update profiles for apparmor3

This commit is contained in:
Mikhail Morfikov 2020-12-10 22:33:39 +01:00
parent 503cf496bf
commit 7067edcf70
No known key found for this signature in database
GPG key ID: 32D9CB634796CCA1
776 changed files with 6867 additions and 5199 deletions


@ -11,13 +11,14 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
#include <abstractions/dri-common>
include <abstractions/dri-common>
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
@ -30,7 +31,7 @@
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
/tmp/.X11-unix/* r,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@ -58,7 +59,10 @@
/etc/X11/cursors/** r,
# Xwayland
owner /run/user/*/.mutter-Xwaylandauth.* r,
owner @{run}/user/*/.mutter-Xwaylandauth.* r,
# Available Xsessions
/usr/share/xsessions/{,*.desktop} r,
# Include additions to the abstraction
include if exists <abstractions/X.d>


@ -2,7 +2,9 @@
# This file contains basic permissions for Apache and every vHost
#include <abstractions/nameservice>
abi <abi/3.0>,
include <abstractions/nameservice>
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
@ -20,7 +22,7 @@
/usr/share/apache2/** r,
# changehat itself
@{PROC}/@{pid}/attr/current rw,
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
# htaccess files - for what ever it is worth
/**/.htaccess r,
@ -28,7 +30,10 @@
/dev/urandom r,
# sasl-auth
/run/saslauthd/mux rw,
@{run}/saslauthd/mux rw,
# OCSP stapling
/var/log/apache2/stapling-cache rw,
@{run}/lock/apache2/stapling-cache* rw,
# Include additions to the abstraction
include if exists <abstractions/apache2-common.d>
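Review bot: The OCSP stapling rule now carries a trailing wildcard, `@{run}/lock/apache2/stapling-cache* rw,`, where the old `/var/log/apache2/stapling-cache rw,` named exactly one file; the `*` also grants read/write on any other file in the lock directory whose name merely starts with that prefix. If the intent is the cache file plus a companion lock or index file, enumerating those names explicitly keeps the grant narrow — which names mod_ssl actually creates there should be confirmed before tightening. The abstraction continues outside the hunk.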


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# Root app location
/ r,


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# User app location
/ r,


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
#include <abstractions/apparmor_api/introspect>
abi <abi/3.0>,
@{PROC}/@{tid}/attr/{current,exec} w,
include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,


@ -9,4 +9,6 @@
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{pids}/attr/{current,prev,exec} r,
abi <abi/3.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars


@ -6,7 +6,9 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{tid}/attr/{current,prev,exec} r,
@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,


@ -6,12 +6,14 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global
# when using this abstraction
#include <abstractions/apparmor_api/find_mountpoint>
include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
# TODO: add alternate apparmorfs interface for enabled


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# aspell permissions
abi <abi/3.0>,
# per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
@ -11,3 +13,6 @@
/usr/share/aspell/ r,
/usr/share/aspell/* r,
/var/lib/aspell/* r,
# Include additions to the abstraction
include if exists <abstractions/aspell.d>


@ -10,6 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/dev/admmidi* rw,
@ -56,13 +57,15 @@ owner @{HOME}/.cache/event-sound-cache.* rwk,
# pulse
/etc/pulse/ r,
/etc/pulse/** r,
/{run,dev}/shm/ r,
owner /{run,dev}/shm/pulse-shm* rwk,
/dev/shm/ r,
@{run}/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{run}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner /{,var/}run/user/*/pulse/ rw,
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
owner @{run}/user/*/pulse/ rw,
owner @{run}/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/*.conf r,
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
owner @{HOME}/.config/pulse/cookie rwk,
@ -86,3 +89,6 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>


@ -10,18 +10,19 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Some services need to perform authentication of users
# Such authentication almost certainly needs access to the local users
# databases containing passwords, PAM configuration files, PAM libraries
/{usr/,}etc/nologin r,
/{usr/,}etc/pam.d/* r,
/{usr/,}etc/securetty r,
/{usr/,}etc/security/* r,
/{usr/,}etc/shadow r,
/{usr/,}etc/gshadow r,
/{usr/,}etc/pwdb.conf r,
@{etc_ro}/nologin r,
@{etc_ro}/pam.d/* r,
@{etc_ro}/securetty r,
@{etc_ro}/security/* r,
@{etc_ro}/shadow r,
@{etc_ro}/gshadow r,
@{etc_ro}/pwdb.conf r,
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
/{usr/,}lib{,32,64}/security/pam_*.so mr,
@ -31,22 +32,25 @@
/{usr/,}lib/@{multiarch}/security/ r,
# kerberos
#include <abstractions/kerberosclient>
include <abstractions/kerberosclient>
# SuSE's pwdutils are different:
/{usr/,}etc/default/passwd r,
/{usr/,}etc/login.defs r,
@{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
# nis
#include <abstractions/nis>
include <abstractions/nis>
# winbind
#include <abstractions/winbind>
include <abstractions/winbind>
# likewise
#include <abstractions/likewise>
include <abstractions/likewise>
# smbpass
#include <abstractions/smbpass>
include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration)
#include <abstractions/p11-kit>
include <abstractions/p11-kit>
# Include additions to the abstraction
include if exists <abstractions/authentication.d>


@ -10,6 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# (Note that the ldd profile has inlined this file; if you make
@ -26,10 +27,10 @@
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
/run/uuidd/request r,
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
@{run}/uuidd/request r,
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
@ -39,13 +40,13 @@
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/run/systemd/journal/dev-log w,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
/run/systemd/journal/socket w,
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
/run/systemd/journal/stdout rw,
@{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
@ -54,14 +55,14 @@
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
/etc/ld.so.conf r,
/etc/ld.so.conf.d/{,*.conf} r,
/etc/ld.so.preload r,
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
@ -76,6 +77,11 @@
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
@ -180,3 +186,6 @@
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
#owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
include if exists <abstractions/base.d>


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,
@ -42,3 +44,6 @@
/etc/DIR_COLORS r,
/{usr/,}bin/ls mix,
/usr/bin/dircolors mix,
# Include additions to the abstraction
include if exists <abstractions/bash.d>


@ -9,6 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# there are three common ways to refer to consoles
@ -21,4 +22,6 @@
/dev/pts/[0-9]* rw,
/dev/pts/ r,
/dev/ptmx rw,
# Include additions to the abstraction
include if exists <abstractions/consoles.d>


@ -9,10 +9,15 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
/{,var/}run/cups/cups.sock rw,
@{run}/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
# Include additions to the abstraction
include if exists <abstractions/cups-client.d>


@ -9,8 +9,13 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-strict>
include <abstractions/dbus-strict>
dbus bus=system,
# Include additions to the abstraction
include if exists <abstractions/dbus.d>


@ -9,8 +9,13 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-accessibility-strict>
dbus bus=accessibility,
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility.d>


@ -9,9 +9,14 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
dbus send
bus=accessibility
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility-strict.d>


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager
@ -42,4 +44,4 @@
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
#include if exists <abstractions/dbus-network-manager-strict.d>
include if exists <abstractions/dbus-network-manager-strict.d>


@ -9,9 +9,14 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation.
#include <abstractions/dbus-session-strict>
include <abstractions/dbus-session-strict>
/usr/bin/dbus-launch ix,
dbus bus=session,
# Include additions to the abstraction
include if exists <abstractions/dbus-session.d>


@ -9,17 +9,18 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# unique per-machine identifier
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner /run/user/*/bus rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/dbus-*"),
# dbus with systemd and --enable-user-session
owner /run/user/[0-9]*/bus rw,
owner @{run}/user/[0-9]*/bus rw,
dbus send
bus=session
@ -27,3 +28,6 @@
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-session-strict.d>
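Review bot: `owner /run/user/*/bus rw,` keeps the hard-coded `/run/` prefix while the neighbouring rule in the same hunk was converted to `owner @{run}/user/[0-9]*/bus rw,`; the two rules also overlap, since `*` already matches every uid directory that `[0-9]*` does, so the converted rule adds nothing on `/run/`. If the first rule is genuinely unchanged context rather than a rendering artefact, converting it as well (`owner @{run}/user/*/bus rw,`) or keeping only one of the pair makes the file consistent with the rest of the commit. The abstraction continues outside the hunk.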


@ -9,7 +9,9 @@
#
# ------------------------------------------------------------------
/{,var/}run/dbus/system_bus_socket rw,
abi <abi/3.0>,
@{run}/dbus/system_bus_socket rw,
dbus send
bus=system
@ -17,3 +19,6 @@
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-strict.d>


@ -1,8 +1,13 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.
/etc/dconf/** r,
owner /{,var/}run/user/*/dconf/user r,
owner @{run}/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,
# Include additions to the abstraction
include if exists <abstractions/dconf.d>


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
deny /etc/dconf/{,**} r,


@ -17,7 +17,7 @@
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
# needed files in the user home dir.
#abi <abi/3.0>,
abi <abi/3.0>,
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
audit deny /root/{,**} rwkmlx,


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# The /sys/ entries probably should be tightened


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# The /sys/ entries probably should be tightened


@ -9,6 +9,8 @@
# ------------------------------------------------------------------
# used with dovecot/*
abi <abi/3.0>,
capability setgid,
deny capability block_suspend,
@ -16,4 +18,7 @@
# dovecot's master can send us signals
signal receive peer=dovecot,
/{var/,}run/dovecot/config rw,
owner @{run}/dovecot/config rw,
# Include additions to the abstraction
include if exists <abstractions/dovecot-common.d>


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).
@ -12,3 +14,6 @@
/usr/share/drirc.d/{,*.conf} r,
owner @{HOME}/.drirc r,
# Include additions to the abstraction
include if exists <abstractions/dri-common.d>


@ -1,8 +1,13 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction
include if exists <abstractions/dri-enumerate.d>


@ -9,14 +9,18 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r,
/usr/share/enchant-[0-9]*/enchant.ordering r,
/usr/share/enchant-2/ r,
/usr/share/enchant-2/enchant.ordering r,
# aspell
#include <abstractions/aspell>
include <abstractions/aspell>
/var/lib/dictionaries-common/aspell/ r,
/var/lib/dictionaries-common/aspell/* r,
@ -55,3 +59,6 @@
# per-user dictionaries
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
# Include additions to the abstraction
include if exists <abstractions/enchant.d>


@ -3,9 +3,9 @@
# abstraction used by evince binaries
#
#include <abstractions/gnome>
#include <abstractions/p11-kit>
#include <abstractions/ubuntu-helpers>
include <abstractions/gnome>
include <abstractions/p11-kit>
include <abstractions/ubuntu-helpers>
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/mountinfo r,
@ -94,7 +94,7 @@
# access to the Cache directory, which the browser may tell evince to open
# from directly.
#include <abstractions/private-files>
include <abstractions/private-files>
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
audit deny @{HOME}/.gnome2_private/** mrwkl,
@ -117,8 +117,8 @@
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
# When LP: #451422 is fixed, change the above to simply be:
##include <abstractions/private-files-strict>
include <abstractions/private-files-strict>
#owner @{HOME}/.mozilla/**/*Cache/* r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.evince>
include <local/usr.bin.evince>
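Review bot: `##include <abstractions/private-files-strict>` has become an active `include <abstractions/private-files-strict>`, yet the comment two lines above says that line is only to be enabled once LP: #451422 is fixed — the doubled `#` marked a commented-out include, not legacy include syntax, so the blanket `#include`→`include` rewrite changed the profile's behaviour here rather than just its spelling. The same thing happens in the later section where `##include <abstractions/recent-documents-write>` beneath the `#FIXME#` comment becomes active. If enabling these is intended, the surrounding comments should say so; otherwise the line should go back to being a comment, e.g. `# include <abstractions/private-files-strict>`. The enclosing profile starts and ends outside these hunks.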


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
@ -18,27 +20,27 @@
#
# # out-of-line child profile
# profile foo//exo-open {
# #include <abstractions/exo-open>
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility>
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
#include <abstractions/X>
#include <abstractions/audio> # for alert messages
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
#include <abstractions/gnome>
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
@ -71,4 +73,4 @@
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
#include if exists <abstractions/exo-open.d>
include if exists <abstractions/exo-open.d>


@ -9,5 +9,10 @@
#
# ------------------------------------------------------------------
#include <abstractions/fcitx-strict>
abi <abi/3.0>,
include <abstractions/fcitx-strict>
dbus bus=fcitx,
# Include additions to the abstraction
include if exists <abstractions/fcitx.d>


@ -9,7 +9,9 @@
#
# ------------------------------------------------------------------
#include <abstractions/dbus-session-strict>
abi <abi/3.0>,
include <abstractions/dbus-session-strict>
dbus send
bus=fcitx
@ -19,3 +21,6 @@
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# Include additions to the abstraction
include if exists <abstractions/fcitx-strict.d>


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
deny @{PROC}/@{pid}/mountinfo r,
deny @{PROC}/@{pid}/mounts r,


@ -11,7 +11,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# Flatpak
/var/lib/flatpak/exports/share/{,**} r,


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# The fontconfig cache can be generated via the following command:
# $ fc-cache -f -v


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
owner @{HOME}/.cache/fontconfig/ rw,
owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,


@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr,
@ -59,3 +61,6 @@
# data files for LibThai
/usr/share/libthai/thbrk.tri r,
# Include additions to the abstraction
include if exists <abstractions/fonts.d>


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# system configuration
@{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r,
@ -18,7 +20,8 @@
@{system_share_dirs}/mime/** r,
# per-user configurations
owner @{HOME}/.icons/{**,} r,
owner @{HOME}/.icons/ r,
owner @{HOME}/.icons/default/index.theme r,
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
@ -26,3 +29,6 @@
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,} r,
owner @{user_share_dirs}/mime/{**,} r,
# Include additions to the abstraction
include if exists <abstractions/freedesktop.org.d>


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
owner @{HOME}/.fzf/{,**} r,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
@ -18,20 +20,20 @@
#
# # out-of-line child profile
# profile foo//gio-open {
# #include <abstractions/gio-open>
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
@ -54,4 +56,4 @@
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
#include if exists <abstractions/gio-open.d>
include if exists <abstractions/gio-open.d>


@ -9,13 +9,16 @@
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/xdg-desktop>
#include <abstractions/user-tmp>
#include <abstractions/wayland>
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
@ -88,7 +91,7 @@
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,
/run/mount/utab r,
@{run}/mount/utab r,
# printing
/etc/papersize r,
@ -96,7 +99,7 @@
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner /{,var/}run/gdm/auth*/database r,
owner @{run}/gdm/auth*/database r,
# mime-types
/etc/gnome/defaults.list r,
@ -109,3 +112,6 @@
unix (send, receive, connect)
type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# gnupg sub-process running permissions
abi <abi/3.0>,
# user configurations
owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r,
@ -9,3 +11,6 @@
owner @{HOME}/.gnupg/secring.gpg r,
owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
include if exists <abstractions/gnupg.d>


@ -1,8 +1,8 @@
# vim:syntax=apparmor
#include <abstractions/base>
#include <abstractions/p11-kit>
#include <abstractions/X>
include <abstractions/base>
include <abstractions/p11-kit>
include <abstractions/X>
# TODO: adjust when support finer-grained netlink rules
network netlink raw,


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
/usr/share/themes/{,**} r,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
@ -18,23 +20,23 @@
#
# # out-of-line child profile
# profile foo//gvfs-open {
# #include <abstractions/gvfs-open>
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
#include <abstractions/base>
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
#include <abstractions/gio-open>
include <abstractions/gio-open>
# Main executables
@ -42,4 +44,4 @@
/{,usr/}bin/dash mr,
# Include additions to the abstraction
#include if exists <abstractions/gvfs-open.d>
include if exists <abstractions/gvfs-open.d>


@ -9,5 +9,9 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/hosts.deny r,
/etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>
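Review bot: The new `include if exists <abstractions/hosts_access.d>` is added straight after the rules without the `# Include additions to the abstraction` comment that every other abstraction in this commit places before its `.d` include. Adding the same comment line here keeps the files uniform and makes the extension point easy to grep for.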


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw,
@ -27,3 +29,6 @@
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# Include additions to the abstraction
include if exists <abstractions/ibus.d>


@ -9,13 +9,15 @@
#
# ------------------------------------------------------------------
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/xdg-desktop>
#include <abstractions/user-tmp>
#include <abstractions/qt5>
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/qt5>
/etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r,
@ -75,3 +77,6 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# Include additions to the abstraction
include if exists <abstractions/kde.d>


@ -1,10 +1,15 @@
# vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other).
# User files
abi <abi/3.0>,
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-globals-write.d>


@ -1,7 +1,12 @@
# vim:syntax=apparmor
# Rules for writing KDE icon cache
abi <abi/3.0>,
# User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Include additions to the abstraction
include if exists <abstractions/kde-icon-cache-write.d>


@ -1,4 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file.
@ -7,6 +10,9 @@
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/klanguageoverridesrc rw,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-language-write.d>


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
@ -18,40 +20,40 @@
#
# # out-of-line child profile
# profile foo//kde-open5 {
# #include <abstractions/kde-open5>
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility>
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# #include if exists <abstractions/gstreamer>
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
#include <abstractions/audio> # for alert messages
#include <abstractions/base>
#include <abstractions/dbus-accessibility-strict>
#include <abstractions/dbus-network-manager-strict>
#include <abstractions/dbus-session-strict>
#include <abstractions/dbus-strict>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
#include <abstractions/openssl>
#include <abstractions/qt5>
#include <abstractions/recent-documents-write>
#include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
@ -96,9 +98,9 @@
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
#include if exists <abstractions/kde-open5.d>
include if exists <abstractions/kde-open5.d>


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
/usr/share/kde4/** r,


@ -9,9 +9,9 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
#include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-read>
# KDE/Plasma5 themes
#/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr,
@ -52,7 +52,7 @@
# Think what to do about this #FIXME#
# It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following.
##include <abstractions/recent-documents-write>
include <abstractions/recent-documents-write>
#signal (send) set=(term, kill) peer=unconfined,
#deny @{sys}/bus/ r,
#deny @{sys}/bus/usb/devices/ r,
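Review bot: The `include <abstractions/recent-documents-write>` that this commit enables at the bottom of the hunk sits directly under `# Think what to do about this #FIXME#`, so every consumer of the kde abstraction now gets write access to ~/.local/share/RecentDocuments while the comment still says the decision is open. Either drop the FIXME or narrow it to what remains undecided, e.g. `# FIXME: recent-documents-write is now always pulled in; the signal/deny rules below are still under review`. If that write access was meant to stay opt-in, keep the include commented and let the profiles that need it add it themselves. The hunk shows only part of the abstraction.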


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
@ -32,3 +34,6 @@
# credential caches
/tmp/krb5cc* r,
# Include additions to the abstraction
include if exists <abstractions/kerberosclient.d>


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r,
/etc/ldap.secret r,
@ -19,6 +21,9 @@
/usr/lib{,32,64}/sasl2/* r,
# local LDAP name service daemon
/{,var/}run/nslcd/socket rw,
@{run}/nslcd/socket rw,
#include <abstractions/ssl_certs>
include <abstractions/ssl_certs>
# Include additions to the abstraction
include if exists <abstractions/ldapclient.d>


@ -9,7 +9,9 @@
#
# ------------------------------------------------------------------
#include <abstractions/dbus-strict>
abi <abi/3.0>,
include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
dbus send
@ -17,3 +19,6 @@
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession},
# Include additions to the abstraction
include if exists <abstractions/libpam-systemd.d>


@ -1,4 +1,4 @@
#include <abstractions/base>
include <abstractions/base>
umount,


@ -1,6 +1,6 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
# required for reading disk images
capability dac_override,


@ -9,13 +9,13 @@
# Requires apparmor 2.9
#include <abstractions/authentication>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
include <abstractions/authentication>
include <abstractions/cups-client>
include <abstractions/dbus>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/nameservice>
include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw,
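Review bot: The `# Requires apparmor 2.9` comment at the top of the hunk is now misleading: the bare `include <…>` keyword used on the lines right below it is rejected by parsers that old (as far as I recall it arrived with 2.13, and this commit targets 3.0). Update it to `# Requires apparmor 2.13 or newer (bare include keyword)` or drop it. The file continues past this hunk.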


@ -31,7 +31,7 @@
profile chromium {
# Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm>
include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.


@ -9,5 +9,10 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
# Include additions to the abstraction
include if exists <abstractions/likewise.d>


@ -8,7 +8,12 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mdnsd
/etc/mdns.allow r,
/etc/nss_mdns.conf r,
/{,var/}run/mdnsd w,
@{run}/mdnsd w,
# Include additions to the abstraction
include if exists <abstractions/mdns.d>


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API
abi <abi/3.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
@ -15,3 +17,6 @@
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()


@ -9,9 +9,14 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mir libraries sometimes do not have a lib prefix
# see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr,
/usr/lib/@{multiarch}/mir/**/*.so* mr,
# unprivileged mir socket for clients
# Include additions to the abstraction
include if exists <abstractions/mir.d>


@ -9,4 +9,9 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction
include if exists <abstractions/mozc.d>


@ -9,7 +9,12 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw,
/{var/,}run/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
# Include additions to the abstraction
include if exists <abstractions/mysql.d>


@ -9,31 +9,28 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
/etc/protocols r,
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/gai.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
# libtirpc (used for NIS/YP login) needs this
/etc/netconfig r,
@{etc_ro}/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# NSS records from systemd-userdbd.service
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
@ -41,56 +38,68 @@
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
/etc/resolv.conf r,
@{etc_ro}/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/{,var/}run/systemd/resolve/stub-resolv.conf r,
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
@{etc_ro}/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
/{,var/}run/.nscd_socket rw,
/{,var/}run/nscd/socket rw,
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
/{,var/}run/nscd/db* rmix,
@{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
/etc/default/nss r,
@{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution
/{,var/}run/avahi-daemon/socket rw,
@{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
/etc/libnl-*/classid r,
@{etc_ro}/libnl-*/classid r,
# nis
#include <abstractions/nis>
include <abstractions/nis>
# ldap
#include <abstractions/ldapclient>
include <abstractions/ldapclient>
# winbind
#include <abstractions/winbind>
include <abstractions/winbind>
# likewise
#include <abstractions/likewise>
include <abstractions/likewise>
# mdnsd
#include <abstractions/mdns>
include <abstractions/mdns>
# kerberos
#include <abstractions/kerberosclient>
include <abstractions/kerberosclient>
#libnss-systemd
include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# TCP/UDP network access
network inet stream,
@ -104,3 +113,6 @@
# interface details
@{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
include if exists <abstractions/nameservice.d>
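Review bot: The userdb rules added under `# NSS records from systemd-userdbd.service` (`@{run}/systemd/userdb/ r,` and `@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,`) are subsumed by the `include <abstractions/nss-systemd>` added further down, which grants `rw` on the same four sockets plus the same `boot_id` read. Keeping both leaves a weaker read-only copy that a later edit may mistake for the effective permission (connecting to a path-bound unix socket needs `w`, as far as I recall), so drop those four lines and let the dedicated abstraction own them. The nscd rule `/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,` also still spells out `var/run`/`run` while the rest of the hunk moved to `@{run}`.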


@ -9,7 +9,7 @@
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
abi <abi/3.0>,
/etc/hosts r,
/etc/host.conf r,


@ -8,8 +8,13 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service,
# Include additions to the abstraction
include if exists <abstractions/nis.d>


@ -0,0 +1,30 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nss-systemd.d>
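Review bot: `@{PROC}/sys/kernel/random/boot_id r,` is the one rule in this new file without a why-comment; presumably it is libsystemd's boot-id lookup (sd_id128_get_boot) used on the varlink path, but that is a guess, so note it as such, e.g. `# boot id read by libsystemd on the varlink path - TODO confirm`. The header says applications consult "either" all backend sockets "or" the Multiplexer, yet the rules grant `rw` on all four; a one-line note that libnss_systemd opens the backends directly (if that is the reason) would stop a future reviewer from trimming the file down to the Multiplexer alone. The 2002-2011 Novell/Canonical copyright block on a file that is new in this commit also looks copy-pasted from a sibling abstraction.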


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# nvidia access requirements
abi <abi/3.0>,
# configuration queries
capability ipc_lock,
@ -26,3 +28,6 @@
owner @{HOME}/.nv/GLCache/** rwk,
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
# Include additions to the abstraction
include if exists <abstractions/nvidia.d>


@ -1,9 +1,15 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements
# TODO: use conditionals to select allowed implementations
#include <abstractions/opencl-intel>
#include <abstractions/opencl-mesa>
#include <abstractions/opencl-nvidia>
#include <abstractions/opencl-pocl>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/opencl-pocl>
# Include additions to the abstraction
include if exists <abstractions/opencl.d>


@ -1,4 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# implementation-independent OpenCL access requirements
# System files
@ -8,3 +11,6 @@
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
# Include additions to the abstraction
include if exists <abstractions/opencl-common.d>


@ -1,13 +1,16 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Intel implementation
#include <abstractions/opencl-common>
include <abstractions/opencl-common>
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
#include <abstractions/X>
include <abstractions/X>
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
#include <abstractions/dri-enumerate>
include <abstractions/dri-enumerate>
# System files
@ -15,3 +18,6 @@
@{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,
# Include additions to the abstraction
include if exists <abstractions/opencl-intel.d>


@ -1,7 +1,10 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for Mesa implementation
#include <abstractions/opencl-common>
include <abstractions/opencl-common>
# Additional libraries
@ -18,3 +21,6 @@
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
# Include additions to the abstraction
include if exists <abstractions/opencl-mesa.d>


@ -1,8 +1,11 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements for NVIDIA implementation
#include <abstractions/nvidia>
#include <abstractions/opencl-common>
include <abstractions/nvidia>
include <abstractions/opencl-common>
# Executables
@ -28,3 +31,6 @@
owner @{HOME}/.nv/ComputeCache/** rw,
owner @{HOME}/.nv/ComputeCache/index rwk,
# Include additions to the abstraction
include if exists <abstractions/opencl-nvidia.d>


@ -1,7 +1,9 @@
# vim:syntax=apparmor
# OpenCL access requirements for POCL implementation
#include <abstractions/opencl-common>
abi <abi/3.0>,
include <abstractions/opencl-common>
# Executables
@ -28,7 +30,7 @@
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
/{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files
@ -41,7 +43,7 @@
# Child profiles
profile opencl_pocl_ld {
#include <abstractions/base>
include <abstractions/base>
# Main executables
@ -54,7 +56,7 @@
}
profile opencl_pocl_clang {
#include <abstractions/base>
include <abstractions/base>
# Main executables
@ -74,3 +76,6 @@
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
}
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>


@ -8,7 +8,12 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/ssl/openssl.cnf r,
/usr/share/ssl/openssl.cnf r,
@{PROC}/sys/crypto/fips_enabled r,
# Include additions to the abstraction
include if exists <abstractions/openssl.d>


@ -1,5 +1,10 @@
# vim:syntax=apparmor
# orbit2 permissions
abi <abi/3.0>,
# system library
/usr/lib/orbit-2.0/*.so mr,
# Include additions to the abstraction
include if exists <abstractions/orbit2.d>


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r,
@ -20,8 +22,11 @@
/usr/share/p11-kit/modules/* r,
# gnome-keyring pkcs11 module
owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
# Include additions to the abstraction
include if exists <abstractions/p11-kit.d>
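Review bot: `owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,` is matched by `audit deny @{run}/user/[0-9]*/keyring** mrwkl,` in the private-files-strict abstraction touched in the same commit, and deny rules take precedence over allow rules, so any profile that includes both gets an audited denial on the gnome-keyring PKCS#11 socket. That may well be the intended outcome for strict profiles, but it is invisible from this file; add a note next to the rule, e.g. `# NOTE: private-files-strict denies keyring**; profiles including both lose this socket`.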


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# a few files typically required for perl scripts
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
@ -21,3 +23,6 @@
/usr/share/perl/** r,
/usr/share/perl5/** r,
/etc/perl/** r,
# Include additions to the abstraction
include if exists <abstractions/perl.d>


@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# shared snippets for config files
/etc/php{,5,7}/**/ r,
/etc/php{,5,7}/**.ini r,
@ -37,3 +39,6 @@
# Zend opcache
/tmp/.ZendSem.* rwlk,
# Include additions to the abstraction
include if exists <abstractions/php.d>


@ -0,0 +1,22 @@
# vim:syntax=apparmor
# This file contains basic permissions for php-fpm workers
abi <abi/3.0>,
# load common libraries and their support files
include <abstractions/base>
# common php files and support files that php needs
include <abstractions/php>
signal (receive) peer=php-fpm,
# This is some php opcaching file
/tmp/.ZendSem.* rwk,
# I think this is adaptive memory management
/sys/devices/system/node/* r,
/sys/devices/system/node/*/meminfo r,
/sys/devices/system/node/ r,
include if exists <abstractions/php-worker.d>
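Review bot: The three `/sys/devices/system/node/...` rules in this new file use a literal `/sys` while the sibling abstractions in the same commit (opencl-common, opencl-pocl) write `@{sys}`; change them to `@{sys}/devices/system/node/ r,`, `@{sys}/devices/system/node/* r,` and `@{sys}/devices/system/node/*/meminfo r,` so the tunable stays the single source of truth. The comments `# This is some php opcaching file` and `# I think this is adaptive memory management` read as guesses; if they are, mark them `# TODO: confirm` instead of leaving a reader to trust them. `signal (receive) peer=php-fpm,` also binds the abstraction to a profile literally named php-fpm, which deserves a comment since nothing here guarantees that name.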


@ -1,3 +1,8 @@
#backwards compatibility include, actual abstraction moved from php5 to php
#include <abstractions/php>
abi <abi/3.0>,
include <abstractions/php>
# Include additions to the abstraction
include if exists <abstractions/php5.d>


@ -11,16 +11,16 @@
# ------------------------------------------------------------------
# used with postfix/*
abi <abi/3.0>,
capability setuid,
capability setgid,
capability sys_chroot,
# postfix's master can send us signals
signal receive peer=/usr/lib/postfix/master,
signal receive peer=postfix-master,
unix (send, receive) peer=(label=/usr/lib/postfix/master),
unix (send, receive) peer=(label=postfix-master),
/etc/mailname r,
@ -37,3 +37,8 @@
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# Include additions to the abstraction
include if exists <abstractions/postfix-common.d>
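Review bot: `signal receive peer=postfix-master,` and `unix (send, receive) peer=(label=postfix-master),` now match on a profile name instead of the executable path, so every profile pulling in this abstraction depends on the master daemon's profile actually being named `postfix-master`; if it is still declared by path, both rules silently stop matching and signals from master are denied. With the file switched to `abi <abi/3.0>` at the same time, unix-socket mediation is enforced on kernels that support it, which turns a wrong label into a functional break rather than a no-op. Tie the two together with a comment, e.g. `# label must match the master daemon's profile name (was /usr/lib/postfix/master)`.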


@ -2,6 +2,8 @@
# privacy-violations contains rules for common files that you want to
# explicitly deny access
abi <abi/3.0>,
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl,
@ -45,3 +47,6 @@
deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl,
# Include additions to the abstraction
include if exists <abstractions/private-files.d>


@ -2,7 +2,9 @@
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access
#include <abstractions/private-files>
abi <abi/3.0>,
include <abstractions/private-files>
# potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl,
@ -12,7 +14,7 @@
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
audit deny @{run}/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
@ -23,3 +25,6 @@
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>


@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
/usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
@ -37,5 +39,5 @@
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
# Silencer
deny /usr/lib{,32,64}/python*/** w,
# Include additions to the abstraction
include if exists <abstractions/python.d>
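Review bot: The `deny /usr/lib{,32,64}/python*/** w,` silencer appears to be dropped on the new side of the last hunk: with the renderer's blank lines removed, the `-37,5 +39,5` counts only fit if `# Silencer` and the deny line are old and the two `include if exists` lines are new, and the commit message does not mention it. An explicit deny overrides allow rules from the rest of a profile, so any profile that grants broad write access below /usr/lib loses this carve-out, and the denial log entries it quieted come back. If the drop is a deliberate upstream sync, say so in the commit message; otherwise restore `deny /usr/lib{,32,64}/python*/** w,` or move it into an abstractions/python.d/ drop-in.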


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Common rules for Qt5-based applications
abi <abi/3.0>,
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
@ -20,3 +22,6 @@
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# Include additions to the abstraction
include if exists <abstractions/qt5.d>


@ -1,8 +1,13 @@
# vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/3.0>,
# User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Include additions to the abstraction
include if exists <abstractions/qt5-compose-cache-write.d>


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Allow writing shared settings for Qt-based applications
abi <abi/3.0>,
# User files
owner @{HOME}/.config/#[0-9]*[0-9] rw,
@ -9,3 +11,6 @@
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/qt5-settings-write.d>


@ -1,10 +1,15 @@
# vim:syntax=apparmor
# Allow updating recent documents
abi <abi/3.0>,
# User files
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> /home/*/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/recent-documents-write.d>


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
@ -19,3 +21,6 @@
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
# Include additions to the abstraction
include if exists <abstractions/ruby.d>
