mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

pull in Ubuntu updates to profiles/apparmor.d

Browse source
This commit is contained in:
Jamie Strandboge 2009-11-04 14:25:42 -06:00
parent 4265cecdfa
commit 694c9916b9
24 changed files with 338 additions and 176 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
profiles/apparmor.d/abstractions/X
View file

@ -1,7 +1,9 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -20,8 +22,19 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,
/usr/include/X11/ r,
/usr/include/X11/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/include/X11/ r,
/usr/include/X11/** r,
# The X tree changes and is large -- grant read access to the whole thing
/usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,
# DRI
/usr/lib/dri/** mr,
/dev/dri/** rw,
# mouse themes
/etc/X11/cursors/ r,
/etc/X11/cursors/** r,

18
profiles/apparmor.d/abstractions/audio
View file

@ -2,7 +2,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -43,3 +44,18 @@
@{HOME}/.esd_auth r,
@{HOME}/.asoundrc r,
/etc/esound/esd.conf r,
# libcanberra
@{HOME}/.cache/event-sound-cache.* rwk,
# pulse
/etc/pulse/ r,
/etc/pulse/* r,
/dev/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,

19
profiles/apparmor.d/abstractions/authentication
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -22,13 +23,9 @@
/etc/gshadow r,
/etc/pwdb.conf r,
/lib64/security/pam_filter/* mr,
/lib64/security/pam_*.so mr,
/lib64/security/ r,
/lib/security/pam_filter/* mr,
/lib/security/pam_*.so mr,
/lib/security/ r,
/lib{,32,64}/security/pam_filter/* mr,
/lib{,32,64}/security/pam_*.so mr,
/lib{,32,64}/security/ r,
# kerberos
#include <abstractions/kerberosclient>
@ -42,3 +39,9 @@
# winbind
#include <abstractions/winbind>
# likewise
#include <abstractions/likewise>
# smbpass
#include <abstractions/smbpass>

63
profiles/apparmor.d/abstractions/base
View file

@ -2,7 +2,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -26,18 +27,15 @@
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/usr/lib64/locale/** mr,
/usr/lib32/gconv/*.so mr,
/usr/lib32/gconv/gconv-modules* mr,
/usr/lib64/gconv/*.so mr,
/usr/lib64/gconv/gconv-modules* mr,
/usr/lib/locale/** mr,
/usr/lib/gconv/*.so mr,
/usr/lib/gconv/gconv-modules* mr,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
@ -45,47 +43,24 @@
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
/lib/ld-*.so mrix,
/lib32/ld-*.so mrix,
/lib64/ld-*.so mrix,
/lib/ld32-*.so mrix,
/lib/ld64-*.so mrix,
/lib32/ld32-*.so mrix,
/lib64/ld64-*.so mrix,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
/lib/lib*.so* mr,
/lib32/lib*.so* mr,
/lib64/lib*.so* mr,
/lib/*/lib*.so* mr,
/lib32/*/lib*.so* mr,
/lib64/*/lib*.so* mr,
/usr/lib/** r,
/usr/lib/*.so* mr,
/usr/lib/**/lib*.so* mr,
/usr/lib32/** r,
/usr/lib32/*.so* mr,
/usr/lib32/**/lib*.so* mr,
/usr/lib64/** r,
/usr/lib64/*.so* mr,
/usr/lib64/**/lib*.so* mr,
/usr/lib/sasl2/*.so* mr,
/usr/lib32/sasl2/*.so* mr,
/usr/lib64/sasl2/*.so* mr,
/lib{,32,64}/** r,
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero mrw,
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
@ -101,5 +76,11 @@
@{PROC}/stat r,
@{PROC}/cpuinfo r,
# glibc's *printf protections read the maps file
@{PROC}/*/maps r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,

16
profiles/apparmor.d/abstractions/cups-client Normal file
View file

@ -0,0 +1,16 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
/var/run/cups/cups.sock w,

13
profiles/apparmor.d/abstractions/dbus
View file

@ -1,6 +1,17 @@
# vim:syntax=apparmor
# dbus permissions
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# System socket
/var/run/dbus/system_bus_socket w,
# Machine id
/var/lib/dbus/machine-id r,

8
profiles/apparmor.d/abstractions/fonts
View file

@ -2,7 +2,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -20,8 +21,7 @@
/opt/kde3/share/fonts/** r,
/usr/lib/openoffice/share/fonts/** r,
/usr/lib64/openoffice/share/fonts/** r,
/usr/lib{,32,64}/openoffice/share/fonts/** r,
/var/cache/fonts/** r,
/var/cache/fontconfig/** mr,
@ -37,7 +37,7 @@
@{HOME}/.fonts/** r,
@{HOME}/.fonts.cache-2 mr,
@{HOME}/.fontconfig/ r,
@{HOME}/.fontconfig/** r,
@{HOME}/.fontconfig/** rl,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,

19
profiles/apparmor.d/abstractions/freedesktop.org
View file

@ -1,5 +1,14 @@
# vim:syntax=apparmor
# freedesktop.org shared desktop FSH
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# system configuration
/usr/share/icons/ r,
@ -12,9 +21,9 @@
/usr/local/share/pixmaps/** r,
# this should probably go elsewhere
/usr/share/mime/* r,
/usr/share/mime/** r,
# per-user configurations
@{HOME}/.icons r,
@{HOME}/.recently-used.xbel rw,
@{HOME}/.icons/ r,
@{HOME}/.recently-used.xbel* rw,
@{HOME}/.config/user-dirs.dirs r,

35
profiles/apparmor.d/abstractions/gnome
View file

@ -2,7 +2,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -18,18 +19,18 @@
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib/gtk/** mr,
/usr/lib64/gtk/** mr,
/usr/lib{,32,64}/gtk/** mr,
/usr/share/themes/** r,
# for gnome 1 applications
/etc/orbitrc r,
# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib64/pango/** mr,
/usr/lib64/gtk-*/** mr,
/usr/lib/pango/** mr,
/usr/lib/gtk-*/** mr,
/usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr,
# per-user gtk configuration
@{HOME}/.gnome/Gnome r,
@ -37,6 +38,12 @@
@{HOME}/.gtkrc r,
@{HOME}/.gtkrc-2.0 r,
@{HOME}/.gtk-bookmarks r,
@{HOME}/.themes/ r,
@{HOME}/.themes/** r,
# for gtk file dialog
@{HOME}/.config/gtk-2.0/** r,
@{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# from evolution-mail
@{HOME}/.gconfd/lock/* r,
@ -53,3 +60,17 @@
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/*/mounts r,
# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner /var/run/gdm/auth*/database r,

54
profiles/apparmor.d/abstractions/kde
View file

@ -2,6 +2,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -15,10 +16,14 @@
#include <abstractions/freedesktop.org>
#include <abstractions/user-tmp>
/etc/X11/kstylerc r,
/etc/X11/qt_plugins_3.3rc r,
/etc/X11/qtrc r,
/etc/{X11,qt3}/kstylerc r,
/etc/{X11,qt3}/qt_plugins_3.3rc r,
/etc/{X11,qt3}/qtrc r,
/etc/kde3rc r,
/etc/kde4rc r,
/etc/kde3/share/config/* r,
/etc/kde3/share/icons/ r,
/etc/kde3/share/icons/** r,
/etc/opt/kde3/share/config/* r,
/etc/opt/kde3/share/icons/ r,
/etc/opt/kde3/share/icons/** r,
@ -27,27 +32,42 @@
@{HOME}/.ICEauthority r,
@{HOME}/.fonts.* lrw,
@{HOME}/.kde/share/config/kdeglobals rw,
@{HOME}/.kde/share/config/*.lock rwl,
@{HOME}/.qt/** rw,
@{HOME}/.config/Trolltech.conf rwk,
/opt/kde3/lib64/kde3/plugins/styles/ r,
/opt/kde3/lib64/kde3/plugins/styles/* mr,
/opt/kde3/lib64/lib*so* mr,
/opt/kde3/lib/kde3/plugins/styles/ r,
/opt/kde3/lib/kde3/plugins/styles/* mr,
/opt/kde3/lib/lib*so* mr,
/usr/X11R6/lib{,32,64}/X11/XKeysymDB r,
/usr/X11R6/lib{,32,64}/X11/icons/** r,
/usr/{lib,share}/X11/XKeysymDB r,
/usr/share/icons/ r,
/usr/share/icons/** r,
# kde3
/opt/kde3/lib{,32,64}/kde3/plugins/styles/ r,
/opt/kde3/lib{,32,64}/kde3/plugins/styles/* mr,
/opt/kde3/lib{,32,64}/lib*so* mr,
/opt/kde3/share/config/kdeglobals r,
/opt/kde3/share/icons/ r,
/opt/kde3/share/icons/** r,
/usr/X11R6/lib64/X11/XKeysymDB r,
/usr/X11R6/lib64/X11/icons/** r,
/usr/X11R6/lib/X11/XKeysymDB r,
/usr/X11R6/lib/X11/icons/** r,
/usr/lib/X11/XKeysymDB r,
/usr/lib/qt3/lib64/lib*so* mr,
/usr/lib64/qt3/plugins/** mr,
/usr/lib{,32,64}/qt3/lib{,32,64}/lib*so* mr,
/usr/lib/qt3/lib/lib*so* mr,
/usr/lib/qt3/plugins/** mr,
/usr/lib{,32,64}/qt3/plugins/** mr,
/usr/lib{,32,64}/kde3/lib*so* mr,
/usr/lib{,32,64}/libqt-mt*so* mr,
/usr/lib{,32,64}/libqui*so* mr,
/usr/share/qt3/lib{,32,64}/libqt-mt*so* mr,
/usr/share/qt3/lib{,32,64}/libqui*so* mr,
# kde4
/usr/lib{,32,64}/kde4/plugins/*/*.so mr,
/usr/lib{,32,64}/kde4/plugins/*/ r,
/usr/lib{,32,64}/kde4/lib*so* mr,
/usr/lib{,32,64}/qt4/lib{,32,64}/lib*so* mr,
/usr/lib{,32,64}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# YaST
/usr/share/YaST2/theme/** r,

17
profiles/apparmor.d/abstractions/kerberosclient
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -10,17 +11,11 @@
# ------------------------------------------------------------------
# files required by kerberos client programs
/usr/lib/krb5/plugins/libkrb5/ r,
/usr/lib/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib64/krb5/plugins/libkrb5/ r,
/usr/lib64/krb5/plugins/libkrb5/* mr,
/usr/lib/krb5/plugins/preauth/ r,
/usr/lib/krb5/plugins/preauth/* mr,
/usr/lib64/krb5/plugins/preauth/ r,
/usr/lib64/krb5/plugins/preauth/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/etc/krb5.keytab r,
/etc/krb5.conf r,

14
profiles/apparmor.d/abstractions/likewise Normal file
View file

@ -0,0 +1,14 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,

26
profiles/apparmor.d/abstractions/nameservice
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -25,8 +26,10 @@
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /var/run/resolvconf/resolv.conf
# /var/run/resolvconf/resolv.conf and a file sometimes referenced in
# /etc/resolvconf/run/resolv.conf
/var/run/resolvconf/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
@ -39,20 +42,16 @@
# to vast speed increases when working with network-based lookups.
/var/run/.nscd_socket rw,
/var/run/nscd/socket rw,
/var/run/nscd/passwd rmix,
/var/run/nscd/group rmix,
/var/db/nscd/{passwd,group,services,hosts} r,
/var/{db,cache,run}/nscd/{passwd,group,services,host} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
/var/run/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/lib64/libnss_*.so* mr,
/lib/libnss_*.so* mr,
/usr/lib64/libnss_*.so* mr,
/usr/lib/libnss_*.so* mr,
/etc/default/nss r,
/lib{,32,64}/libnss_*.so* mr,
/usr/lib{,32,64}/libnss_*.so* mr,
/etc/default/nss r,
# avahi-daemon is used for mdns4 resolution
/var/run/avahi-daemon/socket w,
@ -63,12 +62,15 @@
# winbind
#include <abstractions/winbind>
# likewise
#include <abstractions/likewise>
# mdnsd
#include <abstractions/mdns>
# kerberos
#include <abstractions/kerberosclient>
# TCP/UDP network access
network inet stream,
network inet6 stream,

16
profiles/apparmor.d/abstractions/perl
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -9,12 +10,13 @@
#
# ------------------------------------------------------------------
# a few files typically required for perl scripts
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
/usr/lib/perl5/** r,
/usr/lib/perl5/**.so* mr,
/usr/lib64/perl5/** r,
/usr/lib64/perl5/**.so* mr,
/usr/lib{,32,64}/perl5/** r,
/usr/lib{,32,64}/perl{,5}/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
/etc/perl/** r,

27
profiles/apparmor.d/abstractions/python
View file

@ -3,6 +3,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -10,26 +11,22 @@
#
# ------------------------------------------------------------------
/usr/lib64/python2.[45]/**.{egg,py,pyc,pth,so} mr,
/usr/lib64/python2.[45]/site-packages/ r,
/usr/lib/python2.[45]/**.{egg,py,pyc,pth,so} mr,
/usr/lib/python2.[45]/site-packages/ r,
/usr/lib{,32,64}/python2.[456]/**.{pyc,so} mr,
/usr/lib{,32,64}/python2.[456]/**.{egg,py,pth} r,
/usr/lib{,32,64}/python2.[456]/{site,dist}-packages/ r,
/usr/local/lib64/python2.[45]/**.{egg,py,pyc,pth,so} mr,
/usr/local/lib64/python2.[45]/site-packages/ r,
/usr/local/lib/python2.[45]/**.{egg,py,pyc,pth,so} mr,
/usr/local/lib/python2.[45]/site-packages/ r,
/usr/local/lib{,32,64}/python2.[456]/**.{pyc,so} mr,
/usr/local/lib{,32,64}/python2.[456]/**.{egg,py,pth} r,
/usr/local/lib{,32,64}/python2.[456]/{site,dist}-packages/ r,
# Site-wide configuration
/etc/python2.[45]/** r,
/etc/python2.[456]/** r,
# python-central paths
/usr/share/pyshared/** r,
/usr/share/pycentral/** r,
/usr/share/python-support/** r,
/var/lib/python-support/** r,
/var/lib/python-support/**.so mr,
/usr/lib/python-support/**.so mr,
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/python-support/** r,
/usr/lib/python-support/**.so mr,
/var/lib/python-support/**.pyc mr,
# wx paths
/usr/lib/wx/python/*.pth r,

40
profiles/apparmor.d/abstractions/ruby
View file

@ -2,6 +2,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -9,32 +10,17 @@
#
# ------------------------------------------------------------------
/usr/lib64/ruby/1.8/ r,
/usr/lib64/ruby/1.8/*.rb r,
/usr/lib64/ruby/1.8/**/*.rb r,
/usr/lib64/ruby/1.8/*-linux/*.so mr,
/usr/lib64/ruby/1.8/*-linux/**/*.so mr,
/usr/lib{,32,64}/ruby/1.[89]/ r,
/usr/lib{,32,64}/ruby/1.[89]/*.rb r,
/usr/lib{,32,64}/ruby/1.[89]/**/*.rb r,
/usr/lib{,32,64}/ruby/1.[89]/*-linux/*.so mr,
/usr/lib{,32,64}/ruby/1.[89]/*-linux/**/*.so mr,
/usr/lib64/ruby/site_ruby/1.8/ r,
/usr/lib64/ruby/site_ruby/1.8/*.rb r,
/usr/lib64/ruby/site_ruby/1.8/**/*.rb r,
/usr/lib64/ruby/site_ruby/1.8/*-linux/*.so mr,
/usr/lib64/ruby/site_ruby/1.8/*-linux/**/*.so mr,
/usr/lib{,32,64}/ruby/site_ruby/1.[89]/ r,
/usr/lib{,32,64}/ruby/site_ruby/1.[89]/*.rb r,
/usr/lib{,32,64}/ruby/site_ruby/1.[89]/**/*.rb r,
/usr/lib{,32,64}/ruby/site_ruby/1.[89]/*-linux/*.so mr,
/usr/lib{,32,64}/ruby/site_ruby/1.[89]/*-linux/**/*.so mr,
/usr/lib64/ruby/gems/1.8/ r,
/usr/lib64/ruby/gems/1.8/** r,
/usr/lib/ruby/1.8/ r,
/usr/lib/ruby/1.8/*.rb r,
/usr/lib/ruby/1.8/**/*.rb r,
/usr/lib/ruby/1.8/*-linux/*.so mr,
/usr/lib/ruby/1.8/*-linux/**/*.so mr,
/usr/lib/ruby/site_ruby/1.8/ r,
/usr/lib/ruby/site_ruby/1.8/*.rb r,
/usr/lib/ruby/site_ruby/1.8/**/*.rb r,
/usr/lib/ruby/site_ruby/1.8/*-linux/*.so mr,
/usr/lib/ruby/site_ruby/1.8/*-linux/**/*.so mr,
/usr/lib/ruby/gems/1.8/ r,
/usr/lib/ruby/gems/1.8/** r,
/usr/lib/ruby/gems/1.[89]/ r,
/usr/lib/ruby/gems/1.[89]/** r,

19
profiles/apparmor.d/abstractions/samba Normal file
View file

@ -0,0 +1,19 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
/etc/samba/smb.conf r,
/usr/share/samba/*.dat r,
/var/lib/samba/**.tdb rw,
/var/log/samba/cores/* w,
/var/log/samba/log.* w,
/var/run/samba/*.tdb rw,

14
profiles/apparmor.d/abstractions/smbpass Normal file
View file

@ -0,0 +1,14 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# libpam-smbpass/pam_smbpass.so permissions
/var/lib/samba/*.[lt]db rwk,

19
profiles/apparmor.d/abstractions/ssl_keys Normal file
View file

@ -0,0 +1,19 @@
# vim:syntax=apparmor
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# private ssl permissions
# Just include the whole /etc/ssl directory if we should have access to
# private keys too
/etc/ssl/ r,
/etc/ssl/** r,

13
profiles/apparmor.d/abstractions/user-tmp
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -10,11 +11,11 @@
# ------------------------------------------------------------------
# per-user tmp directories
@{HOME}/tmp/** rwl,
@{HOME}/tmp/** rwkl,
@{HOME}/tmp/ rw,
# global tmp directories
/var/tmp/** rwl,
/var/tmp/ rw,
/tmp/** rwl,
/tmp/ rw,
/var/tmp/** rwkl,
/var/tmp/ rw,
/tmp/** rwkl,
/tmp/ rw,

5
profiles/apparmor.d/abstractions/winbind
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -11,7 +12,7 @@
# pam_winbindd
/tmp/.winbindd/pipe rw,
/var/lib/samba/winbindd_privileged/pipe rw,
/var/{lib,run}/samba/winbindd_privileged/pipe rw,
/etc/samba/smb.conf r,
/usr/lib/samba/valid.dat r,
/usr/lib/samba/upcase.dat r,

7
profiles/apparmor.d/abstractions/wutmp
View file

@ -1,7 +1,8 @@
# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -9,10 +10,8 @@
#
# ------------------------------------------------------------------
# some services update wtmp, utmp, and lastlog with per-user
# connection information
/var/log/lastlog rw,
/var/log/wtmp w,
/var/log/wtmp wk,
/var/run/utmp rwk,

23
profiles/apparmor.d/usr.sbin.dnsmasq Normal file
View file

@ -0,0 +1,23 @@
# Author: John Dong <jdong@ubuntu.com>
#include <tunables/global>
/usr/sbin/dnsmasq flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability dac_override,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
/usr/sbin/dnsmasq mr,
/var/run/*dnsmasq*.pid w,
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
}

6
profiles/apparmor.d/usr.sbin.nscd
View file

@ -1,8 +1,8 @@
# Last Modified: Wed Aug 15 10:55:46 2007
# $Id$
# $Id#
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@ -32,7 +32,7 @@
/var/run/nscd/ r,
/var/run/nscd/db* wl,
/var/run/nscd/socket wl,
/var/run/nscd/{passwd,group,services,hosts} rw,
/var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
/var/run/{nscd/,}nscd.pid rwl,
/var/log/nscd.log rw,
@{PROC}/[0-9]*/fd/ r,