felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refractor: move more profiles to groups.

Browse source
This commit is contained in:
Alexandre Pujol 2025-02-10 00:20:15 +01:00
parent fadc08b1ea
commit 9d74168be2
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
51 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

31
apparmor.d/profiles-m-r/newgidmap
View file

@ -1,31 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/newgidmap
profile newgidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setgid,
capability sys_admin,
@{exec_path} mr,
/etc/subgid r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/logingid r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/gid_map w,
include if exists <local/newgidmap>
}
# vim:syntax=apparmor

35
apparmor.d/profiles-m-r/newgrp
View file

@ -1,35 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/newgrp
profile newgrp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability audit_write,
capability setgid,
capability setuid,
network netlink raw,
@{exec_path} mr,
@{bin}/@{shells} rUx,
@{etc_ro}/login.defs r,
/etc/{passwd,group,shadow,gshadow} r,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/newgrp>
}
# vim:syntax=apparmor

31
apparmor.d/profiles-m-r/newuidmap
View file

@ -1,31 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/newuidmap
profile newuidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setuid,
capability sys_admin,
@{exec_path} mr,
/etc/subuid r,
@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/logingid r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/uid_map w,
include if exists <local/newuidmap>
}
# vim:syntax=apparmor

22
apparmor.d/profiles-m-r/nologin
View file

@ -1,22 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/nologin
profile nologin @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/nologin>
}
# vim:syntax=apparmor

46
apparmor.d/profiles-m-r/passwd
View file

@ -1,46 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/passwd
profile passwd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write,
capability chown,
capability fsetid,
capability net_admin,
capability setuid,
signal receive set=(term kill) peer=gnome-control-center,
network netlink raw,
@{exec_path} mr,
/etc/nshadow rw,
/etc/shadow rw,
/etc/shadow- rw,
/etc/shadow.@{int} rw,
/etc/shadow.lock rwl,
/etc/shadow+ rw,
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
owner @{PROC}/@{pid}/loginuid r,
include if exists <local/passwd>
}
# vim:syntax=apparmor

57
apparmor.d/profiles-m-r/ps
View file

@ -1,57 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ps
profile ps @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{run}/systemd/sessions/* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/wchan r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner /dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/ps>
}
# vim:syntax=apparmor

34
apparmor.d/profiles-m-r/pstree
View file

@ -1,34 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pstree
profile pstree @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
/usr/share/terminfo/** r,
@{PROC} r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/pstree>
}
# vim:syntax=apparmor

34
apparmor.d/profiles-m-r/pwck
View file

@ -1,34 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pwck
profile pwck @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@{bin}/nscd rix,
@{etc_ro}/login.defs r,
/etc/.pwd.lock wk,
/etc/passwd rw,
/etc/passwd.@{int} rw,
/etc/passwd.lock wl,
/etc/shadow rw,
/etc/shadow.@{int} rw,
/etc/shadow.lock wl,
/etc/machine-id r,
include if exists <local/pwck>
}
# vim:syntax=apparmor