policy: update to use 4.0 abi

Begin preparing policy for the 4.0 release. This may result in new
denials. This is expected and needed to make sure policy is ready
for the 4.0 release.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2023-06-30 23:36:12 -07:00
parent 271f0e2366
commit f1b4da2f64
275 changed files with 365 additions and 274 deletions


@ -132,7 +132,7 @@ check-parser: test-dependencies local
@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser" @echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \ $(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \ [ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \
echo "abi <abi/3.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \ echo "abi <abi/4.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \
| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \ | ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \
|| exit 1; \ || exit 1; \
done done
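Review bot: The ABI the abstractions are checked against is now a literal `abi <abi/4.0>` inside the recipe's echo string, so the loop no longer exercises the 3.0 ABI even though the description says this commit only begins the transition, and the next bump means editing a quoted shell string again. Hoist it into a tunable: `CHECK_ABI ?= 4.0` next to the other variables and `echo "abi <abi/${CHECK_ABI}>, #include <tunables/global> profile test { #include <$${abstraction}> }" \` here, so CI can run the check once per supported ABI with `make check-parser CHECK_ABI=3.0`. A short comment above the variable, `# ABI the abstraction parse check is run under; override to test older ABIs`, would make the knob discoverable. The `check-parser` rule begins before this hunk.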


@ -0,0 +1,91 @@
capability {0xffffff
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
}
}
dbus {mask {acquire send receive
}
}
domain {attach_conditions {xattr {yes
}
}
change_hat {yes
}
change_hatv {yes
}
change_onexec {yes
}
change_profile {yes
}
computed_longest_left {yes
}
fix_binfmt_elf_mmap {yes
}
post_nnp_subset {yes
}
stack {yes
}
version {1.2
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
ipc {posix_mqueue {create read write open delete setattr getattr
}
}
mount {mask {mount umount pivot_root
}
}
namespaces {mask {userns_create
}
pivot_root {no
}
profile {yes
}
}
network {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
}
af_unix {yes
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
}
}
policy {outofband {0x000001
}
permstable32 {allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
}
permstable32_version {0x000002
}
set_load {yes
}
versions {v5 {yes
}
v6 {yes
}
v7 {yes
}
v8 {yes
}
v9 {yes
}
}
}
ptrace {mask {read trace
}
}
query {label {data {yes
}
multi_transaction {yes
}
perms {allow deny audit quiet
}
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
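Review bot: Nothing on the page records which kernel or tool produced this feature snapshot, presumably the `abi/4.0` file the abstractions now reference, and the format appears to have no comment syntax, so the provenance cannot be kept in the file itself. Record the source kernel version and the capture method in the commit message or an adjacent README so a later regeneration can be diffed against a known baseline instead of being trusted blindly. The snapshot pins mediation classes the abstractions did not previously declare (the `namespaces`, `dbus`, `network_v8`, `mount`, `ptrace` and `signal` blocks, and the `caps` list through `checkpoint_restore`), which is presumably the source of the new denials the description warns about; the parser's handling of these is not shown here, so that inference should be confirmed.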


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/dri-common> include <abstractions/dri-common>


@ -2,7 +2,7 @@
# This file contains basic permissions for Apache and every vHost # This file contains basic permissions for Apache and every vHost
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/nameservice> include <abstractions/nameservice>


@ -6,7 +6,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/apparmor_api/introspect> include <abstractions/apparmor_api/introspect>


@ -9,6 +9,6 @@
# Make sure to include at least tunables/proc and tunables/kernelvars # Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global. # when using this abstraction, if not tunables/global.
abi <abi/3.0>, abi <abi/4.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r, @{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,


@ -6,7 +6,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
#permissions needed for aa_find_mountpoint #permissions needed for aa_find_mountpoint


@ -6,7 +6,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars # Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global. # when using this abstraction, if not tunables/global.


@ -6,7 +6,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# permissions needed for aa_is_enabled # permissions needed for aa_is_enabled


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# aspell permissions # aspell permissions
abi <abi/3.0>, abi <abi/4.0>,
# per-user settings and dictionaries # per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk, owner @{HOME}/.aspell.*.{pws,prepl} rwk,


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/dev/admmidi* rw, /dev/admmidi* rw,


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# Some services need to perform authentication of users # Some services need to perform authentication of users


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/crypto> include <abstractions/crypto>


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# user-specific bash files # user-specific bash files
@{HOMEDIRS} r, @{HOMEDIRS} r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# there are three common ways to refer to consoles # there are three common ways to refer to consoles


@ -11,7 +11,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
@{etc_ro}/gcrypt/hwf.deny r, @{etc_ro}/gcrypt/hwf.deny r,
@{etc_ro}/gcrypt/random.conf r, @{etc_ro}/gcrypt/random.conf r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# discoverable system configuration for non-local cupsd # discoverable system configuration for non-local cupsd
/etc/cups/client.conf r, /etc/cups/client.conf r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction grants full system bus access. Consider using the # This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation. # dbus-strict abstraction for fine-grained bus mediation.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction grants full accessibility bus access. Consider using the # This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation. # dbus-accessibility-strict abstraction for fine-grained bus mediation.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
dbus send dbus send
bus=accessibility bus=accessibility


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
dbus send dbus send
bus=system bus=system


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction grants full session bus access. Consider using the # This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation. # dbus-session-strict abstraction for fine-grained bus mediation.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# unique per-machine identifier # unique per-machine identifier
/etc/machine-id r, /etc/machine-id r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
@{run}/dbus/system_bus_socket rw, @{run}/dbus/system_bus_socket rw,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# permissions for querying dconf settings; granting write access should # permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile. # be specified in a specific application's profile.


@ -9,7 +9,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# used with dovecot/* # used with dovecot/*
abi <abi/3.0>, abi <abi/4.0>,
capability setgid, capability setgid,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications # This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar). # (needed by libdrm and similar).


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications that # This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# abstraction for Enchant spellchecking frontend # abstraction for Enchant spellchecking frontend


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper. # confined application can invoke via exo-open helper.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/fcitx-strict> include <abstractions/fcitx-strict>
dbus bus=fcitx, dbus bus=fcitx,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/usr/share/AbiSuite/fonts/** r, /usr/share/AbiSuite/fonts/** r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# system configuration # system configuration
@{system_share_dirs}/applications/{**,} r, @{system_share_dirs}/applications/{**,} r,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper. # confined application can invoke via gio helper.


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# gnupg sub-process running permissions # gnupg sub-process running permissions
abi <abi/3.0>, abi <abi/4.0>,
# user configurations # user configurations
owner @{HOME}/.gnupg/options r, owner @{HOME}/.gnupg/options r,


@ -7,7 +7,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/usr/share/themes/{,**} r, /usr/share/themes/{,**} r,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper. # confined application can invoke via gvfs-open helper.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/etc/hosts.deny r, /etc/hosts.deny r,
/etc/hosts.allow r, /etc/hosts.allow r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# abstraction for ibus input methods # abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/ r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other). # Rules for changing KDE settings (for KFileDialog and other).
abi <abi/3.0>, abi <abi/4.0>,
# User files # User files


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for writing KDE icon cache # Rules for writing KDE icon cache
abi <abi/3.0>, abi <abi/4.0>,
# User files # User files


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# Rules for changing per-application language settings on KDE. Some KDE # Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs # applications have "Help -> Switch Application Language..." option, that needs


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper. # confined application can invoke via kde-open5 helper.


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# files required by kerberos client programs # files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap) # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r, /etc/ldap.conf r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/dbus-strict> include <abstractions/dbus-strict>


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/tmp/.lwidentity/pipe rw, /tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw, /var/lib/likewise-open/lwidentity_privileged/pipe rw,


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# mdnsd # mdnsd
/etc/mdns.allow r, /etc/mdns.allow r,


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API # Rules for Mesa implementation of the OpenGL API
abi <abi/3.0>, abi <abi/4.0>,
# System files # System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# mir libraries sometimes do not have a lib prefix # mir libraries sometimes do not have a lib prefix
# see LP: #1422521 # see LP: #1422521


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw, /var/lib/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw, @{run}/mysql{,d}/mysql{,d}.sock rw,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# Many programs wish to perform nameservice-like operations, such as # Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name # looking up users by name or id, groups by name or id, hosts by name


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# NIS rules # NIS rules
/var/yp/binding/* r, /var/yp/binding/* r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# libnss-systemd # libnss-systemd
# #


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# nvidia access requirements # nvidia access requirements
abi <abi/3.0>, abi <abi/4.0>,
# configuration queries # configuration queries
capability ipc_lock, capability ipc_lock,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# OpenCL access requirements # OpenCL access requirements


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# implementation-independent OpenCL access requirements # implementation-independent OpenCL access requirements


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# OpenCL access requirements for Intel implementation # OpenCL access requirements for Intel implementation


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# OpenCL access requirements for Mesa implementation # OpenCL access requirements for Mesa implementation


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# OpenCL access requirements for NVIDIA implementation # OpenCL access requirements for NVIDIA implementation


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# OpenCL access requirements for POCL implementation # OpenCL access requirements for POCL implementation
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/opencl-common> include <abstractions/opencl-common>


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/etc/ssl/openssl.cnf r, /etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r, /etc/ssl/openssl-*.cnf r,


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# orbit2 permissions # orbit2 permissions
abi <abi/3.0>, abi <abi/4.0>,
# system library # system library
/usr/lib/orbit-2.0/*.so mr, /usr/lib/orbit-2.0/*.so mr,


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/etc/pkcs11/ r, /etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r, /etc/pkcs11/pkcs11.conf r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# a few files typically required for perl scripts # a few files typically required for perl scripts
/usr/bin/perl rmix, /usr/bin/perl rmix,


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# shared snippets for config files # shared snippets for config files
/etc/php{,5,7,8}/** r, /etc/php{,5,7,8}/** r,


@ -2,7 +2,7 @@
# This file contains basic permissions for php-fpm workers # This file contains basic permissions for php-fpm workers
abi <abi/3.0>, abi <abi/4.0>,
# load common libraries and their support files # load common libraries and their support files
include <abstractions/base> include <abstractions/base>


@ -1,6 +1,6 @@
#backwards compatibility include, actual abstraction moved from php5 to php #backwards compatibility include, actual abstraction moved from php5 to php
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/php> include <abstractions/php>


@ -11,7 +11,7 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# used with postfix/* # used with postfix/*
abi <abi/3.0>, abi <abi/4.0>,
capability setuid, capability setuid,


@ -2,7 +2,7 @@
# privacy-violations contains rules for common files that you want to # privacy-violations contains rules for common files that you want to
# explicitly deny access # explicitly deny access
abi <abi/3.0>, abi <abi/4.0>,
# privacy violations (don't audit files under $HOME otherwise get a # privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories) # lot of false positives when reading contents of directories)


@ -2,7 +2,7 @@
# privacy-violations-strict contains additional rules for sensitive # privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access # files that you want to explicitly deny access
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/private-files> include <abstractions/private-files>


@ -10,7 +10,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Common rules for Qt5-based applications # Common rules for Qt5-based applications
abi <abi/3.0>, abi <abi/4.0>,
# Additional libraries # Additional libraries


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins # Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/3.0>, abi <abi/4.0>,
# User files # User files


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Allow writing shared settings for Qt-based applications # Allow writing shared settings for Qt-based applications
abi <abi/3.0>, abi <abi/4.0>,
# User files # User files


@ -1,7 +1,7 @@
# vim:syntax=apparmor # vim:syntax=apparmor
# Allow updating recent documents # Allow updating recent documents
abi <abi/3.0>, abi <abi/4.0>,
# User files # User files


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/etc/samba/* r, /etc/samba/* r,
/usr/lib*/ldb/*.so mr, /usr/lib*/ldb/*.so mr,


@ -11,7 +11,7 @@
# This file contains basic permissions for samba rpcd_xyz services # This file contains basic permissions for samba rpcd_xyz services
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice> include <abstractions/nameservice>


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# libpam-smbpass/pam_smbpass.so permissions # libpam-smbpass/pam_smbpass.so permissions
/var/lib/samba/*.[lt]db rwk, /var/lib/samba/*.[lt]db rwk,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
/etc/ca-certificates/{,**} r, /etc/ca-certificates/{,**} r,
/etc/{,libre}ssl/ r, /etc/{,libre}ssl/ r,


@ -9,7 +9,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# private ssl permissions # private ssl permissions


@ -8,7 +8,7 @@
# #
# ------------------------------------------------------------------ # ------------------------------------------------------------------
abi <abi/3.0>, abi <abi/4.0>,
# This little snippet should abstract the read/write access to a repository. # This little snippet should abstract the read/write access to a repository.
# it is intended to be included in profiles for svnserve/apache2 and maybe # it is intended to be included in profiles for svnserve/apache2 and maybe


@ -1,4 +1,4 @@
abi <abi/3.0>, abi <abi/4.0>,
# requires <tunables/home> # requires <tunables/home>


@ -6,7 +6,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
/usr/bin/azureus Cxr -> sanitized_helper, /usr/bin/azureus Cxr -> sanitized_helper,
/usr/bin/bitstormlite Cxr -> sanitized_helper, /usr/bin/bitstormlite Cxr -> sanitized_helper,


@ -6,7 +6,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
/usr/bin/arora Cx -> sanitized_helper, /usr/bin/arora Cx -> sanitized_helper,
/usr/bin/dillo Cx -> sanitized_helper, /usr/bin/dillo Cx -> sanitized_helper,


@ -13,7 +13,7 @@
# For site-specific adjustments, please see: # For site-specific adjustments, please see:
# /etc/apparmor.d/local/chromium-browser # /etc/apparmor.d/local/chromium-browser
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/ubuntu-browsers.d/plugins-common> include <abstractions/ubuntu-browsers.d/plugins-common>
include <abstractions/ubuntu-browsers.d/mailto> include <abstractions/ubuntu-browsers.d/mailto>


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# Java plugin # Java plugin
owner @{HOME}/.java/deployment/deployment.properties k, owner @{HOME}/.java/deployment/deployment.properties k,


@ -3,7 +3,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/kde> include <abstractions/kde>
/usr/bin/kde4-config Cx -> sanitized_helper, /usr/bin/kde4-config Cx -> sanitized_helper,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# for mailto: # for mailto:
include <abstractions/ubuntu-email> include <abstractions/ubuntu-email>


@ -3,7 +3,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
include <abstractions/X> include <abstractions/X>


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# #
# Plugins/helpers # Plugins/helpers


@ -3,7 +3,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
# Openoffice.org # Openoffice.org
/usr/bin/ooffice Cxr -> sanitized_helper, /usr/bin/ooffice Cxr -> sanitized_helper,


@ -3,7 +3,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
# Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125]) # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
/usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper, /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,


@ -3,7 +3,7 @@
# in the toplevel profile. Eg: # in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers> # include <abstractions/ubuntu-helpers>
abi <abi/3.0>, abi <abi/4.0>,
# Apport # Apport
/usr/bin/apport-bug Cx -> sanitized_helper, /usr/bin/apport-bug Cx -> sanitized_helper,


@ -1,6 +1,6 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>, abi <abi/4.0>,
# firefox-notify # firefox-notify
include <abstractions/python> include <abstractions/python>
