mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/logprof.conf
Dominic Reynolds d27ff99e31 Changes to add support for the AppArmor profile repository to the 
console UI tools. (jmichael)
2007-04-26 02:48:24 +00:00

121 lines
3.7 KiB
Text
Raw Blame History

# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
parser = /sbin/apparmor_parser /sbin/subdomain_parser
ldd = /usr/bin/ldd
distro = opensuse
repository = http://localhost:3000/backend/api
# custom directory locations to look for #includes
#
# each name should be a valid directory containing possible #include
# candidate files under the profile dir which by default is /etc/apparmor.d.
#
# So an entry of my-includes will allow /etc/apparmor.d/my-includes to
# be used by the yast UI and profiling tools as a source of #include
# files.
custom_includes =
[qualifiers]
# things will be painfully broken if bash has a profile
/bin/bash = iu
/bin/ksh = iu
# these programs can't function if they're confined
/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u
# these ones shouln't have their own profiles
/bin/awk = i
/bin/cat = i
/bin/chmod = i
/bin/chown = i
/bin/cp = i
/bin/gawk = i
/bin/grep = i
/bin/gunzip = i
/bin/gzip = i
/bin/kill = i
/bin/ln = i
/bin/ls = i
/bin/mkdir = i
/bin/mv = i
/bin/readlink = i
/bin/rm = i
/bin/sed = i
/bin/touch = i
/sbin/killall5 = i
/usr/bin/find = i
/usr/bin/killall = i
/usr/bin/nice = i
/usr/bin/perl = i
/usr/bin/tr = i
[required_hats]
^.+/sshd$ = AUTHENTICATED EXEC PRIVSEP PRIVSEP_MONITOR
^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
[defaulthat]
^.+/sshd$ = EXEC
^.+/apache(|2|2-prefork)$ = DEFAULT_URI
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI
[globs]
# /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
/lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
# strip kernel version numbers from kernel module accesses
^/lib/modules/[^\/]+\/ = /lib/modules/*/
# strip pid numbers from /proc accesses
^/proc/\d+/ = /proc/*/
# if it looks like a home directory, glob out the username
^/home/[^\/]+ = /home/*
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
^/usr/share/locale/.+$ = /usr/share/locale/**
# timezone fun
^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
# /foobar/fonts/baz -> /foobar/fonts/**
/fonts/.+$ = /fonts/**
# turn /foo/bar/baz.8907234 into /foo/bar/baz.*
# BUGBUG - this one looked weird because it would suggest a glob for
# BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
# \.\d+$ = .*
# some various /etc/security poo -- dunno about these ones...
^/etc/security/_[^\/]+$ = /etc/security/*
^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh
Reference in a new issue View git blame Copy permalink