Merge branch 'cboltz-include' into 'master'
Change `#include` to `include` in profiles and abstractions See merge request apparmor/apparmor!563 Acked-by: Seth Arnold <seth.arnold@canonical.com>
commit
e0d061d15a
@ -12,7 +12,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/dri-common>
|
||||
include <abstractions/dri-common>
|
||||
|
||||
|
||||
# .ICEauthority files required for X authentication, per user
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
# Allow unconfined processes to send us signals by default
|
||||
signal (receive) peer=unconfined,
|
||||
|
@ -8,6 +8,6 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/apparmor_api/introspect>
|
||||
include <abstractions/apparmor_api/introspect>
|
||||
|
||||
@{PROC}/@{tid}/attr/{current,exec} w,
|
||||
|
@ -13,7 +13,7 @@ abi <abi/3.0>,
|
||||
# Make sure to include tunables/apparmorfs and tunables/global
|
||||
# when using this abstraction
|
||||
|
||||
#include <abstractions/apparmor_api/find_mountpoint>
|
||||
include <abstractions/apparmor_api/find_mountpoint>
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
# TODO: add alternate apparmorfs interface for enabled
|
||||
|
@ -32,25 +32,25 @@
|
||||
/{usr/,}lib/@{multiarch}/security/ r,
|
||||
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
include <abstractions/kerberosclient>
|
||||
# SuSE's pwdutils are different:
|
||||
/{usr/,}etc/default/passwd r,
|
||||
/{usr/,}etc/login.defs r,
|
||||
|
||||
# nis
|
||||
#include <abstractions/nis>
|
||||
include <abstractions/nis>
|
||||
|
||||
# winbind
|
||||
#include <abstractions/winbind>
|
||||
include <abstractions/winbind>
|
||||
|
||||
# likewise
|
||||
#include <abstractions/likewise>
|
||||
include <abstractions/likewise>
|
||||
|
||||
# smbpass
|
||||
#include <abstractions/smbpass>
|
||||
include <abstractions/smbpass>
|
||||
|
||||
# p11-kit (PKCS#11 modules configuration)
|
||||
#include <abstractions/p11-kit>
|
||||
include <abstractions/p11-kit>
|
||||
|
||||
# Include additions to the abstraction
|
||||
include if exists <abstractions/authentication.d>
|
||||
|
@ -14,7 +14,7 @@
|
||||
# This abstraction grants full system bus access. Consider using the
|
||||
# dbus-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
dbus bus=system,
|
||||
|
||||
# Include additions to the abstraction
|
||||
|
@ -14,7 +14,7 @@
|
||||
# This abstraction grants full accessibility bus access. Consider using the
|
||||
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
dbus bus=accessibility,
|
||||
|
||||
# Include additions to the abstraction
|
||||
|
@ -14,7 +14,7 @@
|
||||
# This abstraction grants full session bus access. Consider using the
|
||||
# dbus-session-strict abstraction for fine-grained bus mediation.
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
/usr/bin/dbus-launch ix,
|
||||
dbus bus=session,
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
/usr/share/enchant/enchant.ordering r,
|
||||
|
||||
# aspell
|
||||
#include <abstractions/aspell>
|
||||
include <abstractions/aspell>
|
||||
/var/lib/dictionaries-common/aspell/ r,
|
||||
/var/lib/dictionaries-common/aspell/* r,
|
||||
|
||||
|
@ -20,27 +20,27 @@
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//exo-open {
|
||||
# #include <abstractions/exo-open>
|
||||
# include <abstractions/exo-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
# include <abstractions/ubuntu-browsers>
|
||||
# include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
# include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/gnome>
|
||||
include <abstractions/X>
|
||||
include <abstractions/audio> # for alert messages
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/gnome>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -11,7 +11,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/fcitx-strict>
|
||||
include <abstractions/fcitx-strict>
|
||||
dbus bus=fcitx,
|
||||
|
||||
# Include additions to the abstraction
|
||||
|
@ -11,7 +11,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
dbus send
|
||||
bus=fcitx
|
||||
|
@ -20,20 +20,20 @@
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gio-open {
|
||||
# #include <abstractions/gio-open>
|
||||
# include <abstractions/gio-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
# include <abstractions/ubuntu-browsers>
|
||||
# include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/freedesktop.org>
|
||||
#include <abstractions/xdg-desktop>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/wayland>
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/X>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/xdg-desktop>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/wayland>
|
||||
|
||||
# systemwide gtk defaults
|
||||
/etc/gnome/gtkrc* r,
|
||||
|
@ -20,23 +20,23 @@
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gvfs-open {
|
||||
# #include <abstractions/gvfs-open>
|
||||
# include <abstractions/gvfs-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
# include <abstractions/ubuntu-browsers>
|
||||
# include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# gvfs-open is deprecated, it launches gio open <uri>
|
||||
#include <abstractions/gio-open>
|
||||
include <abstractions/gio-open>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/freedesktop.org>
|
||||
#include <abstractions/xdg-desktop>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/qt5>
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/X>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/xdg-desktop>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/qt5>
|
||||
|
||||
/etc/qt3/kstylerc r,
|
||||
/etc/qt3/qt_plugins_3.3rc r,
|
||||
|
@ -20,18 +20,18 @@
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//kde-open5 {
|
||||
# #include <abstractions/kde-open5>
|
||||
# include <abstractions/kde-open5>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
# include <abstractions/ubuntu-browsers>
|
||||
# include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
# include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # Add if audio support for message box is
|
||||
# # considered as required.
|
||||
@ -41,19 +41,19 @@
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
#include <abstractions/dbus-network-manager-strict>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/dbus-strict>
|
||||
#include <abstractions/kde-icon-cache-write>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/qt5>
|
||||
#include <abstractions/recent-documents-write>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/audio> # for alert messages
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-network-manager-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/kde-icon-cache-write>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/recent-documents-write>
|
||||
include <abstractions/X>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -23,7 +23,7 @@
|
||||
# local LDAP name service daemon
|
||||
@{run}/nslcd/socket rw,
|
||||
|
||||
#include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
# Include additions to the abstraction
|
||||
include if exists <abstractions/ldapclient.d>
|
||||
|
@ -11,7 +11,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
# libpam-systemd notifies systemd-logind about session logins/logouts
|
||||
dbus send
|
||||
|
@ -72,25 +72,25 @@
|
||||
/{usr/,}etc/libnl-*/classid r,
|
||||
|
||||
# nis
|
||||
#include <abstractions/nis>
|
||||
include <abstractions/nis>
|
||||
|
||||
# ldap
|
||||
#include <abstractions/ldapclient>
|
||||
include <abstractions/ldapclient>
|
||||
|
||||
# winbind
|
||||
#include <abstractions/winbind>
|
||||
include <abstractions/winbind>
|
||||
|
||||
# likewise
|
||||
#include <abstractions/likewise>
|
||||
include <abstractions/likewise>
|
||||
|
||||
# mdnsd
|
||||
#include <abstractions/mdns>
|
||||
include <abstractions/mdns>
|
||||
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
include <abstractions/kerberosclient>
|
||||
|
||||
#libnss-systemd
|
||||
#include <abstractions/nss-systemd>
|
||||
include <abstractions/nss-systemd>
|
||||
|
||||
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
|
||||
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
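Review bot: The section comment `#libnss-systemd` directly above the new `include <abstractions/nss-systemd>` line has no space after the `#`, so at a glance it still looks like a directive in exactly the way this commit is trying to eliminate. Every other section header in this hunk (`# nis`, `# ldap`, `# winbind`, `# likewise`, `# mdnsd`, `# kerberos`) uses `# name`, so while the neighbouring lines are being touched it would be worth normalising it to `# libnss-systemd` for consistency. The parser treats both forms as comments, so this is purely about readability of the new include block.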
|
||||
|
@ -5,10 +5,10 @@
|
||||
# OpenCL access requirements
|
||||
|
||||
# TODO: use conditionals to select allowed implementations
|
||||
#include <abstractions/opencl-intel>
|
||||
#include <abstractions/opencl-mesa>
|
||||
#include <abstractions/opencl-nvidia>
|
||||
#include <abstractions/opencl-pocl>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/opencl-mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/opencl-pocl>
|
||||
|
||||
|
||||
# Include additions to the abstraction
|
||||
|
@ -4,13 +4,13 @@
|
||||
|
||||
# OpenCL access requirements for Intel implementation
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
include <abstractions/opencl-common>
|
||||
|
||||
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
|
||||
#include <abstractions/X>
|
||||
include <abstractions/X>
|
||||
|
||||
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
|
||||
#include <abstractions/dri-enumerate>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
||||
# System files
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
# OpenCL access requirements for Mesa implementation
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
include <abstractions/opencl-common>
|
||||
|
||||
# Additional libraries
|
||||
|
||||
|
@ -4,8 +4,8 @@
|
||||
|
||||
# OpenCL access requirements for NVIDIA implementation
|
||||
|
||||
#include <abstractions/nvidia>
|
||||
#include <abstractions/opencl-common>
|
||||
include <abstractions/nvidia>
|
||||
include <abstractions/opencl-common>
|
||||
|
||||
# Executables
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/opencl-common>
|
||||
include <abstractions/opencl-common>
|
||||
|
||||
# Executables
|
||||
|
||||
@ -43,7 +43,7 @@
|
||||
# Child profiles
|
||||
|
||||
profile opencl_pocl_ld {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# Main executables
|
||||
|
||||
@ -56,7 +56,7 @@
|
||||
}
|
||||
|
||||
profile opencl_pocl_clang {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/php>
|
||||
include <abstractions/php>
|
||||
|
||||
# Include additions to the abstraction
|
||||
include if exists <abstractions/php5.d>
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/private-files>
|
||||
include <abstractions/private-files>
|
||||
|
||||
# potentially extremely sensitive files
|
||||
audit deny @{HOME}/.aws/{,**} mrwkl,
|
||||
|
@ -2,9 +2,9 @@
|
||||
#
|
||||
# abstraction for allowing graphical bittorrent clients in Ubuntu
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -2,9 +2,9 @@
|
||||
#
|
||||
# abstraction for allowing access to graphical browsers in Ubuntu
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -20,14 +20,14 @@
|
||||
# unfortunate workarounds of the proprietary Javas, so have a separate
|
||||
# profile.
|
||||
profile browser_openjdk {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/private-files-strict>
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/private-files-strict>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
@ -65,14 +65,14 @@
|
||||
# Profile for commercial Javas. These need workarounds to work right (eg
|
||||
# Sun's forcing of an executable stack (LP: #535247)).
|
||||
profile browser_java {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/fonts>
|
||||
#include <abstractions/gnome>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/private-files-strict>
|
||||
include <abstractions/base>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gnome>
|
||||
include <abstractions/kde>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/private-files-strict>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
@ -1,9 +1,9 @@
|
||||
# vim:syntax=apparmor
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/kde>
|
||||
include <abstractions/kde>
|
||||
/usr/bin/kde4-config Cx -> sanitized_helper,
|
||||
|
@ -3,9 +3,9 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
# for mailto:
|
||||
#include <abstractions/ubuntu-email>
|
||||
#include <abstractions/ubuntu-console-email>
|
||||
include <abstractions/ubuntu-email>
|
||||
include <abstractions/ubuntu-console-email>
|
||||
|
||||
# Terminals for using console applications. These abstractions should ideally
|
||||
# have 'ix' to restrct access to what only firefox is allowed to do
|
||||
#include <abstractions/ubuntu-gnome-terminal>
|
||||
include <abstractions/ubuntu-gnome-terminal>
|
||||
|
@ -1,11 +1,11 @@
|
||||
# vim:syntax=apparmor
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/X>
|
||||
include <abstractions/X>
|
||||
|
||||
# Pulseaudio
|
||||
/usr/bin/pulseaudio Pixr,
|
||||
@ -17,7 +17,7 @@
|
||||
/usr/bin/digikam Cxr -> sanitized_helper,
|
||||
/usr/bin/gwenview Cxr -> sanitized_helper,
|
||||
|
||||
#include <abstractions/ubuntu-media-players>
|
||||
include <abstractions/ubuntu-media-players>
|
||||
owner @{HOME}/.adobe/ w,
|
||||
owner @{HOME}/.adobe/** rw,
|
||||
owner @{HOME}/.macromedia/ w,
|
||||
@ -27,7 +27,7 @@
|
||||
/usr/bin/lpr Cxr -> sanitized_helper,
|
||||
|
||||
# Bittorrent clients
|
||||
#include <abstractions/ubuntu-bittorrent-clients>
|
||||
include <abstractions/ubuntu-bittorrent-clients>
|
||||
|
||||
# Archivers
|
||||
/usr/bin/ark Cxr -> sanitized_helper,
|
||||
@ -36,10 +36,10 @@
|
||||
/usr/local/lib{,32,64}/*.so* mr,
|
||||
|
||||
# News feed readers
|
||||
#include <abstractions/ubuntu-feed-readers>
|
||||
include <abstractions/ubuntu-feed-readers>
|
||||
|
||||
# If we allow the above, nvidia based systems will also need this
|
||||
#include <abstractions/nvidia>
|
||||
include <abstractions/nvidia>
|
||||
|
||||
# Virus scanners
|
||||
/usr/bin/clamscan Cx -> sanitized_helper,
|
||||
|
@ -15,4 +15,4 @@
|
||||
|
||||
# Since all the ubuntu-browsers.d abstractions need this, just include it
|
||||
# here
|
||||
#include <abstractions/ubuntu-helpers>
|
||||
include <abstractions/ubuntu-helpers>
|
||||
|
@ -1,7 +1,7 @@
|
||||
# vim:syntax=apparmor
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
# vim:syntax=apparmor
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
# vim:syntax=apparmor
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -3,6 +3,6 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
# firefox-notify
|
||||
#include <abstractions/python>
|
||||
include <abstractions/python>
|
||||
/usr/bin/python2.[4567] ix,
|
||||
/usr/share/xul-ext/notify/**/download_complete_notify.py ix,
|
||||
|
@ -9,7 +9,7 @@
|
||||
owner @{HOME}/** w,
|
||||
|
||||
# Do not allow read and/or write to particularly sensitive/problematic files
|
||||
#include <abstractions/private-files>
|
||||
include <abstractions/private-files>
|
||||
audit deny @{HOME}/.ssh/{,**} mrwkl,
|
||||
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
|
||||
|
@ -4,11 +4,11 @@
|
||||
# typically also need a terminal, so when using this abstraction, should also
|
||||
# do something like:
|
||||
#
|
||||
# #include <abstractions/ubuntu-gnome-terminal>
|
||||
# include <abstractions/ubuntu-gnome-terminal>
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -4,11 +4,11 @@
|
||||
# typically also need a terminal, so when using this abstraction, should also
|
||||
# do something like:
|
||||
#
|
||||
# #include <abstractions/ubuntu-gnome-terminal>
|
||||
# include <abstractions/ubuntu-gnome-terminal>
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -2,9 +2,9 @@
|
||||
#
|
||||
# abstraction for allowing graphical email clients in Ubuntu
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -2,9 +2,9 @@
|
||||
#
|
||||
# abstraction for allowing graphical news feed readers in Ubuntu
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/gnome>
|
||||
include <abstractions/gnome>
|
||||
|
||||
# do not use ux or PUx here. Use at a minimum ix
|
||||
/usr/bin/gnome-terminal ix,
|
||||
|
@ -9,7 +9,7 @@
|
||||
#
|
||||
# Usage:
|
||||
# Because this abstraction defines the sanitized_helper profile, it must only
|
||||
# be #included once. Therefore this abstraction should typically not be
|
||||
# be included once. Therefore this abstraction should typically not be
|
||||
# included in other abstractions so as to avoid parser errors regarding
|
||||
# multiple definitions.
|
||||
#
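Review bot: With the keyword now spelled `include`, the new wording `be included once` at the top of this hunk reads as ordinary English and loses the cue that it is the parser directive, not a general notion of reuse, that must occur only once — the actual constraint is that pulling this file in twice would define the `sanitized_helper` profile twice. Quoting the keyword preserves that meaning: `# be pulled in via \`include\` only once. Therefore this abstraction should typically not be`. The hunk is comment-only, so nothing else applies to it.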
|
||||
@ -34,16 +34,16 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
profile sanitized_helper {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/X>
|
||||
include <abstractions/base>
|
||||
include <abstractions/X>
|
||||
|
||||
# Allow all networking
|
||||
network inet,
|
||||
network inet6,
|
||||
|
||||
# Allow all DBus communications
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
dbus,
|
||||
|
||||
# Needed for Google Chrome
|
||||
|
@ -5,8 +5,8 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kde>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/kde>
|
||||
capability sys_ptrace,
|
||||
@{PROC}/@{pid}/status r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
|
@ -2,9 +2,9 @@
|
||||
#
|
||||
# abstraction for allowing access to media players in Ubuntu
|
||||
#
|
||||
# Users of this abstraction need to #include the ubuntu-helpers abstraction
|
||||
# Users of this abstraction need to include the ubuntu-helpers abstraction
|
||||
# in the toplevel profile. Eg:
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
|
@ -15,10 +15,10 @@
|
||||
# Rules common to applications running under Unity 7
|
||||
#
|
||||
|
||||
#include <abstractions/gnome>
|
||||
include <abstractions/gnome>
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
#
|
||||
# Access required for connecting to/communication with Unity HUD
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/consoles>
|
||||
/dev/ptmx rw,
|
||||
/{,var/}run/utmp r,
|
||||
/etc/X11/app-defaults/XTerm r,
|
||||
|
@ -18,40 +18,40 @@
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//xdg-open {
|
||||
# #include <abstractions/xdg-open>
|
||||
# include <abstractions/xdg-open>
|
||||
#
|
||||
# # Enable a11y support if considered required by
|
||||
# # profile author for (rare) error message boxes.
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
# include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # Enable gstreamer support if considered required by
|
||||
# # profile author for (rare) error message boxes.
|
||||
# include if exists <abstractions/gstreamer>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
# include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
# include <abstractions/ubuntu-browsers>
|
||||
# include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# for openin with `exo-open`
|
||||
#include <abstractions/exo-open>
|
||||
include <abstractions/exo-open>
|
||||
|
||||
# for opening with `gio open <uri>`
|
||||
#include <abstractions/gio-open>
|
||||
include <abstractions/gio-open>
|
||||
|
||||
# for opening with gvfs-open (deprecated)
|
||||
#include <abstractions/gvfs-open>
|
||||
include <abstractions/gvfs-open>
|
||||
|
||||
# for opening with kde-open5
|
||||
#include <abstractions/kde-open5>
|
||||
include <abstractions/kde-open5>
|
||||
|
||||
# Main executables
|
||||
|
||||
|
@ -4,11 +4,11 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
^phpsysinfo {
|
||||
#include <abstractions/apache2-common>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/php5>
|
||||
#include <abstractions/python>
|
||||
include <abstractions/apache2-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/php5>
|
||||
include <abstractions/python>
|
||||
|
||||
/{,usr/}bin/dash ixr,
|
||||
/{,usr/}bin/df ixr,
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile ping /{usr/,}bin/{,iputils-}ping {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_raw,
|
||||
capability setuid,
|
||||
|
@ -12,7 +12,7 @@
|
||||
# it is appropriate for your site.
|
||||
#
|
||||
# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
|
||||
# #include <local/usr.sbin.smbd>
|
||||
# include <local/usr.sbin.smbd>
|
||||
#
|
||||
# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
|
||||
# contain any additional paths to be allowed, such as:
|
||||
|
@ -6,12 +6,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
# Do not attach to /usr/bin/lsb_release by default
|
||||
profile lsb_release {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
|
@ -2,10 +2,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile nvidia_modprobe {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# Capabilities
|
||||
|
||||
@ -35,7 +35,7 @@ profile nvidia_modprobe {
|
||||
# Child profiles
|
||||
|
||||
profile kmod {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
# Capabilities
|
||||
|
||||
|
@ -11,10 +11,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile klogd /{usr/,}{bin,sbin}/klogd {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_admin, # for backward compatibility with kernel <= 2.6.37
|
||||
capability syslog,
|
||||
|
@ -12,18 +12,18 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
#define this to be where syslog-ng is chrooted
|
||||
@{CHROOT_BASE}=""
|
||||
|
||||
profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/mysql>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/python>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
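Review bot: The context line `#define this to be where syslog-ng is chrooted` just above `@{CHROOT_BASE}=""` still reads like a preprocessor directive, which is the same `#`-prefix ambiguity this commit removes for `include`; since it is only a comment, rewording it to `# Define this to be where syslog-ng is chrooted` makes that unambiguous to readers and to any tooling that flags directive-looking `#` lines. The new `include <abstractions/...>` lines in this hunk themselves look correct. `profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {` continues beyond the hunk.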
@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile syslogd /{usr/,}{bin,sbin}/syslogd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/consoles>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability sys_tty_config,
|
||||
capability dac_override,
|
||||
|
@ -6,6 +6,6 @@
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <tunables/securityfs>
|
||||
include <tunables/securityfs>
|
||||
|
||||
@{apparmorfs}=@{securityfs}/apparmor/
|
||||
|
@ -12,11 +12,11 @@
|
||||
# All the tunables definitions that should be available to every profile
|
||||
# should be included here
|
||||
|
||||
#include <tunables/home>
|
||||
#include <tunables/multiarch>
|
||||
#include <tunables/proc>
|
||||
#include <tunables/alias>
|
||||
#include <tunables/kernelvars>
|
||||
#include <tunables/xdg-user-dirs>
|
||||
#include <tunables/share>
|
||||
#include <tunables/run>
|
||||
include <tunables/home>
|
||||
include <tunables/multiarch>
|
||||
include <tunables/proc>
|
||||
include <tunables/alias>
|
||||
include <tunables/kernelvars>
|
||||
include <tunables/xdg-user-dirs>
|
||||
include <tunables/share>
|
||||
include <tunables/run>
|
||||
|
@ -22,4 +22,4 @@
|
||||
|
||||
# Also, include files in tunables/home.d for site-specific adjustments to
|
||||
# @{HOMEDIRS}.
|
||||
#include <tunables/home.d>
|
||||
include <tunables/home.d>
|
||||
|
@ -14,4 +14,4 @@
|
||||
|
||||
# Also, include files in tunables/multiarch.d for site and packaging
|
||||
# specific adjustments to @{multiarch}.
|
||||
#include <tunables/multiarch.d>
|
||||
include <tunables/multiarch.d>
|
||||
|
@ -21,4 +21,4 @@
|
||||
|
||||
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
|
||||
# to the various XDG directories
|
||||
#include <tunables/xdg-user-dirs.d>
|
||||
include <tunables/xdg-user-dirs.d>
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/lib/apache2/mpm-prefork/apache2 {
|
||||
|
||||
# This profile is completely permissive.
|
||||
@ -41,8 +41,8 @@ abi <abi/3.0>,
|
||||
# </Directory>
|
||||
#
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
capability kill,
|
||||
@ -56,8 +56,8 @@ abi <abi/3.0>,
|
||||
|
||||
|
||||
^DEFAULT_URI {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
/ rw,
|
||||
/** mrwlkix,
|
||||
@ -65,7 +65,7 @@ abi <abi/3.0>,
|
||||
}
|
||||
|
||||
^HANDLING_UNTRUSTED_INPUT {
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
/ rw,
|
||||
/** mrwlkix,
|
||||
@ -75,7 +75,7 @@ abi <abi/3.0>,
|
||||
# This directory contains web application
|
||||
# package-specific apparmor files.
|
||||
|
||||
#include <apache2.d>
|
||||
include <apache2.d>
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/usr.lib.apache2.mpm-prefork.apache2>
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/anvil {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@ -12,16 +12,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/auth {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/mysql>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/wutmp>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/wutmp>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability audit_write,
|
||||
capability dac_override,
|
||||
|
@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/config {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/ssl_keys>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
|
@ -13,13 +13,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/deliver {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@ -11,14 +11,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/dict {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/mysql>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@ -12,14 +12,14 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/dovecot-auth {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/wutmp>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/wutmp>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
||||
@ -43,11 +43,11 @@ abi <abi/3.0>,
|
||||
# this profile is based on the usr.sbin.sendmail profile in extras
|
||||
# and should support both postfix' and sendmail's sendmail binary
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
|
@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/imap {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
deny capability block_suspend,
|
||||
|
@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/lib/dovecot/imap-login {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@ -11,16 +11,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/lmtp {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/ssl_keys>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/log flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
/usr/lib/dovecot/log mr,
|
||||
|
||||
|
@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/managesieve {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@ -14,11 +14,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/lib/dovecot/managesieve-login {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@ -12,13 +12,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/dovecot>
|
||||
include <tunables/global>
|
||||
include <tunables/dovecot>
|
||||
|
||||
/usr/lib/dovecot/pop3 {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
|
||||
|
@ -12,11 +12,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
/usr/lib/dovecot/pop3-login {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/openssl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/ssl-params {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
@{run}/dovecot/ssl-params rw,
|
||||
@{run}/dovecot/login/ssl-params rw,
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/usr/lib/dovecot/stats {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
|
||||
|
||||
# This profile is completely permissive.
|
||||
@ -28,7 +28,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
|
||||
# the "apache2-common" abstraction:
|
||||
#
|
||||
# ^example.com {
|
||||
# #include <abstractions/apache2-common>
|
||||
# include <abstractions/apache2-common>
|
||||
# /var/www/html/ r,
|
||||
# /var/www/html/** r,
|
||||
# /var/log/apache2/*.log w,
|
||||
@ -69,8 +69,8 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
|
||||
# </Location>
|
||||
#
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
# Send signals to all hats.
|
||||
signal (send) peer=@{profile_name}//*,
|
||||
@ -87,15 +87,15 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
|
||||
|
||||
|
||||
^DEFAULT_URI flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/apache2-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/apache2-common>
|
||||
|
||||
/ rw,
|
||||
/** mrwlkix,
|
||||
}
|
||||
|
||||
^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
|
||||
#include <abstractions/apache2-common>
|
||||
include <abstractions/apache2-common>
|
||||
|
||||
/ rw,
|
||||
/** mrwlkix,
|
||||
@ -104,7 +104,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
|
||||
# This directory contains web application
|
||||
# package-specific apparmor files.
|
||||
|
||||
#include <apache2.d>
|
||||
include <apache2.d>
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/usr.sbin.apache2>
|
||||
|
@ -1,11 +1,11 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@ -13,11 +13,11 @@ abi <abi/3.0>,
|
||||
|
||||
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
capability net_bind_service,
|
||||
@ -108,7 +108,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
@{run}/NetworkManager/NetworkManager.pid w,
|
||||
|
||||
profile libvirt_leaseshelper {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
|
||||
/etc/libnl-3/classid r,
|
||||
|
||||
|
@ -12,16 +12,16 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dovecot-common>
|
||||
#include <abstractions/mysql>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/ssl_certs>
|
||||
#include <abstractions/ssl_keys>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dovecot-common>
|
||||
include <abstractions/mysql>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/ssl_keys>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile identd /usr/{bin,sbin}/identd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile mdnsd /usr/{bin,sbin}/mdnsd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
|
@ -1,11 +1,11 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile nmbd /usr/{bin,sbin}/nmbd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/samba>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/samba>
|
||||
|
||||
capability net_bind_service,
|
||||
|
||||
|
@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile nscd /usr/{bin,sbin}/nscd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/ssl_certs>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
deny capability block_suspend,
|
||||
capability net_bind_service,
|
||||
|
@ -11,13 +11,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
#include <tunables/ntpd>
|
||||
include <tunables/global>
|
||||
include <tunables/ntpd>
|
||||
profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/xad>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/xad>
|
||||
|
||||
capability dac_override,
|
||||
capability ipc_lock,
|
||||
|
@ -1,16 +1,16 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile smbd /usr/{bin,sbin}/smbd {
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/cups-client>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/samba>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/wutmp>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/cups-client>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/samba>
|
||||
include <abstractions/user-tmp>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability audit_write,
|
||||
capability dac_override,
|
||||
|
@ -2,13 +2,13 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/perl>
|
||||
|
||||
/dev/tty rw,
|
||||
/{,usr/}bin/bash ix,
|
||||
@ -24,8 +24,8 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
|
||||
include if exists <local/usr.sbin.smbldap-useradd>
|
||||
|
||||
profile /etc/init.d/nscd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
deny capability net_admin, # noisy setsockopt() calls
|
||||
capability net_raw,
|
||||
|
@ -1,11 +1,11 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile winbindd /usr/{bin,sbin}/winbindd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/samba>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/samba>
|
||||
|
||||
deny capability block_suspend,
|
||||
|
||||
|
@ -15,12 +15,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile netstat /{usr/,}bin/netstat {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
@ -13,12 +13,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/logrotate {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
|
@ -14,10 +14,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/slocate.cron {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
/{usr/,}bin/bash mixr,
|
||||
/dev/tty wr ,
|
||||
/etc/cron.daily/slocate.cron r ,
|
||||
|
@ -10,10 +10,10 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
/etc/cron.daily/tmpwatch {
|
||||
#include <abstractions/base>
|
||||
include <abstractions/base>
|
||||
/etc/cron.daily/tmpwatch r,
|
||||
/tmp r,
|
||||
/tmp/** rwl,
|
||||
|
@ -11,12 +11,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}anvil mrix,
|
||||
|
||||
|
@ -12,12 +12,12 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
include <tunables/global>
|
||||
|
||||
profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}bounce mrix,
|
||||
|
||||
|