  # BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
  # \.\d+$                            = .*

  # some various /etc/security poo -- dunno about these ones...
  ^/etc/security/_[^\/]+$           = /etc/security/*
  ^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
  ^/lib/security/pam_[^\/]+\.so$    = /lib/security/pam_*.so

  ^/etc/pam.d/[^\/]+$               = /etc/pam.d/*
  ^/etc/profile.d/[^\/]+\.sh$       = /etc/profile.d/*.sh