mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
54 lines
1.3 KiB
Text
54 lines
1.3 KiB
Text
# Note: This profile does not specify an attachment path because it is
|
|
# intended to be used only via "Px -> lsb_release" exec transitions from
|
|
# other profiles. We want to confine the lsb_release(1) utility when it
|
|
# is invoked from other confined applications, but not when it is used
|
|
# in regular (unconfined) shell scripts or run directly by the user.
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
# Do not attach to /usr/bin/lsb_release by default
|
|
profile lsb_release {
|
|
include <abstractions/base>
|
|
include <abstractions/python>
|
|
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
|
|
/dev/tty rw,
|
|
|
|
/usr/bin/lsb_release r,
|
|
/usr/bin/python3.{1,}[0-9] mr,
|
|
|
|
/etc/debian_version r,
|
|
/etc/default/apport r,
|
|
/etc/dpkg/origins/** r,
|
|
/etc/lsb-release r,
|
|
/etc/lsb-release.d/ r,
|
|
|
|
/{usr/,}bin/bash ixr,
|
|
/{usr/,}bin/dash ixr,
|
|
/usr/bin/basename ixr,
|
|
/usr/bin/dpkg-query ixr,
|
|
/usr/bin/cat ixr,
|
|
/usr/bin/cut ixr,
|
|
/usr/bin/getopt ixr,
|
|
/usr/bin/sed ixr,
|
|
/usr/bin/tr ixr,
|
|
|
|
# TODO - many more permissions needed for this to work
|
|
deny /usr/bin/apt-cache x,
|
|
|
|
/usr/bin/ r,
|
|
/usr/include/python*/pyconfig.h r,
|
|
/usr/share/distro-info/** r,
|
|
/usr/share/dpkg/** r,
|
|
/usr/share/terminfo/** r,
|
|
/var/lib/dpkg/** r,
|
|
|
|
# file_inherit
|
|
deny /tmp/gtalkplugin.log w,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/lsb_release>
|
|
}
|