felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove and merge sources that are already present deps.

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-01 15:33:57 +01:00
parent 41e4012902
commit 2129e23596
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
141 changed files with 92 additions and 4400 deletions
Download patch file Download diff file Expand all files Collapse all files

70
apparmor.d/abstractions/X
View file

@ -1,70 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2018-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/dri-common>
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{HOME}/.local/share/sddm/.Xauthority r,
owner @{run}/gdm{,3}/*/database r,
owner @{run}/lightdm/authority/[0-9]* r,
owner @{run}/lightdm/*/xauthority r,
owner @{run}/user/*/gdm/Xauthority r,
owner @{run}/user/*/X11/Xauthority r,
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
# The X tree changes and is large -- grant read access to the whole thing
/usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,
# EGL
/usr/lib/@{multiarch}/egl/*.so* mr,
# Xcompose
owner @{HOME}/.XCompose r,
/var/cache/libx11/compose/* r,
deny /var/cache/libx11/compose/* wlk,
# mouse themes
/etc/X11/cursors/ r,
/etc/X11/cursors/** r,
# Xwayland
owner @{run}/user/*/.mutter-Xwaylandauth.* r,
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,
# Include additions to the abstraction
include if exists <abstractions/X.d>

7
apparmor.d/abstractions/X.d/complete Normal file
View file

@ -0,0 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,

39
apparmor.d/abstractions/apache2-common
View file

@ -1,39 +0,0 @@
# vim:syntax=apparmor
# This file contains basic permissions for Apache and every vHost
abi <abi/3.0>,
include <abstractions/nameservice>
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=apache2,
# Allow other hats to signal by default
signal peer=apache2//*,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Apache
network inet stream,
network inet6 stream,
# apache manual, error pages and icons
/usr/share/apache2/** r,
# changehat itself
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
# htaccess files - for what ever it is worth
/**/.htaccess r,
/dev/urandom r,
# sasl-auth
@{run}/saslauthd/mux rw,
# OCSP stapling
@{run}/lock/apache2/stapling-cache* rw,
# Include additions to the abstraction
include if exists <abstractions/apache2-common.d>

13
apparmor.d/abstractions/apparmor_api/change_profile
View file

@ -1,13 +0,0 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,

14
apparmor.d/abstractions/apparmor_api/examine
View file

@ -1,14 +0,0 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
abi <abi/3.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,

16
apparmor.d/abstractions/apparmor_api/find_mountpoint
View file

@ -1,16 +0,0 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{pids}/mounts r,

14
apparmor.d/abstractions/apparmor_api/introspect
View file

@ -1,14 +0,0 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,

19
apparmor.d/abstractions/apparmor_api/is_enabled
View file

@ -1,19 +0,0 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global
# when using this abstraction
include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
# TODO: add alternate apparmorfs interface for enabled

18
apparmor.d/abstractions/aspell
View file

@ -1,18 +0,0 @@
# vim:syntax=apparmor
# aspell permissions
abi <abi/3.0>,
# per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
# system libraries and dictionaries
/usr/lib/aspell/ r,
/usr/lib/aspell/* r,
/usr/lib/aspell/*.so m,
/usr/share/aspell/ r,
/usr/share/aspell/* r,
/var/lib/aspell/* r,
# Include additions to the abstraction
include if exists <abstractions/aspell.d>

94
apparmor.d/abstractions/audio
View file

@ -1,94 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/dev/admmidi* rw,
/dev/adsp* rw,
/dev/aload* rw,
/dev/amidi* rw,
/dev/audio* rw,
/dev/dmfm* rw,
/dev/dmmidi* rw,
/dev/dsp* rw,
/dev/midi* rw,
/dev/mixer* rw,
/dev/mpu401data rw,
/dev/mpu401stat rw,
/dev/patmgr* rw,
/dev/phone* rw,
/dev/radio* rw,
/dev/rmidi* rw,
/dev/sequencer rw,
/dev/sequencer2 rw,
/dev/smpte* rw,
/dev/snd/* rw,
/dev/sound/* rw,
@{PROC}/asound/** rw,
/usr/share/alsa/** r,
/usr/share/sounds/ r,
/usr/share/sounds/** r,
owner @{HOME}/.esd_auth r,
/etc/asound.conf r,
owner @{HOME}/.asoundrc r,
/etc/esound/esd.conf r,
# libao
/etc/libao.conf r,
owner @{HOME}/.libao r,
# libcanberra
owner @{HOME}/.cache/event-sound-cache.* rwk,
# pulse
/etc/pulse/ r,
/etc/pulse/** r,
/dev/shm/ r,
@{run}/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{run}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner @{run}/user/*/pulse/ rw,
owner @{run}/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/*.conf r,
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
# PulseAudio module-ladspa-sink (plugin sc4m_1916)
/usr/lib/ladspa/ r,
/usr/lib/ladspa/*.so mr,
# libgnome2
/etc/sound/ r,
/etc/sound/** r,
# openal
/etc/alsa/conf.d/{,*} r,
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
/usr/{,local/}share/openal/hrtf/{,**} r,
owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>

10
apparmor.d/abstractions/audio.d/complete Normal file
View file

@ -0,0 +1,10 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/share/sounds/ r,
# PulseAudio module-ladspa-sink (plugin sc4m_1916)
/usr/lib/ladspa/ r,
/usr/lib/ladspa/*.so mr,

56
apparmor.d/abstractions/authentication
View file

@ -1,56 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd
# Copyright (C) 2019 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Some services need to perform authentication of users
# Such authentication almost certainly needs access to the local users
# databases containing passwords, PAM configuration files, PAM libraries
@{etc_ro}/nologin r,
@{etc_ro}/pam.d/* r,
@{etc_ro}/securetty r,
@{etc_ro}/security/* r,
@{etc_ro}/shadow r,
@{etc_ro}/gshadow r,
@{etc_ro}/pwdb.conf r,
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
/{usr/,}lib{,32,64}/security/pam_*.so mr,
/{usr/,}lib{,32,64}/security/ r,
/{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
/{usr/,}lib/@{multiarch}/security/ r,
# kerberos
include <abstractions/kerberosclient>
# SuSE's pwdutils are different:
@{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
# nis
include <abstractions/nis>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# smbpass
include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration)
include <abstractions/p11-kit>
# Include additions to the abstraction
include if exists <abstractions/authentication.d>

191
apparmor.d/abstractions/base
View file

@ -1,191 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
# Allow to write a user defined fifo log devices
owner /dev/log-xsession w,
owner /dev/log-gnupg w,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
#owner @{HOME}/.Private/ r,
#owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
include if exists <abstractions/base.d>

26
apparmor.d/abstractions/base.d/complete Normal file
View file

@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/writable/localtime r,
/usr/share/locale/ r,
# Allow to receive some signals
signal (receive) peer=top,
signal (receive) peer=htop,
signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=su,
signal (receive) peer=sudo,
# Allow to write a user defined fifo log devices
owner /dev/log-xsession w,
owner /dev/log-gnupg w,
deny owner @{HOME}/.Private/ r,
deny owner @{HOME}/.Private/** mrixwlk,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
deny owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

49
apparmor.d/abstractions/bash
View file

@ -1,49 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,
@{HOME}/.profile r,
@{HOME}/.bash_profile r,
@{HOME}/.bash_history rw,
# system-wide bash configuration
/etc/profile.dos r,
/etc/profile r,
/etc/profile.d/ r,
/etc/profile.d/* r,
/etc/bashrc r,
/etc/bash.bashrc r,
/etc/bash.bashrc.local r,
/etc/bash_completion r,
/etc/bash_completion.d/ r,
/etc/bash_completion.d/* r,
# bash relies on system-wide readline configuration
/etc/inputrc r,
# bash inspects filesystems at startup
/etc/mtab r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
# probably readline wants to know terminal capabilities
/usr/share/terminfo/** r,
# run out of /etc/bash.bashrc
/etc/DIR_COLORS r,
/{usr/,}bin/ls mix,
/usr/bin/dircolors mix,
# Include additions to the abstraction
include if exists <abstractions/bash.d>

27
apparmor.d/abstractions/consoles
View file

@ -1,27 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# there are three common ways to refer to consoles
/dev/console rw,
/dev/tty rw,
# this next entry is a tad unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/[0-9]* rw,
/dev/pts/ r,
# Include additions to the abstraction
include if exists <abstractions/consoles.d>

23
apparmor.d/abstractions/cups-client
View file

@ -1,23 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
@{run}/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
# Include additions to the abstraction
include if exists <abstractions/cups-client.d>

21
apparmor.d/abstractions/dbus
View file

@ -1,21 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-strict>
dbus bus=system,
# Include additions to the abstraction
include if exists <abstractions/dbus.d>

21
apparmor.d/abstractions/dbus-accessibility
View file

@ -1,21 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-accessibility-strict>
dbus bus=accessibility,
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility.d>

22
apparmor.d/abstractions/dbus-accessibility-strict
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
dbus send
bus=accessibility
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility-strict.d>

47
apparmor.d/abstractions/dbus-network-manager-strict
View file

@ -1,47 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member={GetDevices,ListConnections}
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
include if exists <abstractions/dbus-network-manager-strict.d>

22
apparmor.d/abstractions/dbus-session
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-session-strict>
/usr/bin/dbus-launch ix,
dbus bus=session,
# Include additions to the abstraction
include if exists <abstractions/dbus-session.d>

33
apparmor.d/abstractions/dbus-session-strict
View file

@ -1,33 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# unique per-machine identifier
/etc/machine-id r,
/var/lib/dbus/machine-id r,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/dbus-*"),
# dbus with systemd and --enable-user-session
owner @{run}/user/[0-9]*/bus rw,
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-session-strict.d>

24
apparmor.d/abstractions/dbus-strict
View file

@ -1,24 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
@{run}/dbus/system_bus_socket rw,
dbus send
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-strict.d>

13
apparmor.d/abstractions/dconf
View file

@ -1,13 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.
/etc/dconf/** r,
owner @{run}/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,
# Include additions to the abstraction
include if exists <abstractions/dconf.d>

24
apparmor.d/abstractions/dovecot-common
View file

@ -1,24 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2014 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with dovecot/*
abi <abi/3.0>,
capability setgid,
deny capability block_suspend,
# dovecot's master can send us signals
signal receive peer=dovecot,
owner @{run}/dovecot/config rw,
# Include additions to the abstraction
include if exists <abstractions/dovecot-common.d>

19
apparmor.d/abstractions/dri-common
View file

@ -1,19 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).
/usr/lib{,32,64}/dri/** mr,
/usr/lib/@{multiarch}/dri/** mr,
/usr/lib/fglrx/dri/** mr,
/dev/dri/ r,
/dev/dri/** rw,
/etc/drirc r,
/usr/share/drirc.d/{,*.conf} r,
owner @{HOME}/.drirc r,
# Include additions to the abstraction
include if exists <abstractions/dri-common.d>

13
apparmor.d/abstractions/dri-enumerate
View file

@ -1,13 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction
include if exists <abstractions/dri-enumerate.d>

64
apparmor.d/abstractions/enchant
View file

@ -1,64 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r,
/usr/share/enchant-2/ r,
/usr/share/enchant-2/enchant.ordering r,
# aspell
include <abstractions/aspell>
/var/lib/dictionaries-common/aspell/ r,
/var/lib/dictionaries-common/aspell/* r,
# hspell
/usr/share/hspell/ r,
/usr/share/hspell/*.wgz.* r,
# hunspell
/usr/share/hunspell/ r,
/usr/share/hunspell/* r,
# ispell
/usr/lib/ispell/ r,
/usr/lib/ispell/*.hash r,
/usr/share/dict/ r,
/usr/share/dict/* r,
/var/lib/dictionaries-common/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/* r,
# myspell
/usr/share/myspell/ r,
/usr/share/myspell/** r,
# voikko
/usr/lib/voikko/ r,
/usr/lib/voikko/2/ r,
/usr/lib/voikko/2/mor-standard/ r,
/usr/lib/voikko/2/mor-standard/voikko* r,
# zemberek
/usr/share/java/ r,
/usr/share/java/zemberek-[0-9]*.jar r,
/usr/share/java/zemberek-tr-[0-9]*.jar r,
# per-user dictionaries
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
# Include additions to the abstraction
include if exists <abstractions/enchant.d>

76
apparmor.d/abstractions/exo-open
View file

@ -1,76 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# Deny DBus
# for GTK error message dialog, not required exo-open to work.
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
include if exists <abstractions/exo-open.d>

18
apparmor.d/abstractions/fcitx
View file

@ -1,18 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/fcitx-strict>
dbus bus=fcitx,
# Include additions to the abstraction
include if exists <abstractions/fcitx.d>

26
apparmor.d/abstractions/fcitx-strict
View file

@ -1,26 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/dbus-session-strict>
dbus send
bus=fcitx
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# Include additions to the abstraction
include if exists <abstractions/fcitx-strict.d>

68
apparmor.d/abstractions/fonts
View file

@ -1,68 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr,
/usr/share/fonts/{,**} r,
/usr/share/fonts-*/{,**} r,
/etc/fonts/** r,
# Debian, openSUSE paths are different
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
/opt/kde3/share/fonts/** r,
/usr/lib{,32,64}/openoffice/share/fonts/** r,
/var/cache/fonts/** r,
/var/cache/fontconfig/** mr,
/var/lib/defoma/** mr,
/usr/share/a2ps/fonts/** r,
/usr/share/xfce/fonts/** r,
/usr/share/ghostscript/fonts/** r,
/usr/share/javascript/*/fonts/** r,
/usr/share/texmf/{,*/}fonts/** r,
/usr/share/texlive/texmf-dist/fonts/** r,
/var/lib/ghostscript/** r,
owner @{HOME}/.fonts.conf r,
owner @{HOME}/.fonts/ r,
owner @{HOME}/.fonts/** r,
owner @{HOME}/.local/share/fonts/ r,
owner @{HOME}/.local/share/fonts/** r,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ rw,
owner @{HOME}/.{,cache/}fontconfig/** mrl,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
owner @{HOME}/.Fontmatrix/Activated/ r,
owner @{HOME}/.Fontmatrix/Activated/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
# poppler CMap tables
/usr/share/poppler/cMap/** r,
# data files for LibThai
/usr/share/libthai/thbrk.tri r,
# Include additions to the abstraction
include if exists <abstractions/fonts.d>

34
apparmor.d/abstractions/freedesktop.org
View file

@ -1,34 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# system configuration
@{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r,
@{system_share_dirs}/pixmaps/{**,} r,
# this should probably go elsewhere
@{system_share_dirs}/mime/** r,
# per-user configurations
owner @{HOME}/.icons/ r,
owner @{HOME}/.icons/default/index.theme r,
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
owner @{HOME}/.config/mimeapps.list r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,} r,
owner @{user_share_dirs}/mime/{**,} r,
# Include additions to the abstraction
include if exists <abstractions/freedesktop.org.d>

6
apparmor.d/abstractions/freedesktop.org.d/complete Normal file
View file

@ -0,0 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r,

59
apparmor.d/abstractions/gio-open
View file

@ -1,59 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>

117
apparmor.d/abstractions/gnome
View file

@ -1,117 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
/usr/lib{,32,64}/gtk-[0-9]*/** mr,
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
# for gnome 1 applications
/etc/orbitrc r,
# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/ w,
owner @{HOME}/.config/gtk-3.0/* r,
owner @{HOME}/.gnome/Gnome r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,
owner @{user_share_dirs}/themes/ r,
owner @{user_share_dirs}/themes/** r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ w,
owner @{HOME}/.config/gtk-2.0/** r,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# from evolution-mail
owner @{HOME}/.gconfd/lock/* r,
owner @{HOME}/.gnome/application-info r,
# per-user font business
owner @{HOME}/.fonts.cache-* rwl,
# GtkComposeTable
owner @{HOME}/.cache/gtk-3.0/** r,
# icon caches
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,
# GLib schemas
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
/usr/{local/,}share/glib-[0-9]*/schemas/** r,
# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner @{run}/gdm/auth*/database r,
# mime-types
/etc/gnome/defaults.list r,
/etc/xdg/{,*-}mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
unix (send, receive, connect)
type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>

16
apparmor.d/abstractions/gnupg
View file

@ -1,16 +0,0 @@
# vim:syntax=apparmor
# gnupg sub-process running permissions
abi <abi/3.0>,
# user configurations
owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r,
owner @{HOME}/.gnupg/pubring.kbx r,
owner @{HOME}/.gnupg/random_seed rw,
owner @{HOME}/.gnupg/secring.gpg r,
owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
include if exists <abstractions/gnupg.d>

47
apparmor.d/abstractions/gvfs-open
View file

@ -1,47 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
# Include additions to the abstraction
include if exists <abstractions/gvfs-open.d>

17
apparmor.d/abstractions/hosts_access
View file

@ -1,17 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts.deny r,
/etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>

34
apparmor.d/abstractions/ibus
View file

@ -1,34 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
# abstract path in ibus < 1.5.22 uses /tmp
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# Include additions to the abstraction
include if exists <abstractions/ibus.d>

18
apparmor.d/abstractions/ibus.d/complete Normal file
View file

@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# abstract path in ibus < 1.5.22 uses /tmp
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),

82
apparmor.d/abstractions/kde
View file

@ -1,82 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/qt5>
/etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r,
/etc/qt3/qtrc r,
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,
/etc/xdg/kdeglobals r,
/etc/xdg/Trolltech.conf r,
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
/usr/share/kubuntu-default-settings/kf5-settings/* r,
owner @{HOME}/.DCOPserver_* r,
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.fonts.* lrw,
owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
owner @{HOME}/.qt/** rw,
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,
# kde3
/usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*so* mr,
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
/usr/lib/@{multiarch}/kde3/lib*so* mr,
/usr/lib*/qt3/lib*/lib*so* mr,
/usr/lib*/qt3/plugins/** mr,
/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt*so* mr,
/usr/lib*/libqui*so* mr,
/usr/lib/@{multiarch}/libqt-mt*so* mr,
/usr/lib/@{multiarch}/libqui*so* mr,
/usr/share/qt3/lib*/libqt-mt*so* mr,
/usr/share/qt3/lib*/libqui*so* mr,
# kde4
/usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*so* mr,
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
/usr/lib/@{multiarch}/kde4/lib*so* mr,
/usr/lib*/qt4/lib*/lib*so* mr,
/usr/lib*/qt4/plugins/** mr,
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# Include additions to the abstraction
include if exists <abstractions/kde.d>

15
apparmor.d/abstractions/kde-globals-write
View file

@ -1,15 +0,0 @@
# vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other).
abi <abi/3.0>,
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-globals-write.d>

12
apparmor.d/abstractions/kde-icon-cache-write
View file

@ -1,12 +0,0 @@
# vim:syntax=apparmor
# Rules for writing KDE icon cache
abi <abi/3.0>,
# User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Include additions to the abstraction
include if exists <abstractions/kde-icon-cache-write.d>

18
apparmor.d/abstractions/kde-language-write
View file

@ -1,18 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file.
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/klanguageoverridesrc rw,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-language-write.d>

106
apparmor.d/abstractions/kde-open5
View file

@ -1,106 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>

39
apparmor.d/abstractions/kerberosclient
View file

@ -1,39 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
/etc/krb5.keytab rk,
/etc/krb5.conf r,
/etc/krb5.conf.d/ r,
/etc/krb5.conf.d/* r,
# config files found via strings on libs
/etc/krb.conf r,
/etc/krb.realms r,
/etc/srvtab r,
# credential caches
/tmp/krb5cc* r,
# Include additions to the abstraction
include if exists <abstractions/kerberosclient.d>

29
apparmor.d/abstractions/ldapclient
View file

@ -1,29 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r,
/etc/ldap.secret r,
/etc/openldap/* r,
/etc/openldap/cacerts/* r,
# SASL plugins and config
/etc/sasl2/* r,
/usr/lib{,32,64}/sasl2/* r,
# local LDAP name service daemon
@{run}/nslcd/socket rw,
include <abstractions/ssl_certs>
# Include additions to the abstraction
include if exists <abstractions/ldapclient.d>

24
apparmor.d/abstractions/libpam-systemd
View file

@ -1,24 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015-2016 Simon Deziel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
dbus send
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession},
# Include additions to the abstraction
include if exists <abstractions/libpam-systemd.d>

18
apparmor.d/abstractions/likewise
View file

@ -1,18 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
# Include additions to the abstraction
include if exists <abstractions/likewise.d>

19
apparmor.d/abstractions/mdns
View file

@ -1,19 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mdnsd
/etc/mdns.allow r,
/etc/nss_mdns.conf r,
@{run}/mdnsd w,
# Include additions to the abstraction
include if exists <abstractions/mdns.d>

29
apparmor.d/abstractions/mesa
View file

@ -1,29 +0,0 @@
# vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API
abi <abi/3.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# Needed to check if the kernel supports the i915 perf interface
# (src/intel/perf/gen_perf.c, load_oa_metrics())
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Fallback location when @{HOME}/.cache is not available
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>

22
apparmor.d/abstractions/mir
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mir libraries sometimes do not have a lib prefix
# see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr,
/usr/lib/@{multiarch}/mir/**/*.so* mr,
# unprivileged mir socket for clients
# Include additions to the abstraction
include if exists <abstractions/mir.d>

17
apparmor.d/abstractions/mozc
View file

@ -1,17 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction
include if exists <abstractions/mozc.d>

20
apparmor.d/abstractions/mysql
View file

@ -1,20 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
# Include additions to the abstraction
include if exists <abstractions/mysql.d>

118
apparmor.d/abstractions/nameservice
View file

@ -1,118 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/gai.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
# libtirpc (used for NIS/YP login) needs this
@{etc_ro}/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/initgroups r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
@{etc_ro}/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
@{etc_ro}/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
@{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
@{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution
@{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
@{etc_ro}/libnl-*/classid r,
# nis
include <abstractions/nis>
# ldap
include <abstractions/ldapclient>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# mdnsd
include <abstractions/mdns>
# kerberos
include <abstractions/kerberosclient>
#libnss-systemd
include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
# interface details
@{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
include if exists <abstractions/nameservice.d>

20
apparmor.d/abstractions/nis
View file

@ -1,20 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service,
# Include additions to the abstraction
include if exists <abstractions/nis.d>

30
apparmor.d/abstractions/nss-systemd
View file

@ -1,30 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nss-systemd.d>

33
apparmor.d/abstractions/nvidia
View file

@ -1,33 +0,0 @@
# vim:syntax=apparmor
# nvidia access requirements
abi <abi/3.0>,
# configuration queries
capability ipc_lock,
/usr/share/nvidia/nvidia-application-profiles* r,
# libvdpau config file for nvidia workarounds
/etc/vdpau_wrapper.cfg r,
# device files
/dev/nvidiactl rw,
/dev/nvidia-modeset rw,
/dev/nvidia[0-9]* rw,
@{PROC}/interrupts r,
@{PROC}/sys/vm/max_map_count r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
owner @{HOME}/.nv/GLCache/** rwk,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
# Include additions to the abstraction
include if exists <abstractions/nvidia.d>

15
apparmor.d/abstractions/opencl
View file

@ -1,15 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements
# TODO: use conditionals to select allowed implementations
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/opencl-pocl>
# Include additions to the abstraction
include if exists <abstractions/opencl.d>

16
apparmor.d/abstractions/opencl-common
View file

@ -1,16 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# implementation-independent OpenCL access requirements
# System files
/etc/OpenCL/** r,
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
# Include additions to the abstraction
include if exists <abstractions/opencl-common.d>

23
apparmor.d/abstractions/opencl-intel
View file

@ -1,23 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Intel implementation
include <abstractions/opencl-common>
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
include <abstractions/X>
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
include <abstractions/dri-enumerate>
# System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,
# Include additions to the abstraction
include if exists <abstractions/opencl-intel.d>

26
apparmor.d/abstractions/opencl-mesa
View file

@ -1,26 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Mesa implementation
include <abstractions/opencl-common>
# Additional libraries
/usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
/usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
# System files
/dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
/dev/dri/render* rw, # libMesaOpenCL.so
/etc/drirc r, # libMesaOpenCL.so
# User files
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
# Include additions to the abstraction
include if exists <abstractions/opencl-mesa.d>

36
apparmor.d/abstractions/opencl-nvidia
View file

@ -1,36 +0,0 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for NVIDIA implementation
include <abstractions/nvidia>
include <abstractions/opencl-common>
# Executables
# https://github.com/NVIDIA/nvidia-modprobe
# This setuid executable is used to create various device files and load the
# the nvidia kernel module.
/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
# System files
# libnvidia-opencl.so rules:
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw,
@{sys}/devices/pci[0-9]*/**/config r,
@{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r,
@{PROC}/devices r,
@{PROC}/sys/vm/mmap_min_addr r,
# User files
owner @{HOME}/.nv/ComputeCache/ w,
owner @{HOME}/.nv/ComputeCache/** rw,
owner @{HOME}/.nv/ComputeCache/index rwk,
# Include additions to the abstraction
include if exists <abstractions/opencl-nvidia.d>

81
apparmor.d/abstractions/opencl-pocl
View file

@ -1,81 +0,0 @@
# vim:syntax=apparmor
# OpenCL access requirements for POCL implementation
abi <abi/3.0>,
include <abstractions/opencl-common>
# Executables
/usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
# System files
/ r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files
owner @{HOME}/.cache/pocl/ w,
owner @{HOME}/.cache/pocl/kcache/ w,
owner @{HOME}/.cache/pocl/kcache/** rw,
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
# Child profiles
profile opencl_pocl_ld {
include <abstractions/base>
# Main executables
/usr/bin/{,@{multiarch}-}ld.bfd mr,
# User files
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
owner @{HOME}/.cache/pocl/kcache/**.so.o r,
}
profile opencl_pocl_clang {
include <abstractions/base>
# Main executables
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
# Additional executables
/usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
# System files
/etc/debian-version r,
/etc/lsb-release r,
# User files
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
}
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>

19
apparmor.d/abstractions/openssl
View file

@ -1,19 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/ssl/openssl.cnf r,
/usr/share/ssl/openssl.cnf r,
@{PROC}/sys/crypto/fips_enabled r,
# Include additions to the abstraction
include if exists <abstractions/openssl.d>

10
apparmor.d/abstractions/orbit2
View file

@ -1,10 +0,0 @@
# vim:syntax=apparmor
# orbit2 permissions
abi <abi/3.0>,
# system library
/usr/lib/orbit-2.0/*.so mr,
# Include additions to the abstraction
include if exists <abstractions/orbit2.d>

32
apparmor.d/abstractions/p11-kit
View file

@ -1,32 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r,
/etc/pkcs11/modules/* r,
/usr/lib{,32,64}/pkcs11/*.so mr,
/usr/lib/@{multiarch}/pkcs11/*.so mr,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
# gnome-keyring pkcs11 module
owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
# Include additions to the abstraction
include if exists <abstractions/p11-kit.d>

28
apparmor.d/abstractions/perl
View file

@ -1,28 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# a few files typically required for perl scripts
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
/usr/lib{,32,64}/perl5/** r,
/usr/lib{,32,64}/perl{,5}/**.so* mr,
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
/etc/perl/** r,
# Include additions to the abstraction
include if exists <abstractions/perl.d>

44
apparmor.d/abstractions/php
View file

@ -1,44 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# shared snippets for config files
/etc/php{,5,7}/**/ r,
/etc/php{,5,7}/**.ini r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
# php extensions
/usr/lib{64,}/php{,5,7}/*/*.so mr,
# ICU (unicode support) data tables
/usr/share/icu/*/*.dat r,
# php session mmap socket
/var/lib/php{,5,7}/session_mm_* rwlk,
# file based session handler
/var/lib/php{,5,7}/sess_* rwlk,
/var/lib/php{,5,7}/sessions/* rwlk,
# php libraries
/usr/share/php{,5,7}/ r,
/usr/share/php{,5,7}/** mr,
# MySQL extension
/usr/share/mysql/** r,
# Zend opcache
/tmp/.ZendSem.* rwlk,
# Include additions to the abstraction
include if exists <abstractions/php.d>

22
apparmor.d/abstractions/php-worker
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
# This file contains basic permissions for php-fpm workers
abi <abi/3.0>,
# load common libraries and their support files
include <abstractions/base>
# common php files and support files that php needs
include <abstractions/php>
signal (receive) peer=php-fpm,
# This is some php opcaching file
/tmp/.ZendSem.* rwk,
# I think this is adaptive memory management
/sys/devices/system/node/* r,
/sys/devices/system/node/*/meminfo r,
/sys/devices/system/node/ r,
include if exists <abstractions/php-worker.d>

8
apparmor.d/abstractions/php5
View file

@ -1,8 +0,0 @@
#backwards compatibility include, actual abstraction moved from php5 to php
abi <abi/3.0>,
include <abstractions/php>
# Include additions to the abstraction
include if exists <abstractions/php5.d>

44
apparmor.d/abstractions/postfix-common
View file

@ -1,44 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015-2018 Canonical, Ltd.
# Copyright (C) 2020 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with postfix/*
abi <abi/3.0>,
capability setuid,
capability setgid,
capability sys_chroot,
# postfix's master can send us signals
signal receive peer=postfix-master,
unix (send, receive) peer=(label=postfix-master),
/etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,
/usr/lib{,32,64}/sasl2/ r,
/usr/lib/@{multiarch}/sasl2/* mr,
/usr/lib/@{multiarch}/sasl2/ r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# Include additions to the abstraction
include if exists <abstractions/postfix-common.d>

52
apparmor.d/abstractions/private-files
View file

@ -1,52 +0,0 @@
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access
abi <abi/3.0>,
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*.bak mrwkl,
# special attention to (potentially) executable files
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/autostart/{,**} wl,
audit deny @{HOME}/.config/upstart/{,**} wl,
audit deny @{HOME}/.init/{,**} wl,
audit deny @{HOME}/.kde{,4}/ w,
audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
audit deny @{HOME}/.kde{,4}/env/{,**} wl,
audit deny @{HOME}/.local/{,share/} w,
audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
audit deny @{HOME}/.pki/ w,
audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
audit deny @{HOME}/.*rc wl,
# bash
deny @{HOME}/.bash* mrk,
audit deny @{HOME}/.bash* wl,
deny @{HOME}/.inputrc mrk,
audit deny @{HOME}/.inputrc wl,
# sh/dash/csh/tcsh/pdksh/zsh
deny @{HOME}/.{,z}profile* mrk,
audit deny @{HOME}/.{,z}profile* wl,
deny @{HOME}/.{,z}log{in,out} mrk,
audit deny @{HOME}/.{,z}log{in,out} wl,
deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl,
# Include additions to the abstraction
include if exists <abstractions/private-files.d>

30
apparmor.d/abstractions/private-files-strict
View file

@ -1,30 +0,0 @@
# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access
abi <abi/3.0>,
include <abstractions/private-files>
# potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl,
audit deny @{HOME}/.gnupg/{,**} mrwkl,
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny @{run}/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
audit deny @{HOME}/.evolution/{,**} mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>

46
apparmor.d/abstractions/python
View file

@ -1,46 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
/usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
# Silencer
/{usr/,}lib/python3/** w,
# Include additions to the abstraction
include if exists <abstractions/python.d>

9
apparmor.d/abstractions/python.d/complete Normal file
View file

@ -0,0 +1,9 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/**/ r,
# Silencer
/{usr/,}lib/python3/** w,

27
apparmor.d/abstractions/qt5
View file

@ -1,27 +0,0 @@
# vim:syntax=apparmor
# Common rules for Qt5-based applications
abi <abi/3.0>,
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
# User files
owner @{HOME}/.config/QtProject/qtlogging.ini r,
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# Include additions to the abstraction
include if exists <abstractions/qt5.d>

13
apparmor.d/abstractions/qt5-compose-cache-write
View file

@ -1,13 +0,0 @@
# vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/3.0>,
# User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Include additions to the abstraction
include if exists <abstractions/qt5-compose-cache-write.d>

16
apparmor.d/abstractions/qt5-settings-write
View file

@ -1,16 +0,0 @@
# vim:syntax=apparmor
# Allow writing shared settings for Qt-based applications
abi <abi/3.0>,
# User files
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/qt5-settings-write.d>

15
apparmor.d/abstractions/recent-documents-write
View file

@ -1,15 +0,0 @@
# vim:syntax=apparmor
# Allow updating recent documents
abi <abi/3.0>,
# User files
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/recent-documents-write.d>

26
apparmor.d/abstractions/ruby
View file

@ -1,26 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
# Include additions to the abstraction
include if exists <abstractions/ruby.d>

36
apparmor.d/abstractions/samba
View file

@ -1,36 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/samba/* r,
/usr/lib*/ldb/*.so mr,
/usr/lib*/samba/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
/var/cache/samba/lck/* rwk,
/var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/* w,
@{run}/samba/ w,
@{run}/samba/*.tdb rw,
@{run}/samba/msg.lock/ rwk,
@{run}/samba/msg.lock/[0-9]* rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
# required for clustering
/var/lib/ctdb/** rwk,
# Include additions to the abstraction
include if exists <abstractions/samba.d>

18
apparmor.d/abstractions/smbpass
View file

@ -1,18 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# libpam-smbpass/pam_smbpass.so permissions
/var/lib/samba/*.[lt]db rwk,
# Include additions to the abstraction
include if exists <abstractions/smbpass.d>

49
apparmor.d/abstractions/ssl_certs
View file

@ -1,49 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
/etc/pki/trust/ r,
/etc/pki/trust/* r,
/etc/pki/trust/anchors/ r,
/etc/pki/trust/anchors/** r,
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/** r,
/usr/share/ssl/certs/ca-bundle.crt r,
/usr/local/share/ca-certificates/ r,
/usr/local/share/ca-certificates/** r,
/var/lib/ca-certificates/ r,
/var/lib/ca-certificates/** r,
# acmetool
/var/lib/acme/certs/*/chain r,
/var/lib/acme/certs/*/cert r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
/{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
# certbot
/etc/letsencrypt/archive/*/cert*.pem r,
/etc/letsencrypt/archive/*/chain*.pem r,
/etc/letsencrypt/archive/*/fullchain*.pem r,
/etc/certbot/archive/*/cert*.pem r,
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>

35
apparmor.d/abstractions/ssl_keys
View file

@ -1,35 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# private ssl permissions
# Just include the whole /etc/ssl directory if we should have access to
# private keys too
/etc/ssl/ r,
/etc/ssl/** r,
# acmetool
/var/lib/acme/live/* r,
/var/lib/acme/certs/** r,
/var/lib/acme/keys/** r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
# certbot / letsencrypt
/etc/letsencrypt/archive/*/privkey*.pem r,
/etc/certbot/archive/*/privkey*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_keys.d>

57
apparmor.d/abstractions/svn-repositories
View file

@ -1,57 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This little snippet should abstract the read/write access to a repository.
# it is intended to be included in profiles for svnserve/apache2 and maybe
# some repository viewers like trac/viewvc
# no hooks exec by default; please define whatever you need explicitely.
/srv/svn/**/conf/* r,
/srv/svn/**/format r,
/srv/svn/**/db/fs-type r,
/srv/svn/**/db/format r,
# FSFS
/srv/svn/**/db/ r,
/srv/svn/**/db/uuid r,
/srv/svn/**/db/write-lock rwl,
/srv/svn/**/db/current rwl,
/srv/svn/**/db/current*.tmp rwl,
/srv/svn/**/db/revs/ r,
/srv/svn/**/db/revs/* rw,
/srv/svn/**/db/revprops/ r,
/srv/svn/**/db/revprops/* rw,
/srv/svn/**/db/transactions/** rw,
# BDB
/srv/svn/**/db/DB_CONFIG r,
/srv/svn/**/db/__db.[0-9]* rwl,
/srv/svn/**/db/log.[0-9]* rwl,
/srv/svn/**/db/nodes rwl,
/srv/svn/**/db/revisions rwl,
/srv/svn/**/db/transactions rwl,
/srv/svn/**/db/copies rwl,
/srv/svn/**/db/changes rwl,
/srv/svn/**/db/representations rwl,
/srv/svn/**/db/strings rwl,
/srv/svn/**/db/uuids rwl,
/srv/svn/**/db/locks rwl,
/srv/svn/**/db/lock-tokens rwl,
# temp files
/tmp/apr* rwl,
/var/tmp/apr* rwl,
/tmp/report*.tmp rwl,
# Include additions to the abstraction
include if exists <abstractions/svn-repositories.d>

22
apparmor.d/abstractions/ubuntu-bittorrent-clients
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing graphical bittorrent clients in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/azureus Cxr -> sanitized_helper,
/usr/bin/bitstormlite Cxr -> sanitized_helper,
/usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
/usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
/usr/bin/gnome-btdownload Cxr -> sanitized_helper,
/usr/bin/kget Cxr -> sanitized_helper,
/usr/bin/ktorrent Cxr -> sanitized_helper,
/usr/bin/qbittorrent Cxr -> sanitized_helper,
/usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-bittorrent-clients.d>

41
apparmor.d/abstractions/ubuntu-browsers
View file

@ -1,41 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing access to graphical browsers in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/arora Cx -> sanitized_helper,
/usr/bin/dillo Cx -> sanitized_helper,
/usr/bin/Dooble Cx -> sanitized_helper,
/usr/bin/epiphany Cx -> sanitized_helper,
/usr/bin/epiphany-browser Cx -> sanitized_helper,
/usr/bin/epiphany-webkit Cx -> sanitized_helper,
/usr/lib/fennec-*/fennec Cx -> sanitized_helper,
/usr/bin/kazehakase Cx -> sanitized_helper,
/usr/bin/konqueror Cx -> sanitized_helper,
/usr/bin/midori Cx -> sanitized_helper,
/usr/bin/netsurf Cx -> sanitized_helper,
/usr/bin/seamonkey Cx -> sanitized_helper,
/usr/bin/sensible-browser Pixr,
/usr/bin/chromium{,-browser} Cx -> sanitized_helper,
/usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
# this should cover all firefox browsers and versions (including shiretoko
# and abrowser)
/usr/bin/firefox Cxr -> sanitized_helper,
/usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
# Iceweasel
/usr/bin/iceweasel Cxr -> sanitized_helper,
/usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
# some unpackaged, but popular browsers
/usr/lib/icecat-*/icecat Cx -> sanitized_helper,
/usr/bin/opera Cx -> sanitized_helper,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,

23
apparmor.d/abstractions/ubuntu-console-browsers
View file

@ -1,23 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing access to text-only browsers in Ubuntu. These will
# typically also need a terminal, so when using this abstraction, should also
# do something like:
#
# include <abstractions/ubuntu-gnome-terminal>
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/elinks Cx -> sanitized_helper,
/usr/bin/links Cx -> sanitized_helper,
/usr/bin/lynx.cur Cx -> sanitized_helper,
/usr/bin/netrik Cx -> sanitized_helper,
/usr/bin/w3m Cx -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-console-browsers.d>

23
apparmor.d/abstractions/ubuntu-console-email
View file

@ -1,23 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing console email clients in Ubuntu. These will
# typically also need a terminal, so when using this abstraction, should also
# do something like:
#
# include <abstractions/ubuntu-gnome-terminal>
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/alpine Cx -> sanitized_helper,
/usr/bin/citadel Cx -> sanitized_helper,
/usr/bin/cone Cx -> sanitized_helper,
/usr/bin/elmo Cx -> sanitized_helper,
/usr/bin/mutt Cx -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-console-email.d>

29
apparmor.d/abstractions/ubuntu-email
View file

@ -1,29 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing graphical email clients in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/anjal Cx -> sanitized_helper,
/usr/bin/balsa Cx -> sanitized_helper,
/usr/bin/claws-mail Cx -> sanitized_helper,
/usr/bin/evolution Cx -> sanitized_helper,
/usr/bin/geary Cx -> sanitized_helper,
/usr/bin/gnome-gmail Cx -> sanitized_helper,
/usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
/usr/bin/kmail Cx -> sanitized_helper,
/usr/bin/mailody Cx -> sanitized_helper,
/usr/bin/modest Cx -> sanitized_helper,
/usr/bin/seamonkey Cx -> sanitized_helper,
/usr/bin/sylpheed Cx -> sanitized_helper,
/usr/bin/tkrat Cx -> sanitized_helper,
/usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop
/usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-email.d>

15
apparmor.d/abstractions/ubuntu-feed-readers
View file

@ -1,15 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing graphical news feed readers in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/akregator Cxr -> sanitized_helper,
/usr/bin/liferea-add-feed Cxr -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-feed-readers.d>

15
apparmor.d/abstractions/ubuntu-gnome-terminal
View file

@ -1,15 +0,0 @@
# vim:syntax=apparmor
#
# for allowing access to gnome-terminal
#
abi <abi/3.0>,
include <abstractions/gnome>
# do not use ux or PUx here. Use at a minimum ix
/usr/bin/gnome-terminal ix,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-gnome-terminal.d>

91
apparmor.d/abstractions/ubuntu-helpers
View file

@ -1,91 +0,0 @@
# Lenient profile that is intended to be used when 'Ux' is desired but
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned be the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
# owner matching in the sanitized helper. We could do a better job with
# this to support root, but it would make the policy harder to understand
# and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
# environment must open symlinks directly in order for AppArmor to mediate
# it. This is confirmed to work with:
# - compiled code which can load shared libraries
# - python imports
# It is known not to work with:
# - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.
abi <abi/3.0>,
profile sanitized_helper {
include <abstractions/base>
include <abstractions/X>
# Allow all networking
network inet,
network inet6,
# Allow all DBus communications
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
dbus,
# Needed for Google Chrome
ptrace (trace) peer=**//sanitized_helper,
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
/{usr/,usr/local/,}{bin,sbin}/* Pixr,
# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/{,local/}lib*/{,**/}* Pixr,
# Allow exec of software-center scripts. We may need to allow wider
# permissions for /usr/share, but for now just do this. (LP: #972367)
/usr/share/software-center/* Pixr,
# Allow exec of texlive font build scripts (LP: #1010909)
/usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
# While the chromium and chrome sandboxes are setuid root, they only link
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
/usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
/usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
/opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
/opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
/opt/google/chrome{,-beta,-unstable}/chrome Pixr,
/opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
# The same is needed for Brave
/opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
/opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
# Full access
/ r,
/** rwkl,
/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
audit deny owner /**/*.py* r, # python imports
}

22
apparmor.d/abstractions/ubuntu-konsole
View file

@ -1,22 +0,0 @@
# vim:syntax=apparmor
#
# for allowing access to konsole
#
abi <abi/3.0>,
include <abstractions/consoles>
include <abstractions/kde>
capability sys_ptrace,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
/{,var/}run/utmp r,
/dev/ptmx rw,
# do not use ux or Ux here. Use at a minimum ix
/usr/bin/konsole ix,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-konsole.d>

65
apparmor.d/abstractions/ubuntu-media-players
View file

@ -1,65 +0,0 @@
# vim:syntax=apparmor
#
# abstraction for allowing access to media players in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/3.0>,
/usr/bin/amarok Cxr -> sanitized_helper,
/usr/bin/audacious2 Cxr -> sanitized_helper,
/usr/bin/audacity Cxr -> sanitized_helper,
/usr/bin/bangarang Cxr -> sanitized_helper,
/usr/bin/banshee Cxr -> sanitized_helper,
/usr/bin/banshee-1 Cxr -> sanitized_helper,
/usr/bin/decibel Cxr -> sanitized_helper,
/usr/bin/dragon Cxr -> sanitized_helper,
/usr/bin/esperanza Cxr -> sanitized_helper,
/usr/bin/exaile Cxr -> sanitized_helper,
/usr/bin/freevo Cxr -> sanitized_helper,
/usr/bin/gmerlin Cxr -> sanitized_helper,
/usr/bin/gxmms Cxr -> sanitized_helper,
/usr/bin/gxmms2 Cxr -> sanitized_helper,
/usr/bin/hornsey Cxr -> sanitized_helper,
/usr/bin/jlgui Cxr -> sanitized_helper,
/usr/bin/juk Cxr -> sanitized_helper,
/usr/bin/kaffeine Cxr -> sanitized_helper,
/usr/bin/listen Cxr -> sanitized_helper,
/usr/share/minirok/minirok.py Cxr -> sanitized_helper,
# mplayer
/etc/mplayerplug-in.conf r,
/usr/bin/gmplayer Cxr -> sanitized_helper,
/usr/bin/gnome-mplayer Cxr -> sanitized_helper,
/usr/bin/kmplayer Cxr -> sanitized_helper,
/usr/bin/mplayer Cxr -> sanitized_helper,
/usr/bin/smplayer Cxr -> sanitized_helper,
/usr/bin/muine Cxr -> sanitized_helper,
/usr/bin/potamus Cxr -> sanitized_helper,
/usr/bin/promoe Cxr -> sanitized_helper,
/usr/bin/qmmp Cxr -> sanitized_helper,
/usr/bin/quodlibet Cxr -> sanitized_helper,
/usr/bin/rhythmbox Cxr -> sanitized_helper,
/usr/bin/strange-quark Cxr -> sanitized_helper,
/usr/bin/swfdec-player Cxr -> sanitized_helper,
/usr/bin/timidity Cxr -> sanitized_helper,
/usr/lib/totem/** ixr,
/usr/bin/totem-gstreamer Cxr -> sanitized_helper,
/usr/bin/totem-xine Cxr -> sanitized_helper,
/usr/bin/totem Cxr -> sanitized_helper,
/usr/bin/vlc Cxr -> sanitized_helper,
/usr/bin/xfmedia Cxr -> sanitized_helper,
/usr/bin/xmms Cxr -> sanitized_helper,
# gnash
/usr/bin/gtk-gnash ixr,
/etc/gnashrc r,
/etc/gnashpluginrc r,
owner @{HOME}/.gnash/ rw,
owner @{HOME}/.gnash/** rw,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-media-players.d>

105
apparmor.d/abstractions/ubuntu-unity7-base
View file

@ -1,105 +0,0 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013-2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#
# Rules common to applications running under Unity 7
#
include <abstractions/gnome>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
#
# Access required for connecting to/communication with Unity HUD
#
dbus (send)
bus=session
path="/com/canonical/hud",
dbus (send)
bus=session
interface="com.canonical.hud.*",
dbus (send)
bus=session
path="/com/canonical/hud/applications/*",
dbus (receive)
bus=session
path="/com/canonical/hud",
dbus (receive)
bus=session
interface="com.canonical.hud.*",
#
# Allow access for connecting to/communication with the appmenu
#
# dbusmenu
dbus (send)
bus=session
interface="com.canonical.AppMenu.*",
dbus (receive, send)
bus=session
path=/com/canonical/menu/**,
# gmenu
dbus (receive, send)
bus=session
interface=org.gtk.Actions,
dbus (receive, send)
bus=session
interface=org.gtk.Menus,
#
# Access required for using freedesktop notifications
#
dbus (send)
bus=session
path=/org/freedesktop/Notifications
member=GetCapabilities,
dbus (send)
bus=session
path=/org/freedesktop/Notifications
member=GetServerInformation,
dbus (send)
bus=session
path=/org/freedesktop/Notifications
member=Notify,
dbus (receive)
bus=session
member="Notify"
peer=(name="org.freedesktop.DBus"),
dbus (receive)
bus=session
path=/org/freedesktop/Notifications
member=NotificationClosed,
dbus (send)
bus=session
path=/org/freedesktop/Notifications
member=CloseNotification,
# accessibility
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi*,
dbus (receive, send)
bus=accessibility,
#
# Deny potentially dangerous access
#
deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-unity7-base.d>

12
apparmor.d/abstractions/ubuntu-unity7-launcher
View file

@ -1,12 +0,0 @@
abi <abi/3.0>,
#
# Access required for connecting to/communicating with the Unity Launcher
#
dbus (send)
bus=session
interface="com.canonical.Unity.LauncherEntry"
member="Update",
# Include additions to the abstraction
include if exists <abstractions/ubuntu-unity7-launcher.d>

Some files were not shown because too many files have changed in this diff Show more