mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-31 06:16:03 +00:00
Compare commits
45 Commits
v4.0.0-bet
...
apparmor-2
Author | SHA1 | Date | |
---|---|---|---|
|
cac95f10ce | ||
|
8c6e3a9724 | ||
|
3f29d38f0f | ||
|
d0bde41d90 | ||
|
823a2f71dd | ||
|
f5c4d066e8 | ||
|
805f51c7da | ||
|
ec87c2e552 | ||
|
3bff5df489 | ||
|
ba01770cfc | ||
|
3ffe77d087 | ||
|
022a988e4e | ||
|
95f9b1d07c | ||
|
4258749515 | ||
|
62b2a00331 | ||
|
463415347d | ||
|
a52313485f | ||
|
67b440a019 | ||
|
da1bb2f219 | ||
|
0badfb7816 | ||
|
87bf30b6d0 | ||
|
51369a0c3e | ||
|
6ae5a71ea2 | ||
|
850a565dce | ||
|
a0cf904972 | ||
|
8760451216 | ||
|
d096f8f7a5 | ||
|
beb695f7b0 | ||
|
ac80b7ca03 | ||
|
a729e8fd75 | ||
|
f4c661e070 | ||
|
15e636a329 | ||
|
49b9a83d9e | ||
|
069d98d007 | ||
|
8c82eec301 | ||
|
455d8a5140 | ||
|
efd20f879c | ||
|
977929f558 | ||
|
cb60e9b3df | ||
|
f57d90d935 | ||
|
f66a2e2e66 | ||
|
d1281c4988 | ||
|
c93fc7c758 | ||
|
e2c5ecafce | ||
|
888ef7b0e2 |
2
Makefile
2
Makefile
@@ -12,7 +12,7 @@ DIRS=parser \
|
||||
changehat/pam_apparmor \
|
||||
tests
|
||||
|
||||
REPO_URL?=lp:apparmor
|
||||
REPO_URL?=lp:apparmor/2.7
|
||||
# alternate possibilities to export from
|
||||
#REPO_URL=.
|
||||
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
|
||||
|
@@ -1 +1 @@
|
||||
2.7.0
|
||||
2.7.2
|
||||
|
@@ -158,6 +158,8 @@ $ac_distutils_result])
|
||||
AC_MSG_CHECKING([consistency of all components of python development environment])
|
||||
AC_LANG_PUSH([C])
|
||||
# save current global flags
|
||||
ac_save_LIBS="$LIBS"
|
||||
ac_save_CPPFLAGS="$CPPFLAGS"
|
||||
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
|
||||
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
|
||||
AC_TRY_LINK([
|
||||
|
@@ -3,7 +3,8 @@ INCLUDES = $(all_includes)
|
||||
BUILT_SOURCES = grammar.h scanner.h af_protos.h
|
||||
AM_LFLAGS = -v
|
||||
AM_YFLAGS = -d -p aalogparse_
|
||||
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
|
||||
AM_CFLAGS = -Wall
|
||||
AM_CPPFLAGS = -D_GNU_SOURCE
|
||||
scanner.h: scanner.l
|
||||
$(LEX) -v $<
|
||||
|
||||
|
@@ -141,6 +141,10 @@ typedef struct
|
||||
char *net_family;
|
||||
char *net_protocol;
|
||||
char *net_sock_type;
|
||||
char *net_local_addr;
|
||||
unsigned long net_local_port;
|
||||
char *net_foreign_addr;
|
||||
unsigned long net_foreign_port;
|
||||
} aa_log_record;
|
||||
|
||||
/**
|
||||
|
@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
|
||||
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
|
||||
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
|
||||
%token <t_str> TOK_IP_ADDR
|
||||
|
||||
%token TOK_EQUALS
|
||||
%token TOK_COLON
|
||||
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%token TOK_KEY_CAPNAME
|
||||
%token TOK_KEY_OFFSET
|
||||
%token TOK_KEY_TARGET
|
||||
%token TOK_KEY_LADDR
|
||||
%token TOK_KEY_FADDR
|
||||
%token TOK_KEY_LPORT
|
||||
%token TOK_KEY_FPORT
|
||||
|
||||
%token TOK_SYSLOG_KERNEL
|
||||
|
||||
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ /* target was always name2 in the past */
|
||||
ret_record->name2 = $3;
|
||||
}
|
||||
| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
|
||||
{ ret_record->net_local_addr = $3;}
|
||||
| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
|
||||
{ ret_record->net_foreign_addr = $3;}
|
||||
| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->net_local_port = $3;}
|
||||
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->net_foreign_port = $3;}
|
||||
| TOK_MSG_REST
|
||||
{
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
|
@@ -133,8 +133,15 @@ key_capability "capability"
|
||||
key_capname "capname"
|
||||
key_offset "offset"
|
||||
key_target "target"
|
||||
key_laddr "laddr"
|
||||
key_faddr "faddr"
|
||||
key_lport "lport"
|
||||
key_fport "fport"
|
||||
audit "audit"
|
||||
|
||||
/* network addrs */
|
||||
ip_addr [a-f[:digit:].:]{3,}
|
||||
|
||||
/* syslog tokens */
|
||||
syslog_kernel kernel{colon}
|
||||
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
|
||||
@@ -149,6 +156,7 @@ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
||||
%x dmesg_timestamp
|
||||
%x safe_string
|
||||
%x audit_types
|
||||
%x ip_addr
|
||||
%x other_audit
|
||||
%x unknown_message
|
||||
|
||||
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
|
||||
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<ip_addr>{
|
||||
{ip_addr} { yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<audit_types>{
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
{digits} { yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
|
||||
@@ -270,6 +284,10 @@ yy_flex_debug = 0;
|
||||
{key_capname} { return(TOK_KEY_CAPNAME); }
|
||||
{key_offset} { return(TOK_KEY_OFFSET); }
|
||||
{key_target} { return(TOK_KEY_TARGET); }
|
||||
{key_laddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
|
||||
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
|
||||
{key_lport} { return(TOK_KEY_LPORT); }
|
||||
{key_fport} { return(TOK_KEY_FPORT); }
|
||||
|
||||
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
|
||||
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
|
||||
|
@@ -10,7 +10,7 @@ WriteMakefile(
|
||||
'FIRST_MAKEFILE' => 'Makefile.perl',
|
||||
'ABSTRACT' => q[Perl interface to AppArmor] ,
|
||||
'VERSION' => q[@VERSION@],
|
||||
'INC' => q[-I@top_srcdir@/src @CFLAGS@],
|
||||
'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
|
||||
'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
|
||||
'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
|
||||
) ;
|
||||
|
@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
|
||||
noinst_PROGRAMS = test_multi.multi
|
||||
|
||||
test_multi_multi_SOURCES = test_multi.c
|
||||
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
|
||||
test_multi_multi_LDFLAGS = $(LDFLAGS)
|
||||
test_multi_multi_CFLAGS = -Wall
|
||||
test_multi_multi_LDADD = -L../src/.libs -lapparmor
|
||||
|
||||
clean-local:
|
||||
|
@@ -51,6 +51,18 @@ int main(int argc, char **argv)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#define print_string(description, var) \
|
||||
if ((var) != NULL) { \
|
||||
printf("%s: %s\n", (description), (var)); \
|
||||
}
|
||||
|
||||
/* unset is the value that the library sets to the var to indicate
|
||||
that it is unset */
|
||||
#define print_long(description, var, unset) \
|
||||
if ((var) != (unsigned long) (unset)) { \
|
||||
printf("%s: %ld\n", (description), (var)); \
|
||||
}
|
||||
|
||||
int print_results(aa_log_record *record)
|
||||
{
|
||||
printf("Event type: ");
|
||||
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
|
||||
{
|
||||
printf("Protocol: %s\n", record->net_protocol);
|
||||
}
|
||||
print_string("Local addr", record->net_local_addr);
|
||||
print_string("Foreign addr", record->net_foreign_addr);
|
||||
print_long("Local port", record->net_local_port, 0);
|
||||
print_long("Foreign port", record->net_foreign_port, 0);
|
||||
|
||||
printf("Epoch: %lu\n", record->epoch);
|
||||
printf("Audit subid: %u\n", record->audit_sub_id);
|
||||
return(0);
|
||||
|
@@ -0,0 +1 @@
|
||||
Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
|
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_01.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1308766940.698:3704
|
||||
Operation: sendmsg
|
||||
Profile: /usr/bin/evince-thumbnailer
|
||||
Command: evince-thumbnai
|
||||
Parent: 24737
|
||||
PID: 24743
|
||||
Network family: inet
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: 192.168.66.150
|
||||
Foreign addr: 192.168.66.200
|
||||
Local port: 765
|
||||
Foreign port: 2049
|
||||
Epoch: 1308766940
|
||||
Audit subid: 3704
|
@@ -0,0 +1 @@
|
||||
Apr 5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
|
@@ -0,0 +1,16 @@
|
||||
START
|
||||
File: test_multi/testcase_network_02.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1308766940.698:3704
|
||||
Operation: sendmsg
|
||||
Profile: /usr/bin/evince-thumbnailer
|
||||
Command: evince-thumbnai
|
||||
Parent: 24737
|
||||
PID: 24743
|
||||
Network family: inet
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local port: 765
|
||||
Foreign port: 2049
|
||||
Epoch: 1308766940
|
||||
Audit subid: 3704
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
|
@@ -0,0 +1,15 @@
|
||||
START
|
||||
File: test_multi/testcase_network_03.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Audit ID: 1333648169.009:11707146
|
||||
Operation: accept
|
||||
Profile: /usr/lib/dovecot/imap-login
|
||||
Command: imap-login
|
||||
Parent: 25932
|
||||
PID: 5049
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local port: 143
|
||||
Epoch: 1333648169
|
||||
Audit subid: 11707146
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
|
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_04.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1333697181.284:273901
|
||||
Operation: recvmsg
|
||||
Profile: /home/ubuntu/tmp/nc
|
||||
Command: nc
|
||||
Parent: 1596
|
||||
PID: 1056
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: ::1
|
||||
Foreign addr: ::1
|
||||
Local port: 2048
|
||||
Foreign port: 33986
|
||||
Epoch: 1333697181
|
||||
Audit subid: 273901
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
|
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_05.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1333698107.128:273917
|
||||
Operation: recvmsg
|
||||
Profile: /home/ubuntu/tmp/nc
|
||||
Command: nc
|
||||
Parent: 1596
|
||||
PID: 1875
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: ::ffff:127.0.0.1
|
||||
Foreign addr: ::ffff:127.0.0.1
|
||||
Local port: 2048
|
||||
Foreign port: 59180
|
||||
Epoch: 1333698107
|
||||
Audit subid: 273917
|
@@ -56,6 +56,7 @@ install: local
|
||||
${PROFILES_DEST}/program-chunks \
|
||||
${PROFILES_DEST}/tunables \
|
||||
${PROFILES_DEST}/tunables/home.d \
|
||||
${PROFILES_DEST}/tunables/multiarch.d \
|
||||
${PROFILES_DEST}/local
|
||||
install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
|
||||
install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions
|
||||
|
@@ -17,7 +17,7 @@
|
||||
|
||||
# .Xauthority files required for X connections, per user
|
||||
@{HOME}/.Xauthority r,
|
||||
owner /{,var/}run/gdm/*/database r,
|
||||
owner /{,var/}run/gdm{,3}/*/database r,
|
||||
owner /{,var/}run/lightdm/authority/[0-9]* r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
|
@@ -1,9 +1,20 @@
|
||||
# vim:syntax=apparmor
|
||||
|
||||
# This file contains basic permissions for Apache and every vHost
|
||||
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
# Apache
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
# apache manual, error pages and icons
|
||||
/usr/share/apache2/** r,
|
||||
|
||||
# changehat itself
|
||||
/proc/*/attr/current w,
|
||||
|
||||
# htaccess files - for what ever it is worth
|
||||
/**/.htaccess r,
|
||||
|
||||
/dev/urandom r,
|
||||
|
||||
|
@@ -2,7 +2,7 @@
|
||||
# aspell permissions
|
||||
|
||||
# per-user settings and dictionaries
|
||||
@{HOME}/.aspell.*.{pws,prepl} rk,
|
||||
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
|
||||
|
||||
# system libraries and dictionaries
|
||||
/usr/lib/aspell/ r,
|
||||
|
@@ -1,7 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2011 Canonical Ltd
|
||||
# Copyright (C) 2009-2012 Canonical Ltd
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -47,3 +47,5 @@
|
||||
# smbpass
|
||||
#include <abstractions/smbpass>
|
||||
|
||||
# p11-kit (PKCS#11 modules configuration)
|
||||
#include <abstractions/p11-kit>
|
||||
|
@@ -36,8 +36,8 @@
|
||||
/usr/lib{,32,64}/locale/** mr,
|
||||
/usr/lib{,32,64}/gconv/*.so mr,
|
||||
/usr/lib{,32,64}/gconv/gconv-modules* mr,
|
||||
/usr/lib/@{multiarch}/gconv/*.so mr,
|
||||
/usr/lib/@{multiarch}/gconv/gconv-modules mr,
|
||||
/usr/lib/@{multiarch}/gconv/*.so mr,
|
||||
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
|
||||
|
||||
# used by glibc when binding to ephemeral ports
|
||||
/etc/bindresvport.blacklist r,
|
||||
@@ -86,6 +86,7 @@
|
||||
@{PROC}/meminfo r,
|
||||
@{PROC}/stat r,
|
||||
@{PROC}/cpuinfo r,
|
||||
/sys/devices/system/cpu/online r,
|
||||
|
||||
# glibc's *printf protections read the maps file
|
||||
@{PROC}/*/maps r,
|
||||
|
@@ -1,7 +1,7 @@
|
||||
# vim:syntax=apparmor
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2009 Canonical Ltd.
|
||||
# Copyright (C) 2009-2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -13,3 +13,6 @@
|
||||
/etc/cups/client.conf r,
|
||||
# client should be able to talk the local cupsd
|
||||
/{,var/}run/cups/cups.sock w,
|
||||
# client should be able to read user-specified cups configuration
|
||||
owner @{HOME}/.cups/client.conf r,
|
||||
owner @{HOME}/.cups/lpoptions r,
|
||||
|
@@ -52,5 +52,5 @@
|
||||
/usr/share/java/zemberek-tr-[0-9]*.jar r,
|
||||
|
||||
# per-user dictionaries
|
||||
owner @{HOME}/.config/enchant/ r,
|
||||
owner @{HOME}/.config/enchant/ rw,
|
||||
owner @{HOME}/.config/enchant/* rwk,
|
||||
|
@@ -39,6 +39,8 @@
|
||||
@{HOME}/.fonts.cache-2 mr,
|
||||
@{HOME}/.fontconfig/ r,
|
||||
@{HOME}/.fontconfig/** mrl,
|
||||
@{HOME}/.fonts.conf.d/ r,
|
||||
@{HOME}/.fonts.conf.d/** r,
|
||||
|
||||
/usr/local/share/fonts/ r,
|
||||
/usr/local/share/fonts/** r,
|
||||
|
@@ -25,8 +25,8 @@
|
||||
@{HOME}/.DCOPserver_* r,
|
||||
@{HOME}/.ICEauthority r,
|
||||
@{HOME}/.fonts.* lrw,
|
||||
@{HOME}/.kde/share/config/kdeglobals rw,
|
||||
@{HOME}/.kde/share/config/*.lock rwl,
|
||||
@{HOME}/.kde{,4}/share/config/kdeglobals rw,
|
||||
@{HOME}/.kde{,4}/share/config/*.lock rwl,
|
||||
@{HOME}/.qt/** rw,
|
||||
@{HOME}/.config/Trolltech.conf rwk,
|
||||
|
||||
|
21
profiles/apparmor.d/abstractions/p11-kit
Normal file
21
profiles/apparmor.d/abstractions/p11-kit
Normal file
@@ -0,0 +1,21 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
/etc/pkcs11/ r,
|
||||
/etc/pkcs11/pkcs11.conf r,
|
||||
/etc/pkcs11/modules/ r,
|
||||
/etc/pkcs11/modules/* r,
|
||||
|
||||
/usr/lib{,32,64}/pkcs11/*.so mr,
|
||||
/usr/lib/@{multiarch}/pkcs11/*.so mr,
|
||||
|
||||
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
|
||||
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
|
||||
# included in this abstraction.
|
@@ -1,6 +1,6 @@
|
||||
# vim:syntax=apparmor
|
||||
# privacy-violations contains rules for common files that you want to explicity
|
||||
# deny access
|
||||
# privacy-violations contains rules for common files that you want to
|
||||
# explicitly deny access
|
||||
|
||||
# privacy violations (don't audit files under $HOME otherwise get a
|
||||
# lot of false positives when reading contents of directories)
|
||||
@@ -15,7 +15,9 @@
|
||||
# special attention to (potentially) executable files
|
||||
audit deny @{HOME}/bin/** wl,
|
||||
audit deny @{HOME}/.config/autostart/** wl,
|
||||
audit deny @{HOME}/.kde/Autostart/** wl,
|
||||
audit deny @{HOME}/.kde{,4}/Autostart/** wl,
|
||||
audit deny @{HOME}/.kde{,4}/env/** wl,
|
||||
audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
|
||||
|
||||
# don't allow reading/updating of run control files
|
||||
deny @{HOME}/.*rc mrk,
|
||||
|
@@ -1,6 +1,6 @@
|
||||
# vim:syntax=apparmor
|
||||
# privacy-violations-strict contains additional rules for sensitive
|
||||
# files that you want to explicity deny access
|
||||
# files that you want to explicitly deny access
|
||||
|
||||
#include <abstractions/private-files>
|
||||
|
||||
@@ -13,6 +13,6 @@
|
||||
audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
|
||||
audit deny @{HOME}/.evolution/** mrwkl,
|
||||
audit deny @{HOME}/.config/evolution/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
|
||||
|
||||
|
@@ -31,4 +31,7 @@
|
||||
/usr/lib/wx/python/*.pth r,
|
||||
|
||||
# python build configuration and headers
|
||||
/usr/include/python{2,3}.[0-7]*/pyconfig.h
|
||||
/usr/include/python{2,3}.[0-7]*/pyconfig.h r,
|
||||
|
||||
# python setup script used by apport
|
||||
/etc/python{2,3}.[0-7]*/sitecustomize.py r,
|
||||
|
@@ -10,4 +10,4 @@
|
||||
/usr/bin/kget PUxr,
|
||||
/usr/bin/ktorrent PUxr,
|
||||
/usr/bin/qbittorrent PUxr,
|
||||
/usr/bin/transmission PUxr,
|
||||
/usr/bin/transmission{,-gtk,-qt,-cli} PUxr,
|
||||
|
@@ -28,6 +28,10 @@
|
||||
# and abrowser)
|
||||
/usr/lib/firefox-*/firefox.sh PUx,
|
||||
|
||||
# Iceweasel
|
||||
/usr/bin/iceweasel PUx,
|
||||
/usr/lib/iceweasel/iceweasel PUx,
|
||||
|
||||
# some unpackaged, but popular browsers
|
||||
/usr/lib/icecat-*/icecat PUx,
|
||||
/usr/bin/opera PUx,
|
||||
|
@@ -46,3 +46,11 @@
|
||||
/opt/google/talkplugin/lib/*.so mr,
|
||||
/opt/google/talkplugin/GoogleTalkPlugin ixr,
|
||||
owner @{HOME}/.config/google-googletalkplugin/** rw,
|
||||
|
||||
# If we allow the above, nvidia based systems will also need these
|
||||
/dev/nvidactl rw,
|
||||
/dev/nvidia0 rw,
|
||||
@{PROC}/interrupts r,
|
||||
|
||||
# Virus scanners
|
||||
/usr/bin/clamscan PUx,
|
||||
|
@@ -8,3 +8,4 @@
|
||||
/usr/bin/vim.gnome PUxr,
|
||||
/usr/bin/leafpad PUxr,
|
||||
/usr/bin/mousepad PUxr,
|
||||
/usr/bin/kate PUxr,
|
||||
|
@@ -7,6 +7,7 @@
|
||||
/usr/bin/apturl PUxr,
|
||||
/usr/bin/gnome-codec-install PUxr,
|
||||
/usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
|
||||
/usr/share/software-center/software-center PUxr,
|
||||
|
||||
# Input Methods
|
||||
/usr/bin/scim PUx,
|
||||
@@ -14,10 +15,13 @@
|
||||
|
||||
# File managers
|
||||
/usr/bin/nautilus PUxr,
|
||||
/usr/bin/thunar PUxr,
|
||||
/usr/bin/{t,T}hunar PUxr,
|
||||
|
||||
# Themes
|
||||
/usr/bin/gnome-appearance-properties PUxr,
|
||||
|
||||
# Kubuntu
|
||||
/usr/lib/mozilla/kmozillahelper PUxr,
|
||||
|
||||
# Exo-aware applications
|
||||
/usr/bin/exo-open ixr,
|
||||
|
@@ -11,7 +11,7 @@
|
||||
#include <abstractions/private-files>
|
||||
audit deny @{HOME}/.ssh/** mrwkl,
|
||||
audit deny @{HOME}/.gnome2_private/** mrwkl,
|
||||
audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
|
||||
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
|
||||
|
||||
# Comment this out if using gpg plugin/addons
|
||||
audit deny @{HOME}/.gnupg/** mrwkl,
|
||||
|
@@ -4,6 +4,7 @@
|
||||
#
|
||||
/usr/bin/amarok PUxr,
|
||||
/usr/bin/audacious2 PUxr,
|
||||
/usr/bin/audacity PUxr,
|
||||
/usr/bin/bangarang PUxr,
|
||||
/usr/bin/banshee PUxr,
|
||||
/usr/bin/banshee-1 PUxr,
|
||||
|
@@ -23,6 +23,7 @@
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fsetid,
|
||||
capability fowner,
|
||||
capability sys_tty_config,
|
||||
|
@@ -8,7 +8,11 @@
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
# http://www.postfix.org/SASL_README.html#server_dovecot
|
||||
/etc/dovecot/dovecot.conf r,
|
||||
/etc/dovecot/{auth,conf}.d/*.conf r,
|
||||
/etc/dovecot/dovecot-postfix.conf r,
|
||||
|
||||
@{HOME} r,
|
||||
@{HOME}/Maildir/ rw,
|
||||
@{HOME}/Maildir/** klrw,
|
||||
|
@@ -11,6 +11,7 @@
|
||||
capability sys_chroot,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
/usr/lib/dovecot/imap-login mr,
|
||||
/{,var/}run/dovecot/login/ r,
|
||||
|
@@ -2,6 +2,7 @@
|
||||
/usr/sbin/avahi-daemon {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability chown,
|
||||
@@ -19,10 +20,10 @@
|
||||
/proc/*/fd/ r,
|
||||
/usr/sbin/avahi-daemon mr,
|
||||
/usr/share/avahi/introspection/*.introspect r,
|
||||
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
|
||||
/{,var/}run/avahi-daemon/ w,
|
||||
/{,var/}run/avahi-daemon/pid krw,
|
||||
/{,var/}run/avahi-daemon/socket w,
|
||||
/{,var/}run/dbus/system_bus_socket w,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.avahi-daemon>
|
||||
|
@@ -9,6 +9,8 @@
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
@{TFTP_DIR}=/var/tftp /srv/tftpboot
|
||||
|
||||
#include <tunables/global>
|
||||
/usr/sbin/dnsmasq {
|
||||
#include <abstractions/base>
|
||||
@@ -36,6 +38,10 @@
|
||||
|
||||
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
|
||||
|
||||
# for the read-only TFTP server
|
||||
@{TFTP_DIR}/ r,
|
||||
@{TFTP_DIR}/** r,
|
||||
|
||||
# libvirt lease and hosts files for dnsmasq
|
||||
/var/lib/libvirt/dnsmasq/ r,
|
||||
/var/lib/libvirt/dnsmasq/*.leases rw,
|
||||
|
@@ -21,12 +21,17 @@
|
||||
capability sys_tty_config,
|
||||
|
||||
/etc/mtab r,
|
||||
/etc/netgroup r,
|
||||
/etc/printcap r,
|
||||
/etc/samba/* rwk,
|
||||
/proc/*/mounts r,
|
||||
/proc/sys/kernel/core_pattern r,
|
||||
/usr/lib*/samba/vfs/*.so mr,
|
||||
/usr/lib*/samba/charset/*.so mr,
|
||||
/usr/lib*/samba/auth/script.so mr,
|
||||
/usr/lib*/samba/{lowercase,upcase,valid}.dat r,
|
||||
/usr/sbin/smbd mr,
|
||||
/etc/samba/* rwk,
|
||||
/usr/sbin/smbldap-useradd Px,
|
||||
/var/cache/samba/** rwk,
|
||||
/var/cache/samba/printing/printers.tdb mrw,
|
||||
/var/lib/samba/** rwk,
|
||||
|
37
profiles/apparmor.d/usr.sbin.smbldap-useradd
Normal file
37
profiles/apparmor.d/usr.sbin.smbldap-useradd
Normal file
@@ -0,0 +1,37 @@
|
||||
# Last Modified: Tue Jan 3 00:17:40 2012
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/sbin/smbldap-useradd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
|
||||
/dev/tty rw,
|
||||
/bin/bash ix,
|
||||
/etc/init.d/nscd Cx,
|
||||
/etc/shadow r,
|
||||
/etc/smbldap-tools/smbldap.conf r,
|
||||
/etc/smbldap-tools/smbldap_bind.conf r,
|
||||
/usr/sbin/smbldap-useradd r,
|
||||
/usr/sbin/smbldap_tools.pm r,
|
||||
/var/log/samba/log.smbd w,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.smbldap-useradd>
|
||||
|
||||
profile /etc/init.d/nscd {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
/bin/bash r,
|
||||
/bin/mountpoint rix,
|
||||
/bin/systemctl rix,
|
||||
/dev/tty rw,
|
||||
/etc/init.d/nscd r,
|
||||
/etc/rc.status r,
|
||||
|
||||
}
|
||||
}
|
@@ -12,6 +12,7 @@
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/sbin/httpd2-prefork {
|
||||
#include <abstractions/apache2-common>
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/kerberosclient>
|
||||
@@ -78,8 +79,6 @@
|
||||
/usr/local/tomcat/conf/mod_jk.conf r,
|
||||
/usr/local/tomcat/conf/workers-ajp12.properties r,
|
||||
/usr/sbin/httpd2-prefork r,
|
||||
/usr/share/apache2/error/* r,
|
||||
/usr/share/apache2/error/include/* r,
|
||||
/usr/share/misc/magic.mime r,
|
||||
/usr/share/snmp/mibs r,
|
||||
/usr/share/snmp/mibs/*.{txt,mib} r,
|
||||
@@ -125,21 +124,20 @@
|
||||
/srv/www/icons/*.{gif,jpg,png} r,
|
||||
/srv/www/vhosts r,
|
||||
/srv/www/vhosts/** r,
|
||||
# SuSE location of the apache manual + error pages
|
||||
/usr/share/apache2/** r,
|
||||
|
||||
# php session state
|
||||
/var/lib/php/sess_* rwl,
|
||||
|
||||
|
||||
^HANDLING_UNTRUSTED_INPUT {
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/apache2-common>
|
||||
/var/log/apache2/* w,
|
||||
/**.htaccess r,
|
||||
audit /.htaccess r, # WARNING: .htaccess directly in / will be disallowed in future versions
|
||||
# (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common)
|
||||
}
|
||||
|
||||
^DEFAULT_URI {
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/apache2-common>
|
||||
#include <abstractions/base>
|
||||
|
||||
# Note that mod_perl, mod_php, mod_python, etc, allows in-apache
|
||||
@@ -176,8 +174,6 @@
|
||||
/srv/www/icons/*.{gif,jpg,png} r,
|
||||
/srv/www/vhosts r,
|
||||
/srv/www/vhosts/** r,
|
||||
# SuSE location of the apache manual + error pages
|
||||
/usr/share/apache2/** r,
|
||||
|
||||
# php session state
|
||||
/var/lib/php/sess_* rwl,
|
||||
|
@@ -1,6 +1,7 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
# Copyright (C) 2012 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -33,6 +34,7 @@
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/urandom r,
|
||||
/etc/default/locale r,
|
||||
/etc/environment r,
|
||||
/etc/hosts.allow r,
|
||||
/etc/hosts.deny r,
|
||||
@@ -55,10 +57,12 @@
|
||||
/bin/bash2 rUx,
|
||||
/bin/bsh rUx,
|
||||
/bin/csh rUx,
|
||||
/bin/dash rUx,
|
||||
/bin/ksh rUx,
|
||||
/bin/sh rUx,
|
||||
/bin/tcsh rUx,
|
||||
/bin/zsh rUx,
|
||||
/bin/zsh4 rUx,
|
||||
/sbin/nologin rUx,
|
||||
|
||||
# Call passwd for password change when expired
|
||||
@@ -74,6 +78,7 @@
|
||||
|
||||
# duplicated from AUTHENTICATED
|
||||
/etc/motd r,
|
||||
/{,var/}run/motd r,
|
||||
/tmp/ssh-*/agent.[0-9]* rwl,
|
||||
|
||||
/tmp/ssh-*[0-9]*/ w,
|
||||
@@ -89,10 +94,12 @@
|
||||
/bin/bash2 Ux,
|
||||
/bin/bsh Ux,
|
||||
/bin/csh Ux,
|
||||
/bin/dash Ux,
|
||||
/bin/ksh Ux,
|
||||
/bin/sh Ux,
|
||||
/bin/tcsh Ux,
|
||||
/bin/zsh Ux,
|
||||
/bin/zsh4 Ux,
|
||||
/sbin/nologin Ux,
|
||||
|
||||
# for debugging
|
||||
@@ -161,6 +168,7 @@
|
||||
/etc/localtime r,
|
||||
/etc/login.defs r,
|
||||
/etc/motd r,
|
||||
/{,var/}run/motd r,
|
||||
/tmp/ssh-*/agent.[0-9]* rwl,
|
||||
/tmp/ssh-*[0-9]*/ w,
|
||||
|
||||
|
@@ -28,7 +28,7 @@
|
||||
/bin/cat rmix,
|
||||
/bin/bash rmix,
|
||||
/dev/log w,
|
||||
/etc/.pwd.lock rw,
|
||||
/etc/.pwd.lock rwk,
|
||||
/etc/cron.deny r,
|
||||
/etc/default/useradd r,
|
||||
/etc/group* rwl,
|
||||
|
@@ -770,12 +770,18 @@ sub create_new_profile($) {
|
||||
my $hashbang = head($fqdbin);
|
||||
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
|
||||
my $interpreter = get_full_path($1);
|
||||
$profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
|
||||
$profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
|
||||
$profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
|
||||
$profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
|
||||
if ($interpreter =~ /perl/) {
|
||||
$profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
|
||||
} elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
|
||||
$profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
|
||||
} elsif ($interpreter =~ m/python/) {
|
||||
$profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
|
||||
} elsif ($interpreter =~ m/ruby/) {
|
||||
$profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
|
||||
}
|
||||
handle_binfmt($profile->{$fqdbin}, $interpreter);
|
||||
} else {
|
||||
@@ -4791,13 +4797,9 @@ sub sub_mode_to_str($) {
|
||||
$str .= "a" if ($mode & $AA_MAY_APPEND);
|
||||
$str .= "l" if ($mode & $AA_MAY_LINK);
|
||||
$str .= "k" if ($mode & $AA_MAY_LOCK);
|
||||
if ($mode & $AA_EXEC_UNCONFINED) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "u";
|
||||
} else {
|
||||
$str .= "U";
|
||||
}
|
||||
}
|
||||
|
||||
# modes P and C *must* come before I and U; otherwise syntactically
|
||||
# invalid profiles result
|
||||
if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "p";
|
||||
@@ -4812,7 +4814,18 @@ sub sub_mode_to_str($) {
|
||||
$str .= "C";
|
||||
}
|
||||
}
|
||||
|
||||
# modes P and C *must* come before I and U; otherwise syntactically
|
||||
# invalid profiles result
|
||||
if ($mode & $AA_EXEC_UNCONFINED) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "u";
|
||||
} else {
|
||||
$str .= "U";
|
||||
}
|
||||
}
|
||||
$str .= "i" if ($mode & $AA_EXEC_INHERIT);
|
||||
|
||||
$str .= "x" if ($mode & $AA_MAY_EXEC);
|
||||
|
||||
return $str;
|
||||
|
Reference in New Issue
Block a user