|
b51a2d271d | ||
|
f8286feada | ||
|
5700ff9e40 | ||
|
ee0ae96566 | ||
|
67e7b302a4 | ||
|
157c8ee36a | ||
|
d62b5a9a7d | ||
|
3c047517a4 | ||
|
9fff1c5c6a | ||
|
d415e48646 | ||
|
63751d20e2 | ||
|
411249b3b5 | ||
|
8921644ab4 | ||
|
fd1b463643 | ||
|
ca3e5be507 | ||
|
37d938b815 | ||
|
3f4e97e228 | ||
|
7e6df95729 | ||
|
1a3b81857a | ||
|
e3371f871f | ||
|
2d6380c26a | ||
|
5f3f4ba087 | ||
|
4540cb2f50 | ||
|
3cdfe944ac | ||
|
15e5b5c459 | ||
|
3da24e0116 | ||
|
be8ab7d538 | ||
|
b469e1f3e8 | ||
|
2993533d61 | ||
|
5d7b35d30d | ||
|
2686a0af6c | ||
|
9de934c3e7 | ||
|
701943948c | ||
|
47bb1a31b0 | ||
|
898c2cda7a | ||
|
14ed051657 | ||
|
8e04e39b7c | ||
|
552ee5d621 | ||
|
c8e57213f9 | ||
|
44e6f90f23 | ||
|
dd03484866 | ||
|
00396b8f13 | ||
|
3d85e1234a | ||
|
4c8ac78605 | ||
|
17032f2254 | ||
|
de784f55d3 | ||
|
ad0a6ac6bf | ||
|
95aa5b5895 | ||
|
c16fff8cb4 | ||
|
2db3d94ce2 | ||
|
b174705a31 | ||
|
56cc87aace | ||
|
ca0d9f758b | ||
|
a606a59d96 | ||
|
6a8a5de637 | ||
|
1bcf85737b | ||
|
ea55ef22e7 | ||
|
dc3e2c39fb | ||
|
1335b80ff4 | ||
|
1808d14e35 | ||
|
145136f604 | ||
|
ab0f4ab2ed | ||
|
5c47e448b4 | ||
|
72f97a98e7 | ||
|
726c3fc129 | ||
|
be05b4497f | ||
|
fac184d923 | ||
|
a090a6377b | ||
|
4527abd028 | ||
|
350b4a5358 | ||
|
3f8cfac384 | ||
|
054079b271 | ||
|
f6eb8553dc | ||
|
8b5e4a45a9 | ||
|
8771cff94b | ||
|
351014c3f6 | ||
|
903e743b87 | ||
|
7a7c7fb346 | ||
|
58e4e8169c | ||
|
4cab2dbc17 | ||
|
8501ed822e | ||
|
e54fdf8e2b | ||
|
57f6315783 | ||
|
6fae03d142 | ||
|
bd401448fa | ||
|
6e2de0806c | ||
|
583fb1c0cd | ||
|
54806dce22 | ||
|
25338e4691 | ||
|
9051288c3d | ||
|
0107d57915 | ||
|
1909ca0dcb | ||
|
d6ebf87d2b | ||
|
43af5f9751 | ||
|
065546c312 | ||
|
2060ccde22 | ||
|
df9cfced8c | ||
|
9a9c2f9793 | ||
|
8b0e2bdc94 | ||
|
68316d265b | ||
|
e32cbfc0e6 | ||
|
f2e09aa234 | ||
|
af6bf82389 | ||
|
02dce59d29 | ||
|
dab520aae9 | ||
|
70d3183a23 | ||
|
64dfc797dd | ||
|
ad45b80789 | ||
|
aca6adea2a | ||
|
2a3752c4c4 | ||
|
a07de3f095 | ||
|
60007d3fe4 | ||
|
ef8d514138 | ||
|
4e194b2f3a | ||
|
ed61e482cb | ||
|
efb6952e0c | ||
|
aecc9e1cb6 | ||
|
489fa60fda | ||
|
cd4a161350 | ||
|
701b3ba29c | ||
|
c63cc73672 | ||
|
a65078494e | ||
|
d1d74e8950 | ||
|
88517e9768 | ||
|
6016f931eb | ||
|
f25770c27b | ||
|
5623881bfa | ||
|
9528672c36 | ||
|
02b9090eda | ||
|
7c5c8a0cc1 | ||
|
ac4bf706e5 | ||
|
53a95a58e6 | ||
|
583ea724b2 | ||
|
b3560008dd | ||
|
2f04bf6498 | ||
|
438d2794e1 | ||
|
711a1747a2 | ||
|
b302327ac8 | ||
|
af32be0fb4 | ||
|
0c858fb34d | ||
|
8a3b92cd62 | ||
|
1842231253 | ||
|
2d0358c95c | ||
|
5929c1519b | ||
|
53798e90d5 | ||
|
5f61bd4cf2 | ||
|
72c2a7d2de | ||
|
e038123f8f | ||
|
2841103039 | ||
|
0e89e79a32 | ||
|
0ad7109eea | ||
|
eb5185c961 | ||
|
da07cdf79c | ||
|
6e9dd6494b | ||
|
6c638c97c5 | ||
|
b3dff41eb7 | ||
|
cca58df6f5 | ||
|
95b75a628a | ||
|
ddb747c0a9 | ||
|
01841ade3a | ||
|
e02a017014 | ||
|
0b31930b3b | ||
|
b9af6564a5 | ||
|
632fb92bc5 | ||
|
79e942bf2a | ||
|
c046bc83dc | ||
|
dda6825ff2 | ||
|
92f6679da9 | ||
|
03acdebf07 | ||
|
1f319c3870 | ||
|
411af09c97 | ||
|
454fca7483 | ||
|
af0c288fcd | ||
|
0d8e4cda3f | ||
|
69651fc656 | ||
|
fc2beaca9d | ||
|
5972adc7e3 | ||
|
2e2529bae8 |
1
.gitignore
vendored
1
.gitignore
vendored
@@ -8,6 +8,7 @@ binutils/po/*.mo
|
||||
parser/po/*.mo
|
||||
parser/af_names.h
|
||||
parser/cap_names.h
|
||||
parser/generated_cap_names.h
|
||||
parser/tst_lib
|
||||
parser/tst_misc
|
||||
parser/tst_regex
|
||||
|
@@ -1,7 +1,7 @@
|
||||
---
|
||||
image: ubuntu:latest
|
||||
before_script:
|
||||
- export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-notify2 python3-psutil zlib1g-dev
|
||||
- export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-notify2 python3-psutil python3-setuptools zlib1g-dev
|
||||
- lsb_release -a
|
||||
- uname -a
|
||||
|
||||
|
18
README.md
18
README.md
@@ -45,6 +45,24 @@ Security issues can be filed as security bugs on launchpad
|
||||
or directed to `security@apparmor.net`. Additional details can be found
|
||||
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
|
||||
|
||||
|
||||
--------------
|
||||
Privacy Policy
|
||||
--------------
|
||||
|
||||
The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function.
|
||||
|
||||
The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project.
|
||||
|
||||
The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.
|
||||
|
||||
Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.
|
||||
|
||||
The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab and LaunchPad) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.
|
||||
|
||||
Currently both GitLab an LaunchPad require a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.
|
||||
|
||||
|
||||
-------------
|
||||
Source Layout
|
||||
-------------
|
||||
|
@@ -54,6 +54,10 @@ TOOLS = aa-enabled aa-exec
|
||||
|
||||
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
|
||||
|
||||
ifdef WITH_LIBINTL
|
||||
AALIB += -lintl
|
||||
endif
|
||||
|
||||
ifdef USE_SYSTEM
|
||||
# Using the system libapparmor so Makefile dependencies can't be used
|
||||
LIBAPPARMOR_A =
|
||||
|
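--- /dev/null
+++ b/binutils/po/aa_enabled.pot
@@ -0,0 +1,67 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:36-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_enabled.c:21
+#, c-format
+msgid ""
+"%s: [options]\n"
+" options:\n"
+" -q | --quiet Don't print out any messages\n"
+" -h | --help Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:38
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:42
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:46
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:51
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:56
+#, c-format
+msgid "Error - %s\n"
+msgstr ""
+
+#: ../aa_enabled.c:70
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:80
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:90
+#, c-format
+msgid "Yes\n"
+msgstr ""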
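--- /dev/null
+++ b/binutils/po/aa_exec.pot
@@ -0,0 +1,52 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:37-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_exec.c:48
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <prog> <args>\n"
+"\n"
+"Confine <prog> with the specified PROFILE.\n"
+"\n"
+"OPTIONS:\n"
+" -p PROFILE, --profile=PROFILE\t\tPROFILE to confine <prog> with\n"
+" -n NAMESPACE, --namespace=NAMESPACE\tNAMESPACE to confine <prog> in\n"
+" -d, --debug\t\t\t\tshow messages with debugging information\n"
+" -i, --immediate\t\t\tchange profile immediately instead of at exec\n"
+" -v, --verbose\t\t\t\tshow messages with stats\n"
+" -h, --help\t\t\t\tdisplay this help\n"
+"\n"
+msgstr ""
+
+#: ../aa_exec.c:63
+msgid "aa-exec: ERROR: "
+msgstr ""
+
+#: ../aa_exec.c:74
+msgid "aa-exec: DEBUG: "
+msgstr ""
+
+#: ../aa_exec.c:87
+msgid "\n"
+msgstr ""
+
+#: ../aa_exec.c:105
+#, c-format
+msgid "exec"
+msgstr ""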
@@ -74,40 +74,6 @@ endif
|
||||
pod_clean:
|
||||
-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
|
||||
|
||||
# =====================
|
||||
# generate list of capabilities based on
|
||||
# /usr/include/linux/capabilities.h for use in multiple locations in
|
||||
# the source tree
|
||||
# =====================
|
||||
|
||||
# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
|
||||
CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
|
||||
|
||||
.PHONY: list_capabilities
|
||||
list_capabilities: /usr/include/linux/capability.h
|
||||
@echo "$(CAPABILITIES)"
|
||||
|
||||
# =====================
|
||||
# generate list of network protocols based on
|
||||
# sys/socket.h for use in multiple locations in
|
||||
# the source tree
|
||||
# =====================
|
||||
|
||||
# These are the families that it doesn't make sense for apparmor
|
||||
# to mediate. We use PF_ here since that is what is required in
|
||||
# bits/socket.h, but we will rewrite these as AF_.
|
||||
|
||||
FILTER_FAMILIES=PF_UNIX
|
||||
|
||||
__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
|
||||
|
||||
# emits the AF names in a "AF_NAME NUMBER," pattern
|
||||
AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
|
||||
|
||||
.PHONY: list_af_names
|
||||
list_af_names:
|
||||
@echo "$(AF_NAMES)"
|
||||
|
||||
# =====================
|
||||
# manpages
|
||||
# =====================
|
||||
|
@@ -1 +1 @@
|
||||
2.13.4
|
||||
2.13.7
|
||||
|
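--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+cpp -dM | \
+LC_ALL=C sed -n \
+-e '/PF_UNIX/d' \
+-e 's/PF_LOCAL/PF_UNIX/' \
+-e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+sort -n -k2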
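Review bot: `#!/bin/bash -e` does not catch a failure inside the pipeline that makes up the last seven lines; if `cpp -dM` cannot resolve `<sys/socket.h>` (or `cpp` is absent), only the status of the final `sort` counts, so the script exits 0 with empty output and the parser's `af_names.h` recipe in this same compare redirects that empty output straight into the header without any error. Add `set -o pipefail` before the `echo` (or `set -eo pipefail` as the first statement, since the `-e` on the shebang line is ignored when the script is run as `bash list_af_names.sh`). The same applies to `common/list_capabilities.sh` in the next section, which feeds `generated_cap_names.h` the same way. The PF_UNIX comment also misspells "sense" as "sence".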
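--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+cpp -dM | \
+LC_ALL=C sed -n \
+-e '/CAP_EMPTY_SET/d' \
+-e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+LC_ALL=C sort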
@@ -58,7 +58,7 @@ if test "$with_perl" = "yes"; then
|
||||
AC_PATH_PROG(PERL, perl)
|
||||
test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
|
||||
perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
|
||||
AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
|
||||
AS_IF([test -e "$perl_includedir/perl.h"], enable_perl=yes, enable_perl=no)
|
||||
fi
|
||||
|
||||
|
||||
|
@@ -20,6 +20,7 @@
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
|
@@ -64,7 +64,7 @@ variable to configure. See ``configure --help'' for reference.
|
||||
# Check if you have distutils, else fail
|
||||
#
|
||||
AC_MSG_CHECKING([for the distutils Python package])
|
||||
ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
|
||||
ac_distutils_result=`$PYTHON -c "import distutils" 2>&1 | grep -v DeprecationWarning`
|
||||
if test -z "$ac_distutils_result"; then
|
||||
AC_MSG_RESULT([yes])
|
||||
else
|
||||
@@ -75,12 +75,14 @@ $ac_distutils_result])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
|
||||
AC_PATH_TOOL([PYTHON_CONFIG],[`basename $PYTHON`-config])
|
||||
|
||||
#
|
||||
# Check for Python include path
|
||||
#
|
||||
AC_MSG_CHECKING([for Python include path])
|
||||
if type $PYTHON-config; then
|
||||
PYTHON_CPPFLAGS=`$PYTHON-config --includes`
|
||||
if test -n "$PYTHON_CONFIG"; then
|
||||
PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
|
||||
fi
|
||||
if test -z "$PYTHON_CPPFLAGS"; then
|
||||
python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
|
||||
@@ -97,8 +99,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
|
||||
# Check for Python library path
|
||||
#
|
||||
AC_MSG_CHECKING([for Python library path])
|
||||
if type $PYTHON-config; then
|
||||
PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
|
||||
if test -n "$PYTHON_CONFIG"; then
|
||||
PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
|
||||
fi
|
||||
if test -z "$PYTHON_LDFLAGS"; then
|
||||
# (makes two attempts to ensure we've got a version number
|
||||
|
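Review bot: `grep -v DeprecationWarning` on the distutils probe in the first hunk only removes lines that contain that word, while Python's warning output can carry a second line (the echoed source line, when the warning is attributed to a real file such as setuptools' distutils shim), so `ac_distutils_result` may still be non-empty and the check reports no distutils on 3.10+ interpreters that warn. Silencing the warning at the source is more robust and shorter: run `$PYTHON -W ignore::DeprecationWarning -c "import distutils"` inside the backquotes instead of piping through grep. In the two later hunks, `AC_PATH_TOOL` leaves `PYTHON_CONFIG` empty rather than failing when `python3-config` is missing, which silently falls back to the distutils path this file is trying to move away from; an `AC_MSG_WARN([python-config not found, falling back to distutils])` next to the `if test -n "$PYTHON_CONFIG"` would make that visible in the configure log.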
@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
|
||||
# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
|
||||
#
|
||||
AA_LIB_CURRENT = 7
|
||||
AA_LIB_REVISION = 2
|
||||
AA_LIB_REVISION = 3
|
||||
AA_LIB_AGE = 6
|
||||
|
||||
SUFFIXES = .pc.in .pc
|
||||
@@ -35,7 +35,7 @@ SUFFIXES = .pc.in .pc
|
||||
BUILT_SOURCES = grammar.h scanner.h af_protos.h
|
||||
AM_LFLAGS = -v
|
||||
AM_YFLAGS = -d -p aalogparse_
|
||||
AM_CFLAGS = -Wall
|
||||
AM_CFLAGS = -Wall -flto-partition=none
|
||||
AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
|
||||
scanner.h: scanner.l
|
||||
$(LEX) -v $<
|
||||
|
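Review bot: `-flto-partition=none` is added to `AM_CFLAGS` unconditionally in the second hunk, and it is a GCC option; as far as I know clang rejects it as an unknown argument, so a `CC=clang` build now fails outright instead of merely losing the LTO workaround. Probe it in configure.ac (`AX_CHECK_COMPILE_FLAG` from autoconf-archive, or a small `AC_COMPILE_IFELSE`) and substitute the result, e.g. `AM_CFLAGS = -Wall $(LTO_PARTITION_FLAGS)`. A one-line comment above the assignment saying why partitioning is disabled (presumably to keep the `.symver` alias targets in kernel.c together, but that is not stated anywhere in this compare) would save the next reader a git-blame.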
@@ -219,7 +219,7 @@ static int init_features_hash(aa_features *features)
|
||||
/* portable murmur3 hash
|
||||
* https://github.com/aappleby/smhasher/wiki/MurmurHash3
|
||||
*/
|
||||
PMurHash32_Process(&hash, &carry, features, len);
|
||||
PMurHash32_Process(&hash, &carry, string, len);
|
||||
hash = PMurHash32_Result(hash, carry, len);
|
||||
|
||||
if (snprintf(features->hash, HASH_SIZE,
|
||||
|
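Review bot: switching the hashed input from `features` to `string` changes the value written to `features->hash` for every feature set, so anything keyed on that hash (presumably a policy-cache directory name, though the consumer is not on this page) will stop matching and be regenerated on the first run after the upgrade; that is worth a sentence in the commit message and release notes. Since the old call read `len` bytes starting at the `aa_features` struct rather than the string, a short comment after the murmur3 note would keep the fix from being undone by a future "cleanup", e.g. `/* hash the features string itself, not the aa_features struct */`. init_features_hash starts before this hunk.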
@@ -43,6 +43,7 @@
|
||||
__asm__ (".symver " #real "," #name "@" #version)
|
||||
#define default_symbol_version(real, name, version) \
|
||||
__asm__ (".symver " #real "," #name "@@" #version)
|
||||
#define DLLEXPORT __attribute__((visibility("default"),externally_visible))
|
||||
|
||||
#define UNCONFINED "unconfined"
|
||||
#define UNCONFINED_SIZE strlen(UNCONFINED)
|
||||
@@ -500,7 +501,7 @@ int aa_change_onexec(const char *profile)
|
||||
}
|
||||
|
||||
/* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
|
||||
extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
|
||||
DLLEXPORT extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
|
||||
symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
|
||||
default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);
|
||||
|
||||
@@ -889,7 +890,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
|
||||
|
||||
/* export multiple aa_query_label symbols to compensate for downstream
|
||||
* releases with differing symbol versions. */
|
||||
extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
|
||||
DLLEXPORT extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
|
||||
symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
|
||||
default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
|
||||
|
||||
|
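Review bot: `DLLEXPORT` expands to `__attribute__((visibility("default"),externally_visible))` and is applied unconditionally to the two alias declarations in the later hunks; `externally_visible` is a GCC extension, and to my knowledge clang only warns about it as an unknown attribute, so on non-GCC toolchains the effect the LTO change depends on is silently lost. Guard the macro, `#if defined(__GNUC__) && !defined(__clang__)` for the current form and `#else` / `#define DLLEXPORT __attribute__((visibility("default")))`, and add a one-line comment on the `#define` stating that it exists to keep the `.symver` alias targets alive under LTO, since nothing near the macro explains why plain `extern` was not enough.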
@@ -6,14 +6,14 @@
|
||||
|
||||
IMMUNIX_1.0 {
|
||||
global:
|
||||
change_hat;
|
||||
change_hat; __old_change_hat;
|
||||
local:
|
||||
*;
|
||||
};
|
||||
|
||||
APPARMOR_1.0 {
|
||||
global:
|
||||
change_hat;
|
||||
change_hat; __change_hat;
|
||||
parse_record;
|
||||
free_record;
|
||||
local:
|
||||
@@ -24,7 +24,7 @@ APPARMOR_1.1 {
|
||||
global:
|
||||
aa_is_enabled;
|
||||
aa_find_mountpoint;
|
||||
aa_change_hat;
|
||||
aa_change_hat; __old_change_hat;
|
||||
aa_change_hatv;
|
||||
aa_change_hat_vargs;
|
||||
aa_change_profile;
|
||||
@@ -37,7 +37,7 @@ APPARMOR_1.1 {
|
||||
free_record;
|
||||
aa_getprocattr_raw;
|
||||
aa_getprocattr;
|
||||
aa_query_label;
|
||||
aa_query_label; __aa_query_label;
|
||||
|
||||
# no more symbols here, please
|
||||
|
||||
@@ -47,7 +47,7 @@ APPARMOR_1.1 {
|
||||
|
||||
APPARMOR_2.9 {
|
||||
global:
|
||||
aa_query_label;
|
||||
aa_query_label; query_label;
|
||||
local:
|
||||
*;
|
||||
} APPARMOR_1.1;
|
||||
@@ -118,6 +118,7 @@ APPARMOR_2.13.1 {
|
||||
PRIVATE {
|
||||
global:
|
||||
_aa_is_blacklisted;
|
||||
_aa_asprintf;
|
||||
_aa_autofree;
|
||||
_aa_autoclose;
|
||||
_aa_autofclose;
|
||||
|
@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_builddir)/config.status
|
||||
|
||||
CLEANFILES = test_python.py
|
||||
|
||||
# bah, how brittle is this?
|
||||
PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")'
|
||||
PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
|
||||
|
||||
TESTS = test_python.py
|
||||
TESTS_ENVIRONMENT = \
|
||||
|
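--- /dev/null
+++ b/libraries/libapparmor/swig/python/test/buildpath.py
@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+# the build path has changed in setuptools 62.1:
+# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894
+import sys
+import sysconfig
+import setuptools
+
+
+if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+    identifier = sys.implementation.cache_tag
+else:
+    identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))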
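Review bot: `tuple(map(int, setuptools.__version__.split(".")))` raises `ValueError` for any setuptools version with a non-numeric component (`62.1.0.post1`, `65.5.0rc1`, distro-patched strings), and the unconditional `import setuptools` makes the script fail outright on an interpreter without setuptools even though the pre-62.1 path needs only `sys`. Compare just the leading numeric components and treat a missing setuptools as "old layout". Only the version detection changes; the print line stays as is.
```python
# … unchanged: shebang, comments, import sys / import sysconfig …

try:
    import setuptools
    # keep only leading all-digit components so post/rc/dev suffixes parse
    _setuptools_version = tuple(
        int(part) for part in setuptools.__version__.split(".")[:2] if part.isdigit()
    )
except ImportError:
    _setuptools_version = ()

if _setuptools_version >= (62, 1):
    identifier = sys.implementation.cache_tag
else:
    identifier = "%d.%d" % sys.version_info[:2]
# … unchanged: print(...) …
```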
@@ -74,7 +74,7 @@ class AAPythonBindingsTests(unittest.TestCase):
|
||||
libapparmor.free_record(swig_record)
|
||||
|
||||
expected = self.parse_output_file(outfile)
|
||||
self.assertEquals(expected, record,
|
||||
self.assertEqual(expected, record,
|
||||
"expected records did not match\n" +
|
||||
"expected = %s\nactual = %s" % (expected, record))
|
||||
|
||||
@@ -90,7 +90,7 @@ class AAPythonBindingsTests(unittest.TestCase):
|
||||
line = l.rstrip('\n')
|
||||
count += 1
|
||||
if line == "START":
|
||||
self.assertEquals(count, 1,
|
||||
self.assertEqual(count, 1,
|
||||
"Unexpected output format in %s" % (outfile))
|
||||
continue
|
||||
else:
|
||||
|
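--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/symlink.in
@@ -0,0 +1 @@
+Aug 3 00:00:41 liuchao-virtual-machine kernel: [ 4362.615262] audit: type=1400 audit(1596384041.705:290): apparmor="DENIED" operation="symlink" profile="/home/test.sh" name="/home/b.c" pid=8016 comm="ln" requested_mask="c" denied_mask="c" fsuid=0 ouid=0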
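--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/symlink.out
@@ -0,0 +1,15 @@
+START
+File: symlink.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1596384041.705:290
+Operation: symlink
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/test.sh
+Name: /home/b.c
+Command: ln
+PID: 8016
+Epoch: 1596384041
+Audit subid: 290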
@@ -0,0 +1,4 @@
|
||||
/home/test.sh {
|
||||
owner /home/b.c w,
|
||||
|
||||
}
|
@@ -94,6 +94,10 @@ AAREOBJECTS = $(AAREOBJECT)
|
||||
AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS)
|
||||
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
|
||||
|
||||
ifdef WITH_LIBINTL
|
||||
AALIB += -lintl
|
||||
endif
|
||||
|
||||
ifdef USE_SYSTEM
|
||||
# Using the system libapparmor so Makefile dependencies can't be used
|
||||
LIBAPPARMOR_A =
|
||||
@@ -281,14 +285,23 @@ parser_version.h: Makefile
|
||||
# as well as the filtering that occurs for network protocols that
|
||||
# apparmor should not mediate.
|
||||
|
||||
.PHONY: af_names.h
|
||||
af_names.h:
|
||||
echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
|
||||
echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
|
||||
af_names.h: ../common/list_af_names.sh
|
||||
../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
|
||||
../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
|
||||
# cat $@
|
||||
|
||||
cap_names.h: /usr/include/linux/capability.h
|
||||
echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
|
||||
generated_cap_names.h: /usr/include/linux/capability.h
|
||||
../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
|
||||
|
||||
cap_names.h: generated_cap_names.h base_cap_names.h
|
||||
@LC_ALL=C sed -e 's/\([^,]*,[^,]*,\) CAP_[A-Z0-9_]\+,/\1 NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h | grep '^\+[^+]' ; \
|
||||
if [ $$? -eq 1 ] ; then \
|
||||
cp base_cap_names.h $@ ; \
|
||||
else \
|
||||
echo "Error: new capabilities detected please update base_cap_names.h with values from generated_cap_names.h" ; \
|
||||
LC_ALL=C sed -e 's/\([^,]*,[^,]*,\) CAP_[A-Z0-9_]\+,/\1 NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h ; \
|
||||
exit 1; \
|
||||
fi
|
||||
|
||||
tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
|
||||
$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
|
||||
@@ -304,10 +317,7 @@ tests: apparmor_parser ${TESTS}
|
||||
sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
|
||||
$(Q)$(MAKE) -s -C tst tests
|
||||
|
||||
# always need to rebuild.
|
||||
.SILENT: $(AAREOBJECT)
|
||||
.PHONY: $(AAREOBJECT)
|
||||
$(AAREOBJECT):
|
||||
$(AAREOBJECT): FORCE
|
||||
$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
|
||||
|
||||
.PHONY: install-rhel4
|
||||
@@ -363,7 +373,9 @@ INSTALLDEPS+=install-$(DISTRO)
|
||||
endif
|
||||
|
||||
.PHONY: install
|
||||
install: install-indep install-arch
|
||||
install:
|
||||
$(MAKE) install-indep
|
||||
$(MAKE) install-arch
|
||||
|
||||
.PHONY: install-arch
|
||||
install-arch: $(INSTALLDEPS)
|
||||
@@ -402,9 +414,10 @@ clean: pod_clean
|
||||
rm -f parser_version.h
|
||||
rm -f $(NAME)*.tar.gz $(NAME)*.tgz
|
||||
rm -f af_names.h
|
||||
rm -f cap_names.h
|
||||
rm -f cap_names.h generated_cap_names.h
|
||||
rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/
|
||||
$(MAKE) -s -C $(AAREDIR) clean
|
||||
$(MAKE) -s -C po clean
|
||||
$(MAKE) -s -C tst clean
|
||||
|
||||
FORCE:
|
||||
|
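Review bot: `af_names.h: ../common/list_af_names.sh` makes the generated header depend only on the script, so once it exists a newer `<sys/socket.h>` (new address families) will not regenerate it until `make clean`; the previous rule was always rebuilt, assuming the `.PHONY: af_names.h` line goes away together with the old `echo "$(AF_NAMES)"` recipe, which the ordering in the hunk suggests but the rendering cannot prove. The `generated_cap_names.h` rule directly below keeps `/usr/include/linux/capability.h` as a prerequisite; give af_names.h the equivalent, `af_names.h: ../common/list_af_names.sh` plus the socket header path the script actually reads (it is under a multiarch directory on Debian-style systems, so a configure-time probe may be needed). Note also that the `cap_names.h` check is one-directional: `grep '^\+[^+]'` flags capabilities the local headers know but base_cap_names.h does not, while an entry in base_cap_names.h that the local headers lack (e.g. `CAP_BPF` on older headers) is copied through unchanged and only fails later at compile time with an undeclared identifier, unless a fallback definition exists elsewhere in the parser, which is not visible in this compare.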
@@ -151,9 +151,11 @@ int unix_rule::expand_variables(void)
|
||||
error = expand_entry_variables(&addr);
|
||||
if (error)
|
||||
return error;
|
||||
filter_slashes(addr);
|
||||
error = expand_entry_variables(&peer_addr);
|
||||
if (error)
|
||||
return error;
|
||||
filter_slashes(peer_addr);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -202,14 +204,18 @@ void unix_rule::downgrade_rule(Profile &prof) {
|
||||
yyerror(_("Memory allocation error."));
|
||||
if (sock_type_n != -1)
|
||||
mask = 1 << sock_type_n;
|
||||
if (deny) {
|
||||
prof.net.deny[AF_UNIX] |= mask;
|
||||
if (!audit)
|
||||
prof.net.quiet[AF_UNIX] |= mask;
|
||||
} else {
|
||||
if (!deny) {
|
||||
prof.net.allow[AF_UNIX] |= mask;
|
||||
if (audit)
|
||||
prof.net.audit[AF_UNIX] |= mask;
|
||||
} else {
|
||||
/* deny rules have to be dropped because the downgrade makes
|
||||
* the rule less specific meaning it will make the profile more
|
||||
* restrictive and may end up denying accesses that might be
|
||||
* allowed by the profile.
|
||||
*/
|
||||
if (warnflags & WARN_RULE_NOT_ENFORCED)
|
||||
warn_once(prof.name, "deny unix socket rule not enforced, can't be downgraded to generic network rule\n");
|
||||
}
|
||||
}
|
||||
|
||||
|
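Review bot: in the `downgrade_rule` hunk the deny branch now drops the rule entirely, which makes the emitted policy more permissive than the profile text, and the only indication is a warning gated on `WARN_RULE_NOT_ENFORCED`; for a deny rule that is a security-relevant silent change, so either emit the warning unconditionally here or make sure the man page states that `deny unix` rules are ignored when the kernel lacks fine-grained unix mediation. In the `expand_variables` hunk, `filter_slashes(addr)` and `filter_slashes(peer_addr)` are applied to socket addresses: if filter_slashes collapses repeated `/` the way its name suggests, that rewrites abstract socket names (arbitrary byte strings after the leading `@`), and both fields are presumably optional and may be NULL, so the helper must tolerate that — its body is not on this page, so confirm both before merging. The same filter_slashes additions appear in the dbus.cc hunk (`path`) and the mount.cc hunk (`mnt_point`, `device`), where `device` is likewise optional.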
@@ -664,7 +664,7 @@ and other operations that are typically reserved for the root user.
|
||||
|
||||
AppArmor supports simple coarse grained network mediation. The network
|
||||
rule restrict all socket(2) based operations. The mediation done is
|
||||
a course grained check on whether a socket of a given type and family
|
||||
a coarse-grained check on whether a socket of a given type and family
|
||||
can be created, read, or written. There is no mediation based of port
|
||||
number or protocol beyond tcp, udp, and raw. Network netlink(7) rules may
|
||||
only specify type 'dgram' and 'raw'.
|
||||
@@ -1279,6 +1279,7 @@ provided AppArmor policy:
|
||||
@{apparmorfs}
|
||||
@{sys}
|
||||
@{tid}
|
||||
@{run}
|
||||
@{XDG_DESKTOP_DIR}
|
||||
@{XDG_DOWNLOAD_DIR}
|
||||
@{XDG_TEMPLATES_DIR}
|
||||
|
@@ -314,12 +314,15 @@ Eg.
|
||||
-jx4 OR --jobs=x4 sets the jobs to # of cpus * 4
|
||||
-jx1 is equivalent to -jauto
|
||||
|
||||
The default value is the number of cpus in the system.
|
||||
The default value is the number of cpus in the system. Note that if jobs
|
||||
is a positive integer number the --jobs-max parameter is automatically
|
||||
set to the same value.
|
||||
|
||||
=item --max-jobs n
|
||||
|
||||
Set a hard cap on the value that can be specified by the --jobs flag.
|
||||
It takes the same set of options available to the --jobs option, and
|
||||
When --jobs is set to a scaling value (ie. auto or xN) the specify a
|
||||
hard cap on the value that can be specified by the --jobs flag. It
|
||||
takes the same set of options available to the --jobs option, and
|
||||
defaults to 8*cpus
|
||||
|
||||
=item -O n, --optimize=n
|
||||
|
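--- /dev/null
+++ b/parser/base_cap_names.h
@@ -0,0 +1,82 @@
+{"audit_control", CAP_AUDIT_CONTROL},
+
+{"audit_read", CAP_AUDIT_READ},
+
+{"audit_write", CAP_AUDIT_WRITE},
+
+{"block_suspend", CAP_BLOCK_SUSPEND},
+
+{"bpf", CAP_BPF},
+
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE},
+
+{"chown", CAP_CHOWN},
+
+{"dac_override", CAP_DAC_OVERRIDE},
+
+{"dac_read_search", CAP_DAC_READ_SEARCH},
+
+{"fowner", CAP_FOWNER},
+
+{"fsetid", CAP_FSETID},
+
+{"ipc_lock", CAP_IPC_LOCK},
+
+{"ipc_owner", CAP_IPC_OWNER},
+
+{"kill", CAP_KILL},
+
+{"lease", CAP_LEASE},
+
+{"linux_immutable", CAP_LINUX_IMMUTABLE},
+
+{"mac_admin", CAP_MAC_ADMIN},
+
+{"mac_override", CAP_MAC_OVERRIDE},
+
+{"mknod", CAP_MKNOD},
+
+{"net_admin", CAP_NET_ADMIN},
+
+{"net_bind_service", CAP_NET_BIND_SERVICE},
+
+{"net_broadcast", CAP_NET_BROADCAST},
+
+{"net_raw", CAP_NET_RAW},
+
+{"perfmon", CAP_PERFMON},
+
+{"setfcap", CAP_SETFCAP},
+
+{"setgid", CAP_SETGID},
+
+{"setpcap", CAP_SETPCAP},
+
+{"setuid", CAP_SETUID},
+
+{"syslog", CAP_SYSLOG},
+
+{"sys_admin", CAP_SYS_ADMIN},
+
+{"sys_boot", CAP_SYS_BOOT},
+
+{"sys_chroot", CAP_SYS_CHROOT},
+
+{"sys_module", CAP_SYS_MODULE},
+
+{"sys_nice", CAP_SYS_NICE},
+
+{"sys_pacct", CAP_SYS_PACCT},
+
+{"sys_ptrace", CAP_SYS_PTRACE},
+
+{"sys_rawio", CAP_SYS_RAWIO},
+
+{"sys_resource", CAP_SYS_RESOURCE},
+
+{"sys_time", CAP_SYS_TIME},
+
+{"sys_tty_config", CAP_SYS_TTY_CONFIG},
+
+{"wake_alarm", CAP_WAKE_ALARM},
+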
@@ -179,6 +179,7 @@ int dbus_rule::expand_variables(void)
|
||||
error = expand_entry_variables(&path);
|
||||
if (error)
|
||||
return error;
|
||||
filter_slashes(path);
|
||||
error = expand_entry_variables(&interface);
|
||||
if (error)
|
||||
return error;
|
||||
|
@@ -486,18 +486,32 @@ ostream &mnt_rule::dump(ostream &os)
|
||||
/* does not currently support expansion of vars in options */
|
||||
int mnt_rule::expand_variables(void)
|
||||
{
|
||||
struct value_list *ent;
|
||||
int error = 0;
|
||||
|
||||
error = expand_entry_variables(&mnt_point);
|
||||
if (error)
|
||||
return error;
|
||||
filter_slashes(mnt_point);
|
||||
error = expand_entry_variables(&device);
|
||||
if (error)
|
||||
return error;
|
||||
filter_slashes(device);
|
||||
error = expand_entry_variables(&trans);
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
list_for_each(dev_type, ent) {
|
||||
error = expand_entry_variables(&ent->value);
|
||||
if (error)
|
||||
return error;
|
||||
}
|
||||
list_for_each(opts, ent) {
|
||||
error = expand_entry_variables(&ent->value);
|
||||
if (error)
|
||||
return error;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@@ -367,6 +367,7 @@ extern int post_process_entry(struct cod_entry *entry);
|
||||
extern int process_policydb(Profile *prof);
|
||||
|
||||
extern int process_policy_ents(Profile *prof);
|
||||
extern void filter_slashes(char *path);
|
||||
|
||||
/* parser_variable.c */
|
||||
int expand_entry_variables(char **name);
|
||||
|
@@ -24,6 +24,7 @@
|
||||
%option noyywrap
|
||||
%option nounput
|
||||
%option stack
|
||||
%option nodefault
|
||||
|
||||
%{
|
||||
#include <stdio.h>
|
||||
@@ -179,6 +180,7 @@ void include_filename(char *filename, int search, bool if_exists)
|
||||
yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
|
||||
} else if (S_ISDIR(my_stat.st_mode)) {
|
||||
struct cb_struct data = { fullpath, filename };
|
||||
update_mru_tstamp(include_file, fullpath);
|
||||
fclose(include_file);
|
||||
include_file = NULL;
|
||||
if (dirat_for_each(AT_FDCWD, fullpath, &data, include_dir_cb)) {
|
||||
@@ -240,7 +242,16 @@ ADD_ASSIGN \+=
|
||||
ARROW ->
|
||||
LT_EQUAL <=
|
||||
|
||||
/* IF adding new state please update state_names table at eof */
|
||||
/* IF adding new state please update state_names table and default rule (just
|
||||
* above the state_names table) at the eof.
|
||||
*
|
||||
* The nodefault option is set so missing adding to the default rule isn't
|
||||
* fatal but can't take advantage of additional debug the default rule might
|
||||
* have.
|
||||
*
|
||||
* If a state is not added to the default rule it can result in the message
|
||||
* "flex scanner jammed"
|
||||
*/
|
||||
%x SUB_ID
|
||||
%x SUB_ID_WS
|
||||
%x SUB_VALUE
|
||||
@@ -274,7 +285,7 @@ LT_EQUAL <=
|
||||
}
|
||||
%}
|
||||
|
||||
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
|
||||
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
|
||||
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
|
||||
}
|
||||
|
||||
@@ -469,6 +480,7 @@ LT_EQUAL <=
|
||||
\\\n { DUMP_PREPROCESS; current_lineno++ ; }
|
||||
|
||||
\r?\n {
|
||||
/* don't use shared rule because we need POP() here */
|
||||
DUMP_PREPROCESS;
|
||||
current_lineno++;
|
||||
POP();
|
||||
@@ -695,18 +707,20 @@ include/{WS} {
|
||||
POP_NODUMP();
|
||||
RETURN_TOKEN(TOK_END_OF_RULE);
|
||||
}
|
||||
}
|
||||
|
||||
\r?\n {
|
||||
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
|
||||
\r?\n {
|
||||
DUMP_PREPROCESS;
|
||||
current_lineno++;
|
||||
}
|
||||
}
|
||||
|
||||
<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
|
||||
[^\n] {
|
||||
<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODE,INCLUDE,INCLUDE_EXISTS,ABI_MODE>{
|
||||
(.|\n) {
|
||||
DUMP_PREPROCESS;
|
||||
/* Something we didn't expect */
|
||||
yyerror(_("Found unexpected character: '%s'"), yytext);
|
||||
yyerror(_("Lexer found unexpected character: '%s' (0x%x) in state: %s"), yytext, yytext[0], state_names[YY_START].c_str());
|
||||
}
|
||||
}
|
||||
%%
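Review bot: `yytext[0]` is passed to `%x` as a plain `char` in the new yyerror call; where `char` is signed, any byte at or above 0x80 (UTF-8 in a profile, for instance) is sign-extended and prints as `0xffffffxx`, so the argument should be `(unsigned char)yytext[0]`. `state_names[YY_START]` relies on the hand-maintained table at the end of the file having an entry for every state, including the newly listed RLIMIT_MODE, INCLUDE, INCLUDE_EXISTS and ABI_MODE; the index is not range-checked here. Because `%option nodefault` is now set (hunk at `@@ -24`), a state missing from this `(.|\n)` rule's list no longer falls through silently but aborts with "flex scanner jammed", as the updated comment in the `@@ -240` hunk says, so the list should be kept in step with the `%x` declarations.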
|
||||
|
@@ -638,6 +638,8 @@ static int process_arg(int c, char *optarg)
|
||||
break;
|
||||
case 'j':
|
||||
jobs = process_jobs_arg("-j", optarg);
|
||||
if (jobs != JOBS_AUTO && jobs < LONG_MAX)
|
||||
jobs_max = jobs;
|
||||
break;
|
||||
case 136:
|
||||
jobs_max = process_jobs_arg("max-jobs", optarg);
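Review bot: The new `-j` branch makes `jobs_max` depend on argument order: `-j N` overwrites any earlier `--max-jobs` value with N, while `--max-jobs` given after `-j` overrides it back, and neither case is reported to the user. If the intent is that an explicit `-j` count should never be capped, that is clearer as a separate flag than as a rewrite of `jobs_max`, or at least should be documented on the added lines: `/* an explicit -j count is never capped by max-jobs; a later --max-jobs still wins */`. The `jobs < LONG_MAX` guard suggests process_jobs_arg uses LONG_MAX as a sentinel, which is not visible in the hunk. process_arg starts and ends outside the hunk.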
|
||||
@@ -1183,6 +1185,8 @@ static void setup_parallel_compile(void)
|
||||
if (maxn == -1)
|
||||
/* unable to determine number of processors, default to 1 */
|
||||
maxn = 1;
|
||||
if (jobs < 0 || jobs == JOBS_AUTO)
|
||||
jobs_scale = 1;
|
||||
jobs = compute_jobs(n, jobs);
|
||||
jobs_max = compute_jobs(maxn, jobs_max);
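Review bot: `jobs_scale` is declared and initialised outside this hunk, so whether it starts at 0 is not visible; the added `if (jobs < 0 || jobs == JOBS_AUTO) jobs_scale = 1;` together with the `@@ -1190` hunk (`else if (jobs_scale && jobs < jobs_max)`) reads as "only auto-scale when the user did not pin the job count with -j", but nothing in the code says so. A comment on the added line such as `/* explicit -j N disables scaling; only auto or cpu-relative job counts are scaled */` would make the intent checkable, and the `jobs < 0` case (presumably a cpu-multiplier encoding) should be named in it. After the `@@ -1190` hunk, jobs_scale keeps the value 1 whenever jobs is not below jobs_max, so any later code that treats it as a count rather than a flag must cope with 1. setup_parallel_compile continues outside both hunks.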
|
||||
|
||||
@@ -1190,7 +1194,7 @@ static void setup_parallel_compile(void)
|
||||
pwarn("%s: Warning capping number of jobs to %ld * # of cpus == '%ld'",
|
||||
progname, jobs_max, jobs);
|
||||
jobs = jobs_max;
|
||||
} else if (jobs < jobs_max)
|
||||
} else if (jobs_scale && jobs < jobs_max)
|
||||
/* the bigger the difference the more sample chances given */
|
||||
jobs_scale = jobs_max + 1 - n;
|
||||
|
||||
|
@@ -61,9 +61,14 @@ int is_blacklisted(const char *name, const char *path)
|
||||
return !retval ? 0 : 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* WARNING: if the format of the following table is changed then
|
||||
* the Makefile targets, cap_names.h and generated_cap_names.h
|
||||
* must be updated.
|
||||
*/
|
||||
struct keyword_table {
|
||||
const char *keyword;
|
||||
int token;
|
||||
unsigned int token;
|
||||
};
|
||||
|
||||
static struct keyword_table keyword_table[] = {
|
||||
@@ -165,12 +170,59 @@ static int get_table_token(const char *name unused, struct keyword_table *table,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
#ifndef CAP_AUDIT_WRITE
|
||||
#define CAP_AUDIT_WRITE 29
|
||||
#endif
|
||||
|
||||
#ifndef CAP_AUDIT_CONTROL
|
||||
#define CAP_AUDIT_CONTROL 30
|
||||
#endif
|
||||
|
||||
#ifndef CAP_SETFCAP
|
||||
#define CAP_SETFCAP 31
|
||||
#endif
|
||||
|
||||
#ifndef CAP_MAC_OVERRIDE
|
||||
#define CAP_MAC_OVERRIDE 32
|
||||
#endif
|
||||
|
||||
#ifndef CAP_MAC_ADMIN
|
||||
#define CAP_MAC_ADMIN 33
|
||||
#endif
|
||||
|
||||
#ifndef CAP_SYSLOG
|
||||
#define CAP_SYSLOG 34
|
||||
#endif
|
||||
|
||||
#ifndef CAP_WAKE_ALARM
|
||||
#define CAP_WAKE_ALARM 35
|
||||
#endif
|
||||
|
||||
#ifndef CAP_BLOCK_SUSPEND
|
||||
#define CAP_BLOCK_SUSPEND 36
|
||||
#endif
|
||||
|
||||
#ifndef CAP_AUDIT_READ
|
||||
#define CAP_AUDIT_READ 37
|
||||
#endif
|
||||
|
||||
#ifndef CAP_PERFMON
|
||||
#define CAP_PERFMON 38
|
||||
#endif
|
||||
|
||||
#ifndef CAP_BPF
|
||||
#define CAP_BPF 39
|
||||
#endif
|
||||
|
||||
#ifndef CAP_CHECKPOINT_RESTORE
|
||||
#define CAP_CHECKPOINT_RESTORE 40
|
||||
#endif
|
||||
|
||||
static struct keyword_table capability_table[] = {
|
||||
/* capabilities */
|
||||
#include "cap_names.h"
|
||||
#ifndef CAP_SYSLOG
|
||||
{"syslog", 34},
|
||||
#endif
|
||||
|
||||
/* terminate */
|
||||
{NULL, 0}
|
||||
};
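Review bot: The block of `#ifndef CAP_* / #define CAP_* N` fallbacks has no comment explaining that it exists for building against system headers older than the capability set the policy language supports, or that the numbers must track the kernel's `include/uapi/linux/capability.h`. Because `#ifndef` lets whatever a system header defines win silently, a value that disagreed with the policy's assumed bit position would not be caught at compile time, so a short comment such as `/* fallbacks for capabilities missing from older system headers; values must match the kernel uapi numbering */` would stop a future edit from guessing. Dropping the old `#ifndef CAP_SYSLOG {"syslog", 34}` entry from capability_table is consistent with the new CAP_SYSLOG fallback above it, as long as cap_names.h is the single source of table entries.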
|
||||
@@ -832,52 +884,16 @@ void debug_cod_entries(struct cod_entry *list)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static const char *capnames[] = {
|
||||
"chown",
|
||||
"dac_override",
|
||||
"dac_read_search",
|
||||
"fowner",
|
||||
"fsetid",
|
||||
"kill",
|
||||
"setgid",
|
||||
"setuid",
|
||||
"setpcap",
|
||||
"linux_immutable",
|
||||
"net_bind_service",
|
||||
"net_broadcast",
|
||||
"net_admin",
|
||||
"net_raw",
|
||||
"ipc_lock",
|
||||
"ipc_owner",
|
||||
"sys_module",
|
||||
"sys_rawio",
|
||||
"sys_chroot",
|
||||
"sys_ptrace",
|
||||
"sys_pacct",
|
||||
"sys_admin",
|
||||
"sys_boot",
|
||||
"sys_nice",
|
||||
"sys_resource",
|
||||
"sys_time",
|
||||
"sys_tty_config",
|
||||
"mknod",
|
||||
"lease",
|
||||
"audit_write",
|
||||
"audit_control",
|
||||
"setfcap",
|
||||
"mac_override",
|
||||
"syslog",
|
||||
};
|
||||
|
||||
const char *capability_to_name(unsigned int cap)
|
||||
{
|
||||
const char *capname;
|
||||
int i;
|
||||
|
||||
capname = (cap < (sizeof(capnames) / sizeof(char *))
|
||||
? capnames[cap] : "invalid-capability");
|
||||
for (i = 0; capability_table[i].keyword; i++) {
|
||||
if (capability_table[i].token == cap)
|
||||
return capability_table[i].keyword;
|
||||
}
|
||||
|
||||
return capname;
|
||||
return "invalid-capability";
|
||||
}
|
||||
|
||||
void __debug_capabilities(uint64_t capset, const char *name)
|
||||
@@ -885,10 +901,10 @@ void __debug_capabilities(uint64_t capset, const char *name)
|
||||
unsigned int i;
|
||||
|
||||
printf("%s:", name);
|
||||
for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
|
||||
if (((1ull << i) & capset) != 0) {
|
||||
printf (" %s", capability_to_name(i));
|
||||
}
|
||||
|
||||
for (i = 0; capability_table[i].keyword; i++) {
|
||||
if ((1ull << capability_table[i].token) & capset)
|
||||
printf (" %s", capability_table[i].keyword);
|
||||
}
|
||||
printf("\n");
|
||||
}
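Review bot: `1ull << capability_table[i].token` is undefined behaviour when token is 64 or more, and the loop no longer has the implicit bound the old `capnames` array size gave it; the table is generated from cap_names.h and the fallback values already reach 40, so a future capability past bit 63 would silently misbehave here instead of being skipped. A guard keeps it well defined: `if (capability_table[i].token < 64 && ((1ull << capability_table[i].token) & capset))`. The printed order also changes from bit order to table order, which only matters if something parses this debug output.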
|
||||
|
@@ -204,9 +204,8 @@ static int profile_add_hat_rules(Profile *prof)
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
|
||||
/* TODO: ??? fix logic for when to add to hat/base vs. local */
|
||||
/* don't add hat rules for local_profiles or base profiles */
|
||||
if (prof->local || prof->hat_table.empty())
|
||||
/* don't add hat rules if not hat or profile doesn't have hats */
|
||||
if (!prof->flags.hat || !prof->hat_table.empty())
|
||||
return 0;
|
||||
|
||||
/* add entry to hat */
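Review bot: The new comment and the new condition disagree: `/* don't add hat rules if not hat or profile doesn't have hats */` describes returning early when the hat table is empty, but `!prof->hat_table.empty()` returns early when the table is non-empty, so the rule added below is now attached only to hats that have no sub-hats. Which of the two is intended cannot be told from the hunk — the old code attached the rule to non-local profiles that have hats, so this is a deliberate reversal of who gets it, or an inverted `!`. Whichever is right, make the comment match the code, e.g. `/* the rule below goes on hats only; skip non-hats and any profile that itself has hats */`, since the current pair will mislead the next reader. profile_add_hat_rules continues outside the hunk.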
|
||||
|
@@ -47,7 +47,7 @@ enum error_type {
|
||||
* that's a distinct namespace in linux) and trailing slashes.
|
||||
* NOTE: modifies in place the contents of the path argument */
|
||||
|
||||
static void filter_slashes(char *path)
|
||||
void filter_slashes(char *path)
|
||||
{
|
||||
char *sptr, *dptr;
|
||||
BOOL seen_slash = 0;
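Review bot: Now that filter_slashes is exported (declared in the `@@ -367` parser.h hunk) and called from the dbus and mount rule expanders, its comment should state the contract external callers rely on: the argument must be a non-NULL, NUL-terminated string, and the output is never longer than the input, so rewriting the caller's buffer in place is safe. The body shows no NULL check, so a sentence such as `Caller must pass a non-NULL string; the result only ever shrinks` would be enough. The function body continues beyond the hunk.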
|
||||
@@ -564,6 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
||||
int pos;
|
||||
vec[0] = tbuf.c_str();
|
||||
if (entry->link_name) {
|
||||
filter_slashes(entry->link_name);
|
||||
ptype = convert_aaregex_to_pcre(entry->link_name, 0, glob_default, lbuf, &pos);
|
||||
if (ptype == ePatternInvalid)
|
||||
return FALSE;
|
||||
|
@@ -1,5 +1,5 @@
|
||||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR NOVELL, Inc.
|
||||
# Copyright (C) YEAR Canonical Ltd
|
||||
# This file is distributed under the same license as the PACKAGE package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
@@ -8,7 +8,7 @@ msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
|
||||
"POT-Creation-Date: 2014-09-13 00:11-0700\n"
|
||||
"POT-Creation-Date: 2020-10-14 03:35-0700\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
@@ -17,95 +17,106 @@ msgstr ""
|
||||
"Content-Type: text/plain; charset=CHARSET\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#: ../parser_include.c:113 ../parser_include.c:111
|
||||
#: ../parser_include.c:113 ../parser_include.c:111 ../parser_include.c:114
|
||||
msgid "Error: Out of memory.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_include.c:123 ../parser_include.c:121
|
||||
#: ../parser_include.c:123 ../parser_include.c:121 ../parser_include.c:124
|
||||
#, c-format
|
||||
msgid "Error: basedir %s is not a directory, skipping.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_include.c:137
|
||||
#: ../parser_include.c:137 ../parser_include.c:140
|
||||
#, c-format
|
||||
msgid "Error: Could not add directory %s to search path.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_include.c:147 ../parser_include.c:151
|
||||
#: ../parser_include.c:147 ../parser_include.c:151 ../parser_include.c:154
|
||||
msgid "Error: Could not allocate memory.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
|
||||
#: ../parser_interface.c:52
|
||||
msgid "Bad write position\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
|
||||
#: ../parser_interface.c:55
|
||||
msgid "Permission denied\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
|
||||
#: ../parser_interface.c:58
|
||||
msgid "Out of memory\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
|
||||
#: ../parser_interface.c:61
|
||||
msgid "Couldn't copy profile: Bad memory address\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
|
||||
#: ../parser_interface.c:64
|
||||
msgid "Profile doesn't conform to protocol\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
|
||||
#: ../parser_interface.c:67
|
||||
msgid "Profile does not match signature\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
|
||||
#: ../parser_interface.c:70
|
||||
msgid "Profile version not supported by Apparmor module\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
|
||||
#: ../parser_interface.c:73
|
||||
msgid "Profile already exists\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
|
||||
#: ../parser_interface.c:76
|
||||
msgid "Profile doesn't exist\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
|
||||
#: ../parser_interface.c:79
|
||||
msgid "Permission denied; attempted to load a profile while confined?\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
|
||||
#: ../parser_interface.c:82
|
||||
#, c-format
|
||||
msgid "Unknown error (%d): %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:116 ../parser_interface.c:119
|
||||
#: ../parser_interface.c:96
|
||||
#: ../parser_interface.c:116 ../parser_interface.c:119 ../parser_interface.c:96
|
||||
#: ../parser_interface.c:100
|
||||
#, c-format
|
||||
msgid "%s: Unable to add \"%s\". "
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:121 ../parser_interface.c:124
|
||||
#: ../parser_interface.c:101
|
||||
#: ../parser_interface.c:101 ../parser_interface.c:105
|
||||
#, c-format
|
||||
msgid "%s: Unable to replace \"%s\". "
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:126 ../parser_interface.c:129
|
||||
#: ../parser_interface.c:106
|
||||
#: ../parser_interface.c:106 ../parser_interface.c:110
|
||||
#, c-format
|
||||
msgid "%s: Unable to remove \"%s\". "
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:131 ../parser_interface.c:134
|
||||
#: ../parser_interface.c:111
|
||||
#: ../parser_interface.c:111 ../parser_interface.c:115
|
||||
#, c-format
|
||||
msgid "%s: Unable to write to stdout\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:135 ../parser_interface.c:138
|
||||
#: ../parser_interface.c:115
|
||||
#: ../parser_interface.c:115 ../parser_interface.c:119
|
||||
#, c-format
|
||||
msgid "%s: Unable to write to output file\n"
|
||||
msgstr ""
|
||||
@@ -113,24 +124,25 @@ msgstr ""
|
||||
#: ../parser_interface.c:138 ../parser_interface.c:162
|
||||
#: ../parser_interface.c:141 ../parser_interface.c:165
|
||||
#: ../parser_interface.c:118 ../parser_interface.c:142
|
||||
#: ../parser_interface.c:122 ../parser_interface.c:146
|
||||
#, c-format
|
||||
msgid "%s: ASSERT: Invalid option: %d\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:147 ../parser_interface.c:150
|
||||
#: ../parser_interface.c:127
|
||||
#: ../parser_interface.c:127 ../parser_interface.c:131
|
||||
#, c-format
|
||||
msgid "Addition succeeded for \"%s\".\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:151 ../parser_interface.c:154
|
||||
#: ../parser_interface.c:131
|
||||
#: ../parser_interface.c:131 ../parser_interface.c:135
|
||||
#, c-format
|
||||
msgid "Replacement succeeded for \"%s\".\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:155 ../parser_interface.c:158
|
||||
#: ../parser_interface.c:135
|
||||
#: ../parser_interface.c:135 ../parser_interface.c:139
|
||||
#, c-format
|
||||
msgid "Removal succeeded for \"%s\".\n"
|
||||
msgstr ""
|
||||
@@ -141,7 +153,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:656 ../parser_interface.c:658
|
||||
#: ../parser_interface.c:446
|
||||
#: ../parser_interface.c:446 ../parser_interface.c:448
|
||||
#, c-format
|
||||
msgid "profile %s network rules not enforced\n"
|
||||
msgstr ""
|
||||
@@ -186,12 +198,12 @@ msgid "%s: Unable to write entire profile entry\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:839 ../parser_interface.c:831
|
||||
#: ../parser_interface.c:593
|
||||
#: ../parser_interface.c:593 ../parser_interface.c:551
|
||||
#, c-format
|
||||
msgid "%s: Unable to write entire profile entry to cache\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
|
||||
#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169 parser_lex.l:168
|
||||
#, c-format
|
||||
msgid "Could not open '%s'"
|
||||
msgstr ""
|
||||
@@ -211,7 +223,7 @@ msgstr ""
|
||||
msgid "stat failed for '%s'"
|
||||
msgstr ""
|
||||
|
||||
#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
|
||||
#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139 parser_lex.l:138
|
||||
#, c-format
|
||||
msgid "Could not open '%s' in '%s'"
|
||||
msgstr ""
|
||||
@@ -222,7 +234,7 @@ msgstr ""
|
||||
msgid "Found unexpected character: '%s'"
|
||||
msgstr ""
|
||||
|
||||
#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
|
||||
#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428 parser_lex.l:477
|
||||
msgid "Variable declarations do not accept trailing commas"
|
||||
msgstr ""
|
||||
|
||||
@@ -232,6 +244,7 @@ msgid "(network_mode) Found unexpected character: '%s'"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
|
||||
#: ../parser_common.c:107
|
||||
#, c-format
|
||||
msgid "Warning from %s (%s%sline %d): %s"
|
||||
msgstr ""
|
||||
@@ -242,6 +255,7 @@ msgid "%s: Could not allocate memory for subdomainbase mount point\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
|
||||
#: ../parser_main.c:1302
|
||||
#, c-format
|
||||
msgid ""
|
||||
"Warning: unable to find a suitable fs in %s, is it mounted?\n"
|
||||
@@ -249,6 +263,7 @@ msgid ""
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
|
||||
#: ../parser_main.c:730
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: Sorry. You need root privileges to run this program.\n"
|
||||
@@ -256,6 +271,7 @@ msgid ""
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
|
||||
#: ../parser_main.c:736
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: Warning! You've set this program setuid root.\n"
|
||||
@@ -264,7 +280,7 @@ msgid ""
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
|
||||
#: ../parser_main.c:946 ../parser_main.c:860
|
||||
#: ../parser_main.c:946 ../parser_main.c:860 ../parser_main.c:925
|
||||
#, c-format
|
||||
msgid "Error: Could not read profile %s: %s.\n"
|
||||
msgstr ""
|
||||
@@ -286,26 +302,36 @@ msgstr ""
|
||||
#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
|
||||
#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
|
||||
#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
|
||||
#: ../network.c:314 ../af_unix.cc:203
|
||||
#: ../network.c:314 ../af_unix.cc:203 ../parser_misc.c:729 parser_yacc.y:315
|
||||
#: parser_yacc.y:339 parser_yacc.y:493 parser_yacc.y:503 parser_yacc.y:614
|
||||
#: parser_yacc.y:695 parser_yacc.y:702 parser_yacc.y:1116 parser_yacc.y:1164
|
||||
#: parser_yacc.y:1200 parser_yacc.y:1204 parser_yacc.y:1214 parser_yacc.y:1224
|
||||
#: parser_yacc.y:1318 parser_yacc.y:1396 parser_yacc.y:1529 parser_yacc.y:1534
|
||||
#: parser_yacc.y:1608 parser_yacc.y:1626 parser_yacc.y:1633 parser_yacc.y:1682
|
||||
#: ../network.c:315 ../af_unix.cc:204
|
||||
msgid "Memory allocation error."
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
|
||||
#: ../parser_main.c:866
|
||||
#, c-format
|
||||
msgid "Cached load succeeded for \"%s\".\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
|
||||
#: ../parser_main.c:870
|
||||
#, c-format
|
||||
msgid "Cached reload succeeded for \"%s\".\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
|
||||
#: ../parser_main.c:1019
|
||||
#, c-format
|
||||
msgid "%s: Errors found in file. Aborting.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
|
||||
#: ../parser_misc.c:322
|
||||
msgid ""
|
||||
"Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
|
||||
"See the apparmor.d(5) manpage for details.\n"
|
||||
@@ -313,14 +339,17 @@ msgstr ""
|
||||
|
||||
#: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
|
||||
#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
|
||||
#: ../parser_misc.c:363 ../parser_misc.c:370
|
||||
msgid "Conflict 'a' and 'w' perms are mutually exclusive."
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
|
||||
#: ../parser_misc.c:387
|
||||
msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
|
||||
#: ../parser_misc.c:398
|
||||
#, c-format
|
||||
msgid ""
|
||||
"Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
|
||||
@@ -329,22 +358,26 @@ msgstr ""
|
||||
|
||||
#: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
|
||||
#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
|
||||
#: ../parser_misc.c:406 ../parser_misc.c:447
|
||||
#, c-format
|
||||
msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
|
||||
#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
|
||||
#: ../parser_misc.c:433 ../parser_misc.c:441
|
||||
#, c-format
|
||||
msgid "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
|
||||
#: ../parser_misc.c:489
|
||||
#, c-format
|
||||
msgid "Internal: unexpected mode character '%c' in input"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
|
||||
#: ../parser_misc.c:511
|
||||
#, c-format
|
||||
msgid "Internal error generated invalid perm 0x%llx\n"
|
||||
msgstr ""
|
||||
@@ -356,10 +389,12 @@ msgid "AppArmor parser error: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
|
||||
#: ../parser_merge.c:71
|
||||
msgid "Couldn't merge entries. Out of Memory\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
|
||||
#: ../parser_merge.c:93
|
||||
#, c-format
|
||||
msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
|
||||
msgstr ""
|
||||
@@ -368,119 +403,122 @@ msgstr ""
|
||||
msgid "Profile attachment must begin with a '/'."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
|
||||
#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348 parser_yacc.y:373
|
||||
msgid ""
|
||||
"Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
|
||||
#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384 parser_yacc.y:409
|
||||
#, c-format
|
||||
msgid "Failed to create alias %s -> %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
|
||||
#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506 parser_yacc.y:537
|
||||
msgid "Profile flag chroot_relative conflicts with namespace_relative"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
|
||||
#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510 parser_yacc.y:541
|
||||
msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
|
||||
#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513 parser_yacc.y:544
|
||||
msgid "Profile flag attach_disconnected conflicts with no_attach_disconnected"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
|
||||
#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516 parser_yacc.y:547
|
||||
msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
|
||||
#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530 parser_yacc.y:561
|
||||
msgid "Profile flag 'debug' is no longer valid."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
|
||||
#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552 parser_yacc.y:583
|
||||
#, c-format
|
||||
msgid "Invalid profile flag: %s."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
|
||||
#: parser_yacc.y:627
|
||||
msgid "Assert: `rule' returned NULL."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
|
||||
#: parser_yacc.y:598 parser_yacc.y:630
|
||||
#: parser_yacc.y:598 parser_yacc.y:630 parser_yacc.y:631 parser_yacc.y:663
|
||||
msgid ""
|
||||
"Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
|
||||
"'p', or 'u'"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
|
||||
#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602 parser_yacc.y:635
|
||||
msgid ""
|
||||
"Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
|
||||
#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633 parser_yacc.y:666
|
||||
msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
|
||||
#: parser_yacc.y:693
|
||||
msgid "Assert: `network_rule' return invalid protocol."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
|
||||
#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786 parser_yacc.y:819
|
||||
msgid "Assert: `change_profile' returned NULL."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
|
||||
#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810 parser_yacc.y:857
|
||||
msgid "Assert: 'hat rule' returned NULL."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
|
||||
#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819 parser_yacc.y:866
|
||||
msgid "Assert: 'local_profile rule' returned NULL."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
|
||||
#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992 parser_yacc.y:1029
|
||||
#, c-format
|
||||
msgid "Unset boolean variable %s used in if-expression"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
|
||||
#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092 parser_yacc.y:1126
|
||||
msgid "unsafe rule missing exec permissions"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
|
||||
#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060 parser_yacc.y:1093
|
||||
msgid "subset can only be used with link rules."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
|
||||
#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062 parser_yacc.y:1095
|
||||
msgid "link and exec perms conflict on a file rule using ->"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
|
||||
#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064 parser_yacc.y:1097
|
||||
msgid "link perms are not allowed on a named profile transition.\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
|
||||
#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109 parser_yacc.y:1143
|
||||
#, c-format
|
||||
msgid "missing an end of line character? (entry: %s)"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
|
||||
#: parser_yacc.y:1145 parser_yacc.y:1155
|
||||
#: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1179 parser_yacc.y:1189
|
||||
msgid "Invalid network entry."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
|
||||
#: parser_yacc.y:1554
|
||||
#, c-format
|
||||
msgid "Invalid capability %s."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
|
||||
#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525 parser_yacc.y:1569
|
||||
#, c-format
|
||||
msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
|
||||
#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531 parser_yacc.y:1575
|
||||
#, c-format
|
||||
msgid "AppArmor parser error,%s%s line %d: %s\n"
|
||||
msgstr ""
|
||||
@@ -491,17 +529,20 @@ msgid "%s: Illegal open {, nesting groupings not allowed\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
|
||||
#: ../parser_regex.c:295
|
||||
#, c-format
|
||||
msgid "%s: Regex grouping error: Invalid number of items between {}\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
|
||||
#: ../parser_regex.c:301
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: Regex grouping error: Invalid close }, no matching open { detected\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
|
||||
#: ../parser_regex.c:392
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: Regex grouping error: Unclosed grouping or character class, expecting "
|
||||
@@ -514,16 +555,19 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
|
||||
#: ../parser_regex.c:408
|
||||
#, c-format
|
||||
msgid "%s: Unable to parse input line '%s'\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
|
||||
#: ../parser_regex.c:452
|
||||
#, c-format
|
||||
msgid "%s: Invalid profile name '%s' - bad regular expression\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
|
||||
#: ../parser_policy.c:378
|
||||
#, c-format
|
||||
msgid "ERROR merging rules for profile %s, failed to load\n"
|
||||
msgstr ""
|
||||
@@ -537,16 +581,19 @@ msgid ""
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
|
||||
#: ../parser_policy.c:335
|
||||
#, c-format
|
||||
msgid "ERROR processing regexs for profile %s, failed to load\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
|
||||
#: ../parser_policy.c:365
|
||||
#, c-format
|
||||
msgid "ERROR expanding variables for profile %s, failed to load\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
|
||||
#: ../parser_policy.c:358
|
||||
#, c-format
|
||||
msgid "ERROR adding hat access rule for profile %s\n"
|
||||
msgstr ""
|
||||
@@ -586,7 +633,7 @@ msgid "Feature buffer full."
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
|
||||
#: ../parser_main.c:1041
|
||||
#: ../parser_main.c:1041 ../parser_main.c:1218 ../parser_main.c:1240
|
||||
msgid "Out of memory"
|
||||
msgstr ""
|
||||
|
||||
@@ -615,11 +662,11 @@ msgstr ""
|
||||
msgid "Internal error generated invalid DBus perm 0x%x\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:575 parser_yacc.y:621
|
||||
#: parser_yacc.y:575 parser_yacc.y:621 parser_yacc.y:654
|
||||
msgid "deny prefix not allowed"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:612 parser_yacc.y:658
|
||||
#: parser_yacc.y:612 parser_yacc.y:658 parser_yacc.y:691
|
||||
msgid "owner prefix not allowed"
|
||||
msgstr ""
|
||||
|
||||
@@ -635,41 +682,41 @@ msgstr ""
|
||||
msgid "owner prefix not allow on capability rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1357 parser_yacc.y:1613
|
||||
#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1656
|
||||
#, c-format
|
||||
msgid "invalid mount conditional %s%s"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1374 parser_yacc.y:1628
|
||||
#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1671
|
||||
msgid "bad mount rule"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1381 parser_yacc.y:1635
|
||||
#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1678
|
||||
msgid "mount point conditions not currently supported"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1398 parser_yacc.y:1650
|
||||
#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1693
|
||||
#, c-format
|
||||
msgid "invalid pivotroot conditional '%s'"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:241 ../parser_regex.c:236
|
||||
#: ../parser_regex.c:241 ../parser_regex.c:236 ../parser_regex.c:253
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:257 ../parser_regex.c:256
|
||||
#: ../parser_regex.c:257 ../parser_regex.c:256 ../parser_regex.c:273
|
||||
#, c-format
|
||||
msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:366 ../parser_policy.c:339
|
||||
#: ../parser_policy.c:366 ../parser_policy.c:339 ../parser_policy.c:342
|
||||
#, c-format
|
||||
msgid "ERROR processing policydb rules for profile %s, failed to load\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_policy.c:396 ../parser_policy.c:369
|
||||
#: ../parser_policy.c:396 ../parser_policy.c:369 ../parser_policy.c:372
|
||||
#, c-format
|
||||
msgid "ERROR replacing aliases for profile %s, failed to load\n"
|
||||
msgstr ""
|
||||
@@ -689,51 +736,170 @@ msgstr ""
|
||||
msgid "Error: Could not read cache file '%s', skipping...\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:575
|
||||
#: ../parser_misc.c:575 ../parser_misc.c:558
|
||||
#, c-format
|
||||
msgid "Internal: unexpected %s mode character '%c' in input"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:599
|
||||
#: ../parser_misc.c:599 ../parser_misc.c:582
|
||||
#, c-format
|
||||
msgid "Internal error generated invalid %s perm 0x%x\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:703
|
||||
#: parser_yacc.y:703 parser_yacc.y:736
|
||||
msgid "owner prefix not allowed on mount rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:720
|
||||
#: parser_yacc.y:720 parser_yacc.y:753
|
||||
msgid "owner prefix not allowed on dbus rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:736
|
||||
#: parser_yacc.y:736 parser_yacc.y:769
|
||||
msgid "owner prefix not allowed on signal rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:752
|
||||
#: parser_yacc.y:752 parser_yacc.y:785
|
||||
msgid "owner prefix not allowed on ptrace rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:768
|
||||
#: parser_yacc.y:768 parser_yacc.y:801 parser_yacc.y:821
|
||||
msgid "owner prefix not allowed on unix rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:794
|
||||
#: parser_yacc.y:794 parser_yacc.y:837
|
||||
msgid "owner prefix not allowed on capability rules"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1293
|
||||
#: parser_yacc.y:1293 parser_yacc.y:1313
|
||||
#, c-format
|
||||
msgid "dbus rule: invalid conditional group %s=()"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1371
|
||||
#: parser_yacc.y:1371 parser_yacc.y:1391
|
||||
#, c-format
|
||||
msgid "unix rule: invalid conditional group %s=()"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:368
|
||||
#: ../parser_regex.c:368 ../parser_regex.c:399
|
||||
#, c-format
|
||||
msgid "%s: Regex error: trailing '\\' escape character\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:496
|
||||
#, c-format
|
||||
msgid "Unable to open stdout - %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_interface.c:505
|
||||
#, c-format
|
||||
msgid "Unable to open output file - %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_lex.l:337
|
||||
msgid "Failed to process filename\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_lex.l:723
|
||||
#, c-format
|
||||
msgid "Lexer found unexpected character: '%s' (0x%x) in state: %s"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:806
|
||||
#, c-format
|
||||
msgid "Unable to print the cache directory: %m\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:842
|
||||
#, c-format
|
||||
msgid "Error: Could not load profile %s: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:852
|
||||
#, c-format
|
||||
msgid "Error: Could not replace profile %s: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:857
|
||||
#, c-format
|
||||
msgid "Error: Invalid load option specified: %d\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:964
|
||||
#, c-format
|
||||
msgid "Could not get cachename for '%s'\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:1323
|
||||
#, c-format
|
||||
msgid "Failed to clear cache files (%s): %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:1332
|
||||
msgid ""
|
||||
"The --create-cache-dir option is deprecated. Please use --write-cache.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_main.c:1337
|
||||
#, c-format
|
||||
msgid "Failed setting up policy cache (%s): %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:694
|
||||
#, c-format
|
||||
msgid "Namespace not terminated: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:696
|
||||
#, c-format
|
||||
msgid "Empty namespace: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:698
|
||||
#, c-format
|
||||
msgid "Empty named transition profile name: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_misc.c:700
|
||||
#, c-format
|
||||
msgid "Unknown error while parsing label: %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:322
|
||||
msgid "Profile names must begin with a '/' or a namespace"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:344
|
||||
msgid "Profile attachment must begin with a '/' or variable."
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:906
|
||||
msgid "RLIMIT 'cpu' no units specified using default units of seconds\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:918
|
||||
msgid ""
|
||||
"RLIMIT 'rttime' no units specified using default units of microseconds\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1074
|
||||
#, c-format
|
||||
msgid "%s: Profile abi not supported, falling back to system abi.\n"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1519
|
||||
msgid "Exec condition is required when unsafe or safe keywords are present"
|
||||
msgstr ""
|
||||
|
||||
#: parser_yacc.y:1521
|
||||
msgid "Exec condition must begin with '/'."
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:98
|
||||
#, c-format
|
||||
msgid "%s: Invalid glob type %d\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../parser_regex.c:615
|
||||
#, c-format
|
||||
msgid "The current kernel does not support stacking of named transitions: %s\n"
|
||||
msgstr ""
|
||||
|
@@ -140,7 +140,7 @@ force_complain() {
|
||||
local profile=$1
|
||||
|
||||
# if profile not in complain mode
|
||||
if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
|
||||
if ! egrep -q '^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+\{' $profile ; then
|
||||
local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
|
||||
if [ -e "$link" ] ; then
|
||||
aa_log_warning_msg "found $link, forcing complain mode"
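Review bot: `$profile` is still passed to egrep unquoted on the new line, so a profile path containing whitespace or glob characters is word-split before the pattern is applied; `"$profile"` closes that, and since the line is already being rewritten, `grep -E -q '...' "$profile"` would also retire the deprecated `egrep` wrapper. The same quoting applies to the backtick `basename ${profile}` two lines below, where `"$(basename "$profile")"` is the equivalent. force_complain's body starts and ends outside the hunk.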
|
||||
|
@@ -137,7 +137,7 @@ class AAParserCachingCommon(testlib.AATestTemplate):
|
||||
with open(features_path) as f:
|
||||
features = f.read()
|
||||
if expected:
|
||||
self.assertEquals(expected_output, features,
|
||||
self.assertEqual(expected_output, features,
|
||||
"features contents differ, expected:\n%s\nresult:\n%s" % (expected_output, features))
|
||||
else:
|
||||
self.assertNotEquals(expected_output, features,
|
||||
@@ -269,7 +269,7 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
if (int(major) < 3) or ((int(major) == 3) and (int(minor) <= 2)):
|
||||
self.assertAlmostEquals(time1, time2, places=5)
|
||||
else:
|
||||
self.assertEquals(time1, time2)
|
||||
self.assertEqual(time1, time2)
|
||||
|
||||
def _set_mtime(self, path, mtime):
|
||||
atime = os.stat(path).st_atime
|
||||
@@ -370,7 +370,7 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
# in cache_contents because of the difficulty coercing cache
|
||||
# file bytes into strings in python3
|
||||
self.assertNotEquals(orig_stat.st_size, stat.st_size, 'Expected cache file to be updated, size is not changed.')
|
||||
self.assertEquals(os.stat(self.profile).st_mtime, stat.st_mtime)
|
||||
self.assertEqual(os.stat(self.profile).st_mtime, stat.st_mtime)
|
||||
|
||||
def test_cache_writing_clears_all_files(self):
|
||||
'''test cache writing clears all cache files'''
|
||||
@@ -388,7 +388,7 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
self._set_mtime(self.abstraction, 0)
|
||||
self._set_mtime(self.profile, expected)
|
||||
self._generate_cache_file()
|
||||
self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
|
||||
self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
|
||||
|
||||
def test_abstraction_mtime_preserved(self):
|
||||
'''test abstraction mtime is preserved when it is newest'''
|
||||
@@ -396,7 +396,7 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
self._set_mtime(self.profile, 0)
|
||||
self._set_mtime(self.abstraction, expected)
|
||||
self._generate_cache_file()
|
||||
self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
|
||||
self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
|
||||
|
||||
def test_equal_mtimes_preserved(self):
|
||||
'''test equal profile and abstraction mtimes are preserved'''
|
||||
@@ -404,7 +404,7 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
self._set_mtime(self.profile, expected)
|
||||
self._set_mtime(self.abstraction, expected)
|
||||
self._generate_cache_file()
|
||||
self.assertEquals(expected, os.stat(self.cache_file).st_mtime)
|
||||
self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
|
||||
|
||||
def test_profile_newer_skips_cache(self):
|
||||
'''test cache is skipped if profile is newer'''
|
||||
@@ -420,9 +420,9 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
|
||||
|
||||
stat = os.stat(self.cache_file)
|
||||
self.assertEquals(orig_stat.st_size, stat.st_size)
|
||||
self.assertEquals(orig_stat.st_ino, stat.st_ino)
|
||||
self.assertEquals(orig_stat.st_mtime, stat.st_mtime)
|
||||
self.assertEqual(orig_stat.st_size, stat.st_size)
|
||||
self.assertEqual(orig_stat.st_ino, stat.st_ino)
|
||||
self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
|
||||
|
||||
def test_abstraction_newer_skips_cache(self):
|
||||
'''test cache is skipped if abstraction is newer'''
|
||||
@@ -438,9 +438,9 @@ class AAParserCachingTests(AAParserCachingCommon):
|
||||
self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
|
||||
|
||||
stat = os.stat(self.cache_file)
|
||||
self.assertEquals(orig_stat.st_size, stat.st_size)
|
||||
self.assertEquals(orig_stat.st_ino, stat.st_ino)
|
||||
self.assertEquals(orig_stat.st_mtime, stat.st_mtime)
|
||||
self.assertEqual(orig_stat.st_size, stat.st_size)
|
||||
self.assertEqual(orig_stat.st_ino, stat.st_ino)
|
||||
self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
|
||||
|
||||
def test_profile_newer_rewrites_cache(self):
|
||||
'''test cache is rewritten if profile is newer'''
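Review bot: The hunks replace `assertEquals` but leave the equally deprecated `assertNotEquals` (context lines in the first and fourth hunks) and `assertAlmostEquals` (second hunk) untouched; those aliases were removed in Python 3.12 together with `assertEquals`, so the file still fails to run there. Unless another hunk outside this view covers them, `self.assertNotEqual(...)` and `self.assertAlmostEqual(time1, time2, places=5)` belong in the same pass. The enclosing test methods start outside the hunks.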
|
||||
|
@@ -547,7 +547,21 @@ verify_binary_equality "set rlimit memlock <= 2GB" \
|
||||
"/t { set rlimit memlock <= 2GB, }" \
|
||||
"/t { set rlimit memlock <= $((2 * 1024)) MB, }" \
|
||||
"/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \
|
||||
"/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }" \
|
||||
"/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }"
|
||||
|
||||
# verify slash filtering for link rules
|
||||
verify_binary_equality "link rules slash filtering" \
|
||||
"/t { link /dev/foo -> /mnt/bar, }" \
|
||||
"/t { link ///dev/foo -> /mnt/bar, }" \
|
||||
"/t { link /dev/foo -> /mnt//bar, }" \
|
||||
"/t { link /dev///foo -> ////mnt/bar, }" \
|
||||
"@{BAR}=/mnt/
|
||||
/t { link /dev///foo -> @{BAR}/bar, }" \
|
||||
"@{FOO}=/dev/
|
||||
/t { link @{FOO}//foo -> /mnt/bar, }" \
|
||||
"@{FOO}=/dev/
|
||||
@{BAR}=/mnt/
|
||||
/t { link @{FOO}/foo -> @{BAR}/bar, }" \
|
||||
|
||||
if [ $fails -ne 0 -o $errors -ne 0 ]
|
||||
then
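Review bot: The last argument of the new `verify_binary_equality "link rules slash filtering"` call, `"/t { link @{FOO}/foo -> @{BAR}/bar, }" \`, ends with a line continuation, so the command only terminates because the next line happens to be blank; the `memlock` block above ends its final argument without `\`. Dropping the trailing backslash matches the file's convention and keeps a future line inserted below from silently becoming an extra test argument.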
|
||||
|
@@ -1,7 +1,6 @@
|
||||
#
|
||||
#=DESCRIPTION abi testing - abi relative path in quotes
|
||||
#=EXRESULT FAIL
|
||||
#=TODO
|
||||
|
||||
abi "abi/4.19,
|
||||
|
||||
|
@@ -35,9 +35,49 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
|
||||
SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
|
||||
TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
|
||||
|
||||
ifdef USE_SYSTEM
|
||||
PYTHONPATH=
|
||||
PARSER?=apparmor_parser
|
||||
LOGPROF?=aa-logprof
|
||||
else
|
||||
# PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
|
||||
PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../libraries/libapparmor/swig/python/test/buildpath.py)
|
||||
LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
|
||||
LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
|
||||
PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
|
||||
PARSER?=../parser/apparmor_parser
|
||||
# use ../utils logprof
|
||||
LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof
|
||||
endif
|
||||
|
||||
# $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
|
||||
PWD=$(shell pwd)
|
||||
|
||||
.PHONY: test-dependencies
|
||||
test-dependencies: __parser __libapparmor
|
||||
|
||||
|
||||
.PHONY: __parser __libapparmor
|
||||
__parser:
|
||||
ifndef USE_SYSTEM
|
||||
@if [ ! -f $(PARSER) ]; then \
|
||||
echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
|
||||
echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
|
||||
echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
|
||||
exit 1; \
|
||||
fi
|
||||
endif
|
||||
|
||||
__libapparmor:
|
||||
ifndef USE_SYSTEM
|
||||
@if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
|
||||
echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
|
||||
echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
|
||||
echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
|
||||
exit 1; \
|
||||
fi
|
||||
endif
|
||||
|
||||
local:
|
||||
for profile in ${TOPLEVEL_PROFILES}; do \
|
||||
fn=$$(basename $$profile); \
|
||||
@@ -69,16 +109,6 @@ else
|
||||
Q=
|
||||
endif
|
||||
|
||||
ifndef PARSER
|
||||
# use system parser
|
||||
PARSER=../parser/apparmor_parser
|
||||
endif
|
||||
|
||||
ifndef LOGPROF
|
||||
# use ../utils logprof
|
||||
LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
|
||||
endif
|
||||
|
||||
.PHONY: docs
|
||||
# docs: should we have some here?
|
||||
docs:
|
||||
@@ -92,7 +122,7 @@ CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
|
||||
check: check-parser check-logprof
|
||||
|
||||
.PHONY: check-parser
|
||||
check-parser: local
|
||||
check-parser: test-dependencies local
|
||||
@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
|
||||
$(Q)for profile in ${CHECK_PROFILES} ; do \
|
||||
[ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
|
||||
@@ -108,6 +138,6 @@ check-parser: local
|
||||
done
|
||||
|
||||
.PHONY: check-logprof
|
||||
check-logprof: local
|
||||
check-logprof: test-dependencies local
|
||||
@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
|
||||
$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
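Review bot: The new `__parser` target checks `[ ! -f $(PARSER) ]`, but the parser is executed by the check targets, so `-x` is the test that matches the error message's intent; `-f` passes on a build that left a non-executable file behind, and `$(PARSER)` should be quoted in that test, so `@if [ ! -x "$(PARSER)" ]; then \`. The same applies to the `-f` test on `$(LIBAPPARMOR_PATH)libapparmor.so` in `__libapparmor`. The new comment `# $(PWD) is wrong when using "make -C profiles" - explicitely set it here` misspells `explicitly`.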
|
||||
|
@@ -24,6 +24,7 @@
|
||||
owner /{,var/}run/lightdm/*/xauthority r,
|
||||
owner /{,var/}run/user/*/gdm/Xauthority r,
|
||||
owner /{,var/}run/user/*/X11/Xauthority r,
|
||||
owner /{,var/}run/user/*/xauth_* r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
/tmp/.X11-unix/* rw,
|
||||
@@ -48,6 +49,8 @@
|
||||
|
||||
# Xcompose
|
||||
owner @{HOME}/.XCompose r,
|
||||
/var/cache/libx11/compose/* r,
|
||||
deny /var/cache/libx11/compose/* wlk,
|
||||
|
||||
# mouse themes
|
||||
/etc/X11/cursors/ r,
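Review bot: The added `deny /var/cache/libx11/compose/* wlk,` carries no comment saying why write, link and lock access is refused rather than granted; a `deny` in a shared abstraction also suppresses the audit entry for every profile that includes it, so the reason should be on record. A one-line comment above it naming the observed access (presumably libX11 attempting to update the compose cache, which should be confirmed) would do.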
|
||||
|
@@ -94,6 +94,7 @@
|
||||
@{PROC}/cpuinfo r,
|
||||
@{sys}/devices/system/cpu/ r,
|
||||
@{sys}/devices/system/cpu/online r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
|
||||
# glibc's *printf protections read the maps file
|
||||
@{PROC}/@{pid}/{maps,auxv,status} r,
|
||||
|
45
profiles/apparmor.d/abstractions/dbus-network-manager-strict
Normal file
@@ -0,0 +1,45 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=GetDevices
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Settings
|
||||
interface=org.freedesktop.NetworkManager.Settings
|
||||
member={GetDevices,ListConnections}
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
dbus send
|
||||
bus=system
|
||||
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings
|
||||
peer=(name=org.freedesktop.NetworkManager),
|
||||
|
||||
#include if exists <abstractions/dbus-network-manager-strict.d>
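Review bot: The new abstraction has no header comment describing its scope, unlike the exo-open, gio-open, gvfs-open and kde-open5 abstractions added in the same change; a reader has to infer from the rules that it only grants query-style calls (Properties.GetAll, GetDevices, ListConnections, GetSettings) to the NetworkManager peer on the system bus. A two-line header after the vim modeline would do, e.g. `# Query-only access to NetworkManager over the system bus, pinned to the` / `# org.freedesktop.NetworkManager peer; no methods that change state.`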
|
@@ -14,6 +14,9 @@
|
||||
/usr/share/enchant/ r,
|
||||
/usr/share/enchant/enchant.ordering r,
|
||||
|
||||
/usr/share/enchant-2/ r,
|
||||
/usr/share/enchant-2/enchant.ordering r,
|
||||
|
||||
# aspell
|
||||
#include <abstractions/aspell>
|
||||
/var/lib/dictionaries-common/aspell/ r,
|
||||
|
74
profiles/apparmor.d/abstractions/exo-open
Normal file
@@ -0,0 +1,74 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via exo-open helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/exo-open directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/exo-open rPx -> foo//exo-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//exo-open {
|
||||
# #include <abstractions/exo-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/X>
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/gnome>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/exo-open rix,
|
||||
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
|
||||
|
||||
# Other executables
|
||||
|
||||
/{,usr/}bin/which rix,
|
||||
|
||||
# Deny DBus
|
||||
|
||||
# for GTK error message dialog, not required exo-open to work.
|
||||
deny dbus send
|
||||
bus=session
|
||||
path=/org/gtk/vfs/mounttracker,
|
||||
|
||||
# System files
|
||||
|
||||
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
|
||||
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
|
||||
/usr/share/sounds/freedesktop/** r, # for message box alert sound
|
||||
/usr/share/xfce4/helpers/*.desktop r,
|
||||
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{HOME}/.config/xfce4/helpers.rc r,
|
||||
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/exo-open.d>
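Review bot: The usage example in the header comment opens a `# ```` fence but never closes it, so the example runs straight into the following blank line; gvfs-open and kde-open5 in this same change close theirs with `# ```` after `# }`, and gio-open has the same omission. Two typos in the same header: `accesibility` should be `accessibility` and `message boxe` should be `message box`. The rule body is consistent with the other *-open abstractions.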
|
@@ -14,8 +14,8 @@
|
||||
|
||||
/usr/lib/xorg/modules/fonts/**.so* mr,
|
||||
|
||||
/usr/share/fonts/ r,
|
||||
/usr/share/fonts/** r,
|
||||
/usr/share/fonts/{,**} r,
|
||||
/usr/share/fonts-*/{,**} r,
|
||||
|
||||
/etc/fonts/** r,
|
||||
# Debian, openSUSE paths are different
|
||||
|
57
profiles/apparmor.d/abstractions/gio-open
Normal file
@@ -0,0 +1,57 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via gio helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/gio directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/gio rPx -> foo//gio-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gio-open {
|
||||
# #include <abstractions/gio-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/gio rix,
|
||||
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
|
||||
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
|
||||
|
||||
# System files
|
||||
|
||||
/etc/gnome/defaults.list r,
|
||||
/usr/share/mime/* r,
|
||||
/usr/share/{,*/}applications/{,**} r,
|
||||
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
||||
/var/lib/snapd/desktop/applications/{,**} r,
|
||||
|
||||
# User files
|
||||
|
||||
owner @{HOME}/.config/mimeapps.list r,
|
||||
owner @{HOME}/.local/share/applications/{,*.desktop} r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/gio-open.d>
|
@@ -26,6 +26,7 @@
|
||||
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
|
||||
/usr/share/themes/ r,
|
||||
/usr/share/themes/** r,
|
||||
/usr/share/gtk-3.0/settings.ini r,
|
||||
|
||||
# for gnome 1 applications
|
||||
/etc/orbitrc r,
|
||||
@@ -87,6 +88,7 @@
|
||||
/usr/share/gvfs/remote-volume-monitors/ r,
|
||||
/usr/share/gvfs/remote-volume-monitors/* r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
/run/mount/utab r,
|
||||
|
||||
# printing
|
||||
/etc/papersize r,
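Review bot: The added `/run/mount/utab r,` hard-codes `/run`, while the other abstractions touched in this change spell the runtime directory as `/{,var/}run/` (mdns) or `@{run}` (nameservice), and this file already uses the `@{PROC}` tunable on the line above. `@{run}/mount/utab r,` (or `/{,var/}run/mount/utab r,`) keeps the rule working where the path is reached via `/var/run`.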
|
||||
|
45
profiles/apparmor.d/abstractions/gvfs-open
Normal file
@@ -0,0 +1,45 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via gvfs-open helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/gvfs-open directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//gvfs-open {
|
||||
# #include <abstractions/gvfs-open>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/base>
|
||||
|
||||
# gvfs-open is deprecated, it launches gio open <uri>
|
||||
#include <abstractions/gio-open>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/gvfs-open r,
|
||||
/{,usr/}bin/dash mr,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/gvfs-open.d>
|
13
profiles/apparmor.d/abstractions/hosts_access
Normal file
@@ -0,0 +1,13 @@
|
||||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2020 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/hosts.deny r,
|
||||
/etc/hosts.allow r,
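Review bot: The new abstraction lacks the `#include if exists <abstractions/hosts_access.d>` trailer that every other abstraction added in this change ends with (dbus-network-manager-strict, exo-open, gio-open, gvfs-open, kde-open5), so site-local additions cannot be dropped in without editing the shipped file. Append `# Include additions to the abstraction` / `#include if exists <abstractions/hosts_access.d>` after the two rules.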
|
104
profiles/apparmor.d/abstractions/kde-open5
Normal file
@@ -0,0 +1,104 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
# This abstraction is designed to be used in a child profile to limit what
|
||||
# confined application can invoke via kde-open5 helper.
|
||||
#
|
||||
# NOTE: most likely you want to use xdg-open abstraction instead for better
|
||||
# portability across desktop environments, unless you are sure that confined
|
||||
# application only uses /usr/bin/kde-open5 directly.
|
||||
#
|
||||
# Usage example:
|
||||
#
|
||||
# ```
|
||||
# profile foo /usr/bin/foo {
|
||||
# ...
|
||||
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
|
||||
# ...
|
||||
# } # end of main profile
|
||||
#
|
||||
# # out-of-line child profile
|
||||
# profile foo//kde-open5 {
|
||||
# #include <abstractions/kde-open5>
|
||||
#
|
||||
# # needed for ubuntu-* abstractions
|
||||
# #include <abstractions/ubuntu-helpers>
|
||||
#
|
||||
# # Only allow to handle http[s]: and mailto: links
|
||||
# #include <abstractions/ubuntu-browsers>
|
||||
# #include <abstractions/ubuntu-email>
|
||||
#
|
||||
# # Add if accesibility access is considered as required
|
||||
# # (for message boxe in case exo-open fails)
|
||||
# #include <abstractions/dbus-accessibility>
|
||||
#
|
||||
# # Add if audio support for message box is
|
||||
# # considered as required.
|
||||
# #include if exists <abstractions/gstreamer>
|
||||
#
|
||||
# # < add additional allowed applications here >
|
||||
# }
|
||||
# ```
|
||||
|
||||
#include <abstractions/audio> # for alert messages
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus-accessibility-strict>
|
||||
#include <abstractions/dbus-network-manager-strict>
|
||||
#include <abstractions/dbus-session-strict>
|
||||
#include <abstractions/dbus-strict>
|
||||
#include <abstractions/kde-icon-cache-write>
|
||||
#include <abstractions/kde>
|
||||
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/qt5>
|
||||
#include <abstractions/recent-documents-write>
|
||||
#include <abstractions/X>
|
||||
|
||||
# Main executables
|
||||
|
||||
/usr/bin/kde-open5 rix,
|
||||
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
|
||||
|
||||
# DBus
|
||||
|
||||
dbus
|
||||
bus=session
|
||||
interface=org.kde.KLauncher
|
||||
member=start_service_by_desktop_path
|
||||
peer=(name=org.kde.klauncher5),
|
||||
|
||||
# Denied system files
|
||||
|
||||
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
|
||||
|
||||
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
||||
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
||||
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
||||
# so we deny this path to protect from loading exploits from /tmp.
|
||||
deny /tmp/#[0-9]*[0-9] m,
|
||||
|
||||
# System files
|
||||
|
||||
/dev/tty r,
|
||||
/etc/xdg/accept-languages.codes r,
|
||||
/etc/xdg/menus/{,*/} r,
|
||||
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
|
||||
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
|
||||
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
|
||||
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
|
||||
/usr/share/mime/ r,
|
||||
/usr/share/mime/generic-icons r,
|
||||
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
|
||||
/usr/share/sounds/ r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
# User files
|
||||
|
||||
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
|
||||
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
|
||||
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
|
||||
owner @{HOME}/.cache/kio_http/ rw,
|
||||
|
||||
# Include additions to the abstraction
|
||||
#include if exists <abstractions/kde-open5.d>
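Review bot: The link target in `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*,` does not match its source: `[0-9]` without `*` only matches single-digit UIDs, and `/{,var/}/run` expands to `//run` and `/var//run`; even if the parser filters the doubled slash (this change adds tests for exactly that), the UID glob is still wrong, and the two sibling rules above spell it `/{,var/}run/user/[0-9]*/`, so the target should be `/{,var/}run/user/[0-9]*/#[0-9]*`. The `dbus bus=session interface=org.kde.KLauncher member=start_service_by_desktop_path peer=(name=org.kde.klauncher5),` rule names no access type and so grants send, receive and bind, where every other dbus rule in this change is restricted to `dbus send`; if only the method call is intended, `dbus send` narrows it. The header comment was copied from exo-open: `# (for message boxe in case exo-open fails)` should name kde-open5 and read `message box`, `accesibility` is misspelled, and `VLC backed` in the deny comment is presumably `backend`.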
|
@@ -9,5 +9,6 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# mdnsd
|
||||
/etc/mdns.allow r,
|
||||
/etc/nss_mdns.conf r,
|
||||
/{,var/}run/mdnsd w,
|
||||
|
@@ -4,6 +4,12 @@
|
||||
# System files
|
||||
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
||||
|
||||
# Needed to check if the kernel supports the i915 perf interface
|
||||
# (src/intel/perf/gen_perf.c, load_oa_metrics())
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{revision,config} r,
|
||||
|
||||
# User files
|
||||
owner @{HOME}/.cache/ w, # if user clears all caches
|
||||
owner @{HOME}/.cache/mesa_shader_cache/ w,
|
||||
|
@@ -29,6 +29,11 @@
|
||||
/var/lib/extrausers/group r,
|
||||
/var/lib/extrausers/passwd r,
|
||||
|
||||
# NSS records from systemd-userdbd.service
|
||||
@{run}/systemd/userdb/ r,
|
||||
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
# When using sssd, the passwd and group files are stored in an alternate path
|
||||
# and the nss plugin also needs to talk to a pipe
|
||||
/var/lib/sss/mc/group r,
|
||||
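Review bot: `@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,` only allows reading the socket inodes; as far as I know a connect() to a filesystem-bound unix socket is mediated through file rules and needs write access, so if libnss_systemd actually talks to these sockets the rule will probably have to be `rw` — confirm against a denial log before widening it. `@{run}` is defined by the new tunables/run file in this same commit and reaches profiles through tunables/global, so, like `@{PROC}`, it relies on that tunable being included first; a short comment on the new block, e.g. `# @{run} comes from tunables/run (via tunables/global)`, would save a reader a parser-error hunt.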
|
@@ -9,6 +9,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/ssl/openssl.cnf r,
|
||||
/etc/ssl/{engdef,engines}.d/ r,
|
||||
/etc/ssl/{engdef,engines}.d/*.cnf r,
|
||||
/usr/share/ssl/openssl.cnf r,
|
||||
@{PROC}/sys/crypto/fips_enabled r,
|
||||
|
||||
|
@@ -11,26 +11,26 @@
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# shared snippets for config files
|
||||
/etc/php{,5,7}/**/ r,
|
||||
/etc/php{,5,7}/**.ini r,
|
||||
/etc/php{,5,7,8}/**/ r,
|
||||
/etc/php{,5,7,8}/**.ini r,
|
||||
|
||||
# Xlibs
|
||||
/usr/X11R6/lib{,32,64}/lib*.so* mr,
|
||||
# php extensions
|
||||
/usr/lib{64,}/php{,5,7}/*/*.so mr,
|
||||
/usr/lib{64,}/php{,5,7,8}/*/*.so mr,
|
||||
|
||||
# ICU (unicode support) data tables
|
||||
/usr/share/icu/*/*.dat r,
|
||||
|
||||
# php session mmap socket
|
||||
/var/lib/php{,5,7}/session_mm_* rwlk,
|
||||
/var/lib/php{,5,7,8}/session_mm_* rwlk,
|
||||
# file based session handler
|
||||
/var/lib/php{,5,7}/sess_* rwlk,
|
||||
/var/lib/php{,5,7}/sessions/* rwlk,
|
||||
/var/lib/php{,5,7,8}/sess_* rwlk,
|
||||
/var/lib/php{,5,7,8}/sessions/* rwlk,
|
||||
|
||||
# php libraries
|
||||
/usr/share/php{,5,7}/ r,
|
||||
/usr/share/php{,5,7}/** mr,
|
||||
/usr/share/php{,5,7,8}/ r,
|
||||
/usr/share/php{,5,7,8}/** mr,
|
||||
|
||||
# MySQL extension
|
||||
/usr/share/mysql/** r,
|
||||
|
@@ -1,7 +1,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2015 Canonical, Ltd.
|
||||
# Copyright (C) 2015-2018 Canonical, Ltd.
|
||||
# Copyright (C) 2020 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -31,6 +32,7 @@
|
||||
/usr/lib{,32,64}/sasl2/ r,
|
||||
/usr/lib/@{multiarch}/sasl2/* mr,
|
||||
/usr/lib/@{multiarch}/sasl2/ r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
/var/spool/postfix/etc/* r,
|
||||
/var/spool/postfix/lib/lib*.so* mr,
|
||||
|
@@ -22,4 +22,4 @@
|
||||
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
||||
|
||||
audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
|
||||
|
@@ -10,18 +10,19 @@
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
|
||||
|
||||
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
|
||||
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
|
||||
/usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
|
||||
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
|
||||
/usr/local/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
|
||||
|
||||
# Site-wide configuration
|
||||
/etc/python{2.[4-7],3.[0-9]}/** r,
|
||||
/etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
|
||||
|
||||
# shared python paths
|
||||
/usr/share/{pyshared,pycentral,python-support}/** r,
|
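Review bot: `/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,` keeps the single-digit minor version on the new side, so Python 3.10+ extension modules under /usr/lib are still not matched even though every other rule in the hunk was widened to `3.1[0-9]` and the /usr/local counterpart became `python3.{1,}[0-9]`. Changing it to `/usr/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,` would make the two lib-dynload rules consistent. Whether that line is untouched context or newly added cannot be told from the rendered page, but either way it is the only 3.x rule left with the narrower glob.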
||||
@@ -34,4 +35,4 @@
|
||||
/usr/lib/wx/python/*.pth r,
|
||||
|
||||
# python build configuration and headers
|
||||
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
|
||||
/usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
|
||||
|
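--- /dev/null
+++ b/profiles/apparmor.d/abstractions/snap_browsers
@@ -0,0 +1,42 @@
+profile snap_browsers {
+include if exists <abstractions/snap_browsers.d>
+include <abstractions/base>
+include <abstractions/dbus-session-strict>
+
+/etc/passwd r,
+/etc/nsswitch.conf r,
+/etc/fstab r,
+
+# noisy
+deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
+
+/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
+/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
+/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
+/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
+/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
+/var/lib/snapd/system-key r,
+/run/snapd.socket rw,
+
+@{PROC}/version r,
+@{PROC}/cmdline r,
+@{PROC}/sys/net/core/somaxconn r,
+@{PROC}/sys/kernel/seccomp/actions_avail r,
+@{PROC}/sys/kernel/random/uuid r,
+owner @{PROC}/@{pid}/cgroup r,
+owner @{PROC}/@{pid}/mountinfo r,
+owner @{HOME}/.snap/auth.json r, # if exists, required
+
+dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
+dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
+
+/sys/kernel/security/apparmor/features/ r,
+
+# allow launching official browser snaps.
+/snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
+/snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
+/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
+
+/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+# add other browsers here
+}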
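Review bot: The file lives under abstractions/ yet defines a complete `profile snap_browsers {` rather than a rule set, and nothing in it says how a profile is meant to use it (the xdg-open abstraction added in this same commit carries a usage example); a header comment describing the intended use and the transition it expects, plus the usual copyright/vim modeline header, would help. `include if exists <abstractions/snap_browsers.d>` sits at the top of the profile while the other abstractions in this commit put their `.d` include last under `# Include additions to the abstraction`; rule order does not change the resulting policy, so this is purely consistency. `owner @{HOME}/.snap/auth.json r, # if exists, required` exposes the user's snap store credential to this profile, so the comment should say which snap operation needs it, letting a reader see the grant is deliberate. `deny owner /run/user/[0-9]*/gdm/Xauthority r,` and `/run/snapd.socket rw,` spell out /run by hand while the commit introduces `@{run}` for exactly this.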
@@ -12,6 +12,7 @@
|
||||
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
||||
audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
|
||||
|
||||
# Comment this out if using gpg plugin/addons
|
||||
audit deny @{HOME}/.gnupg/{,**} mrwkl,
|
||||
|
@@ -70,6 +70,7 @@ profile sanitized_helper {
|
||||
/opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
|
||||
/opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
|
||||
/opt/google/chrome{,-beta,-unstable}/chrome Pixr,
|
||||
/opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
|
||||
/opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
|
||||
|
||||
# Full access
|
||||
|
@@ -2,5 +2,5 @@
|
||||
# video device access
|
||||
|
||||
# System devices
|
||||
@{sys}/class/video4linux r,
|
||||
@{sys}/class/video4linux/ r,
|
||||
@{sys}/class/video4linux/** r,
|
||||
|
@@ -3,10 +3,15 @@
|
||||
|
||||
# System files
|
||||
/dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
|
||||
/etc/glvnd/egl_vendor.d/{*,.json} r,
|
||||
/etc/vulkan/icd.d/{,*.json} r,
|
||||
/etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
|
||||
# for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
|
||||
@{sys}/devices/pci[0-9]*/*/drm/ r,
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
|
||||
/usr/share/glvnd/egl_vendor.d/{,*.json} r,
|
||||
/usr/share/vulkan/icd.d/{,*.json} r,
|
||||
/usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
|
||||
|
||||
|
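Review bot: `/etc/glvnd/egl_vendor.d/{*,.json} r,` looks like a mistyped `{,*.json}`: it matches every file in the directory plus a literal `.json`, but not the directory itself, unlike the `/etc/vulkan/icd.d/{,*.json} r,` and `/usr/share/glvnd/egl_vendor.d/{,*.json} r,` rules around it; the line is context here, not touched by the commit, but it is on the side under review. The five new `@{sys}/devices/pci[0-9]*/*/drm/card[0-9]/...` rules only match card0 through card9, which the `pci[0-9]*` glob on the same lines suggests was not intended; `card[0-9]*` would cover multi-GPU hosts the same way.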
@@ -12,5 +12,6 @@
|
||||
# some services update wtmp, utmp, and lastlog with per-user
|
||||
# connection information
|
||||
/var/log/lastlog rwk,
|
||||
/var/log/wtmp wk,
|
||||
/var/log/wtmp rwk,
|
||||
/var/log/btmp rwk,
|
||||
/{,var/}run/utmp rwk,
|
||||
|
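--- /dev/null
+++ b/profiles/apparmor.d/abstractions/xdg-open
@@ -0,0 +1,84 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//xdg-open {
+# #include <abstractions/xdg-open>
+#
+# # Enable a11y support if considered required by
+# # profile author for (rare) error message boxes.
+# #include <abstractions/dbus-accessibility>
+#
+# # Enable gstreamer support if considered required by
+# # profile author for (rare) error message boxes.
+# #include if exists <abstractions/gstreamer>
+#
+# # needed for ubuntu-* abstractions
+# #include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# #include <abstractions/ubuntu-browsers>
+# #include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+#include <abstractions/base>
+
+# for openin with `exo-open`
+#include <abstractions/exo-open>
+
+# for opening with `gio open <uri>`
+#include <abstractions/gio-open>
+
+# for opening with gvfs-open (deprecated)
+#include <abstractions/gvfs-open>
+
+# for opening with kde-open5
+#include <abstractions/kde-open5>
+
+# Main executables
+
+/{,usr/}bin/{b,d}ash mr,
+/usr/bin/xdg-open r,
+
+# Additional executables
+
+/usr/bin/xdg-mime rix,
+/{,usr/}bin/cut rix, # for xdg-mime
+/{,usr/}bin/head rix, # for xdg-mime
+/{,usr/}bin/sed rix, # for xdg-open
+/{,usr/}bin/tr rix, # for xdg-mime
+/{,usr/}bin/which rix, # for xdg-open
+/{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+# System files
+
+/dev/pts/[0-9]* rw,
+/dev/tty w,
+/etc/gnome/defaults.list r, # for grep
+/usr/share/applications/mimeinfo.cache r, # for grep
+/usr/share/terminfo/s/screen r, # for bash on openSUSE
+/usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+/var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+# Usr files
+
+owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+# Include additions to the abstraction
+#include if exists <abstractions/xdg-open.d>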
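Review bot: `# for openin with `exo-open`` misspells "opening", and the `# Usr files` heading should be `# User files` to match the heading the other abstractions in this commit use (kde-open5, mesa). The header comment would also read better as `# confined applications can invoke via the xdg-open helper. This abstraction`. `/dev/pts/[0-9]* rw,` lets the helper write to any pseudo-terminal DAC permits rather than only the one it inherited; `owner /dev/pts/[0-9]* rw,` (the shape of `owner /dev/tty rw,` in the dnsmasq profile in this same series) would be tighter if nothing here needs another user's pty, which is worth confirming against the xdg-open script.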
@@ -16,7 +16,7 @@ profile lsb_release {
|
||||
/dev/tty rw,
|
||||
|
||||
/usr/bin/lsb_release r,
|
||||
/usr/bin/python3.[0-9] mr,
|
||||
/usr/bin/python3.{1,}[0-9] mr,
|
||||
|
||||
/etc/debian_version r,
|
||||
/etc/default/apport r,
|
||||
|
@@ -22,11 +22,13 @@ profile nvidia_modprobe {
|
||||
|
||||
# System files
|
||||
|
||||
/dev/nvidia-modeset w,
|
||||
/dev/nvidia-uvm w,
|
||||
/dev/nvidia-uvm-tools w,
|
||||
@{sys}/bus/pci/devices/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/config r,
|
||||
@{PROC}/devices r,
|
||||
@{PROC}/driver/nvidia/params r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/kernel/modprobe r,
|
||||
|
||||
|
@@ -62,6 +62,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
|
||||
/{var,var/run,run}/log/journal/*/*.journal r,
|
||||
/{var/,}run/syslog-ng.ctl a,
|
||||
/{var/,}run/syslog-ng/additional-log-sockets.conf r,
|
||||
/{var,var/run,run}/log/journal/*.journal r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/sbin.syslog-ng>
|
||||
|
@@ -19,3 +19,4 @@
|
||||
#include <tunables/kernelvars>
|
||||
#include <tunables/xdg-user-dirs>
|
||||
#include <tunables/share>
|
||||
#include <tunables/run>
|
||||
|
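--- /dev/null
+++ b/profiles/apparmor.d/tunables/run
@@ -0,0 +1 @@
+@{run}=/run/ /var/run/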
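Review bot: The new tunable has no header comment or vim modeline, unlike the other files added in this commit, and nothing explains why two values are listed; a line such as `# @{run}: runtime directory, listed twice so rules also match the legacy /var/run path` above the assignment would do. The mdns rule `/{,var/}run/mdnsd w,` and the kde-open5 `owner /{,var/}run/user/[0-9]*/...` rules elsewhere in this same commit still spell the alternation out by hand, so new rules could use `@{run}/` for consistency once this tunable is in place.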
@@ -24,6 +24,7 @@
|
||||
|
||||
/etc/dovecot/dovecot-database.conf.ext r,
|
||||
/etc/dovecot/dovecot-dict-sql.conf.ext r,
|
||||
/etc/my.cnf r,
|
||||
/usr/lib/dovecot/dict mr,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
|
@@ -67,9 +67,9 @@
|
||||
/root/.forward r,
|
||||
/root/dead.letter w,
|
||||
/usr/bin/procmail Px,
|
||||
/usr/lib/postfix/master Px,
|
||||
/usr/lib/postfix/showq Px,
|
||||
/usr/lib/postfix/smtpd Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}master Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}showq Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}smtpd Px,
|
||||
/usr/{bin,sbin}/postalias Px,
|
||||
/usr/{bin,sbin}/postdrop Px,
|
||||
/usr/{bin,sbin}/postfix Px,
|
||||
|
@@ -33,7 +33,7 @@
|
||||
/etc/dovecot/conf.d/** r,
|
||||
|
||||
owner /tmp/dovecot.imap.* rw,
|
||||
|
||||
@{PROC}/@{pid}/attr/current rw,
|
||||
/usr/bin/doveconf rix,
|
||||
/usr/lib/dovecot/imap mrix,
|
||||
/usr/share/dovecot/** r,
|
||||
|
@@ -28,7 +28,7 @@
|
||||
@{DOVECOT_MAILSTORE}/** rwkl,
|
||||
|
||||
@{HOME}/.dovecot.svbin r,
|
||||
|
||||
@{PROC}/@{pid}/attr/current rw,
|
||||
/proc/*/mounts r,
|
||||
/tmp/dovecot.lmtp.* rw,
|
||||
/usr/lib/dovecot/lmtp mr,
|
||||
|
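--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.script-login
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Michael Hirmke
+# Copyright (C) 2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+profile dovecot-script-login /usr/lib/dovecot/script-login {
+#include <abstractions/base>
+#include <abstractions/dovecot-common>
+#include <abstractions/nameservice>
+
+capability setuid,
+
+/usr/lib/dovecot/script-login mrPx,
+
+# NOTE: You'll need to allow execution of your actual login script.
+# The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login
+# for example
+# /home/vmail/bin/postlogin.sh Px,
+# and then to create the profile for the script.
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.lib.dovecot.script-login>
+}
+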
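Review bot: `# vim: ft=apparmor` differs from the `# vim:syntax=apparmor` modeline used by the other files added in this commit (abstractions/xdg-open, extras/usr.lib.postfix.dnsblog); one spelling should be used throughout. The NOTE block could also say that with `Px` the login script is refused until its own profile is loaded, so an admin who only adds the rule to local/ sees an exec denial rather than an unconfined script — that is the safe default, but it is easy to misread as a bug.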
@@ -18,6 +18,10 @@
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
|
||||
# for metrics end-point (Prometheus)
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
/usr/lib/dovecot/stats mr,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
|
@@ -20,6 +20,9 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
|
||||
/etc/avahi/services/ r,
|
||||
/etc/avahi/services/*.service r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
/usr/{bin,sbin}/avahi-daemon mr,
|
||||
/usr/share/avahi/introspection/*.introspect r,
|
||||
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
|
||||
|
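Review bot: `@{PROC}/1/environ r,` grants the daemon read access to init's whole environment block, a broader disclosure than the other @{PROC} reads in the hunk and one the commit does not explain; a comment naming the avahi code path that reads it would let a reviewer judge whether a narrower check (for instance the `/run/systemd/system/` directory probe commonly used for systemd detection) would do. Which of the four @{PROC} lines are new is inferred from the hunk counts (6 to 9), so treat this as a question if the environ rule predates the commit. profile avahi-daemon continues outside the hunk.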
@@ -42,6 +42,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
|
||||
owner /dev/tty rw,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/etc/dnsmasq.conf r,
|
||||
/etc/dnsmasq.d/ r,
|
||||
/etc/dnsmasq.d/* r,
|
||||
@@ -57,8 +59,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
|
||||
/var/log/dnsmasq*.log w,
|
||||
|
||||
/usr/share/dnsmasq/ r,
|
||||
/usr/share/dnsmasq/* r,
|
||||
/usr/share/dnsmasq{-base,}/ r,
|
||||
/usr/share/dnsmasq{-base,}/* r,
|
||||
|
||||
/{,var/}run/*dnsmasq*.pid w,
|
||||
/{,var/}run/dnsmasq-forwarders.conf r,
|
||||
@@ -87,6 +89,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
|
||||
# libvirt lease helper
|
||||
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
||||
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
||||
|
||||
# lxc-net pid and lease files
|
||||
/{,var/}run/lxc/dnsmasq.pid rw,
|
||||
@@ -113,7 +116,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
||||
|
||||
/etc/libnl-3/classid r,
|
||||
|
||||
/usr/lib{,64}/libvirt/libvirt_leaseshelper m,
|
||||
/usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
|
||||
/usr/libexec/libvirt_leaseshelper mr,
|
||||
|
||||
owner @{PROC}/@{pid}/net/psched r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
|
@@ -31,7 +31,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
|
||||
signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
|
||||
signal send peer=/usr/lib/dovecot/*,
|
||||
signal send peer=dovecot-*,
|
||||
|
||||
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
|
||||
|
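Review bot: `signal send peer=/usr/lib/dovecot/*,` drops the `set=(int,quit,term)` restriction the replaced line carried, and the new `signal send peer=dovecot-*,` has none either, so the master may now deliver any signal to its children rather than the three it needed before. If a wider set is required, a comment naming the signal that was missing would document it; otherwise keeping `set=(int,quit,term)` on both lines preserves the previous least-privilege grant. Which of the three lines is old is inferred from the hunk counts (7 to 8), so treat this as a question if the restriction was in fact added rather than removed. profile dovecot continues outside the hunk.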
||||
@@ -55,10 +56,12 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
|
||||
/usr/lib/dovecot/managesieve-login Pxmr,
|
||||
/usr/lib/dovecot/pop3 mrPx,
|
||||
/usr/lib/dovecot/pop3-login Pxmr,
|
||||
/usr/lib/dovecot/script-login Px,
|
||||
/usr/lib/dovecot/ssl-build-param rix,
|
||||
/usr/lib/dovecot/ssl-params mrPx,
|
||||
/usr/lib/dovecot/stats Px,
|
||||
/usr/{bin,sbin}/dovecot mrix,
|
||||
/usr/share/dovecot/dh.pem r,
|
||||
/usr/share/dovecot/protocols.d/ r,
|
||||
/usr/share/dovecot/protocols.d/** r,
|
||||
/var/lib/dovecot/ w,
|
||||
|
@@ -21,6 +21,7 @@ profile nscd /usr/{bin,sbin}/nscd {
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/netgroup r,
|
||||
/etc/nscd.conf r,
|
||||
/usr/{bin,sbin}/nscd rmix,
|
||||
|
@@ -6,6 +6,7 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/cups-client>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/openssl>
|
||||
#include <abstractions/samba>
|
||||
#include <abstractions/user-tmp>
|
||||
#include <abstractions/wutmp>
|
||||
|
@@ -25,7 +25,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
|
||||
/usr/lib*/samba/nss_info/*.so mr,
|
||||
/usr/lib*/samba/pdb/*.so mr,
|
||||
/usr/{bin,sbin}/winbindd mr,
|
||||
/var/cache/krb5rcache/* rw,
|
||||
/var/cache/krb5rcache/* rwk,
|
||||
/var/cache/samba/*.tdb rwk,
|
||||
/var/log/samba/log.winbindd rw,
|
||||
/{var/,}run/samba/winbindd.pid rwk,
|
||||
|
@@ -43,6 +43,11 @@ profile dhclient /{usr/,}sbin/dhclient {
|
||||
@{PROC}/interrupts r,
|
||||
@{PROC}/@{pid}/net/dev r,
|
||||
@{PROC}/rtc r,
|
||||
|
||||
# dhcliet wants to update its threads with functional names
|
||||
# see lp1918410
|
||||
owner @{PROC}/@{pid}/task/[0-9]*/comm rw,
|
||||
|
||||
# following rule shouldn't work, self is a symlink
|
||||
@{PROC}/self/status r,
|
||||
/{usr/,}sbin/arp mrix,
|
||||
|
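Review bot: The new comment `# dhcliet wants to update its threads with functional names` misspells the daemon; `# dhclient wants to update its threads with functional names` is what is meant. The rule under it, `owner @{PROC}/@{pid}/task/[0-9]*/comm rw,`, is scoped with `owner` and to the process's own tasks, which is the right shape for this. profile dhclient continues outside the hunk.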
@@ -121,6 +121,10 @@
|
||||
deny /usr/share/mozilla/extensions/**/ w,
|
||||
deny /usr/share/mozilla/ w,
|
||||
|
||||
# needed by widevine
|
||||
ptrace (trace) peer=@{profile_name},
|
||||
@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
# Local path is disabled, we only enable them for profiles we promote
|
||||
# out of extras.
|
||||
|
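Review bot: `@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,` allows mmap-exec of a library from a user-writable directory, which is the kind of grant the rest of the profile avoids: anything able to write under ~/.mozilla can now get code loaded into the browser. If the CDM has to live there, `owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*.so m,` at least limits the rule to the user's own files and fixes the glob, which as `lib*so` also matches names without a `.so` suffix. `ptrace (trace) peer=@{profile_name},` lets any process under this profile trace any other process under it; a comment saying which widevine component needs that would make the grant reviewable. The enclosing profile continues outside the hunk.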
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,7 +11,7 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/anvil {
|
||||
profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
@@ -18,10 +19,10 @@
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
/usr/lib/postfix/anvil rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}anvil mrix,
|
||||
|
||||
/etc/postfix/main.cf r,
|
||||
/{var/spool/postfix/,}private/anvil rw,
|
||||
/{var/spool/postfix/,}pid/unix.anvil rw,
|
||||
/{var/spool/postfix/,}pid/unix.anvil rwk,
|
||||
@{PROC}/net/if_inet6 r,
|
||||
}
|
||||
|
@@ -1,6 +1,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
# Copyright (C) 2019 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,7 +12,7 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/bounce {
|
||||
profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
@@ -18,16 +20,19 @@
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
/usr/lib/postfix/bounce rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}bounce mrix,
|
||||
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/* rwk,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}bounce/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}bounce/[0-9A-F]/* rwk,
|
||||
/{var/spool/postfix/,}bounce/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/* rwkl,
|
||||
/{var/spool/postfix/,}defer/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}defer/[0-9A-F]/* rwkl,
|
||||
/{var/spool/postfix/,}defer/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
@@ -35,10 +40,11 @@
|
||||
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}trace/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}trace/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}trace/[0-9A-F]* rwk,
|
||||
/{var/spool/postfix/,}public/cleanup w,
|
||||
/{var/spool/postfix/,}pid/unix.bounce rw,
|
||||
/{var/spool/postfix/,}pid/unix.defer rw,
|
||||
/{var/spool/postfix/,}pid/unix.trace rw,
|
||||
/{var/spool/postfix/,}pid/unix.bounce rwk,
|
||||
/{var/spool/postfix/,}pid/unix.defer rwk,
|
||||
/{var/spool/postfix/,}pid/unix.trace rwk,
|
||||
|
||||
/etc/postfix/main.cf r,
|
||||
@{PROC}/net/if_inet6 r,
|
||||
|
@@ -1,6 +1,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
# Copyright (C) 2019 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,23 +12,28 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/cleanup {
|
||||
profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
|
||||
capability net_bind_service,
|
||||
capability dac_read_search,
|
||||
|
||||
/usr/lib/postfix/cleanup rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}cleanup mrix,
|
||||
|
||||
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]/ rwl,
|
||||
/{var/spool/postfix/,}private/{rewrite,bounce} w,
|
||||
/{var/spool/postfix/,}public/qmgr w,
|
||||
/{var/spool/postfix/,}incoming/[0-9A-F]* rw,
|
||||
/{var/spool/postfix/,}private/bounce w,
|
||||
/{var/spool/postfix/,}private/rewrite rw,
|
||||
/{var/spool/postfix/,}public/qmgr rw,
|
||||
/{var/spool/postfix/,}hold/[0-9A-F]* w,
|
||||
/{var/spool/postfix/,}pid/unix.cleanup rw,
|
||||
/{var/spool/postfix/,}public/cleanup rw,
|
||||
/{var/spool/postfix/,}pid/unix.cleanup rwk,
|
||||
|
||||
/etc/{m,fs}tab r,
|
||||
/etc/postfix/* r,
|
||||
}
|
||||
|
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -11,8 +12,8 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/discard {
|
||||
profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
|
||||
#include <abstractions/base>
|
||||
|
||||
/usr/lib/postfix/discard rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}discard mrix,
|
||||
}
|
||||
|
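--- /dev/null
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.dnsblog
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
+#include <abstractions/base>
+
+/usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
+
+/var/spool/postfix/private/dnsblog rw,
+}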
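Review bot: `/var/spool/postfix/private/dnsblog rw,` omits the `/{var/spool/postfix/,}` alternation that the sibling postfix profiles in this series use for the same spool paths (for example `/{var/spool/postfix/,}private/anvil rw,` in postfix-anvil), so the chrooted form of the path would not match; `/{var/spool/postfix/,}private/dnsblog rw,` keeps it consistent. Judging by its name dnsblog performs DNS lookups; if so it will need the resolver rules the siblings get from `#include <abstractions/nameservice>` and `#include <abstractions/postfix-common>`, which this profile does not include — confirm with a test run before relying on the profile.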
@@ -2,6 +2,7 @@
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2017 Christian Boltz
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -11,13 +12,14 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/error {
|
||||
profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/{bin/,sbin/,}error mrix,
|
||||
|
||||
@{PROC}/sys/kernel/ngroups_max r,
|
||||
/usr/lib/postfix/error mrix,
|
||||
owner /var/spool/postfix/active/* rwk,
|
||||
/var/spool/postfix/pid/unix.error rwk,
|
||||
/var/spool/postfix/pid/unix.retry rwk,
|
||||
|
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,7 +11,7 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/flush {
|
||||
profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
@@ -18,7 +19,7 @@
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
/usr/lib/postfix/flush rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}flush mrix,
|
||||
|
||||
/{var/spool/postfix/,}deferred/ r,
|
||||
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
|
||||
|
@@ -2,6 +2,7 @@
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2017 Christian Boltz
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -11,12 +12,13 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/lmtp {
|
||||
profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/lmtp mrix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
|
||||
|
||||
/var/spool/postfix/active/* rwk,
|
||||
/var/spool/postfix/pid/unix.lmtp rwk,
|
||||
|
||||
|
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,7 +11,7 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/local {
|
||||
profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
@@ -23,20 +24,24 @@
|
||||
/var/mailman/mail/wrapper Px,
|
||||
/usr/bin/mlmmj-recieve Px,
|
||||
|
||||
/usr/lib/postfix/local rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}local mrix,
|
||||
/{usr/,}bin/bash mixr,
|
||||
/{usr/,}bin/date mixr,
|
||||
|
||||
/dev/tty rw,
|
||||
/etc/{postfix/,}aliases.db r,
|
||||
/etc/{postfix/,}aliases.db rk,
|
||||
# mailman on SuSE is configed to have its own alias file
|
||||
/var/lib/mailman/data/aliases.db r,
|
||||
/var/lib/mailman/data/aliases.db rk,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rw,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rw,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/ rw,
|
||||
/{var/spool/postfix/,}pid/unix.local rw,
|
||||
/{var/spool/postfix/,}private/{bounce,defer,flush,lmtp,rewrite} rw,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]* rwk,
|
||||
/{var/spool/postfix/,}pid/unix.local rwk,
|
||||
/{var/spool/postfix/,}private/{bounce,defer,flush,lmtp,local,rewrite} rw,
|
||||
/{var/spool/postfix/,}public/{cleanup,flush} rw,
|
||||
/etc/postfix/virtual.db r,
|
||||
/etc/postfix/lists.db r,
|
||||
|
||||
# deliver mail
|
||||
/var/mail/* wk,
|
||||
}
|
||||
|
@@ -1,6 +1,8 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
# Copyright (C) 2019 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,7 +12,7 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/master {
|
||||
profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
@@ -18,29 +20,42 @@
|
||||
capability net_bind_service,
|
||||
capability kill,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
signal send peer=/usr/lib/postfix/*,
|
||||
signal send peer=postfix-*,
|
||||
signal peer=@{profile_name},
|
||||
|
||||
unix (send receive) type=stream peer=(label=/usr/lib/postfix/*),
|
||||
unix (send receive) type=stream peer=(label=postfix-*),
|
||||
|
||||
/etc/postfix/master.cf r,
|
||||
/{var/spool/postfix/,}pid/master.pid rwk,
|
||||
/{var/spool/postfix/,}pid/unix.lmtp wk,
|
||||
|
||||
/{var/spool/postfix/,}private/* wl,
|
||||
/{var/spool/postfix/,}private/tlsmgr rwl,
|
||||
/{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
|
||||
/{var/spool/postfix/,}public/{cleanup,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl,
|
||||
|
||||
/usr/lib/postfix/anvil Px,
|
||||
/usr/lib/postfix/bounce Px,
|
||||
/usr/lib/postfix/cleanup Px,
|
||||
/usr/lib/postfix/flush Px,
|
||||
/usr/lib/postfix/local Px,
|
||||
/usr/lib/postfix/master rmix,
|
||||
/usr/lib/postfix/nqmgr Px,
|
||||
/usr/lib/postfix/proxymap Px,
|
||||
/usr/lib/postfix/pickup Px,
|
||||
/usr/lib/postfix/pipe Px,
|
||||
/usr/lib/postfix/qmgr Px,
|
||||
/usr/lib/postfix/scache Px,
|
||||
/usr/lib/postfix/showq Px,
|
||||
/usr/lib/postfix/smtp Px,
|
||||
/usr/lib/postfix/smtpd Px,
|
||||
/usr/lib/postfix/tlsmgr Px,
|
||||
/usr/lib/postfix/trivial-rewrite Px,
|
||||
/usr/lib/postfix/master rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}anvil Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}bounce Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}cleanup Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}error Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}flush Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}local Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,
|
||||
/usr/lib/postfix/{bin/,sbin/,}master mrix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}nqmgr Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}proxymap Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}pickup Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}pipe Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}qmgr Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}scache Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}showq Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}smtp Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}smtpd Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}tlsmgr Px,
|
||||
/usr/lib/postfix/{bin/,sbin/,}trivial-rewrite Px,
|
||||
|
||||
owner /var/lib/postfix/master.lock rwk,
|
||||
}
|
||||
|
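Review bot: `/usr/lib/postfix/{bin/,sbin/,}lmtp mrPx,` is the only entry in the rewritten helper list that grants `m` and `r` alongside the `Px` transition; every sibling from anvil to trivial-rewrite is plain `Px`, and under a `Px` transition the child profile (which in this comparison already carries `/usr/lib/postfix/{bin/,sbin/,}lmtp mrix,`) governs mapping its own binary. Unless master itself maps the lmtp executable without executing it, `/usr/lib/postfix/{bin/,sbin/,}lmtp Px,` keeps the list uniform; if the extra bits were added to silence a specific denial, a one-line comment on that rule would spare the next reader the question. Note also that `signal send peer=postfix-*,` and `peer=(label=postfix-*)` now match on profile name rather than on the `/usr/lib/postfix/*` attachment path, so any profile whose name begins with `postfix-`, including ones added locally by an administrator or another package, is accepted as a peer; that is presumably the intent, but it is a name-based rather than path-based match and worth a comment.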
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2006 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -10,12 +11,12 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/nqmgr {
|
||||
profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/nqmgr rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}nqmgr mrix,
|
||||
|
||||
/{var/spool/postfix/,}active/ r,
|
||||
/{var/spool/postfix/,}active/[0-9A-F]/ r,
|
||||
|
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2018 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -11,10 +12,10 @@
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/lib/postfix/oqmgr {
|
||||
profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/postfix-common>
|
||||
|
||||
/usr/lib/postfix/oqmgr rmix,
|
||||
/usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
|
||||
}
|
||||
|
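Review bot: The master profile in this same comparison lists exec transitions for `nqmgr` and `qmgr` but none for `oqmgr`, so `profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr` can only be entered if something other than master executes that binary, and a master.cf that selects oqmgr would presumably hit an exec denial rather than this profile. This gap is pre-existing (the old master list had no oqmgr either), but since the commit rewrites the whole exec list it is the natural place to add `/usr/lib/postfix/{bin/,sbin/,}oqmgr Px,` or to state in a comment that oqmgr is intentionally not reachable from master. The whole oqmgr profile body is visible in this hunk: the three abstractions plus the self-exec rule.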