mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 17:31:01 +01:00
1f003c0120
- the base abstraction for common abstract and anonymous rules (comments included per rule) - dbus-session-strict to add a rule for connecting to the dbus session abstract socket. I used 'peer=(label=unconfined)' here, but I could probably lose the explicit label if people preferred that - X to add a rule for connecting to the X abstract socket. Same as for dbus-session-strict - nameservice to add a rule for connecting to a netlink raw. This change could possibly be excluded, but applications using networking (at least on Ubuntu) all seem to need it. Excluding it would mean systems using nscd would need to add this and ones not using it would have a noisy denial Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
95 lines
2.9 KiB
Text
95 lines
2.9 KiB
Text
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2002-2009 Novell/SUSE
|
|
# Copyright (C) 2009-2011 Canonical Ltd.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
|
|
# Many programs wish to perform nameservice-like operations, such as
|
|
# looking up users by name or id, groups by name or id, hosts by name
|
|
# or IP, etc. These operations may be performed through files, dns,
|
|
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
|
|
/etc/group r,
|
|
/etc/host.conf r,
|
|
/etc/hosts r,
|
|
/etc/nsswitch.conf r,
|
|
/etc/gai.conf r,
|
|
/etc/passwd r,
|
|
/etc/protocols r,
|
|
|
|
# When using libnss-extrausers, the passwd and group files are merged from
|
|
# an alternate path
|
|
/var/lib/extrausers/group r,
|
|
/var/lib/extrausers/passwd r,
|
|
|
|
# When using sssd, the passwd and group files are stored in an alternate path
|
|
# and the nss plugin also needs to talk to a pipe
|
|
/var/lib/sss/mc/group r,
|
|
/var/lib/sss/mc/passwd r,
|
|
/var/lib/sss/pipes/nss rw,
|
|
|
|
/etc/resolv.conf r,
|
|
# on systems using resolvconf, /etc/resolv.conf is a symlink to
|
|
# /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
|
|
# /etc/resolvconf/run/resolv.conf
|
|
/{,var/}run/resolvconf/resolv.conf r,
|
|
/etc/resolvconf/run/resolv.conf r,
|
|
|
|
/etc/samba/lmhosts r,
|
|
/etc/services r,
|
|
# db backend
|
|
/var/lib/misc/*.db r,
|
|
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
|
# to vast speed increases when working with network-based lookups.
|
|
/{,var/}run/.nscd_socket rw,
|
|
/{,var/}run/nscd/socket rw,
|
|
/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
|
|
# nscd renames and unlinks files in it's operation that clients will
|
|
# have open
|
|
/{,var/}run/nscd/db* rmix,
|
|
|
|
# The nss libraries are sometimes used in addition to PAM; make sure
|
|
# they are available
|
|
/lib{,32,64}/libnss_*.so* mr,
|
|
/usr/lib{,32,64}/libnss_*.so* mr,
|
|
/lib/@{multiarch}/libnss_*.so* mr,
|
|
/usr/lib/@{multiarch}/libnss_*.so* mr,
|
|
/etc/default/nss r,
|
|
|
|
# avahi-daemon is used for mdns4 resolution
|
|
/{,var/}run/avahi-daemon/socket rw,
|
|
|
|
# nis
|
|
#include <abstractions/nis>
|
|
|
|
# ldap
|
|
#include <abstractions/ldapclient>
|
|
|
|
# winbind
|
|
#include <abstractions/winbind>
|
|
|
|
# likewise
|
|
#include <abstractions/likewise>
|
|
|
|
# mdnsd
|
|
#include <abstractions/mdns>
|
|
|
|
# kerberos
|
|
#include <abstractions/kerberosclient>
|
|
|
|
# TCP/UDP network access
|
|
network inet stream,
|
|
network inet6 stream,
|
|
network inet dgram,
|
|
network inet6 dgram,
|
|
|
|
# TODO: adjust when support finer-grained netlink rules
|
|
# Netlink raw needed for nscd
|
|
network netlink raw,
|
|
|
|
# interface details
|
|
@{PROC}/@{pid}/net/route r,
|