mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
32 lines
1 KiB
Text
32 lines
1 KiB
Text
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2002-2009 Novell/SUSE
|
|
# Copyright (C) 2010 Canonical Ltd.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
|
|
include <abstractions/base>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice>
|
|
|
|
deny capability net_admin, # noisy setsockopt() calls
|
|
capability net_raw,
|
|
|
|
network inet raw,
|
|
network inet6 raw,
|
|
|
|
/usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
|
|
@{PROC}/net/route r,
|
|
@{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/usr.sbin.traceroute>
|
|
}
|