felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

apparmor.d -> profiles

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-01 16:02:59 +01:00
parent c408a878b7
commit e9b8e62fcd
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
726 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

76
profiles/pam/mappings Normal file
View file

@ -0,0 +1,76 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2019-2021 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
#
# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor. Users
# without a mapping will not be able to login.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
^DEFAULT {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability setgid,
capability setuid,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
/{usr/,}bin/{,b,d,rb}ash Px -> default_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
}
# morfik is a confined user. The hat contains only the permissions necessary
# to transition to gray's login shell. All other permissions have been
# moved into the confined_user profile.
^morfik {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Px -> confined_user,
/{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
}
# Don't confine members whose primary group is 'admin' who are not specifically
# confined. Systems without this special primary group may want to define an
# unconfined 'root' hat in this manner (depending on site policy).
^root {
include <abstractions/authentication>
include <abstractions/nameservice>
include <abstractions/wutmp>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
/{usr/,}bin/{,b,d,rb}ash Ux,
/{usr/,}bin/{c,k,tc,z}sh Ux,
/etc/default/su r,
/etc/environment r,
@{HOMEDIRS}/.xauth* w,
}