557d905543
* 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables
158 lines
3.5 KiB
Text
158 lines
3.5 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest
|
|
profile cron-popularity-contest @{exec_path} {
|
|
include <abstractions/base>
|
|
|
|
@{exec_path} r,
|
|
@{bin}/{,ba,da}sh rix,
|
|
|
|
@{bin}/popularity-contest rPx,
|
|
|
|
@{bin}/logger rix,
|
|
@{bin}/date rix,
|
|
@{bin}/mktemp rix,
|
|
@{bin}/mkdir rix,
|
|
@{bin}/rm rix,
|
|
@{bin}/mv rix,
|
|
@{bin}/cat rix,
|
|
@{bin}/setsid rix,
|
|
|
|
# To send reports via TOR
|
|
@{bin}/torify rix,
|
|
@{bin}/torsocks rix,
|
|
@{bin}/getcap rix,
|
|
|
|
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
|
|
@{bin}/gpg{,2} rCx -> gpg,
|
|
@{bin}/runuser rCx -> runuser,
|
|
@{bin}/savelog rCx -> savelog,
|
|
|
|
/usr/share/popularity-contest/ r,
|
|
/usr/share/popularity-contest/default.conf r,
|
|
|
|
/etc/popularity-contest.conf r,
|
|
|
|
# For shell pwd
|
|
/ r,
|
|
/root/ r,
|
|
|
|
/var/log/ r,
|
|
/var/log/popularity-contest{,.new} rw,
|
|
/var/log/popularity-contest{,.new}.gpg rw,
|
|
/var/log/popularity-contest.[0-9]* rw,
|
|
|
|
# Store last successful http submission timestamp
|
|
/var/lib/popularity-contest/ rw,
|
|
/var/lib/popularity-contest/lastsub rw,
|
|
|
|
owner /tmp/tmp.*/ rw,
|
|
owner /tmp/tmp.*/random_seed w,
|
|
|
|
# file_inherit
|
|
owner /tmp/#@{int} rw,
|
|
|
|
|
|
profile savelog {
|
|
include <abstractions/base>
|
|
|
|
@{bin}/savelog mr,
|
|
|
|
@{bin}/date rix,
|
|
@{bin}/basename rix,
|
|
@{bin}/which{,.debianutils} rix,
|
|
@{bin}/dirname rix,
|
|
@{bin}/rm rix,
|
|
@{bin}/mv rix,
|
|
@{bin}/touch rix,
|
|
@{bin}/gzip rix,
|
|
|
|
@{bin}/{,ba,da}sh rix,
|
|
|
|
/var/log/ r,
|
|
/var/log/popularity-contest.[0-9]*.gz rw,
|
|
/var/log/popularity-contest.[0-9]* rw,
|
|
/var/log/popularity-contest rw,
|
|
|
|
# file_inherit
|
|
owner /tmp/#@{int} rw,
|
|
|
|
}
|
|
|
|
profile runuser {
|
|
include <abstractions/base>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/authentication>
|
|
|
|
@{bin}/runuser mr,
|
|
|
|
@{bin}/{,ba,da}sh rix,
|
|
|
|
@{bin}/popularity-contest rPx,
|
|
|
|
owner @{PROC}/@{pids}/loginuid r,
|
|
@{PROC}/1/limits r,
|
|
|
|
@{etc_ro}/security/limits.d/ r,
|
|
|
|
/var/log/popularity-contest.new w,
|
|
|
|
# file_inherit
|
|
owner /tmp/#@{int} rw,
|
|
|
|
}
|
|
|
|
profile gpg {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice-strict>
|
|
|
|
@{bin}/gpg{,2} mr,
|
|
|
|
/usr/share/popularity-contest/debian-popcon.gpg r,
|
|
|
|
/var/log/popularity-contest.new r,
|
|
/var/log/popularity-contest.new.gpg rw,
|
|
/var/log/popularity-contest.[0-9]* r,
|
|
/var/log/popularity-contest.[0-9]*.gpg rw,
|
|
|
|
owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
|
|
|
|
# file_inherit
|
|
owner /tmp/#@{int} rw,
|
|
|
|
}
|
|
|
|
profile popcon-upload {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/perl>
|
|
|
|
network inet dgram,
|
|
network inet6 dgram,
|
|
network inet stream,
|
|
network inet6 stream,
|
|
network netlink raw,
|
|
|
|
/usr/share/popularity-contest/popcon-upload r,
|
|
@{bin}/perl r,
|
|
|
|
@{bin}/gzip rix,
|
|
|
|
/var/log/ r,
|
|
/var/log/popularity-contest.new.gpg r,
|
|
/var/log/popularity-contest.[0-9]*.gpg r,
|
|
|
|
# file_inherit
|
|
owner /tmp/#@{int} rw,
|
|
|
|
}
|
|
|
|
include if exists <local/cron-popularity-contest>
|
|
}
|