# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#
# abstractions/base: the rules nearly every confined program needs --
# logging sockets, random sources, locale/timezone data, shared-library
# loading, /dev/null and friends, a handful of read-only /proc and /sys
# nodes, and default ptrace/signal/unix peer rules. Because it is
# included by almost every profile, every grant made here is effectively
# a grant to everything; add rules sparingly and read-only where possible.

# Policy ABI this abstraction was written against (see apparmor.d(5)).
abi <abi/3.0>,
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)

# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
# Only 'w' is granted: a confined program may submit log records to the
# syslog socket but gets no read access to it.
/dev/log w,

# Kernel random sources, read-only. 'w' is not granted by base.
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivileged, dedicated user). libuuid hard-codes this socket path and
# some callers (e.g. python's uuid.uuid1()) prefer it, falling back to
# getrandom()/urandom when it is unavailable. Only 'r' is granted here;
# uuidd itself draws from the same random sources base already allows.
@{run}/uuidd/request r,
# Locale, timezone and X11 locale data, all read-only. Needed so that
# dates, times and messages (including those in syslog records) are
# rendered correctly.
/{usr/,}etc/locale/** r,
/{usr/,}etc/locale.alias r,
/{usr/,}etc/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
# Any "locale" directory nested anywhere under /usr/share.
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
# syslog-compatible socket provided by journald (write-only, like /dev/log)
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4)); write-only as well
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading (opening the socket node for read exposes no other
# client's journal data), so this is ok.
@{run}/systemd/journal/stdout rw,
# Compiled locale archives and glibc iconv (gconv) modules. The gconv
# modules are shared objects loaded at runtime, hence 'm' (map
# executable) in addition to 'r'.
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/{usr/,}etc/bindresvport.blacklist r,

# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/{usr/,}etc/ld.so.cache mr,
/{usr/,}etc/ld.so.conf r,
/{usr/,}etc/ld.so.conf.d/{,*.conf} r,
# Read-only: ld.so.preload names libraries injected into every
# dynamically linked program, so no profile should pick up 'w' on it
# through base.
/{usr/,}etc/ld.so.preload r,
# Dynamic loaders. Only 'mr' is granted: the former 'ix' was dropped
# because it produced "overlapping rules with conflicting 'x' modifiers"
# against profiles' own exec rules. A profile that runs the loader as a
# program (e.g. "ld.so ./binary") would need its own x rule.
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,

# we might as well allow everything to use common libraries.
# Everything under the library directories is readable ('**' also matches
# the non-library files packages keep there); only paths matching *.so*
# may additionally be mapped executable.
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,

# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
# CPU count/topology, presumably for the same sysconf(3) family of queries
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
# NOTE(review): in the stock tunables @{pid} is a numeric glob, not
# "this process", so the path alone does not limit this rule to our own
# entries; reading another task's maps/auxv/status remains subject to
# the ptrace (read) rules and to the kernel's own ptrace access check --
# confirm against the tunables in use.
@{PROC}/@{pid}/{maps,auxv,status} r,

# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,

# some applications will display license information
/usr/share/common-licenses/** r,

# glibc statvfs
@{PROC}/filesystems r,

# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,

# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
#   deny ptrace (readby) ...
# Note the "by" direction: this only says others may read us; it grants
# this profile no right to read other tasks.
ptrace (readby),

# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
#   deny ptrace (tracedby) ...
# As above, being traceable is not the same as being able to trace; a
# debugger still needs ptrace (trace) in its own profile.
ptrace (tracedby),

# Allow us to ptrace read ourselves (same-label peers only)
ptrace (read) peer=@{profile_name},

# Allow unconfined processes to send us signals by default. Receive
# direction only: base does not let a confined program signal unconfined
# processes.
signal (receive) peer=unconfined,

# Allow us to signal ourselves: send and receive, any signal, but only
# between tasks carrying this same label.
signal peer=@{profile_name},

# Checking for PID existence is quite common so add it by default for now.
# Only signal 0 ("exists"), in both directions, with any peer.
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
# (all unix operations, but only with peers carrying this same label)
unix peer=(label=@{profile_name}),

# Allow unconfined processes to talk to us via unix sockets.
# Receive direction only: connecting or sending to an unconfined service
# is not granted by base and must be added by the individual profile.
unix (receive) peer=(label=unconfined),

# Allow us to create abstract and anonymous sockets
unix (create),

# Allow us to getattr, getopt, setopt and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
#
# NOTE(review): 'mrixwlk' includes 'ix', i.e. anything the owner places in
# the encrypted lower store may be executed and inherits the current
# profile. The privacy argument above covers confidentiality, not this
# exec grant; a profile that must not run user-writable content should
# override it with an explicit deny on these paths (deny rules take
# precedence over allow rules).

# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction. Site-local rules belong in this
# drop-in directory rather than in this file; remember that anything
# placed there is granted to every profile that includes base.
include if exists <abstractions/base.d>