commit: 0220644d206867047363867c1ec3906f5618ab4c
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 15 Apr 2020 13:32:36 +0200
Initial Commit
Diffstat:
215 files changed, 5585 insertions(+), 0 deletions(-)
diff --git a/abstractions/X b/abstractions/X
@@ -0,0 +1,58 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #include <abstractions/dri-common>
+
+
+ # .ICEauthority files required for X authentication, per user
+ owner @{HOME}/.ICEauthority r,
+
+ # .Xauthority files required for X connections, per user
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.local/share/sddm/.Xauthority r,
+ owner /{,var/}run/gdm{,3}/*/database r,
+ owner /{,var/}run/lightdm/authority/[0-9]* r,
+ owner /{,var/}run/lightdm/*/xauthority r,
+ owner /{,var/}run/user/*/gdm/Xauthority r,
+ owner /{,var/}run/user/*/X11/Xauthority r,
+
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* rw,
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+
+ /usr/include/X11/ r,
+ /usr/include/X11/** r,
+
+ # The X tree changes and is large -- grant read access to the whole thing
+ /usr/X11R6/** r,
+ /usr/share/X11/ r,
+ /usr/share/X11/** r,
+ /usr/X11R6/**.so* mr,
+
+ # EGL
+ /usr/lib/@{multiarch}/egl/*.so* mr,
+
+ # Xcompose
+ owner @{HOME}/.XCompose r,
+
+ # mouse themes
+ /etc/X11/cursors/ r,
+ /etc/X11/cursors/** r,
+
+ # Xwayland
+ owner /run/user/*/.mutter-Xwaylandauth.* r,
+
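Review bot: The Xwayland rule at the end of the hunk, `owner /run/user/*/.mutter-Xwaylandauth.* r,`, spells the runtime directory as `/run/` while every other runtime path in this file (the gdm, lightdm and `/run/user/*/X11` rules) uses the `/{,var/}run/` alternation. On a system where /var/run is still a real directory rather than a symlink to /run this rule would not match, and the inconsistency invites copy-paste drift either way. I would write `owner /{,var/}run/user/*/.mutter-Xwaylandauth.* r,` to match its neighbours.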
diff --git a/abstractions/apache2-common b/abstractions/apache2-common
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# This file contains basic permissions for Apache and every vHost
+
+ #include <abstractions/nameservice>
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+ # Allow apache to send us signals by default
+ signal (receive) peer=apache2,
+ # Allow other hats to signal by default
+ signal peer=apache2//*,
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Apache
+ network inet stream,
+ network inet6 stream,
+ # apache manual, error pages and icons
+ /usr/share/apache2/** r,
+
+ # changehat itself
+ @{PROC}/@{pid}/attr/current rw,
+
+ # htaccess files - for what ever it is worth
+ /**/.htaccess r,
+
+ /dev/urandom r,
+
+ # sasl-auth
+ /run/saslauthd/mux rw,
+
+ # OCSP stapling
+ /var/log/apache2/stapling-cache rw,
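Review bot: `/**/.htaccess r,` grants read access to a `.htaccess` file anywhere on the filesystem, not only under the served document roots, and the comment beside it ("for what ever it is worth") does not say why that breadth is needed. Because this abstraction is pulled into every vHost profile, a narrower pattern in the site-specific profiles (for example `/var/www/**/.htaccess r,`) would limit what a compromised worker can enumerate; if the wide rule is deliberate, the comment should say so. Separately, `/dev/urandom r,` is already granted by the base abstraction in this commit, so it is redundant here.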
diff --git a/abstractions/apparmor_api/change_profile b/abstractions/apparmor_api/change_profile
@@ -0,0 +1,11 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <abstractions/apparmor_api/introspect>
+
+@{PROC}/@{tid}/attr/{current,exec} w,
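Review bot: This file writes to `@{PROC}/@{tid}/attr/{current,exec}` but, unlike the sibling examine, find_mountpoint and introspect abstractions in this commit, carries no comment saying that tunables/proc and tunables/kernelvars (or tunables/global) must be loaded for `@{PROC}` and `@{tid}` to resolve. I would add the same two-line note the siblings use, `# Make sure to include at least tunables/proc and tunables/kernelvars` / `# when using this abstraction, if not tunables/global.`, above the rule. A one-line comment that the write permission alone does not permit a transition, and that the including profile still needs a matching `change_profile` rule naming the target, would also help profile authors.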
diff --git a/abstractions/apparmor_api/examine b/abstractions/apparmor_api/examine
@@ -0,0 +1,12 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{pids}/attr/{current,prev,exec} r,
diff --git a/abstractions/apparmor_api/find_mountpoint b/abstractions/apparmor_api/find_mountpoint
@@ -0,0 +1,14 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#permissions needed for aa_find_mountpoint
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{pids}/mounts r,
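Review bot: The header comment `#permissions needed for aa_find_mountpoint` lacks the space after `#` that the is_enabled file in this commit uses (`# permissions needed for aa_is_enabled`). Minor, but it keeps the apparmor_api files uniform; I would write `# permissions needed for aa_find_mountpoint`.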
diff --git a/abstractions/apparmor_api/introspect b/abstractions/apparmor_api/introspect
@@ -0,0 +1,12 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{tid}/attr/{current,prev,exec} r,
diff --git a/abstractions/apparmor_api/is_enabled b/abstractions/apparmor_api/is_enabled
@@ -0,0 +1,17 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# permissions needed for aa_is_enabled
+
+# Make sure to include tunables/apparmorfs and tunables/global
+# when using this abstraction
+
+#include <abstractions/apparmor_api/find_mountpoint>
+@{sys}/module/apparmor/parameters/enabled r,
+
+# TODO: add alternate apparmorfs interface for enabled
diff --git a/abstractions/aspell b/abstractions/aspell
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# aspell permissions
+
+ # per-user settings and dictionaries
+ owner @{HOME}/.aspell.*.{pws,prepl} rwk,
+
+ # system libraries and dictionaries
+ /usr/lib/aspell/ r,
+ /usr/lib/aspell/* r,
+ /usr/lib/aspell/*.so m,
+ /usr/share/aspell/ r,
+ /usr/share/aspell/* r,
+ /var/lib/aspell/* r,
diff --git a/abstractions/audio b/abstractions/audio
@@ -0,0 +1,83 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+/dev/admmidi* rw,
+/dev/adsp* rw,
+/dev/aload* rw,
+/dev/amidi* rw,
+/dev/audio* rw,
+/dev/dmfm* rw,
+/dev/dmmidi* rw,
+/dev/dsp* rw,
+/dev/midi* rw,
+/dev/mixer* rw,
+/dev/mpu401data rw,
+/dev/mpu401stat rw,
+/dev/patmgr* rw,
+/dev/phone* rw,
+/dev/radio* rw,
+/dev/rmidi* rw,
+/dev/sequencer rw,
+/dev/sequencer2 rw,
+/dev/smpte* rw,
+
+/dev/snd/* rw,
+/dev/sound/* rw,
+
+@{PROC}/asound/** rw,
+
+/usr/share/alsa/** r,
+/usr/share/sounds/** r,
+
+owner @{HOME}/.esd_auth r,
+/etc/asound.conf r,
+owner @{HOME}/.asoundrc r,
+/etc/esound/esd.conf r,
+
+# libao
+/etc/libao.conf r,
+owner @{HOME}/.libao r,
+
+# libcanberra
+owner @{HOME}/.cache/event-sound-cache.* rwk,
+
+# pulse
+/etc/pulse/ r,
+/etc/pulse/** r,
+/{run,dev}/shm/ r,
+owner /{run,dev}/shm/pulse-shm* rwk,
+owner @{HOME}/.pulse-cookie rwk,
+owner @{HOME}/.pulse/ rw,
+owner @{HOME}/.pulse/* rwk,
+owner /{,var/}run/user/*/pulse/ rw,
+owner /{,var/}run/user/*/pulse/{native,pid} rwk,
+owner @{HOME}/.config/pulse/*.conf r,
+owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
+owner @{HOME}/.config/pulse/cookie rwk,
+owner /tmp/pulse-*/ rw,
+owner /tmp/pulse-*/* rw,
+
+# libgnome2
+/etc/sound/ r,
+/etc/sound/** r,
+
+# openal
+/etc/alsa/conf.d/{,*} r,
+/etc/openal/alsoft.conf r,
+owner @{HOME}/.alsoftrc r,
+/usr/{,local/}share/openal/hrtf/{,**} r,
+owner @{HOME}/.local/share/openal/hrtf/{,**} r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,
diff --git a/abstractions/authentication b/abstractions/authentication
@@ -0,0 +1,52 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd
+# Copyright (C) 2019 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # Some services need to perform authentication of users
+ # Such authentication almost certainly needs access to the local users
+ # databases containing passwords, PAM configuration files, PAM libraries
+ /{usr/,}etc/nologin r,
+ /{usr/,}etc/pam.d/* r,
+ /{usr/,}etc/securetty r,
+ /{usr/,}etc/security/* r,
+ /{usr/,}etc/shadow r,
+ /{usr/,}etc/gshadow r,
+ /{usr/,}etc/pwdb.conf r,
+
+ /{usr/,}lib{,32,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,32,64}/security/pam_*.so mr,
+ /{usr/,}lib{,32,64}/security/ r,
+ /{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
+ /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
+ /{usr/,}lib/@{multiarch}/security/ r,
+
+ # kerberos
+ #include <abstractions/kerberosclient>
+ # SuSE's pwdutils are different:
+ /{usr/,}etc/default/passwd r,
+ /{usr/,}etc/login.defs r,
+
+ # nis
+ #include <abstractions/nis>
+
+ # winbind
+ #include <abstractions/winbind>
+
+ # likewise
+ #include <abstractions/likewise>
+
+ # smbpass
+ #include <abstractions/smbpass>
+
+ # p11-kit (PKCS#11 modules configuration)
+ #include <abstractions/p11-kit>
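Review bot: Including this abstraction grants the confined program read access to `/{usr/,}etc/shadow` and `/{usr/,}etc/gshadow`, the most sensitive grant in this commit, and one only needed by programs that themselves run PAM authentication with enough privilege to read those files. The header comment explains the PAM use but not that consequence, so a profile author may pull it in as a generic "authentication" helper; I would add `# NOTE: grants read of /etc/shadow and /etc/gshadow; include only in profiles that authenticate users themselves` beside those two rules. The nested includes (kerberosclient, nis, winbind, likewise, smbpass, p11-kit) are not in this part of the diff, so I cannot confirm they are provided by the commit.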
diff --git a/abstractions/base b/abstractions/base
@@ -0,0 +1,149 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # (Note that the ldd profile has inlined this file; if you make
+ # modifications here, please consider including them in the ldd
+ # profile as well.)
+
+ # The __canary_death_handler function writes a time-stamped log
+ # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+ # and localisations of date should be available EVERYWHERE, so
+ # StackGuard, FormatGuard, etc., alerts can be properly logged.
+ /dev/log w,
+ /dev/random r,
+ /dev/urandom r,
+ # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+ # time and getrandom()/{,u}random and, when available, runs under an
+ # unprivilged, dedicated user).
+ /run/uuidd/request r,
+ /etc/locale/** r,
+ /etc/locale.alias r,
+ /etc/localtime r,
+ /usr/share/locale-bundle/** r,
+ /usr/share/locale-langpack/** r,
+ /usr/share/locale/** r,
+ /usr/share/**/locale/** r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /usr/share/X11/locale/** r,
+ /run/systemd/journal/dev-log w,
+ # systemd native journal API (see sd_journal_print(4))
+ /run/systemd/journal/socket w,
+ # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+ # be required but applications fail without it. journald doesn't leak
+ # anything when reading so this is ok.
+ /run/systemd/journal/stdout rw,
+
+ /usr/lib{,32,64}/locale/** mr,
+ /usr/lib{,32,64}/gconv/*.so mr,
+ /usr/lib{,32,64}/gconv/gconv-modules* mr,
+ /usr/lib/@{multiarch}/gconv/*.so mr,
+ /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
+
+ # used by glibc when binding to ephemeral ports
+ /etc/bindresvport.blacklist r,
+
+ # ld.so.cache and ld are used to load shared libraries; they are best
+ # available everywhere
+ /etc/ld.so.cache mr,
+ /etc/ld.so.conf r,
+ /etc/ld.so.conf.d/{,*.conf} r,
+ /etc/ld.so.preload r,
+ /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
+
+ # we might as well allow everything to use common libraries
+ /{usr/,}lib{,32,64}/** r,
+ /{usr/,}lib{,32,64}/**.so* mr,
+ /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib/@{multiarch}/**.so* mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
+
+ # /dev/null is pretty harmless and frequently used
+ /dev/null rw,
+ # as is /dev/zero
+ /dev/zero rw,
+ # recent glibc uses /dev/full in preference to /dev/null for programs
+ # that don't have open fds at exec()
+ /dev/full rw,
+
+ # Sometimes used to determine kernel/user interfaces to use
+ @{PROC}/sys/kernel/version r,
+ # Depending on which glibc routine uses this file, base may not be the
+ # best place -- but many profiles require it, and it is quite harmless.
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ # glibc's sysconf(3) routine to determine free memory, etc
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+ @{PROC}/cpuinfo r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
+
+ # glibc's *printf protections read the maps file
+ @{PROC}/@{pid}/{maps,auxv,status} r,
+
+ # libgcrypt reads some flags from /proc
+ @{PROC}/sys/crypto/* r,
+
+ # some applications will display license information
+ /usr/share/common-licenses/** r,
+
+ # glibc statvfs
+ @{PROC}/filesystems r,
+
+ # glibc malloc (man 5 proc)
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace read ourselves
+ ptrace (read) peer=@{profile_name},
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Checking for PID existence is quite common so add it by default for now
+ signal (receive, send) set=("exists"),
+
+ # Allow us to create and use abstract and anonymous sockets
+ unix peer=(label=@{profile_name}),
+
+ # Allow unconfined processes to us via unix sockets
+ unix (receive) peer=(label=unconfined),
+
+ # Allow us to create abstract and anonymous sockets
+ unix (create),
+
+ # Allow us to getattr, getopt, setop and shutdown on unix sockets
+ unix (getattr, getopt, setopt, shutdown),
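Review bot: The comment above `unix (receive) peer=(label=unconfined),` reads `# Allow unconfined processes to us via unix sockets` and is missing its verb; I would write `# Allow unconfined processes to send to us via unix sockets`. The uuidd comment earlier in the hunk also has a typo, `unprivilged` for `unprivileged`. The copyright headers suggest these files are copies of the upstream AppArmor abstractions, so both comment fixes may be better sent upstream first to avoid diverging.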
diff --git a/abstractions/bash b/abstractions/bash
@@ -0,0 +1,44 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # user-specific bash files
+ @{HOMEDIRS} r,
+ @{HOME}/.bashrc r,
+ @{HOME}/.profile r,
+ @{HOME}/.bash_profile r,
+ @{HOME}/.bash_history rw,
+
+ # system-wide bash configuration
+ /etc/profile.dos r,
+ /etc/profile r,
+ /etc/profile.d/ r,
+ /etc/profile.d/* r,
+ /etc/bashrc r,
+ /etc/bash.bashrc r,
+ /etc/bash.bashrc.local r,
+ /etc/bash_completion r,
+ /etc/bash_completion.d/ r,
+ /etc/bash_completion.d/* r,
+
+ # bash relies on system-wide readline configuration
+ /etc/inputrc r,
+
+ # bash inspects filesystems at startup
+ /etc/mtab r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/filesystems r,
+
+ # probably readline wants to know terminal capabilities
+ /usr/share/terminfo/** r,
+
+ # run out of /etc/bash.bashrc
+ /etc/DIR_COLORS r,
+ /{usr/,}bin/ls mix,
+ /usr/bin/dircolors mix,
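Review bot: The per-user rules `@{HOME}/.bashrc r,`, `@{HOME}/.profile r,`, `@{HOME}/.bash_profile r,` and `@{HOME}/.bash_history rw,` carry no `owner` qualifier, unlike the per-user rules in the aspell, gnupg and X files of this commit, so a confined program running under a different uid is still allowed by AppArmor to read, and in the history case append to, another user's dotfiles (subject only to DAC). Since bash only reads its own user's files, I would prefix these four rules with `owner`, e.g. `owner @{HOME}/.bash_history rw,`. `@{HOMEDIRS} r,` as a directory listing is fine as written.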
diff --git a/abstractions/consoles b/abstractions/consoles
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+
+ # there are three common ways to refer to consoles
+ /dev/console rw,
+ /dev/tty rw,
+ # this next entry is a tad unfortunate; /dev/tty will always be
+ # associated with the controlling terminal by the kernel, but if a
+ # program uses the /dev/pts/ interface, it actually has access to
+ # -all- xterm, sshd, etc, terminals on the system.
+ /dev/pts/[0-9]* rw,
+ /dev/pts/ r,
+
diff --git a/abstractions/cups-client b/abstractions/cups-client
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # discoverable system configuration for non-local cupsd
+ /etc/cups/client.conf r,
+ # client should be able to talk the local cupsd
+ /{,var/}run/cups/cups.sock rw,
+ # client should be able to read user-specified cups configuration
+ owner @{HOME}/.cups/client.conf r,
+ owner @{HOME}/.cups/lpoptions r,
diff --git a/abstractions/dbus b/abstractions/dbus
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full system bus access. Consider using the
+ # dbus-strict abstraction for fine-grained bus mediation.
+
+ #include <abstractions/dbus-strict>
+ dbus bus=system,
diff --git a/abstractions/dbus-accessibility b/abstractions/dbus-accessibility
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full accessibility bus access. Consider using the
+ # dbus-accessibility-strict abstraction for fine-grained bus mediation.
+
+ #include <abstractions/dbus-accessibility-strict>
+ dbus bus=accessibility,
diff --git a/abstractions/dbus-accessibility-strict b/abstractions/dbus-accessibility-strict
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ dbus send
+ bus=accessibility
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
diff --git a/abstractions/dbus-session b/abstractions/dbus-session
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This abstraction grants full session bus access. Consider using the
+ # dbus-session-strict abstraction for fine-grained bus mediation.
+
+ #include <abstractions/dbus-session-strict>
+ /usr/bin/dbus-launch ix,
+ dbus bus=session,
diff --git a/abstractions/dbus-session-strict b/abstractions/dbus-session-strict
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # unique per-machine identifier
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+ owner /run/user/*/bus rw,
+
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/dbus-*"),
+
+ # dbus with systemd and --enable-user-session
+ owner /run/user/[0-9]*/bus rw,
+
+ dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
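Review bot: `owner /run/user/*/bus rw,` earlier in the hunk already matches everything that `owner /run/user/[0-9]*/bus rw,` under the "dbus with systemd and --enable-user-session" comment matches, so the second rule is redundant. If one is dropped, keeping the narrower `[0-9]*` form is the tighter choice; otherwise drop the second and fold its comment into the first. The fonts abstraction in this commit has the same pattern: `/usr/share/ghostscript/fonts/{,**} r,` already covers the later `/usr/share/ghostscript/fonts/** r,`.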
diff --git a/abstractions/dbus-strict b/abstractions/dbus-strict
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /{,var/}run/dbus/system_bus_socket rw,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
diff --git a/abstractions/dconf b/abstractions/dconf
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+# permissions for querying dconf settings; granting write access should
+# be specified in a specific application's profile.
+
+ /etc/dconf/** r,
+ owner /{,var/}run/user/*/dconf/user r,
+ owner @{HOME}/.config/dconf/user r,
diff --git a/abstractions/dovecot-common b/abstractions/dovecot-common
@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# used with dovecot/*
+
+ capability setgid,
+
+ deny capability block_suspend,
+
+ # dovecot's master can send us signals
+ signal receive peer=dovecot,
+
+ /{var/,}run/dovecot/config rw,
diff --git a/abstractions/dri-common b/abstractions/dri-common
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+
+# This file contains common DRI-specific rules useful for GUI applications
+# (needed by libdrm and similar).
+
+ /usr/lib{,32,64}/dri/** mr,
+ /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/fglrx/dri/** mr,
+ /dev/dri/ r,
+ /dev/dri/** rw,
+ /etc/drirc r,
+ /usr/share/drirc.d/{,*.conf} r,
+ owner @{HOME}/.drirc r,
+
diff --git a/abstractions/dri-enumerate b/abstractions/dri-enumerate
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+# This file contains common DRI-specific rules useful for GUI applications that
+# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
+# libdrm).
+
+ @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+
diff --git a/abstractions/enchant b/abstractions/enchant
@@ -0,0 +1,56 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # abstraction for Enchant spellchecking frontend
+
+ /usr/share/enchant/ r,
+ /usr/share/enchant/enchant.ordering r,
+
+ # aspell
+ #include <abstractions/aspell>
+ /var/lib/dictionaries-common/aspell/ r,
+ /var/lib/dictionaries-common/aspell/* r,
+
+ # hspell
+ /usr/share/hspell/ r,
+ /usr/share/hspell/*.wgz.* r,
+
+ # hunspell
+ /usr/share/hunspell/ r,
+ /usr/share/hunspell/* r,
+
+ # ispell
+ /usr/lib/ispell/ r,
+ /usr/lib/ispell/*.hash r,
+ /usr/share/dict/ r,
+ /usr/share/dict/* r,
+ /var/lib/dictionaries-common/ r,
+ /var/lib/dictionaries-common/{ispell,wordlist}/ r,
+ /var/lib/dictionaries-common/{ispell,wordlist}/* r,
+
+ # myspell
+ /usr/share/myspell/ r,
+ /usr/share/myspell/** r,
+
+ # voikko
+ /usr/lib/voikko/ r,
+ /usr/lib/voikko/2/ r,
+ /usr/lib/voikko/2/mor-standard/ r,
+ /usr/lib/voikko/2/mor-standard/voikko* r,
+
+ # zemberek
+ /usr/share/java/ r,
+ /usr/share/java/zemberek-[0-9]*.jar r,
+ /usr/share/java/zemberek-tr-[0-9]*.jar r,
+
+ # per-user dictionaries
+ owner @{HOME}/.config/enchant/ rw,
+ owner @{HOME}/.config/enchant/* rwk,
diff --git a/abstractions/fcitx b/abstractions/fcitx
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #include <abstractions/fcitx-strict>
+ dbus bus=fcitx,
diff --git a/abstractions/fcitx-strict b/abstractions/fcitx-strict
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ #include <abstractions/dbus-session-strict>
+
+ dbus send
+ bus=fcitx
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+
+ owner @{HOME}/.config/fcitx/dbus/* r,
diff --git a/abstractions/fonts b/abstractions/fonts
@@ -0,0 +1,61 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /usr/share/AbiSuite/fonts/** r,
+
+ /usr/lib/xorg/modules/fonts/**.so* mr,
+
+ /usr/share/fonts/ r,
+ /usr/share/fonts/** r,
+
+ /etc/fonts/** r,
+ # Debian, openSUSE paths are different
+ /usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
+ /usr/share/ghostscript/fonts/{,**} r,
+
+ /opt/kde3/share/fonts/** r,
+
+ /usr/lib{,32,64}/openoffice/share/fonts/** r,
+
+ /var/cache/fonts/** r,
+ /var/cache/fontconfig/** mr,
+ /var/lib/defoma/** mr,
+
+ /usr/share/a2ps/fonts/** r,
+ /usr/share/xfce/fonts/** r,
+ /usr/share/ghostscript/fonts/** r,
+ /usr/share/javascript/*/fonts/** r,
+ /usr/share/texmf/{,*/}fonts/** r,
+ /usr/share/texlive/texmf-dist/fonts/** r,
+ /var/lib/ghostscript/** r,
+
+ owner @{HOME}/.fonts.conf r,
+ owner @{HOME}/.fonts/ r,
+ owner @{HOME}/.fonts/** r,
+ owner @{HOME}/.local/share/fonts/ r,
+ owner @{HOME}/.local/share/fonts/** r,
+ owner @{HOME}/.fonts.cache-2 mr,
+ owner @{HOME}/.{,cache/}fontconfig/ rw,
+ owner @{HOME}/.{,cache/}fontconfig/** mrl,
+ owner @{HOME}/.fonts.conf.d/ r,
+ owner @{HOME}/.fonts.conf.d/** r,
+ owner @{HOME}/.config/fontconfig/ r,
+ owner @{HOME}/.config/fontconfig/** r,
+
+ /usr/local/share/fonts/ r,
+ /usr/local/share/fonts/** r,
+
+ # poppler CMap tables
+ /usr/share/poppler/cMap/** r,
+
+ # data files for LibThai
+ /usr/share/libthai/thbrk.tri r,
diff --git a/abstractions/freedesktop.org b/abstractions/freedesktop.org
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # system configuration
+ @{system_share_dirs}/applications/{**,} r,
+ @{system_share_dirs}/icons/{**,} r,
+ @{system_share_dirs}/pixmaps/{**,} r,
+
+ # this should probably go elsewhere
+ @{system_share_dirs}/mime/** r,
+
+ # per-user configurations
+ owner @{HOME}/.icons/ r,
+ owner @{HOME}/.recently-used.xbel* rw,
+ owner @{HOME}/.local/share/recently-used.xbel* rw,
+ owner @{HOME}/.config/user-dirs.dirs r,
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{user_share_dirs}/applications/{**,} r,
+ owner @{user_share_dirs}/icons/{**,} r,
+ owner @{user_share_dirs}/mime/{**,} r,
diff --git a/abstractions/gnome b/abstractions/gnome
@@ -0,0 +1,109 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#include <abstractions/base>
+#include <abstractions/fonts>
+#include <abstractions/X>
+#include <abstractions/freedesktop.org>
+#include <abstractions/xdg-desktop>
+#include <abstractions/user-tmp>
+#include <abstractions/wayland>
+
+ # systemwide gtk defaults
+ /etc/gnome/gtkrc* r,
+ /etc/gtk/* r,
+ /usr/lib{,32,64}/gtk/** mr,
+ /usr/lib/@{multiarch}/gtk/** mr,
+ /usr/lib{,32,64}/gtk-[0-9]*/** mr,
+ /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
+ /usr/share/themes/ r,
+ /usr/share/themes/** r,
+
+ # for gnome 1 applications
+ /etc/orbitrc r,
+
+ # gtk-2 needed some new rights
+ /etc/fonts/* r,
+ /etc/gtk-*/* r,
+ /etc/pango/* r,
+ /usr/lib{,32,64}/pango/** mr,
+ /usr/lib{,32,64}/gtk-*/** mr,
+ /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
+ /usr/lib/@{multiarch}/pango/** mr,
+ /usr/lib/@{multiarch}/gtk-*/** mr,
+ /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
+
+ # per-user gtk configuration
+ owner @{HOME}/.config/gtk-3.0/ w,
+ owner @{HOME}/.config/gtk-3.0/* r,
+ owner @{HOME}/.gnome/Gnome r,
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+ owner @{HOME}/.themes/ r,
+ owner @{HOME}/.themes/** r,
+ owner @{user_share_dirs}/themes/ r,
+ owner @{user_share_dirs}/themes/** r,
+
+ # for gtk file dialog
+ owner @{HOME}/.config/gtk-2.0/ w,
+ owner @{HOME}/.config/gtk-2.0/** r,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+ # from evolution-mail
+ owner @{HOME}/.gconfd/lock/* r,
+ owner @{HOME}/.gnome/application-info r,
+
+ # per-user font business
+ owner @{HOME}/.fonts.cache-* rwl,
+
+ # GtkComposeTable
+ owner @{HOME}/.cache/gtk-3.0/** r,
+
+ # icon caches
+ /var/cache/**/icon-theme.cache r,
+ /usr/share/**/icon-theme.cache r,
+
+ # GLib schemas
+ /usr/{local/,}share/glib-[0-9]*/schemas/ r,
+ /usr/{local/,}share/glib-[0-9]*/schemas/** r,
+
+ # gnome VFS modules
+ /etc/gnome-vfs-2.0/modules/ r,
+ /etc/gnome-vfs-2.0/modules/* r,
+ /usr/lib/gnome-vfs-2.0/modules/*.so mr,
+ /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
+
+ # gvfs
+ /usr/share/gvfs/remote-volume-monitors/ r,
+ /usr/share/gvfs/remote-volume-monitors/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # printing
+ /etc/papersize r,
+ /etc/cups/lpoptions r,
+ /usr/share/cups/charmaps/** r,
+
+ # holds MIT-MAGIC-COOKIE for gnome
+ owner /{,var/}run/gdm/auth*/database r,
+
+ # mime-types
+ /etc/gnome/defaults.list r,
+ /etc/xdg/{,*-}mimeapps.list r,
+ /usr/share/gnome/applications/ r,
+ /usr/share/gnome/applications/mimeinfo.cache r,
+
+ # Allow connecting to the GNOME vfs socket (still need corresponding DBus
+ # rules)
+ unix (send, receive, connect)
+ type=stream
+ peer=(addr="@/dbus-vfs-daemon/socket-*"),
diff --git a/abstractions/gnupg b/abstractions/gnupg
@@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+# gnupg sub-process running permissions
+
+ # user configurations
+ owner @{HOME}/.gnupg/options r,
+ owner @{HOME}/.gnupg/pubring.gpg r,
+ owner @{HOME}/.gnupg/pubring.kbx r,
+ owner @{HOME}/.gnupg/random_seed rw,
+ owner @{HOME}/.gnupg/secring.gpg r,
+ owner @{HOME}/.gnupg/so/*.x86_64 mr,
+ owner @{HOME}/.gnupg/trustdb.gpg rw,
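Review bot: The rule `owner @{HOME}/.gnupg/so/*.x86_64 mr,` hard-codes one architecture, so on any non-x86_64 host it never matches and the mmap is denied with nothing in the file explaining why. If that limitation is intended, say so next to the rule, e.g. `# loadable modules; glob is x86_64-only, widen the suffix for other architectures`; otherwise the suffix needs to cover the architectures this repository targets. The file also lacks the copyright/license header every other vendored abstraction in this commit carries, which makes its provenance unclear.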
diff --git a/abstractions/ibus b/abstractions/ibus
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # abstraction for ibus input methods
+ owner @{HOME}/.config/ibus/ r,
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
diff --git a/abstractions/kde b/abstractions/kde
@@ -0,0 +1,77 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <abstractions/base>
+#include <abstractions/fonts>
+#include <abstractions/X>
+#include <abstractions/freedesktop.org>
+#include <abstractions/xdg-desktop>
+#include <abstractions/user-tmp>
+#include <abstractions/qt5>
+
+/etc/qt3/kstylerc r,
+/etc/qt3/qt_plugins_3.3rc r,
+/etc/qt3/qtrc r,
+/etc/kderc r,
+/etc/kde3/* r,
+/etc/kde4rc r,
+/etc/xdg/kdeglobals r,
+/etc/xdg/Trolltech.conf r,
+/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
+/usr/share/kubuntu-default-settings/kf5-settings/* r,
+
+owner @{HOME}/.DCOPserver_* r,
+owner @{HOME}/.ICEauthority r,
+owner @{HOME}/.fonts.* lrw,
+owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
+owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
+owner @{HOME}/.qt/** rw,
+owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+owner @{HOME}/.config/Trolltech.conf rwk,
+owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
+owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/trashrc r, # Used by KFileWidget
+
+/usr/share/X11/XKeysymDB r,
+
+# kde3
+/usr/lib*/kde3/plugins/styles/ r,
+/usr/lib*/kde3/plugins/styles/* mr,
+/usr/lib*/kde3/lib*so* mr,
+/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
+/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
+/usr/lib/@{multiarch}/kde3/lib*so* mr,
+/usr/lib*/qt3/lib*/lib*so* mr,
+/usr/lib*/qt3/plugins/** mr,
+/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt3/plugins/** mr,
+/usr/lib*/libqt-mt*so* mr,
+/usr/lib*/libqui*so* mr,
+/usr/lib/@{multiarch}/libqt-mt*so* mr,
+/usr/lib/@{multiarch}/libqui*so* mr,
+/usr/share/qt3/lib*/libqt-mt*so* mr,
+/usr/share/qt3/lib*/libqui*so* mr,
+
+# kde4
+/usr/lib*/kde4/plugins/*/*.so mr,
+/usr/lib*/kde4/plugins/*/ r,
+/usr/lib*/kde4/lib*so* mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/ r,
+/usr/lib/@{multiarch}/kde4/lib*so* mr,
+/usr/lib*/qt4/lib*/lib*so* mr,
+/usr/lib*/qt4/plugins/** mr,
+/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt4/plugins/** mr,
+/usr/share/qt4/** r,
diff --git a/abstractions/kde-globals-write b/abstractions/kde-globals-write
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# Rules for changing KDE settings (for KFileDialog and other).
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]* rw,
+ owner @{HOME}/.config/kdeglobals rw,
+ owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
+ owner @{HOME}/.config/kdeglobals.lock rwk,
+
diff --git a/abstractions/kde-icon-cache-write b/abstractions/kde-icon-cache-write
@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Rules for writing KDE icon cache
+
+ # User files
+
+ owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
diff --git a/abstractions/kde-language-write b/abstractions/kde-language-write
@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# Rules for changing per-application language settings on KDE. Some KDE
+# applications have "Help -> Switch Application Language..." option, that needs
+# write access to language settings file.
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]* rw,
+ owner @{HOME}/.config/klanguageoverridesrc rw,
+ owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
+ owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
+
diff --git a/abstractions/kerberosclient b/abstractions/kerberosclient
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by kerberos client programs
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
+
+ /usr/lib{,32,64}/krb5/plugins/preauth/ r,
+ /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+
+ /etc/krb5.keytab rk,
+ /etc/krb5.conf r,
+ /etc/krb5.conf.d/ r,
+ /etc/krb5.conf.d/* r,
+
+ # config files found via strings on libs
+ /etc/krb.conf r,
+ /etc/krb.realms r,
+ /etc/srvtab r,
+
+ # credential caches
+ /tmp/krb5cc* r,
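Review bot: `/tmp/krb5cc* r,` grants read on every credential cache in /tmp rather than only the calling user's, so the policy relies on DAC alone to keep one user's tickets away from a confined process running as another. The abstraction should express the intent directly: `owner /tmp/krb5cc* r,`. The other per-user rules in this commit already use `owner` for home-directory secrets, so this is also a consistency point.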
diff --git a/abstractions/ldapclient b/abstractions/ldapclient
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+ /etc/ldap.conf r,
+ /etc/ldap.secret r,
+ /etc/openldap/* r,
+ /etc/openldap/cacerts/* r,
+
+ # SASL plugins and config
+ /etc/sasl2/* r,
+ /usr/lib{,32,64}/sasl2/* r,
+
+ # local LDAP name service daemon
+ /{,var/}run/nslcd/socket rw,
+
+ #include <abstractions/ssl_certs>
diff --git a/abstractions/libpam-systemd b/abstractions/libpam-systemd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015-2016 Simon Deziel
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <abstractions/dbus-strict>
+
+ # libpam-systemd notifies systemd-logind about session logins/logouts
+ dbus send
+ bus=system
+ path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={CreateSession,ReleaseSession},
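Review bot: The dbus rule constrains path, interface and member but not the peer, so the `CreateSession`/`ReleaseSession` messages may be sent to any system-bus peer that happens to export that object path, not just systemd-logind. Pin the destination: `member={CreateSession,ReleaseSession}` followed by `peer=(name=org.freedesktop.login1),`. This is the one place in the commit where a dbus send rule lacks a peer qualifier, so tightening it costs nothing for the intended caller.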
diff --git a/abstractions/likewise b/abstractions/likewise
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /tmp/.lwidentity/pipe rw,
+ /var/lib/likewise-open/lwidentity_privileged/pipe rw,
diff --git a/abstractions/mdns b/abstractions/mdns
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # mdnsd
+ /etc/nss_mdns.conf r,
+ /{,var/}run/mdnsd w,
diff --git a/abstractions/mesa b/abstractions/mesa
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Rules for Mesa implementation of the OpenGL API
+
+ /usr/share/glvnd/** r,
+
+ # System files
+ /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+
+ # User files
+ owner @{HOME}/.cache/ w, # if user clears all caches
+ owner @{HOME}/.cache/mesa_shader_cache/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/index rw,
+ owner @{HOME}/.cache/mesa_shader_cache/??/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+
diff --git a/abstractions/mir b/abstractions/mir
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # mir libraries sometimes do not have a lib prefix
+ # see LP: #1422521
+ /usr/lib/@{multiarch}/mir/*.so* mr,
+ /usr/lib/@{multiarch}/mir/**/*.so* mr,
+
+ # unprivileged mir socket for clients
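Review bot: The file ends with the comment `# unprivileged mir socket for clients` and no rule beneath it, so the comment promises access that the abstraction does not grant. Either the socket rule was dropped when the file was copied or the comment is stale; add the rule the comment describes or remove the comment so readers do not assume Mir clients are covered. As written, a profile that includes this abstraction will see a denial on the client socket with no hint in the policy that it was meant to be allowed.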
diff --git a/abstractions/mozc b/abstractions/mozc
@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
diff --git a/abstractions/mysql b/abstractions/mysql
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
+ /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
diff --git a/abstractions/nameservice b/abstractions/nameservice
@@ -0,0 +1,101 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Many programs wish to perform nameservice-like operations, such as
+ # looking up users by name or id, groups by name or id, hosts by name
+ # or IP, etc. These operations may be performed through files, dns,
+ # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
+ /etc/group r,
+ /etc/host.conf r,
+ /etc/hosts r,
+ /etc/nsswitch.conf r,
+ /etc/gai.conf r,
+ /etc/passwd r,
+ /etc/protocols r,
+
+ # libtirpc (used for NIS/YP login) needs this
+ /etc/netconfig r,
+
+ # When using libnss-extrausers, the passwd and group files are merged from
+ # an alternate path
+ /var/lib/extrausers/group r,
+ /var/lib/extrausers/passwd r,
+
+ # When using sssd, the passwd and group files are stored in an alternate path
+ # and the nss plugin also needs to talk to a pipe
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/initgroups r,
+ /var/lib/sss/mc/passwd r,
+ /var/lib/sss/pipes/nss rw,
+
+ /etc/resolv.conf r,
+ # On systems where /etc/resolv.conf is managed programmatically, it is
+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+ /etc/resolvconf/run/resolv.conf r,
+ /{,var/}run/systemd/resolve/stub-resolv.conf r,
+
+ /etc/samba/lmhosts r,
+ /etc/services r,
+ # db backend
+ /var/lib/misc/*.db r,
+ # The Name Service Cache Daemon can cache lookups, sometimes leading
+ # to vast speed increases when working with network-based lookups.
+ /{,var/}run/.nscd_socket rw,
+ /{,var/}run/nscd/socket rw,
+ /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
+ # nscd renames and unlinks files in it's operation that clients will
+ # have open
+ /{,var/}run/nscd/db* rmix,
+
+ # The nss libraries are sometimes used in addition to PAM; make sure
+ # they are available
+ /{usr/,}lib{,32,64}/libnss_*.so* mr,
+ /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
+ /etc/default/nss r,
+
+ # avahi-daemon is used for mdns4 resolution
+ /{,var/}run/avahi-daemon/socket rw,
+
+ # libnl-3-200 via libnss-gw-name
+ @{PROC}/@{pid}/net/psched r,
+ /etc/libnl-*/classid r,
+
+ # nis
+ #include <abstractions/nis>
+
+ # ldap
+ #include <abstractions/ldapclient>
+
+ # winbind
+ #include <abstractions/winbind>
+
+ # likewise
+ #include <abstractions/likewise>
+
+ # mdnsd
+ #include <abstractions/mdns>
+
+ # kerberos
+ #include <abstractions/kerberosclient>
+
+ # TCP/UDP network access
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ # TODO: adjust when support finer-grained netlink rules
+ # Netlink raw needed for nscd
+ network netlink raw,
+
+ # interface details
+ @{PROC}/@{pid}/net/route r,
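Review bot: `#include <abstractions/ldapclient>` pulls `/etc/ldap.secret r,` (visible in the ldapclient hunk above) into every profile that includes nameservice, which in practice is nearly every profile in a repository like this, so the only thing keeping the LDAP bind password out of confined processes is its filesystem mode. That is upstream behaviour, but it deserves a sentence at the include site, e.g. `# NOTE: ldapclient also grants read on /etc/ldap.secret; DAC is the only remaining guard`, so profile authors know what they inherit. The same applies to `/etc/krb5.keytab rk,` reached via the kerberosclient include.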
diff --git a/abstractions/nis b/abstractions/nis
@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # NIS rules
+ /var/yp/binding/* r,
+ # portmapper may ask root processes to do nis/ldap at low ports
+ capability net_bind_service,
+
diff --git a/abstractions/nvidia b/abstractions/nvidia
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# nvidia access requirements
+
+ # configuration queries
+ capability ipc_lock,
+
+ /usr/share/nvidia/nvidia-application-profiles* r,
+
+ # libvdpau config file for nvidia workarounds
+ /etc/vdpau_wrapper.cfg r,
+
+ # device files
+ /dev/nvidiactl rw,
+ /dev/nvidia-modeset rw,
+ /dev/nvidia[0-9]* rw,
+
+ @{PROC}/interrupts r,
+ @{PROC}/sys/vm/max_map_count r,
+ @{PROC}/driver/nvidia/params r,
+ @{PROC}/modules r,
+
+ @{sys}/devices/system/memory/block_size_bytes r,
+
+ owner @{HOME}/.nv/ w,
+ owner @{HOME}/.nv/GLCache/ rw,
+ owner @{HOME}/.nv/GLCache/** rwk,
+
+ unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
diff --git a/abstractions/opencl b/abstractions/opencl
@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+# OpenCL access requirements
+
+ # TODO: use conditionals to select allowed implementations
+ #include <abstractions/opencl-intel>
+ #include <abstractions/opencl-mesa>
+ #include <abstractions/opencl-nvidia>
+ #include <abstractions/opencl-pocl>
+
diff --git a/abstractions/opencl-common b/abstractions/opencl-common
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# implementation-independent OpenCL access requirements
+
+ # System files
+
+ /etc/OpenCL/** r,
+ @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+ @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+ @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+
diff --git a/abstractions/opencl-intel b/abstractions/opencl-intel
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Intel implementation
+
+ #include <abstractions/opencl-common>
+
+ # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
+ #include <abstractions/X>
+
+ # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
+ #include <abstractions/dri-enumerate>
+
+ # System files
+
+ /dev/dri/card[0-9]* rw, # beignet/libcl.so
+ @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+ /usr/lib/@{multiarch}/beignet/** r,
+
diff --git a/abstractions/opencl-mesa b/abstractions/opencl-mesa
@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Mesa implementation
+
+ #include <abstractions/opencl-common>
+
+ # Additional libraries
+
+ /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
+ /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
+
+ # System files
+
+ /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
+ /dev/dri/render* rw, # libMesaOpenCL.so
+ /etc/drirc r, # libMesaOpenCL.so
+
+ # User files
+
+ owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
+
diff --git a/abstractions/opencl-nvidia b/abstractions/opencl-nvidia
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for NVIDIA implementation
+
+ #include <abstractions/nvidia>
+ #include <abstractions/opencl-common>
+
+ # Executables
+
+ # https://github.com/NVIDIA/nvidia-modprobe
+ # This setuid executable is used to create various device files and load the
+ # the nvidia kernel module.
+ /usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
+
+ # System files
+
+ # libnvidia-opencl.so rules:
+ /dev/nvidia-uvm rw,
+ /dev/nvidia-uvm-tools rw,
+ @{sys}/devices/pci[0-9]*/**/config r,
+ @{sys}/devices/system/memory/block_size_bytes r,
+ /usr/share/nvidia/** r,
+ @{PROC}/devices r,
+ @{PROC}/sys/vm/mmap_min_addr r,
+
+ # User files
+
+ owner @{HOME}/.nv/ComputeCache/ w,
+ owner @{HOME}/.nv/ComputeCache/** rw,
+ owner @{HOME}/.nv/ComputeCache/index rwk,
+
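Review bot: `/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,` transitions into a profile that nothing in this abstraction (or the surrounding hunks) defines, so if the `nvidia_modprobe` profile is not loaded on the host the exec is simply denied at run time with no parse-time warning. Document the dependency next to the rule, e.g. `# requires a loaded nvidia_modprobe profile; exec is denied if it is absent`, or ship that profile alongside this abstraction. The preceding comment also reads "load the the nvidia kernel module" — one "the" too many.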
diff --git a/abstractions/opencl-pocl b/abstractions/opencl-pocl
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for POCL implementation
+
+ #include <abstractions/opencl-common>
+
+ # Executables
+
+ /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
+ /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
+
+ # System files
+
+ / r, # libpocl.so -> libhwloc.so
+ @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
+ @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
+ @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+ @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+ @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
+ @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
+ @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
+ @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
+ @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
+ /usr/share/pocl/** r,
+ /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
+
+ # User files
+
+ owner @{HOME}/.cache/pocl/ w,
+ owner @{HOME}/.cache/pocl/kcache/ w,
+ owner @{HOME}/.cache/pocl/kcache/** rw,
+ owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
+ owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
+
+ # Child profiles
+
+ profile opencl_pocl_ld {
+ #include <abstractions/base>
+
+ # Main executables
+
+ /usr/bin/{,@{multiarch}-}ld.bfd mr,
+
+ # User files
+
+ owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
+ owner @{HOME}/.cache/pocl/kcache/**.so.o r,
+ }
+
+ profile opencl_pocl_clang {
+ #include <abstractions/base>
+
+ # Main executables
+
+ /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
+
+ # Additional executables
+
+ /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
+
+ # System files
+
+ /etc/debian-version r,
+ /etc/lsb-release r,
+
+ # User files
+
+ owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
+ }
+
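Review bot: In the `opencl_pocl_clang` child profile, `/etc/debian-version r,` uses a hyphen, but the Debian release file is `/etc/debian_version` (underscore), so this rule never matches and clang's probe of it is denied; change it to `/etc/debian_version r,`. The `# dangerous!` comment on `owner @{HOME}/.cache/pocl/kcache/**.so mrw,` should say what the danger is — the profile can both write and mmap-execute the same user-writable files, so anything that compromises the process can load arbitrary code into itself through the kernel cache — and that it is accepted because pocl JIT-compiles kernels there. The TODO on the `ld.bfd ix` rule refers to an `opencl_ld` child profile, while the profile actually defined above is `opencl_pocl_ld`.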
diff --git a/abstractions/openssl b/abstractions/openssl
@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /etc/ssl/openssl.cnf r,
+ /usr/share/ssl/openssl.cnf r,
+ @{PROC}/sys/crypto/fips_enabled r,
+
diff --git a/abstractions/orbit2 b/abstractions/orbit2
@@ -0,0 +1,5 @@
+# vim:syntax=apparmor
+# orbit2 permissions
+
+ # system library
+ /usr/lib/orbit-2.0/*.so mr,
diff --git a/abstractions/p11-kit b/abstractions/p11-kit
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /etc/pkcs11/ r,
+ /etc/pkcs11/pkcs11.conf r,
+ /etc/pkcs11/modules/ r,
+ /etc/pkcs11/modules/* r,
+
+ /usr/lib{,32,64}/pkcs11/*.so mr,
+ /usr/lib/@{multiarch}/pkcs11/*.so mr,
+
+ /usr/share/p11-kit/modules/ r,
+ /usr/share/p11-kit/modules/* r,
+
+ # gnome-keyring pkcs11 module
+ owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
+ # p11-kit also supports reading user configuration from ~/.pkcs11 depending
+ # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
+ # included in this abstraction.
diff --git a/abstractions/perl b/abstractions/perl
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # a few files typically required for perl scripts
+ /usr/bin/perl rmix,
+ /usr/bin/perl[0-9].[0-9].[0-9] rmix,
+
+ /usr/lib{,32,64}/perl5/** r,
+ /usr/lib{,32,64}/perl{,5}/**.so* mr,
+ /usr/lib/@{multiarch}/perl{,5,-base}/** r,
+ /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
+
+ /usr/share/perl/** r,
+ /usr/share/perl5/** r,
+ /etc/perl/** r,
diff --git a/abstractions/php b/abstractions/php
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # shared snippets for config files
+ /etc/php{,5,7}/**/ r,
+ /etc/php{,5,7}/**.ini r,
+
+ # Xlibs
+ /usr/X11R6/lib{,32,64}/lib*.so* mr,
+ # php extensions
+ /usr/lib{64,}/php{,5,7}/*/*.so mr,
+
+ # ICU (unicode support) data tables
+ /usr/share/icu/*/*.dat r,
+
+ # php session mmap socket
+ /var/lib/php{,5,7}/session_mm_* rwlk,
+ # file based session handler
+ /var/lib/php{,5,7}/sess_* rwlk,
+ /var/lib/php{,5,7}/sessions/* rwlk,
+
+ # php libraries
+ /usr/share/php{,5,7}/ r,
+ /usr/share/php{,5,7}/** mr,
+
+ # MySQL extension
+ /usr/share/mysql/** r,
+
+ # Zend opcache
+ /tmp/.ZendSem.* rwlk,
diff --git a/abstractions/php5 b/abstractions/php5
@@ -0,0 +1,3 @@
+#backwards compatibility include, actual abstraction moved from php5 to php
+
+#include <abstractions/php>
diff --git a/abstractions/postfix-common b/abstractions/postfix-common
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2015 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# used with postfix/*
+
+
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ # postfix's master can send us signals
+ signal receive peer=/usr/lib/postfix/master,
+ signal receive peer=postfix-master,
+
+ unix (send, receive) peer=(label=/usr/lib/postfix/master),
+ unix (send, receive) peer=(label=postfix-master),
+
+ /etc/mailname r,
+ /etc/postfix/*.cf r,
+ /etc/postfix/*.db rk,
+ @{PROC}/net/if_inet6 r,
+ /usr/lib/postfix/*.so mr,
+ /usr/lib{,32,64}/sasl2/* mr,
+ /usr/lib{,32,64}/sasl2/ r,
+ /usr/lib/@{multiarch}/sasl2/* mr,
+ /usr/lib/@{multiarch}/sasl2/ r,
+
+ /var/spool/postfix/etc/* r,
+ /var/spool/postfix/lib/lib*.so* mr,
+ /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
diff --git a/abstractions/private-files b/abstractions/private-files
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
+
+ # privacy violations (don't audit files under $HOME otherwise get a
+ # lot of false positives when reading contents of directories)
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.mutt** mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*.bak mrwkl,
+
+ # special attention to (potentially) executable files
+ audit deny @{HOME}/.local/{s,}bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
+
+ # don't allow reading/updating of run control files
+ deny @{HOME}/.*rc mrk,
+ audit deny @{HOME}/.*rc wl,
+
+ # bash
+ deny @{HOME}/.bash* mrk,
+ audit deny @{HOME}/.bash* wl,
+ deny @{HOME}/.inputrc mrk,
+ audit deny @{HOME}/.inputrc wl,
+
+ # sh/dash/csh/tcsh/pdksh/zsh
+ deny @{HOME}/.{,z}profile* mrk,
+ audit deny @{HOME}/.{,z}profile* wl,
+ deny @{HOME}/.{,z}log{in,out} mrk,
+ audit deny @{HOME}/.{,z}log{in,out} wl,
+
+ deny @{HOME}/.zshenv mrk,
+ audit deny @{HOME}/.zshenv wl,
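Review bot: The header describes this file as "privacy-violations" while the file is installed as `private-files` (the strict variant has the same mismatch with "privacy-violations-strict"); the comments should name the abstraction as it is actually included. More importantly, AppArmor deny rules take precedence over allow rules in the same profile, so `deny @{HOME}/.*rc mrk,` silently blocks the `owner @{HOME}/.gtkrc r,` and `.gtkrc-2.0 r,` grants from the gnome abstraction earlier in this commit for any profile that includes both. A one-line comment above the run-control block, e.g. `# deny wins over allow: this also blocks .gtkrc/.*rc reads granted by other abstractions`, would save the next author a confusing denial. Separately, `private-files-strict` repeats `audit deny @{HOME}/.config/ w,` even though it already gets that rule via its `#include <abstractions/private-files>`.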
diff --git a/abstractions/private-files-strict b/abstractions/private-files-strict
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicitly deny access
+
+ #include <abstractions/private-files>
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.aws/{,**} mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ # don't allow access to any gnome-keyring modules
+ audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
diff --git a/abstractions/python b/abstractions/python
@@ -0,0 +1,37 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
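Review bot: Every `python{2.[4-7],3.[0-9]}` and `python3.[0-9]` glob in this hunk matches a single digit after "3.", so the `/usr/lib`, `/usr/local/lib`, `/etc/python` and `lib-dynload` rules stop matching for Python 3.10 and later, where the path is `python3.10`. Widen the minor-version part to `3.[0-9]{,[0-9]}` in those rules, e.g. `/usr/lib{,32,64}/python{2.[4-7],3.[0-9]{,[0-9]}}/**.{pyc,so} mr,`. The `/usr/include/python{...}*/pyconfig.h` rule is already tolerant thanks to its trailing `*`, so it needs no change.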
diff --git a/abstractions/qt5 b/abstractions/qt5
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# Common rules for Qt5-based applications
+
+ # Additional libraries
+
+ /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
+
+ # System files
+
+ /etc/xdg/QtProject/qtlogging.ini r,
+ /usr/share/qt5/translations/*.qm r,
+ /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
+
+ # User files
+
+ owner @{HOME}/.config/QtProject/qtlogging.ini r,
+ owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
+ owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
+
diff --git a/abstractions/qt5-compose-cache-write b/abstractions/qt5-compose-cache-write
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+# Allow writing cache for Qt5 "platforminputcontexts" plugins
+
+ # User files
+
+ owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+ owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
diff --git a/abstractions/qt5-settings-write b/abstractions/qt5-settings-write
@@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+# Allow writing shared settings for Qt-based applications
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]*[0-9] rw,
+ owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
+ # for temporary files like QtProject.conf.Aqrgeb
+ owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
+ owner @{HOME}/.config/QtProject.conf.lock rwk,
+
diff --git a/abstractions/recent-documents-write b/abstractions/recent-documents-write
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# Allow updating recent documents
+
+ # User files
+
+ owner @{HOME}/.local/share/RecentDocuments/ rw,
+ owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+ owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+ owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
diff --git a/abstractions/ruby b/abstractions/ruby
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
+
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
+
+ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
+ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
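Review bot: Every rule in this abstraction is keyed on `1.[89]{.[0-9],}`, so on a Ruby 2.x/3.x system the include grants nothing and the confined program is denied its own stdlib and gems. Current layouts use `/usr/lib/ruby/<major>.<minor>.0/`, an unversioned `/usr/lib/ruby/vendor_ruby/` on Debian-derived systems, and gems under `/var/lib/gems/<ver>/` or `/usr/lib/ruby/gems/<ver>/` — verify the exact paths on the target distribution before widening. The minimal change is to replace the version glob with `{1.[89],2.[0-9],3.[0-9]}{.[0-9],}` on each line; the unversioned vendor_ruby directory and /var/lib/gems need rules of their own.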
diff --git a/abstractions/samba b/abstractions/samba
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /etc/samba/* r,
+ /usr/lib*/ldb/*.so mr,
+ /usr/lib*/samba/ldb/*.so mr,
+ /usr/share/samba/*.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+ /var/cache/samba/ w,
+ /var/cache/samba/lck/* rwk,
+ /var/lib/samba/** rwk,
+ /var/log/samba/cores/ rw,
+ /var/log/samba/cores/** rw,
+ /var/log/samba/* w,
+ /{,var/}run/samba/ w,
+ /{,var/}run/samba/*.tdb rw,
+
+ # required for clustering
+ /var/lib/ctdb/** rwk,
diff --git a/abstractions/smbpass b/abstractions/smbpass
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # libpam-smbpass/pam_smbpass.so permissions
+ /var/lib/samba/*.[lt]db rwk,
diff --git a/abstractions/ssl_certs b/abstractions/ssl_certs
@@ -0,0 +1,44 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /etc/ssl/ r,
+ /etc/ssl/certs/ r,
+ /etc/ssl/certs/* r,
+ /etc/pki/trust/ r,
+ /etc/pki/trust/* r,
+ /etc/pki/trust/anchors/ r,
+ /etc/pki/trust/anchors/** r,
+ /usr/share/ca-certificates/ r,
+ /usr/share/ca-certificates/** r,
+ /usr/share/ssl/certs/ca-bundle.crt r,
+ /usr/local/share/ca-certificates/ r,
+ /usr/local/share/ca-certificates/** r,
+ /var/lib/ca-certificates/ r,
+ /var/lib/ca-certificates/** r,
+
+ # acmetool
+ /var/lib/acme/certs/*/chain r,
+ /var/lib/acme/certs/*/cert r,
+
+ # dehydrated
+ /{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
+
+ # certbot
+ /etc/letsencrypt/archive/*/cert*.pem r,
+ /etc/letsencrypt/archive/*/chain*.pem r,
+ /etc/letsencrypt/archive/*/fullchain*.pem r,
+
+ /etc/certbot/archive/*/cert*.pem r,
+ /etc/certbot/archive/*/chain*.pem r,
+ /etc/certbot/archive/*/fullchain*.pem r,
diff --git a/abstractions/ssl_keys b/abstractions/ssl_keys
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # private ssl permissions
+
+ # Just include the whole /etc/ssl directory if we should have access to
+ # private keys too
+ /etc/ssl/ r,
+ /etc/ssl/** r,
+
+ # acmetool
+ /var/lib/acme/live/* r,
+ /var/lib/acme/certs/** r,
+ /var/lib/acme/keys/** r,
+
+ # dehydrated
+ /{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
+
+ # certbot / letsencrypt
+ /etc/letsencrypt/archive/*/privkey*.pem r,
+
+ /etc/certbot/archive/*/privkey*.pem r,
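Review bot: `/etc/ssl/** r` hands the including profile every private key under /etc/ssl/private, and the ACME rules below it every domain's key on the host, so any service that includes this abstraction can read keys belonging to other services. The header says that is the intent but gives the profile author no warning; suggest extending it to `# WARNING: grants read on ALL keys in /etc/ssl/private and every ACME-managed key. A profile that needs one key should name that file directly instead of including this abstraction.` On Debian-derived systems /etc/ssl/private is readable by the ssl-cert group, so for a daemon in that group DAC does not narrow this either.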
diff --git a/abstractions/svn-repositories b/abstractions/svn-repositories
@@ -0,0 +1,52 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # This little snippet should abstract the read/write access to a repository.
+ # it is intended to be included in profiles for svnserve/apache2 and maybe
+ # some repository viewers like trac/viewvc
+
+ # no hooks exec by default; please define whatever you need explicitely.
+
+ /srv/svn/**/conf/* r,
+ /srv/svn/**/format r,
+ /srv/svn/**/db/fs-type r,
+ /srv/svn/**/db/format r,
+
+ # FSFS
+ /srv/svn/**/db/ r,
+ /srv/svn/**/db/uuid r,
+ /srv/svn/**/db/write-lock rwl,
+ /srv/svn/**/db/current rwl,
+ /srv/svn/**/db/current*.tmp rwl,
+ /srv/svn/**/db/revs/ r,
+ /srv/svn/**/db/revs/* rw,
+ /srv/svn/**/db/revprops/ r,
+ /srv/svn/**/db/revprops/* rw,
+ /srv/svn/**/db/transactions/** rw,
+
+ # BDB
+ /srv/svn/**/db/DB_CONFIG r,
+ /srv/svn/**/db/__db.[0-9]* rwl,
+ /srv/svn/**/db/log.[0-9]* rwl,
+ /srv/svn/**/db/nodes rwl,
+ /srv/svn/**/db/revisions rwl,
+ /srv/svn/**/db/transactions rwl,
+ /srv/svn/**/db/copies rwl,
+ /srv/svn/**/db/changes rwl,
+ /srv/svn/**/db/representations rwl,
+ /srv/svn/**/db/strings rwl,
+ /srv/svn/**/db/uuids rwl,
+ /srv/svn/**/db/locks rwl,
+ /srv/svn/**/db/lock-tokens rwl,
+
+ # temp files
+ /tmp/apr* rwl,
+ /var/tmp/apr* rwl,
+ /tmp/report*.tmp rwl,
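Review bot: The three temp-file rules at the end (`/tmp/apr*`, `/var/tmp/apr*`, `/tmp/report*.tmp`) carry no `owner` qualifier, so the confined svnserve/httpd may read, truncate and link any matching file that another local user has placed in the shared, world-writable /tmp. APR creates these files itself under the confined uid, so `owner /tmp/apr* rwl,` and the same prefix on the other two should be a drop-in tightening; anything that genuinely needs cross-uid access would then surface as a logged denial and can be added explicitly. The `l` permission on a sticky shared directory is only worth keeping if APR actually creates hard links there; if it does not, `rw` is sufficient.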
diff --git a/abstractions/ubuntu-bittorrent-clients b/abstractions/ubuntu-bittorrent-clients
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical bittorrent clients in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/azureus Cxr -> sanitized_helper,
+ /usr/bin/bitstormlite Cxr -> sanitized_helper,
+ /usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
+ /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
+ /usr/bin/gnome-btdownload Cxr -> sanitized_helper,
+ /usr/bin/kget Cxr -> sanitized_helper,
+ /usr/bin/ktorrent Cxr -> sanitized_helper,
+ /usr/bin/qbittorrent Cxr -> sanitized_helper,
+ /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers b/abstractions/ubuntu-browsers
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to graphical browsers in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/arora Cx -> sanitized_helper,
+ /usr/bin/conkeror Cx -> sanitized_helper,
+ /usr/bin/dillo Cx -> sanitized_helper,
+ /usr/bin/Dooble Cx -> sanitized_helper,
+ /usr/bin/epiphany Cx -> sanitized_helper,
+ /usr/bin/epiphany-browser Cx -> sanitized_helper,
+ /usr/bin/epiphany-webkit Cx -> sanitized_helper,
+ /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
+ /usr/bin/galeon Cx -> sanitized_helper,
+ /usr/bin/kazehakase Cx -> sanitized_helper,
+ /usr/bin/konqueror Cx -> sanitized_helper,
+ /usr/bin/midori Cx -> sanitized_helper,
+ /usr/bin/netsurf Cx -> sanitized_helper,
+ /usr/bin/prism Cx -> sanitized_helper,
+ /usr/bin/rekonq Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sensible-browser Pixr,
+
+ /usr/bin/chromium{,-browser} Cx -> sanitized_helper,
+ /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
+
+ # this should cover all firefox browsers and versions (including shiretoko
+ # and abrowser)
+ /usr/bin/firefox Cxr -> sanitized_helper,
+ /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
+
+ # Iceweasel
+ /usr/bin/iceweasel Cxr -> sanitized_helper,
+ /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
+
+ # some unpackaged, but popular browsers
+ /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
+ /usr/bin/opera Cx -> sanitized_helper,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/java b/abstractions/ubuntu-browsers.d/java
@@ -0,0 +1,116 @@
+# vim:syntax=apparmor
+
+ # Java plugin
+ owner @{HOME}/.java/deployment/deployment.properties k,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
+ /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+ owner /{,var/}run/user/*/icedteaplugin-*/ rw,
+ owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
+
+ # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
+ # unfortunate workarounds of the proprietary Javas, so have a separate
+ # profile.
+ profile browser_openjdk {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/user-tmp>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
+
+ # Why would java need this?
+ deny /usr/bin/gconftool-2 x,
+
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+ }
+
+ # Profile for commercial Javas. These need workarounds to work right (eg
+ # Sun's forcing of an executable stack (LP: #535247)).
+ profile browser_java {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/user-tmp>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+ @{PROC}/loadavg r,
+
+ /etc/debian_version r,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/j2*-ibm/jre/bin/java ix,
+
+ # noisy, can't write here anyway
+ deny /etc/.java/ w,
+ deny /etc/.java/** w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+
+ # These are seriously unfortunate, but required due to LP: #535247
+ /etc/passwd m,
+ owner @{HOME}/.java/**/cache/** m,
+ owner /tmp/** m,
+ /usr/lib{,32,64}/jvm/**/*.jar mr,
+ /usr/share/fonts/** m,
+ }
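Review bot: Both `browser_openjdk` and `browser_java` end with `owner @{HOME}/** rwk`, which gives applet code write access to the entire home directory; `private-files-strict` carves out shell rc files and key stores, but anything it does not list — including the browser's own profile directory with its cookie and saved-password databases — stays writable. The plugin's own state lives in a few directories (`~/.java`, `~/.icedtea`, `~/.cache/icedtea-web` — confirm against the IcedTea version shipped), so a scoped rule such as `owner @{HOME}/.{java,icedtea}/{,**} rwk,` plus `owner @{HOME}/.cache/icedtea-web/{,**} rwk,` would cover it. If file-upload applets need to see arbitrary user files, `owner @{HOME}/** r` is the narrower way to keep that.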
diff --git a/abstractions/ubuntu-browsers.d/kde b/abstractions/ubuntu-browsers.d/kde
@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ #include <abstractions/kde>
+ /usr/bin/kde4-config Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/mailto b/abstractions/ubuntu-browsers.d/mailto
@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+
+ # for mailto:
+ #include <abstractions/ubuntu-email>
+ #include <abstractions/ubuntu-console-email>
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrct access to what only firefox is allowed to do
+ #include <abstractions/ubuntu-gnome-terminal>
diff --git a/abstractions/ubuntu-browsers.d/multimedia b/abstractions/ubuntu-browsers.d/multimedia
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ #include <abstractions/X>
+
+ # Pulseaudio
+ /usr/bin/pulseaudio Pixr,
+
+ # Image viewers
+ /usr/bin/eog Cxr -> sanitized_helper,
+ /usr/bin/gimp* Cxr -> sanitized_helper,
+ /usr/bin/shotwell Cxr -> sanitized_helper,
+ /usr/bin/digikam Cxr -> sanitized_helper,
+ /usr/bin/f-spot Cxr -> sanitized_helper,
+ /usr/bin/gwenview Cxr -> sanitized_helper,
+
+ #include <abstractions/ubuntu-media-players>
+ owner @{HOME}/.adobe/ w,
+ owner @{HOME}/.adobe/** rw,
+ owner @{HOME}/.macromedia/ w,
+ owner @{HOME}/.macromedia/** rw,
+ /opt/real/RealPlayer/mozilla/nphelix.so rm,
+ /usr/bin/lpstat Cxr -> sanitized_helper,
+ /usr/bin/lpr Cxr -> sanitized_helper,
+
+ # npviewer
+ /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
+ /var/lib/ r,
+ /var/lib/**/*.so mr,
+ /usr/bin/setarch ixr,
+
+ # Bittorrent clients
+ #include <abstractions/ubuntu-bittorrent-clients>
+
+ # Mozplugger
+ /etc/mozpluggerrc r,
+ /usr/bin/mozplugger-helper Cxr -> sanitized_helper,
+
+ # Archivers
+ /usr/bin/ark Cxr -> sanitized_helper,
+ /usr/bin/file-roller Cxr -> sanitized_helper,
+ /usr/bin/xarchiver Cxr -> sanitized_helper,
+ /usr/local/lib{,32,64}/*.so* mr,
+
+ # News feed readers
+ #include <abstractions/ubuntu-feed-readers>
+
+ # Googletalk
+ /opt/google/talkplugin/*.so mr,
+ /opt/google/talkplugin/lib/*.so mr,
+ /opt/google/talkplugin/GoogleTalkPlugin ixr,
+ owner @{HOME}/.config/google-googletalkplugin/** rw,
+
+ # If we allow the above, nvidia based systems will also need this
+ #include <abstractions/nvidia>
+
+ # Virus scanners
+ /usr/bin/clamscan Cx -> sanitized_helper,
+
+ # gxine (LP: #1057642)
+ /var/lib/xine/gxine.desktop r,
+
+ # For WebRTC camera access (LP: #1665535)
+ /dev/video[0-9]* rw,
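Review bot: `/var/lib/**/*.so mr` under the npviewer block lets the browser map as executable any `.so` anywhere below /var/lib, far wider than nspluginwrapper needs; /var/lib holds the state directories of many services, some writable by unprivileged or service accounts, so it becomes a code-loading path for whatever lands there. If nspluginwrapper keeps its wrapped plugins in one directory (I believe `/var/lib/nspluginwrapper/` on Ubuntu — verify on the target release), the rule should name it: `/var/lib/nspluginwrapper/**/*.so mr,`. The `/var/lib/ r` on the line above is harmless alone but belongs to the same narrowing.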
diff --git a/abstractions/ubuntu-browsers.d/plugins-common b/abstractions/ubuntu-browsers.d/plugins-common
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+
+ #
+ # Plugins/helpers
+ #
+ @{PROC}/@{pid}/fd/ r,
+ /usr/lib/** rm,
+ /{,usr/}bin/bash ixr,
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/grep ixr,
+ /{,usr/}bin/sed ixr,
+ /usr/bin/m4 ixr,
+
+ # Since all the ubuntu-browsers.d abstractions need this, just include it
+ # here
+ #include <abstractions/ubuntu-helpers>
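Review bot: Including `ubuntu-helpers` from this abstraction conflicts with the usage rule in ubuntu-helpers' own header elsewhere in this commit, which states that the file defines the `sanitized_helper` profile and must therefore be `#include`d exactly once, normally not from another abstraction. Every other ubuntu-browsers.d file tells the profile author to include ubuntu-helpers in the top-level profile, so a profile that follows that advice and also includes plugins-common ends up with a duplicate profile definition, which is a parser error. Either drop the include here, or replace the comment with `# ubuntu-helpers is included here; a profile that includes plugins-common must NOT include ubuntu-helpers itself (duplicate sanitized_helper definition)` and fix the sibling headers to match.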
diff --git a/abstractions/ubuntu-browsers.d/productivity b/abstractions/ubuntu-browsers.d/productivity
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ # Openoffice.org
+ /usr/bin/ooffice Cxr -> sanitized_helper,
+ /usr/bin/oocalc Cxr -> sanitized_helper,
+ /usr/bin/oodraw Cxr -> sanitized_helper,
+ /usr/bin/ooimpress Cxr -> sanitized_helper,
+ /usr/bin/oowriter Cxr -> sanitized_helper,
+ /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
+
+ # LibreOffice
+ /usr/bin/libreoffice Cxr -> sanitized_helper,
+ /usr/bin/localc Cxr -> sanitized_helper,
+ /usr/bin/lodraw Cxr -> sanitized_helper,
+ /usr/bin/loimpress Cxr -> sanitized_helper,
+ /usr/bin/lowriter Cxr -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+
+ # PDFs
+ /usr/bin/evince Cxr -> sanitized_helper,
+ /usr/bin/okular Cxr -> sanitized_helper,
+
+ owner @{HOME}/.adobe/** rw,
+ /opt/Adobe/Reader9/bin/acroread Cxr -> sanitized_helper,
+ /opt/Adobe/Reader9/** r,
diff --git a/abstractions/ubuntu-browsers.d/text-editors b/abstractions/ubuntu-browsers.d/text-editors
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
+ /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
+ /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
+ /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
+ /usr/bin/gedit Cxr -> sanitized_helper,
+ /usr/bin/vim.gnome Cxr -> sanitized_helper,
+ /usr/bin/leafpad Cxr -> sanitized_helper,
+ /usr/bin/mousepad Cxr -> sanitized_helper,
+ /usr/bin/kate Cxr -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration b/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ # Apport
+ /usr/bin/apport-bug Cx -> sanitized_helper,
+
+ # Package installation
+ /usr/bin/apturl Cxr -> sanitized_helper,
+ /usr/bin/gnome-codec-install Cxr -> sanitized_helper,
+ /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+ /usr/lib/@{multiarch}/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+ /usr/share/software-center/software-center Cxr -> sanitized_helper,
+
+ # Input Methods
+ /usr/bin/scim Cx -> sanitized_helper,
+ /usr/bin/scim-bridge Cx -> sanitized_helper,
+
+ # File managers
+ /usr/bin/nautilus Cxr -> sanitized_helper,
+ /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
+ /usr/bin/dolphin Cxr -> sanitized_helper,
+
+ # Themes
+ /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
+
+ # Kubuntu
+ /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
+
+ # Exo-aware applications
+ /usr/bin/exo-open ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
+ /etc/xdg/xfce4/helpers.rc r,
+
+ # unity webapps integration. Could go in its own abstraction
+ owner /run/user/*/dconf/user rw,
+ owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+ /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+ owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
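Review bot: `owner /run/user/*/dconf/user rw` gives the browser direct write access to the user's dconf database file, bypassing the dconf-service D-Bus API that dbus rules could have scoped to a few keys. With raw write to that file a compromised browser can set any GNOME key, and some of them (custom media-key command bindings, for instance) amount to a persistence and out-of-confinement command-execution channel once the user triggers them — treat this as inferred, but it is the standard concern with that file. If the unity-webapps integration only reads settings, `r` plus a `dbus (send)` rule towards `ca.desrt.dconf` is the tighter shape, and the existing `# Could go in its own abstraction` remark argues for splitting it out so profiles without webapps integration can omit it.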
diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+
+ # firefox-notify
+ #include <abstractions/python>
+ /usr/bin/python2.[4567] ix,
+ /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/abstractions/ubuntu-browsers.d/user-files b/abstractions/ubuntu-browsers.d/user-files
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+
+ # Allow read to all files user has DAC access to and write access to all
+ # files owned by the user in $HOME.
+ @{HOME}/ r,
+ @{HOME}/** r,
+ owner @{HOME}/** w,
+
+ # Do not allow read and/or write to particularly sensitive/problematic files
+ #include <abstractions/private-files>
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
+ # Comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+
+ # Allow read to all files user has DAC access to and write for files the user
+ # owns on removable media and filesystems.
+ /media/** r,
+ /mnt/** r,
+ /srv/** r,
+ /net/** r,
+ owner /media/** w,
+ owner /mnt/** w,
+ owner /srv/** w,
+ owner /net/** w,
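Review bot: The deny list removes SSH keys, GPG and KWallet from the blanket `@{HOME}/** r`, but GNOME Keyring's on-disk store (`@{HOME}/.local/share/keyrings/`, older `@{HOME}/.gnome2/keyrings/`) is not mentioned, so unless `private-files` already covers it (not visible here — check) the browser can read the keyring files for offline cracking. Suggest `audit deny @{HOME}/.local/share/keyrings/{,**} mrwkl,` and `audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,` beside the KWallet rule. The `/srv/** r` and `/net/** r` rules also expose service data such as web roots and repositories; if the comment's intent is removable media, `/media` and `/mnt` alone may be enough.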
diff --git a/abstractions/ubuntu-console-browsers b/abstractions/ubuntu-console-browsers
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to text-only browsers in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include <abstractions/ubuntu-gnome-terminal>
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/elinks Cx -> sanitized_helper,
+ /usr/bin/links Cx -> sanitized_helper,
+ /usr/bin/lynx.cur Cx -> sanitized_helper,
+ /usr/bin/netrik Cx -> sanitized_helper,
+ /usr/bin/w3m Cx -> sanitized_helper,
+
diff --git a/abstractions/ubuntu-console-email b/abstractions/ubuntu-console-email
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing console email clients in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include <abstractions/ubuntu-gnome-terminal>
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/alpine Cx -> sanitized_helper,
+ /usr/bin/citadel Cx -> sanitized_helper,
+ /usr/bin/cone Cx -> sanitized_helper,
+ /usr/bin/elmo Cx -> sanitized_helper,
+ /usr/bin/mutt Cx -> sanitized_helper,
+
diff --git a/abstractions/ubuntu-email b/abstractions/ubuntu-email
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical email clients in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/anjal Cx -> sanitized_helper,
+ /usr/bin/balsa Cx -> sanitized_helper,
+ /usr/bin/claws-mail Cx -> sanitized_helper,
+ /usr/bin/evolution Cx -> sanitized_helper,
+ /usr/bin/geary Cx -> sanitized_helper,
+ /usr/bin/gnome-gmail Cx -> sanitized_helper,
+ /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
+ /usr/bin/kmail Cx -> sanitized_helper,
+ /usr/bin/mailody Cx -> sanitized_helper,
+ /usr/bin/modest Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sylpheed Cx -> sanitized_helper,
+ /usr/bin/tkrat Cx -> sanitized_helper,
+
+ /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop
+ /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-feed-readers b/abstractions/ubuntu-feed-readers
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical news feed readers in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/akregator Cxr -> sanitized_helper,
+ /usr/bin/liferea-add-feed Cxr -> sanitized_helper,
diff --git a/abstractions/ubuntu-gnome-terminal b/abstractions/ubuntu-gnome-terminal
@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+#
+# for allowing access to gnome-terminal
+#
+
+ #include <abstractions/gnome>
+
+ # do not use ux or PUx here. Use at a minimum ix
+ /usr/bin/gnome-terminal ix,
+
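Review bot: The `ix` on `/usr/bin/gnome-terminal` confines only the client binary; on current GNOME releases that client asks a separately started `gnome-terminal-server` (spawned by D-Bus/systemd outside this profile) to create the terminal, so the shell the user lands in is unconfined regardless of the transition mode. This undercuts the guarantee the comment is reaching for — treat it as inferred from the gnome-terminal architecture and verify with `ps -Z` on the target release. If confirmed, record it: `# NOTE: modern gnome-terminal delegates to gnome-terminal-server over D-Bus; ix confines only the launcher, not the resulting shell.`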
diff --git a/abstractions/ubuntu-helpers b/abstractions/ubuntu-helpers
@@ -0,0 +1,83 @@
+# Lenient profile that is intended to be used when 'Ux' is desired but
+# does not provide enough environment sanitizing. This effectively is an
+# open profile that blacklists certain known dangerous files and also
+# does not allow any capabilities. For example, it will not allow 'm' on files
+# owned be the user invoking the program. While this provides some additional
+# protection, please use with care as applications running under this profile
+# are effectively running without any AppArmor protection. Use this profile
+# only if the process absolutely must be run (effectively) unconfined.
+#
+# Usage:
+# Because this abstraction defines the sanitized_helper profile, it must only
+# be #included once. Therefore this abstraction should typically not be
+# included in other abstractions so as to avoid parser errors regarding
+# multiple definitions.
+#
+# Limitations:
+# 1. This does not work for root owned processes, because of the way we use
+# owner matching in the sanitized helper. We could do a better job with
+# this to support root, but it would make the policy harder to understand
+# and going unconfined as root is not desirable any way.
+#
+# 2. For this sanitized_helper to work, the program running in the sanitized
+# environment must open symlinks directly in order for AppArmor to mediate
+# it. This is confirmed to work with:
+# - compiled code which can load shared libraries
+# - python imports
+# It is known not to work with:
+# - perl includes
+# 3. Sanitizing ruby and java
+#
+# Use at your own risk. This profile was developed as an interim workaround for
+# LP: #851986 until AppArmor utilizes proper environment filtering.
+
+profile sanitized_helper {
+ #include <abstractions/base>
+ #include <abstractions/X>
+
+ # Allow all networking
+ network inet,
+ network inet6,
+
+ # Allow all DBus communications
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/dbus-strict>
+ dbus,
+
+ # Needed for Google Chrome
+ ptrace (trace) peer=**//sanitized_helper,
+
+ # Allow exec of anything, but under this profile. Allow transition
+ # to other profiles if they exist.
+ /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+
+ # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
+ /usr/{,local/}lib*/{,**/}* Pixr,
+
+ # Allow exec of software-center scripts. We may need to allow wider
+ # permissions for /usr/share, but for now just do this. (LP: #972367)
+ /usr/share/software-center/* Pixr,
+
+ # Allow exec of texlive font build scripts (LP: #1010909)
+ /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
+ # While the chromium and chrome sandboxes are setuid root, they only link
+ # in limited libraries so glibc's secure execution should be enough to not
+ # require the santized_helper (ie, LD_PRELOAD will only use standard system
+ # paths (man ld.so)).
+ /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+
+ # Full access
+ / r,
+ /** rwkl,
+ /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+ audit deny owner /**/*.py* r, # python imports
+}
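Review bot: The python guard `audit deny owner /**/*.py* r` does not cover `.pth` files, which Python's site machinery also executes: a `.pth` line beginning with `import` is exec'd verbatim, and a user-owned one in the user site directory (`~/.local/lib/pythonX.Y/site-packages/`) is processed by every python started from this profile. Since the point of the two deny rules is to keep user-controlled code out of sanitized helpers, add `audit deny owner /**/*.pth r, # .pth 'import' lines are executed by site.py`. The header's own limitation list (perl, ruby, java) should probably also mention that the `owner` match does not catch files the user can write but does not own, such as group-writable shared directories.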
diff --git a/abstractions/ubuntu-konsole b/abstractions/ubuntu-konsole
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+#
+# for allowing access to konsole
+#
+
+ #include <abstractions/consoles>
+ #include <abstractions/kde>
+ capability sys_ptrace,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/cmdline r,
+ /{,var/}run/utmp r,
+ /dev/ptmx rw,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/konsole ix,
+
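Review bot: `capability sys_ptrace` lands in whichever top-level profile includes this abstraction (a browser, per the sibling ubuntu-browsers.d files), not in a konsole-specific profile. AppArmor cannot add a capability the process lacks, so for an unprivileged browser the line is inert, but if the including profile is ever applied to a root-run process it permits ptrace of every process on the host. Konsole's /proc reads target shells it spawned itself — same uid and, under `ix`, the same profile — which needs no CAP_SYS_PTRACE, so the line can likely be dropped; at minimum annotate it with `# only meaningful for root; no-op for unprivileged users`, and if a real need turns up, prefer a scoped `ptrace (read)` rule on AppArmor versions that support it.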
diff --git a/abstractions/ubuntu-media-players b/abstractions/ubuntu-media-players
@@ -0,0 +1,60 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to media players in Ubuntu
+#
+# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# #include <abstractions/ubuntu-helpers>
+
+ /usr/bin/amarok Cxr -> sanitized_helper,
+ /usr/bin/audacious2 Cxr -> sanitized_helper,
+ /usr/bin/audacity Cxr -> sanitized_helper,
+ /usr/bin/bangarang Cxr -> sanitized_helper,
+ /usr/bin/banshee Cxr -> sanitized_helper,
+ /usr/bin/banshee-1 Cxr -> sanitized_helper,
+ /usr/bin/decibel Cxr -> sanitized_helper,
+ /usr/bin/dragon Cxr -> sanitized_helper,
+ /usr/bin/esperanza Cxr -> sanitized_helper,
+ /usr/bin/exaile Cxr -> sanitized_helper,
+ /usr/bin/freevo Cxr -> sanitized_helper,
+ /usr/bin/gmerlin Cxr -> sanitized_helper,
+ /usr/bin/gxmms Cxr -> sanitized_helper,
+ /usr/bin/gxmms2 Cxr -> sanitized_helper,
+ /usr/bin/hornsey Cxr -> sanitized_helper,
+ /usr/bin/jlgui Cxr -> sanitized_helper,
+ /usr/bin/juk Cxr -> sanitized_helper,
+ /usr/bin/kaffeine Cxr -> sanitized_helper,
+ /usr/bin/listen Cxr -> sanitized_helper,
+ /usr/share/minirok/minirok.py Cxr -> sanitized_helper,
+
+ # mplayer
+ /etc/mplayerplug-in.conf r,
+ /usr/bin/gmplayer Cxr -> sanitized_helper,
+ /usr/bin/gnome-mplayer Cxr -> sanitized_helper,
+ /usr/bin/kmplayer Cxr -> sanitized_helper,
+ /usr/bin/mplayer Cxr -> sanitized_helper,
+ /usr/bin/smplayer Cxr -> sanitized_helper,
+
+ /usr/bin/muine Cxr -> sanitized_helper,
+ /usr/bin/potamus Cxr -> sanitized_helper,
+ /usr/bin/promoe Cxr -> sanitized_helper,
+ /usr/bin/qmmp Cxr -> sanitized_helper,
+ /usr/bin/quodlibet Cxr -> sanitized_helper,
+ /usr/bin/rhythmbox Cxr -> sanitized_helper,
+ /usr/bin/strange-quark Cxr -> sanitized_helper,
+ /usr/bin/swfdec-player Cxr -> sanitized_helper,
+ /usr/bin/timidity Cxr -> sanitized_helper,
+ /usr/lib/totem/** ixr,
+ /usr/bin/totem-gstreamer Cxr -> sanitized_helper,
+ /usr/bin/totem-xine Cxr -> sanitized_helper,
+ /usr/bin/totem Cxr -> sanitized_helper,
+ /usr/bin/vlc Cxr -> sanitized_helper,
+ /usr/bin/xfmedia Cxr -> sanitized_helper,
+ /usr/bin/xmms Cxr -> sanitized_helper,
+
+ # gnash
+ /usr/bin/gtk-gnash ixr,
+ /etc/gnashrc r,
+ /etc/gnashpluginrc r,
+ owner @{HOME}/.gnash/ rw,
+ owner @{HOME}/.gnash/** rw,
diff --git a/abstractions/ubuntu-unity7-base b/abstractions/ubuntu-unity7-base
@@ -0,0 +1,100 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#
+# Rules common to applications running under Unity 7
+#
+
+#include <abstractions/gnome>
+
+#include <abstractions/dbus-session-strict>
+#include <abstractions/dbus-strict>
+
+ #
+ # Access required for connecting to/communication with Unity HUD
+ #
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (send)
+ bus=session
+ interface="com.canonical.hud.*",
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud/applications/*",
+ dbus (receive)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (receive)
+ bus=session
+ interface="com.canonical.hud.*",
+
+ #
+ # Allow access for connecting to/communication with the appmenu
+ #
+ # dbusmenu
+ dbus (send)
+ bus=session
+ interface="com.canonical.AppMenu.*",
+ dbus (receive, send)
+ bus=session
+ path=/com/canonical/menu/**,
+
+ # gmenu
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Actions,
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Menus,
+
+ #
+ # Access required for using freedesktop notifications
+ #
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetCapabilities,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetServerInformation,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=Notify,
+ dbus (receive)
+ bus=session
+ member="Notify"
+ peer=(name="org.freedesktop.DBus"),
+ dbus (receive)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=NotificationClosed,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=CloseNotification,
+
+ # accessibility
+ dbus (send)
+ bus=session
+ peer=(name=org.a11y.Bus),
+ dbus (receive)
+ bus=session
+ interface=org.a11y.atspi*,
+ dbus (receive, send)
+ bus=accessibility,
+
+ #
+ # Deny potentially dangerous access
+ #
+ deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
diff --git a/abstractions/ubuntu-unity7-launcher b/abstractions/ubuntu-unity7-launcher
@@ -0,0 +1,7 @@
+ #
+ # Access required for connecting to/communicating with the Unity Launcher
+ #
+ dbus (send)
+ bus=session
+ interface="com.canonical.Unity.LauncherEntry"
+ member="Update",
diff --git a/abstractions/ubuntu-unity7-messaging b/abstractions/ubuntu-unity7-messaging
@@ -0,0 +1,7 @@
+ #
+ # Access required for connecting to/communicating with the Unity messaging
+ # indicator
+ #
+ dbus (receive, send)
+ bus=session
+ path="/com/canonical/indicator/messages/*",
diff --git a/abstractions/ubuntu-xterm b/abstractions/ubuntu-xterm
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+#
+# for allowing access to xterm
+#
+
+ #include <abstractions/consoles>
+ /dev/ptmx rw,
+ /{,var/}run/utmp r,
+ /etc/X11/app-defaults/XTerm r,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/xterm ix,
+
diff --git a/abstractions/user-download b/abstractions/user-download
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Description: Where common programs should allow users to download
+# files
+
+ owner @{HOME}/tmp/** rwl,
+ owner @{HOME}/[dD]ownload{,s}/ r,
+ owner @{HOME}/[dD]ownload{,s}/** rwl,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/* rwl,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl,
+ owner "@{HOME}/My Downloads/" r,
+ owner "@{HOME}/My Downloads/**" rwl,
diff --git a/abstractions/user-mail b/abstractions/user-mail
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # location of user mail, spool and mboxes
+ owner @{HOME}/[mM]ail/ r,
+ owner @{HOME}/[mM]ail/** rwl,
+ owner @{HOME}/postponed* rwl,
+ /var/{,spool/}mail/ r,
+ owner /var/{,spool/}mail/* rwl,
+ owner @{HOME}/mbox.lock* rwl,
+ owner @{HOME}/mbox rw,
+ owner @{HOME}/inbox rw,
+ owner @{HOME}/.forward r,
+ owner @{HOME}/Maildir/ r,
+ owner @{HOME}/Maildir/** rwl,
diff --git a/abstractions/user-manpages b/abstractions/user-manpages
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # perhaps your configuration has users elsewhere, or you don't wish
+ # them to read their own manpages
+ owner @{HOME}/man/ r,
+ owner @{HOME}/man/** r,
+ owner @{HOME}/tmp/groff* rwl,
+
+ # kindof required
+ owner /tmp/groff* rwl,
+
+ # standard system manpages
+ /usr/local/share/man/man?/ r,
+ /usr/local/share/man/man?/** r,
+ /usr/{share,X11R6,local,kerberos}/man/** r,
+ /usr/man/** r,
diff --git a/abstractions/user-tmp b/abstractions/user-tmp
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # per-user tmp directories
+ owner @{HOME}/tmp/** rwkl,
+ owner @{HOME}/tmp/ rw,
+
+ # global tmp directories
+ owner /var/tmp/** rwkl,
+ /var/tmp/ rw,
+ owner /tmp/** rwkl,
+ /tmp/ rw,
diff --git a/abstractions/user-write b/abstractions/user-write
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # per-user write directories
+ owner @{HOME}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ r,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ r,
+ owner @{HOME}/[^.]*/ rw,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl,
diff --git a/abstractions/video b/abstractions/video
@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+# video device access
+
+ # System devices
+ @{sys}/class/video4linux r,
+ @{sys}/class/video4linux/** r,
diff --git a/abstractions/vulkan b/abstractions/vulkan
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Vulkan access requirements
+
+ # System files
+ /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+ /etc/vulkan/icd.d/{,*.json} r,
+ /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+ # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
+ @{sys}/devices/pci[0-9]*/*/drm/ r,
+ /usr/share/vulkan/icd.d/{,*.json} r,
+ /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+
+ # User files
+ owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r,
+
diff --git a/abstractions/wayland b/abstractions/wayland
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 intrigeri <intrigeri@boum.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ owner /var/run/user/*/weston-shared-* rw,
+ owner /run/user/*/wayland-[0-9]* rw,
+ owner /run/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
diff --git a/abstractions/web-data b/abstractions/web-data
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /srv/www/htdocs/ r,
+ /srv/www/htdocs/** r,
+ # virtual hosting
+ /srv/www/vhosts/ r,
+ /srv/www/vhosts/** r,
+ # mod_userdir
+ @{HOME}/public_html/ r,
+ @{HOME}/public_html/** r,
+
+ /srv/www/rails/*/public/ r,
+ /srv/www/rails/*/public/** r,
+
+ /var/www/html/ r,
+ /var/www/html/** r,
diff --git a/abstractions/winbind b/abstractions/winbind
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # pam_winbindd
+ /tmp/.winbindd/pipe rw,
+ /var/{lib,run}/samba/winbindd_privileged/pipe rw,
+ /etc/samba/smb.conf r,
+ /etc/samba/dhcp.conf r,
+ /usr/lib*/samba/valid.dat r,
+ /usr/lib*/samba/upcase.dat r,
+ /usr/lib*/samba/lowcase.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+
diff --git a/abstractions/wutmp b/abstractions/wutmp
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # some services update wtmp, utmp, and lastlog with per-user
+ # connection information
+ /var/log/lastlog rwk,
+ /var/log/wtmp wk,
+ /{,var/}run/utmp rwk,
diff --git a/abstractions/xad b/abstractions/xad
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2007 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/xad/lib/ r,
+ /opt/novell/xad/lib/lib*.so* mr,
+ /opt/novell/xad/lib/gss/*.so* mr,
+ /opt/novell/lib/libpthread_ext*.so* mr,
+ /opt/novell/lib/libccs2.so* mr,
+ /opt/novell/xad/lib64/ r,
+ /opt/novell/xad/lib64/lib*.so* mr,
+ /opt/novell/xad/lib64/gss/*.so* mr,
+ /opt/novell/lib64/libpthread_ext*.so* mr,
+ /opt/novell/lib64/libccs2.so* mr,
+ /etc/opt/novell/xad/krb5.conf r,
+ /etc/opt/novell/nici.cfg r,
+ /var/opt/novell/nici/* r,
+ /var/opt/novell/nici/*/ r,
+ /var/opt/novell/nici/*/* rw,
diff --git a/abstractions/xdg-desktop b/abstractions/xdg-desktop
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Entries based on:
+ # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
+
+ owner @{HOME}/.cache/ rw,
+
+ owner @{HOME}/.config/ rw,
+
+ owner @{HOME}/.local/ rw,
+ owner @{HOME}/.local/share/ rw,
+
+ # fallbacks
+ /usr/share/ r,
+ /usr/local/share/ r,
diff --git a/apache2.d/phpsysinfo b/apache2.d/phpsysinfo
@@ -0,0 +1,48 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+ ^phpsysinfo {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+ #include <abstractions/python>
+
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/df ixr,
+ /{,usr/}bin/mount ixr,
+ /{,usr/}bin/uname ixr,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+ /etc/debian_version r,
+ /etc/lsb-release r,
+ /etc/mtab r,
+ /etc/phpsysinfo/config.php r,
+ /etc/udev/udev.conf r,
+ @{PROC}/** r,
+ @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/** r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/devices/** r,
+ /usr/bin/ r,
+ /usr/bin/apt-cache ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/lsb_release ixr,
+ /usr/bin/lspci ixr,
+ /usr/bin/who ixr,
+ /usr/{,s}bin/lsusb ixr,
+ /usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/arch r,
+ /var/lib/dpkg/available r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/* r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/{misc,usbutils}/usb.ids r,
+ /var/log/apache2/access.log w,
+ /var/log/apache2/error.log w,
+ /{,var/}run/utmp rk,
+ /usr/share/misc/pci.ids r,
+ }
diff --git a/bin.dmesg b/bin.dmesg
@@ -0,0 +1,17 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/bin/dmesg {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+
+ /bin/dmesg mr,
+
+ capability syslog,
+
+ /etc/terminfo/** r,
+
+ /dev/kmsg r,
+}
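Review bot: The attachment path on `/bin/dmesg {` and the matching `/bin/dmesg mr,` rule only cover a non-merged `/usr` layout, while the other profiles in this commit (bin.ping, sbin.klogd) use the `/{usr/,}bin/...` form; on a merged-/usr host the binary resolves to `/usr/bin/dmesg` and would not attach here. Suggest `profile dmesg /{usr/,}bin/dmesg {` with `/{usr/,}bin/dmesg mr,`. Also consider adding the `#include <local/bin.dmesg>` hook that bin.ping carries, so site overrides do not require editing the shipped file.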
diff --git a/bin.ping b/bin.ping
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+profile ping /{usr/,}bin/{,iputils-}ping {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{,usr/}bin/{,iputils-}ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/bin.ping>
+}
diff --git a/bin.su b/bin.su
@@ -0,0 +1,26 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/bin/su {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/authentication>
+
+ audit deny network,
+
+ /bin/su mr,
+
+ /{usr/,}bin/*sh rmpx,
+ /usr/bin/xauth rmpx,
+
+ /etc/environment r,
+ /etc/shells r,
+ /run/utmp rk,
+
+ capability setuid,
+ capability setgid,
+
+ @{PROC}/@{pid}/loginuid r,
+}
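Review bot: The `px` transitions on `/{usr/,}bin/*sh rmpx,` and `/usr/bin/xauth rmpx,` are hard failures when no profile is attached to the target: the `shell` profile in this commit attaches to `/{,usr/}bin/*sh`, but I do not see a profile for xauth in this chunk (it may live elsewhere in the 215 files — verify). Since su is setuid and acts for a less-privileged caller, the scrubbing form is the safer default so that LD_PRELOAD and similar are dropped at the transition, e.g. `/usr/bin/xauth rmPx,`. If the PAM stack includes pam_loginuid, it writes `@{PROC}/@{pid}/loginuid` rather than only reading it, so the `r`-only rule here will likely show up as a denial once the profile is enforced. The literal `/run/utmp rk,` also differs from the `/{,var/}run/utmp` spelling used by the other profiles in this commit.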
diff --git a/global b/global
@@ -0,0 +1,20 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile global /** (complain) {
+ #include <abstractions/private-files-strict>
+
+ / rwlk,
+ /** rwlkmpux,
+
+ mount,
+
+ # AppArmor 3.0 TODO: Deny listen
+ network,
+
+ dbus,
+
+ ptrace,
+}
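Review bot: The `/** rwlkmpux,` rule uses the `pux` exec mode, whose fallback is an unconfined exec without environment scrubbing, so any unprofiled binary reached from this catch-all inherits LD_PRELOAD and friends; `PUx` gives the same profile-then-unconfined behaviour with the environment scrubbed, e.g. `/** rwlkmPUx,`. Because the attachment is `/**`, every executable with no more specific profile now runs under this profile; in complain mode that is logging only, but the unrestricted `mount,`, `ptrace,`, `dbus,` and `network,` lines mean that flipping it to enforce would still leave almost nothing restricted beyond the private-files-strict denies. Consider adding a comment above the profile line stating that it is intended as a logging catch-all and must not be switched to enforce as-is.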
diff --git a/header.txt b/header.txt
@@ -0,0 +1,3 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
diff --git a/lib.rc.sh.openrc-run.sh b/lib.rc.sh.openrc-run.sh
@@ -0,0 +1,19 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+/{lib/rc/sh/openrc-run.sh,sbin/openrc-run} {
+ / rwlk,
+ /** rwlkmpux,
+
+ audit deny network,
+
+ audit deny @{HOME}/{,**} mrwkl,
+
+ signal receive,
+ signal send,
+
+ capability mac_admin,
+ capability dac_override,
+}
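Review bot: `capability mac_admin,` in this profile lets anything running directly under openrc-run (i.e. via `ix` or the shell itself) load or replace AppArmor policy, which makes the `audit deny` rules above it advisory for that code path. The sbin.apparmor_parser profile in this commit already carries `capability mac_admin,` and the `/** rwlkmpux,` rule will transition to it on exec, so the capability here appears redundant unless policy is loaded by something other than apparmor_parser — if so, a comment naming that caller would help. Suggest dropping the line or replacing it with `# mac_admin: needed for <caller> — TODO confirm` until the need is confirmed from an audit log. The same question applies to `capability dac_override,`.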
diff --git a/local/README b/local/README
@@ -0,0 +1,24 @@
+# This directory is intended to contain profile additions and overrides for
+# inclusion by distributed profiles to aid in packaging AppArmor for
+# distributions.
+#
+# The shipped profiles in /etc/apparmor.d can still be modified by an
+# administrator and people should modify the shipped profile when making
+# large policy changes, rather than trying to make those adjustments here.
+#
+# For simple access additions or the occasional deny override, adjusting them
+# here can prevent the package manager of the distribution from interfering
+# with local modifications. As always, new policy should be reviewed to ensure
+# it is appropriate for your site.
+#
+# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
+# #include <local/usr.sbin.smbd>
+#
+# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
+# contain any additional paths to be allowed, such as:
+#
+# /var/exports/** lrwk,
+#
+# Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
+# be able to allow access to files that are explicitly denied by the shipped
+# profile using this mechanism.
diff --git a/local/bin.ping b/local/bin.ping
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'bin.ping'
diff --git a/local/lsb_release b/local/lsb_release
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'lsb_release'
diff --git a/local/nvidia_modprobe b/local/nvidia_modprobe
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'nvidia_modprobe'
diff --git a/local/sbin.klogd b/local/sbin.klogd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.klogd'
diff --git a/local/sbin.syslog-ng b/local/sbin.syslog-ng
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.syslog-ng'
diff --git a/local/sbin.syslogd b/local/sbin.syslogd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.syslogd'
diff --git a/local/usr.lib.apache2.mpm-prefork.apache2 b/local/usr.lib.apache2.mpm-prefork.apache2
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.apache2.mpm-prefork.apache2'
diff --git a/local/usr.lib.dovecot.anvil b/local/usr.lib.dovecot.anvil
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.anvil'
diff --git a/local/usr.lib.dovecot.auth b/local/usr.lib.dovecot.auth
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.auth'
diff --git a/local/usr.lib.dovecot.config b/local/usr.lib.dovecot.config
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.config'
diff --git a/local/usr.lib.dovecot.deliver b/local/usr.lib.dovecot.deliver
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.deliver'
diff --git a/local/usr.lib.dovecot.dict b/local/usr.lib.dovecot.dict
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dict'
diff --git a/local/usr.lib.dovecot.dovecot-auth b/local/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-auth'
diff --git a/local/usr.lib.dovecot.dovecot-lda b/local/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-lda'
diff --git a/local/usr.lib.dovecot.imap b/local/usr.lib.dovecot.imap
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.imap'
diff --git a/local/usr.lib.dovecot.imap-login b/local/usr.lib.dovecot.imap-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.imap-login'
diff --git a/local/usr.lib.dovecot.lmtp b/local/usr.lib.dovecot.lmtp
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.lmtp'
diff --git a/local/usr.lib.dovecot.log b/local/usr.lib.dovecot.log
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.log'
diff --git a/local/usr.lib.dovecot.managesieve b/local/usr.lib.dovecot.managesieve
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.managesieve'
diff --git a/local/usr.lib.dovecot.managesieve-login b/local/usr.lib.dovecot.managesieve-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.managesieve-login'
diff --git a/local/usr.lib.dovecot.pop3 b/local/usr.lib.dovecot.pop3
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.pop3'
diff --git a/local/usr.lib.dovecot.pop3-login b/local/usr.lib.dovecot.pop3-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.pop3-login'
diff --git a/local/usr.lib.dovecot.ssl-params b/local/usr.lib.dovecot.ssl-params
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.ssl-params'
diff --git a/local/usr.lib.dovecot.stats b/local/usr.lib.dovecot.stats
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.stats'
diff --git a/local/usr.sbin.apache2 b/local/usr.sbin.apache2
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.apache2'
diff --git a/local/usr.sbin.avahi-daemon b/local/usr.sbin.avahi-daemon
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.avahi-daemon'
diff --git a/local/usr.sbin.dnsmasq b/local/usr.sbin.dnsmasq
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.dnsmasq'
diff --git a/local/usr.sbin.dovecot b/local/usr.sbin.dovecot
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.dovecot'
diff --git a/local/usr.sbin.identd b/local/usr.sbin.identd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.identd'
diff --git a/local/usr.sbin.mdnsd b/local/usr.sbin.mdnsd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.mdnsd'
diff --git a/local/usr.sbin.nmbd b/local/usr.sbin.nmbd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.nmbd'
diff --git a/local/usr.sbin.nscd b/local/usr.sbin.nscd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.nscd'
diff --git a/local/usr.sbin.ntpd b/local/usr.sbin.ntpd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.ntpd'
diff --git a/local/usr.sbin.smbd b/local/usr.sbin.smbd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.smbd'
diff --git a/local/usr.sbin.smbldap-useradd b/local/usr.sbin.smbldap-useradd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.smbldap-useradd'
diff --git a/local/usr.sbin.traceroute b/local/usr.sbin.traceroute
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.traceroute'
diff --git a/local/usr.sbin.winbindd b/local/usr.sbin.winbindd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.winbindd'
diff --git a/lsb_release b/lsb_release
@@ -0,0 +1,50 @@
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> lsb_release" exec transitions from
+# other profiles. We want to confine the lsb_release(1) utility when it
+# is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+#include <tunables/global>
+
+# Do not attach to /usr/bin/lsb_release by default
+profile lsb_release {
+ #include <abstractions/base>
+ #include <abstractions/python>
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/tty rw,
+
+ /usr/bin/lsb_release r,
+ /usr/bin/python3.[0-9] mr,
+
+ /etc/debian_version r,
+ /etc/default/apport r,
+ /etc/dpkg/origins/** r,
+ /etc/lsb-release r,
+ /etc/lsb-release.d/ r,
+
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/dash ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/getopt ixr,
+ /usr/bin/sed ixr,
+ /usr/bin/tr ixr,
+
+ # TODO - many more permissions needed for this to work
+ deny /usr/bin/apt-cache x,
+
+ /usr/bin/ r,
+ /usr/include/python*/pyconfig.h r,
+ /usr/share/distro-info/** r,
+ /usr/share/dpkg/** r,
+ /usr/share/terminfo/** r,
+ /var/lib/dpkg/** r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/lsb_release>
+}
diff --git a/nvidia_modprobe b/nvidia_modprobe
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+profile nvidia_modprobe {
+ #include <abstractions/base>
+
+ # Capabilities
+
+ capability chown,
+ capability mknod,
+ capability setuid,
+ capability sys_admin,
+
+ # Main executable
+
+ /usr/bin/nvidia-modprobe mr,
+
+ # Other executables
+
+ /usr/bin/kmod Cx -> kmod,
+
+ # System files
+
+ /dev/nvidia-uvm w,
+ /dev/nvidia-uvm-tools w,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/config r,
+ @{PROC}/devices r,
+ @{PROC}/modules r,
+ @{PROC}/sys/kernel/modprobe r,
+
+ # Child profiles
+
+ profile kmod {
+ #include <abstractions/base>
+
+ # Capabilities
+
+ capability sys_module,
+
+ # Main executable
+
+ /usr/bin/kmod mrix,
+
+ # Other executables
+
+ /{,usr/}bin/{,ba,da}sh ix,
+
+ # System files
+
+ /etc/modprobe.d/{,*.conf} r,
+ /etc/nvidia/current/*.conf r,
+ @{sys}/module/ipmi_devintf/initstate r,
+ @{sys}/module/ipmi_msghandler/initstate r,
+ @{sys}/module/nvidia/initstate r,
+ @{PROC}/cmdline r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/nvidia_modprobe>
+}
+
diff --git a/sbin.apparmor_parser b/sbin.apparmor_parser
@@ -0,0 +1,24 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /sbin/apparmor_parser (complain) {
+ #include <abstractions/base>
+
+ /sbin/apparmor_parser mr,
+
+ capability mac_admin,
+
+ allow /etc/apparmor/ r,
+ allow /etc/apparmor/** r,
+ allow /etc/apparmor.d/ r,
+ allow /etc/apparmor.d/** r,
+
+ allow /sys/kernel/security/apparmor/ rw,
+ allow /sys/kernel/security/apparmor/** rw,
+
+ allow /proc/sys/kernel/osrelease r,
+
+ allow @{PROC}/@{pid}/mounts r,
+}
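Review bot: The profile hard-codes `/sys/kernel/security/apparmor/` on the two `allow` lines even though this commit ships `tunables/apparmorfs` defining `@{apparmorfs}` (assuming `tunables/global` includes it, which is outside this chunk); `allow @{apparmorfs}/ rw,` and `allow @{apparmorfs}/** rw,` would keep the two in sync. In the same profile `/proc/sys/kernel/osrelease r,` uses a literal `/proc` while the next line uses `@{PROC}` — pick one. Note also that apparmor_parser writes a binary policy cache (under `/etc/apparmor.d/cache` or `/var/cache/apparmor`, depending on build) which the read-only rules do not cover, so the `(complain)` flag is currently hiding a denial that will appear when the profile is enforced — confirm from the audit log before switching modes.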
diff --git a/sbin.klogd b/sbin.klogd
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile klogd /{usr/,}{bin,sbin}/klogd {
+ #include <abstractions/base>
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /{usr/,}{bin,sbin}/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.klogd>
+}
diff --git a/sbin.syslog-ng b/sbin.syslog-ng
@@ -0,0 +1,68 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2006 Christian Boltz
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+#define this to be where syslog-ng is chrooted
+@{CHROOT_BASE}=""
+
+profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/mysql>
+ #include <abstractions/openssl>
+ #include <abstractions/python>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability fowner,
+ capability sys_tty_config,
+ capability sys_resource,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log w,
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
+ /dev/kmsg r,
+ /etc/machine-id r,
+ /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+ /{usr/,}{bin,sbin}/syslog-ng mr,
+ @{sys}/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
+ /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.syslog-ng>
+}
diff --git a/sbin.syslogd b/sbin.syslogd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile syslogd /{usr/,}{bin,sbin}/syslogd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/consoles>
+
+ capability sys_tty_config,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability setgid,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log wl,
+ /var/lib/*/dev/log wl,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+ /etc/syslog.conf r,
+ /{usr/,}{bin,sbin}/syslogd rmix,
+ /var/log/** rw,
+ /{,var/}run/syslogd.pid krwl,
+ /{,var/}run/utmp rw,
+ /var/spool/compaq/nic/messages_fifo rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.syslogd>
+}
diff --git a/shell b/shell
@@ -0,0 +1,34 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile shell /{,usr/}bin/*sh flags=(complain) {
+ / rwlk,
+ /** rwlkmpux,
+
+ audit deny network,
+
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/{,**} mrwkl,
+ audit deny @{HOME}/.mutt** mrwkl,
+ audit deny @{HOME}/.viminfo** mrwkl,
+
+ allow @{HOME}/.ssh/agent.pid r,
+
+ allow @{HOME}/.*shrc rwlkmpux,
+ allow @{HOME}/.*profile rwlkmpux,
+ allow @{HOME}/.*log{in,out} rwlkmpux,
+ allow @{HOME}/.*history rwlkmpux,
+
+ # bash
+ allow @{HOME}/.inputrc mrk,
+ allow @{HOME}/.bash* mrk,
+
+ # zsh
+ allow @{HOME}/.zshenv rwlkmpux,
+
+ signal receive,
+}
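Review bot: `allow @{HOME}/.ssh/agent.pid r,` is dead: it is shadowed by `audit deny @{HOME}/.ssh/{,**} mrwkl,` a few lines above, since AppArmor evaluates deny rules after allow rules (the local/README in this same commit states this). Either drop the allow or narrow the deny to the material you actually want to protect, e.g. `audit deny @{HOME}/.ssh/{id_*,*_key,config,known_hosts,authorized_keys} mrwkl,`. Separately, the `rwlkmpux` mode on `.*shrc`, `.*profile`, `.*log{in,out}`, `.*history` and `.zshenv` grants exec (with an unconfined, unscrubbed fallback) on files that are only ever sourced or read; `rwlk` is sufficient, e.g. `allow @{HOME}/.*history rwlk,`.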
diff --git a/tunables/alias b/tunables/alias
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Alias rules can be used to rewrite paths and are done after variable
+# resolution. For example, if '/usr' is on removable media:
+# alias /usr/ -> /mnt/usr/,
+#
+# Or if mysql databases are stored in /home:
+# alias /var/lib/mysql/ -> /home/mysql/,
diff --git a/tunables/apparmorfs b/tunables/apparmorfs
@@ -0,0 +1,11 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/securityfs>
+
+@{apparmorfs}=@{securityfs}/apparmor/
diff --git a/tunables/dovecot b/tunables/dovecot
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:ft=apparmor
+
+# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
+# where dovecot is allowed to store and read mails
+#
+# The default value is quite broad to avoid breaking existing setups.
+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
+# you use, and remove everything else.
+
+@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
+
diff --git a/tunables/global b/tunables/global
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2010-2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# All the tunables definitions that should be available to every profile
+# should be included here
+
+#include <tunables/home>
+#include <tunables/multiarch>
+#include <tunables/proc>
+#include <tunables/alias>
+#include <tunables/kernelvars>
+#include <tunables/xdg-user-dirs>
+#include <tunables/share>
diff --git a/tunables/home b/tunables/home
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{HOME} is a space-separated list of all user home directories. While
+# it doesn't refer to a specific home directory (AppArmor doesn't
+# enforce discretionary access controls) it can be used as if it did
+# refer to a specific home directory
+@{HOME}=@{HOMEDIRS}/*/ /root/
+
+# @{HOMEDIRS} is a space-separated list of where user home directories
+# are stored, for programs that must enumerate all home directories on a
+# system.
+@{HOMEDIRS}=/home/
+
+# Also, include files in tunables/home.d for site-specific adjustments to
+# @{HOMEDIRS}.
+#include <tunables/home.d>
diff --git a/tunables/home.d/site.local b/tunables/home.d/site.local
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional user home
+# directories are stored, each must have a trailing '/'. Directories added
+# here are appended to @{HOMEDIRS}. See tunables/home for details. Eg:
+#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/
diff --git a/tunables/kernelvars b/tunables/kernelvars
@@ -0,0 +1,33 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# This file should contain declarations to kernel vars or variables
+# that will become kernel vars at some point
+
+# until kernel vars are implemented
+# and until the parser supports nested groupings like
+# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# use
+@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{pid} for now
+@{tid}=@{pid}
+
+#A pattern for pids that can appear
+@{pids}=@{pid}
+
+# Placeholder for user id until kernel var is implemented to match
+# current user of the confined application.
+# Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).
+@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{uid} for now
+@{uids}=@{uid}
+
+# until kernel var is implemented
+@{sys}=/sys/
diff --git a/tunables/multiarch b/tunables/multiarch
@@ -0,0 +1,17 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{multiarch} is the set of patterns matching multi-arch library
+# install prefixes.
+@{multiarch}=*-linux-gnu*
+
+# Also, include files in tunables/multiarch.d for site and packaging
+# specific adjustments to @{multiarch}.
+#include <tunables/multiarch.d>
diff --git a/tunables/multiarch.d/site.local b/tunables/multiarch.d/site.local
@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional multipath
+# prefixes are stored, each should not have a trailing '/'. Directories
+# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
+#@{multiarch}+=*-freebsd* s390-hurd-zomg
diff --git a/tunables/ntpd b/tunables/ntpd
@@ -0,0 +1,14 @@
+# Last Modified: Thu Aug 2 14:37:03 2007
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}=/dev/ttyS*
+@{NTPD_DEVICE}="/dev/tty10"
diff --git a/tunables/proc b/tunables/proc
@@ -0,0 +1,12 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{PROC} is the location where procfs is mounted.
+@{PROC}=/proc/
diff --git a/tunables/securityfs b/tunables/securityfs
@@ -0,0 +1,10 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{securityfs} is the location where securityfs is mounted.
+@{securityfs}=@{sys}/kernel/security/
diff --git a/tunables/share b/tunables/share
@@ -0,0 +1,15 @@
+@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}
+
+# System-wide directories with behaviour analogous to /usr/share
+# in patterns like the freedesktop.org basedir spec. These are
+# owned by root or a system user, appear in XDG_DATA_DIRS, and
+# are the parent directory for `applications`, `themes`,
+# `dbus-1/services`, etc.
+@{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share
+
+# Per-user/personal directories with behaviour analogous to
+# ~/.local/share in patterns like the freedesktop.org basedir spec.
+# These are owned by the user running an application, appear in
+# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
+# for the same subdirectories as @{system_share_dirs}
+@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
diff --git a/tunables/sys b/tunables/sys
@@ -0,0 +1,9 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now.
diff --git a/tunables/xdg-user-dirs b/tunables/xdg-user-dirs
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Define the common set of XDG user directories (usually defined in
+# /etc/xdg/user-dirs.defaults)
+@{XDG_DESKTOP_DIR}="Desktop"
+@{XDG_DOWNLOAD_DIR}="Downloads"
+@{XDG_TEMPLATES_DIR}="Templates"
+@{XDG_PUBLICSHARE_DIR}="Public"
+@{XDG_DOCUMENTS_DIR}="Documents"
+@{XDG_MUSIC_DIR}="Music"
+@{XDG_PICTURES_DIR}="Pictures"
+@{XDG_VIDEOS_DIR}="Videos"
+
+# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
+# to the various XDG directories
+#include <tunables/xdg-user-dirs.d>
diff --git a/tunables/xdg-user-dirs.d/site.local b/tunables/xdg-user-dirs.d/site.local
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following may be used to add additional entries such as for
+# translations. See tunables/xdg-user-dirs for details. Eg:
+#@{XDG_MUSIC_DIR}+="Musique"
+
+#@{XDG_DESKTOP_DIR}+=""
+#@{XDG_DOWNLOAD_DIR}+=""
+#@{XDG_TEMPLATES_DIR}+=""
+#@{XDG_PUBLICSHARE_DIR}+=""
+#@{XDG_DOCUMENTS_DIR}+=""
+#@{XDG_MUSIC_DIR}+=""
+#@{XDG_PICTURES_DIR}+=""
+#@{XDG_VIDEOS_DIR}+=""
diff --git a/usr.bin.badwolf b/usr.bin.badwolf
@@ -0,0 +1,84 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+# BadWolf: Minimalist and privacy-oriented WebKitGTK+ browser
+# Copyright © 2019-2020 Badwolf Authors <https://hacktivis.me/projects/badwolf>
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Made on Gentoo Linux with PREFIX=/usr
+#include <tunables/global>
+
+/usr/bin/badwolf {
+ #include <abstractions/enchant>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ # #include <abstractions/uim>
+ #include <abstractions/private-files-strict>
+
+ /usr/bin/badwolf mr,
+ /usr/bin/bwrap Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess Cx,
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess Cx,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ owner @{HOME}/.local/share/badwolf/ r,
+ owner @{HOME}/.local/share/badwolf/** r,
+
+ deny @{HOME}/.local/share/webkitgtk/** rwmlk,
+
+ / r,
+ /** r,
+
+ # #include <local/usr.bin.badwolf>
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess mr,
+ /** r,
+ owner /** w,
+ }
+
+ profile /usr/libexec/webkit2gtk-4.0/WebKitWebProcess {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ # #include <abstractions/gstreamer>
+ #include <abstractions/audio>
+ #include <abstractions/mesa>
+ #include <abstractions/dri-common>
+ #include <abstractions/dri-enumerate>
+
+ /usr/libexec/webkit2gtk-4.0/WebKitWebProcess mr,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/passwd r,
+ /etc/group r,
+ /etc/nsswitch.conf r,
+ /dev/ r,
+
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/ r,
+ owner @{HOME}/.local/share/badwolf/webkit-web-extension/** mr,
+ }
+
+ profile /usr/bin/bwrap {
+ #include <abstractions/base>
+
+ deny capability sys_admin,
+
+ /usr/bin/bwrap mr,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/kernel/overflowgid r,
+ owner @{PROC}/@{pid}/fd/ r,
+ }
+}
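Review bot: The `/usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess` child profile pairs `/** r,` with `owner /** w,`, so the component that parses untrusted network traffic may write any file the user owns, bounded only by whatever abstractions/private-files-strict happens to deny. Narrowing the write rule to the data directory the parent already names, `owner @{HOME}/.local/share/badwolf/** rw,` plus whatever cache path a log run shows, keeps the write surface proportional to the process's job. The `deny @{HOME}/.local/share/webkitgtk/** rwmlk,` in the parent does not carry into the child profiles (each `profile` block has its own rule set), so if WebKit's default data directory is meant to stay off-limits the same deny belongs in the NetworkProcess and WebProcess profiles too.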
diff --git a/usr.bin.gpg b/usr.bin.gpg
@@ -0,0 +1,62 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/bin/gpg{,2} flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+
+ /{,**} rw,
+
+ /usr/bin/gpg{,2} mr,
+ /dev/tty rw,
+
+ /usr/bin/gpg-agent mrix,
+ /usr/libexec/scdaemon mrcx,
+ /usr/bin/pinentry-qt mrcx,
+
+ @{HOME}/.gnupg/{,**} mrwkl,
+
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/{,**} mrwkl,
+ audit deny @{HOME}/.mutt** mrwkl,
+ audit deny @{HOME}/.viminfo** mrwkl,
+
+ signal receive peer=/usr/bin/gpg{,2}///usr/libexec/scdaemon,
+
+ network,
+
+ profile /usr/libexec/scdaemon {
+ #include <abstractions/base>
+
+ /usr/libexec/scdaemon mr,
+
+ @{HOME}/.gnupg/S.scdaemon mrwk,
+ @{HOME}/.gnupg/reader_*.status mrwk,
+
+ signal send peer=/usr/bin/gpg{,2},
+
+ @{PROC}/@{pid}/task/** rw,
+ @{PROC}/@{pid}/mountinfo rw,
+
+ /dev/ r,
+ /dev/bus/usb/{,**} rw,
+ /sys/bus/ r,
+ /sys/bus/usb/{,**} rw,
+ /sys/devices/{,**} r,
+ /etc/udev/udev.conf r,
+ /run/udev/data/** r,
+ /sys/class/ r,
+ }
+
+ profile /usr/bin/pinentry-qt {
+ #include <abstractions/base>
+ #include <abstractions/X>
+ #include <abstractions/mesa>
+ #include <abstractions/qt5>
+
+ /usr/bin/pinentry-qt mr,
+ }
+}
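Review bot: `/{,**} rw,` grants read and write to the whole filesystem, which makes the narrower `@{HOME}/.gnupg/{,**} mrwkl,` rule and the `audit deny` block the only thing separating this profile from unconfined; with the profile in complain mode it reads as a learning placeholder, but nothing says so. A comment such as `# TODO: blanket rule for complain-mode learning, drop before enforcing` above it, or removing it now and letting aa-logprof collect the real set, would keep it from surviving into enforce mode. `network,` likewise opens every address family; gpg2 hands keyserver traffic to dirmngr over a local socket, so this profile likely needs no more than `network unix stream,` — worth confirming from a log before tightening.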
diff --git a/usr.bin.redshift b/usr.bin.redshift
@@ -0,0 +1,30 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+/usr/bin/redshift {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/X>
+
+ owner @{HOME}/.config/redshift.conf r,
+}
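Review bot: Unlike the other profiles in this commit (usr.bin.ssh, usr.bin.gpg, the dovecot set), this one grants no access to its own executable; adding `/usr/bin/redshift mr,` below the includes follows the `<exec path> mr,` convention the rest of the set uses and avoids a denial when the loader maps the binary after the profile attaches. Newer redshift releases also look for `@{HOME}/.config/redshift/redshift.conf`; if that layout is in use, `owner @{HOME}/.config/redshift/redshift.conf r,` is needed alongside the legacy path already listed — confirm against the installed version.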
diff --git a/usr.bin.ssh b/usr.bin.ssh
@@ -0,0 +1,19 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/bin/ssh {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/consoles>
+
+ /usr/bin/ssh mr,
+
+ @{HOME}/.ssh/{,**} mrl,
+ /etc/ssh/** mr,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ network,
+}
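Review bot: `@{HOME}/.ssh/{,**} mrl,` carries no `w`, so ssh cannot append a newly seen host key to `~/.ssh/known_hosts` (nor rewrite it under UpdateHostKeys), and because this profile has no `complain` flag that denial bites on the first connection to an unknown host unless host-key checking is disabled site-wide. Grant the write only where it is needed, `owner @{HOME}/.ssh/known_hosts rw,`, and keep the rest read-only; the `m` on `~/.ssh` also looks unnecessary, since nothing there is mapped executable. `/etc/ssh/** mr` could likewise be narrowed to what the client reads (`/etc/ssh/ssh_config`, `/etc/ssh/ssh_config.d/*`, `/etc/ssh/ssh_known_hosts*`), which documents intent better than a directory-wide glob.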
diff --git a/usr.lib.apache2.mpm-prefork.apache2 b/usr.lib.apache2.mpm-prefork.apache2
@@ -0,0 +1,80 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+#include <tunables/global>
+/usr/lib/apache2/mpm-prefork/apache2 {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 1- Enable it:
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 2- Load the mod_apparmor module:
+ # sudo a2enmod apparmor
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles should probably
+ # include the "apache2-common" abstraction.
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive.
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 3- Configure apache with the following:
+ # <Directory /var/www/phpsysinfo/>
+ # AAHatName phpsysinfo
+ # </Directory>
+ #
+
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT {
+ #include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.apache2.mpm-prefork.apache2>
+}
diff --git a/usr.lib.dovecot.anvil b/usr.lib.dovecot.anvil
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/anvil {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ unix (receive, send) type=stream peer=(label=dovecot),
+
+ /run/dovecot/anvil rw,
+ /run/dovecot/anvil-auth-penalty rw,
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.anvil>
+}
diff --git a/usr.lib.dovecot.auth b/usr.lib.dovecot.auth
@@ -0,0 +1,57 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2018 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/auth {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/wutmp>
+ #include <abstractions/dovecot-common>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability sys_chroot,
+
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+
+ /etc/dovecot/* r,
+ /usr/lib/dovecot/auth mr,
+ /var/lib/dovecot/auth-chroot/* r,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ /run/dovecot/auth-master rw,
+ /run/dovecot/auth-userdb rw,
+ /run/dovecot/auth-worker rw,
+ /run/dovecot/login/login rw,
+ /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+ /{var/,}run/dovecot/old-stats-user w,
+ /{var/,}run/dovecot/stats-user rw,
+ /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+ /var/spool/postfix/private/auth rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.auth>
+}
diff --git a/usr.lib.dovecot.config b/usr.lib.dovecot.config
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/config {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/ssl_keys>
+
+ capability dac_read_search,
+ capability dac_override,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
+ /var/lib/dovecot/ssl-parameters.dat r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.config>
+}
diff --git a/usr.lib.dovecot.deliver b/usr.lib.dovecot.deliver
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2014 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/deliver {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ # http://www.postfix.org/SASL_README.html#server_dovecot
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/{auth,conf}.d/*.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/deliver mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.deliver>
+}
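Review bot: The `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r,` and `@{HOME} r,` leave the reader with no reason for either rule (usr.lib.dovecot.imap carries the same `@{HOME} r, # ???`); each should either get a comment naming the operation that was observed to need it, or be dropped until a log shows a denial. An unexplained `@{HOME} r,` in a mail-delivery profile is exactly the kind of rule that outlives its purpose, so resolving the question before the profile is enforced is worth the effort.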
diff --git a/usr.lib.dovecot.dict b/usr.lib.dovecot.dict
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dict {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dict>
+}
diff --git a/usr.lib.dovecot.dovecot-auth b/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dovecot-auth {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ #include <abstractions/dovecot-common>
+
+ capability chown,
+ capability dac_override,
+
+ @{PROC}/@{pid}/mounts r,
+ /usr/lib/dovecot/dovecot-auth mr,
+ /{,var/}run/dovecot/** rw,
+ # required for postfix+dovecot integration
+ /var/spool/postfix/private/dovecot-auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-auth>
+}
diff --git a/usr.lib.dovecot.dovecot-lda b/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1,91 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2016 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ owner /tmp/dovecot.lda.* rw,
+ /{var/,}run/dovecot/mounts r,
+ /run/dovecot/auth-userdb rw,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+ /usr/{bin,sbin}/sendmail Cx -> sendmail,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-lda>
+
+
+ profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+ # this profile is based on the usr.sbin.sendmail profile in extras
+ # and should support both postfix' and sendmail's sendmail binary
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/postfix-common>
+
+ capability sys_ptrace,
+
+ /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
+ /etc/aliases.db rw, # actually the same binary
+ /etc/fstab r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/mail/* r,
+ /etc/mail/statistics rw,
+ /etc/mtab r,
+ /etc/postfix/aliases r,
+ /etc/postfix/aliases.db rw, # newaliases again
+ /etc/sendmail.cf r,
+ /etc/sendmail.cw r,
+ /etc/shells r,
+ /proc/loadavg r,
+ /proc/net/if_inet6 r,
+ /root/.forward r,
+ /root/dead.letter w,
+ /usr/bin/procmail Px,
+ /usr/lib/postfix/master Px,
+ /usr/lib/postfix/showq Px,
+ /usr/lib/postfix/smtpd Px,
+ /usr/{bin,sbin}/postalias Px,
+ /usr/{bin,sbin}/postdrop Px,
+ /usr/{bin,sbin}/postfix Px,
+ /usr/{bin,sbin}/postqueue Px,
+ /usr/{bin,sbin}/sendmail mrix,
+ /usr/{bin,sbin}/sendmail.postfix mrix,
+ /usr/{bin,sbin}/sendmail.sendmail mrix,
+ /{var/,}run/sendmail.pid rwl,
+ /{var/,}run/sm-client.pid rwl,
+ /{var/,}run/utmp rw,
+ /var/spool/clientmqueue/* rwl,
+ /var/spool/mail/* rwl,
+ /var/spool/mqueue/* rwl,
+ /var/spool/postfix/maildrop/* rwl,
+ /var/spool/postfix/public/pickup w,
+ /var/spool/postfix/public/qmgr w,
+ /var/spool/postfix/public/showq w,
+ }
+}
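Review bot: `/proc/*/mounts r,` hard-codes `/proc/` and matches every pid, while usr.lib.dovecot.dovecot-auth in this same commit spells the equivalent rule `@{PROC}/@{pid}/mounts r,`; the tunable form is preferable and keeps the set consistent (usr.lib.dovecot.lmtp has the same `/proc/*/mounts r,`). The file also mixes `/{var/,}run/dovecot/mounts` with `/run/dovecot/auth-userdb` two lines apart; one spelling, `/{var/,}run/dovecot/...`, keeps the profile portable to systems where /var/run is not a symlink. In the sendmail child profile, `capability sys_ptrace,` is the one capability that reaches into other processes' state and deserves a one-line comment stating which sendmail/postfix operation needs it.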
diff --git a/usr.lib.dovecot.imap b/usr.lib.dovecot.imap
@@ -0,0 +1,46 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/imap {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ deny capability block_suspend,
+
+ network unix stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ owner /tmp/dovecot.imap.* rw,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
+ /run/dovecot/login/imap rw,
+ /{,var/}run/dovecot/auth-master rw,
+ /{,var/}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.imap>
+}
diff --git a/usr.lib.dovecot.imap-login b/usr.lib.dovecot.imap-login
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+/usr/lib/dovecot/imap-login {
+ #include <abstractions/base>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/imap-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.imap-login>
+}
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
@@ -0,0 +1,39 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/lmtp {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/openssl>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME}/.dovecot.svbin r,
+
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.lmtp>
+}
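Review bot: `/tmp/dovecot.lmtp.* rw,` is granted without the `owner` qualifier, while the sibling imap profile on this page restricts its temp files with `owner /tmp/dovecot.imap.* rw,`. Because this profile also carries `capability dac_override` and `dac_read_search`, a matching file pre-created by any local user in the sticky /tmp would be opened and written regardless of its ownership (`fs.protected_regular`, where enabled, only covers the O_CREAT case). Change the line to `owner /tmp/dovecot.lmtp.* rw,` unless lmtp genuinely reuses temp files created under another uid, in which case that deserves a comment.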
diff --git a/usr.lib.dovecot.log b/usr.lib.dovecot.log
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/log flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.log>
+}
diff --git a/usr.lib.dovecot.managesieve b/usr.lib.dovecot.managesieve
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/managesieve {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve>
+}
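Review bot: `/etc/dovecot/** r,` grants the post-login managesieve worker read access to the whole configuration tree, whereas the imap profile on this page limits itself to `dovecot.conf` and `conf.d/`. On distributions that keep the TLS private key under `/etc/dovecot/private/`, this wildcard hands the key to a process that only needs to run `doveconf` on the public config; I would narrow it to the same three rules imap uses (`/etc/dovecot/dovecot.conf r,` `/etc/dovecot/conf.d/ r,` `/etc/dovecot/conf.d/** r,`) and let `audit` show whether anything else is actually read. The `network inet stream`/`inet6 stream` rules also differ from imap, which has only `network unix stream`; if they are needed for the inherited client socket here, imap presumably needs them too, and if they come from `dovecot-common` they are redundant.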
diff --git a/usr.lib.dovecot.managesieve-login b/usr.lib.dovecot.managesieve-login
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/managesieve-login {
+ #include <abstractions/base>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/managesieve-login mr,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve-login>
+}
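Review bot: Unlike imap-login and pop3-login, this login profile has no `/{,var/}run/dovecot/anvil rw,` rule, although the three login processes share the same pre-login code path and anvil is what they use for connection accounting. If managesieve-login does connect to anvil, that open will be denied and logged in enforce mode; if it genuinely does not, a comment such as `# managesieve-login does not talk to anvil` would make the asymmetry deliberate. The `#include <abstractions/ssl_keys>` in a chrooted pre-auth process is also worth verifying with `audit`, since Dovecot 2.x's config process normally reads the key on the workers' behalf.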
diff --git a/usr.lib.dovecot.pop3 b/usr.lib.dovecot.pop3
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/pop3 {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/pop3 mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.pop3>
+}
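Review bot: `@{HOME} r, # ???` ships a rule whose author did not know why it was needed; with the stock tunables `@{HOME}` expands to every user's home directory, so this is a directory-listing grant on all homes for the post-login pop3 worker. Either resolve the question and write the reason down (for example whether Dovecot stats the home directory when resolving `mail_home`), or change it to `audit @{HOME} r,` so enforce-mode logs show whether the access ever happens. The identical `# ???` line appears in the imap profile above, so resolving it once fixes both.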
diff --git a/usr.lib.dovecot.pop3-login b/usr.lib.dovecot.pop3-login
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/pop3-login {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network unix stream,
+
+ /usr/lib/dovecot/pop3-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.pop3-login>
+}
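Review bot: This profile lacks the `network inet stream,` / `network inet6 stream,` rules that the imap-login and managesieve-login profiles carry, and it is the only login profile that pulls in `#include <abstractions/nameservice>`. The three login processes accept TCP clients the same way, so either the inet rules are already supplied by `abstractions/dovecot-common` (in which case they are redundant in the other two) or pop3-login will be denied on its listeners in enforce mode. Aligning the three to one rule set, with a comment on whichever include supplies the network access, would remove the guesswork.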
diff --git a/usr.lib.dovecot.ssl-params b/usr.lib.dovecot.ssl-params
@@ -0,0 +1,26 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/ssl-params {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ /run/dovecot/ssl-params rw,
+ /run/dovecot/login/ssl-params rw,
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.ssl-params>
+}
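Review bot: `/run/dovecot/ssl-params rw,` and `/run/dovecot/login/ssl-params rw,` use a bare `/run/` prefix while nearly every other runtime-directory rule on this page is written as `/{,var/}run/...`. On systems where `/var/run` is a real directory rather than a symlink into `/run`, the path the kernel reports is `/var/run/...` and these two rules will not match; write them as `/{,var/}run/dovecot/ssl-params rw,` and `/{,var/}run/dovecot/login/ssl-params rw,` for consistency with the rest of the set.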
diff --git a/usr.lib.dovecot.stats b/usr.lib.dovecot.stats
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/stats mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.stats>
+}
diff --git a/usr.sbin.apache2 b/usr.sbin.apache2
@@ -0,0 +1,109 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+#include <tunables/global>
+profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 0- Stop apache:
+ # sudo service apache2 stop
+ #
+ # 1- Enable the profile:
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ # sudo a2dismod <other non-prefork mpm>
+ # sudo a2enmod mpm_prefork
+ # sudo a2enmod apparmor
+ # sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles must include
+ # the "apache2-common" abstraction:
+ #
+ # ^example.com {
+ # #include <abstractions/apache2-common>
+ # /var/www/html/ r,
+ # /var/www/html/** r,
+ # /var/log/apache2/*.log w,
+ # }
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive:
+ #
+ # <VirtualHost example.com:80>
+ # <IfModule mod_apparmor.c>
+ # AADefaultHatName example.com
+ # </IfModule>
+ # ...
+ # </VirtualHost>
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following (or similar):
+ # Alias /phpsysinfo /usr/share/phpsysinfo
+ # <Location /phpsysinfo>
+ # <IfModule mod_apparmor.c>
+ # AAHatName phpsysinfo
+ # </IfModule>
+ #
+ # # adjust as necessary:
+ # Options None
+ # Require local
+ # Require ip 192.168.0.0/16
+ # </Location>
+ #
+
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ # Send signals to all hats.
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.apache2>
+}
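Review bot: The `^HANDLING_UNTRUSTED_INPUT` hat omits `#include <abstractions/base>` while the otherwise identical `^DEFAULT_URI` hat includes it. `/** mrwlkix` already covers any file rule base would add, but base is not file-only, so the two hats are not necessarily equivalent; either add the include to the second hat or leave a comment explaining why the hat that handles the raw request is meant to differ.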
diff --git a/usr.sbin.avahi-daemon b/usr.sbin.avahi-daemon
@@ -0,0 +1,33 @@
+#include <tunables/global>
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/dbus>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability dac_override,
+ capability kill,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ network netlink dgram,
+
+ /etc/avahi/ r,
+ /etc/avahi/avahi-daemon.conf r,
+ /etc/avahi/hosts r,
+ /etc/avahi/services/ r,
+ /etc/avahi/services/*.service r,
+ @{PROC}/@{pid}/fd/ r,
+ /usr/{bin,sbin}/avahi-daemon mr,
+ /usr/share/avahi/introspection/*.introspect r,
+ /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
+ /{,var/}run/avahi-daemon/ w,
+ /{,var/}run/avahi-daemon/pid krw,
+ /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.avahi-daemon>
+}
diff --git a/usr.sbin.dnsmasq b/usr.sbin.dnsmasq
@@ -0,0 +1,134 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+
+#include <tunables/global>
+
+# This profile has the name "/usr/sbin/dnsmasq", but attaches to both /usr/bin/dnsmasq and /usr/sbin/dnsmasq.
+# We are sorry for the confusion ;-) but this trick is needed to support distributions with merged bin and sbin
+# while not breaking the libvirtd profile that has rules with peer=/usr/sbin/dnsmasq
+# Future versions of AppArmor (> 2.13.x) will have "dnsmasq" as profile name.
+
+profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=libvirtd,
+
+ owner /dev/tty rw,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+ /etc/NetworkManager/dnsmasq-shared.d/ r,
+ /etc/NetworkManager/dnsmasq-shared.d/* r,
+
+ /usr/{bin,sbin}/dnsmasq mr,
+
+ /var/log/dnsmasq*.log w,
+
+ /usr/share/dnsmasq/ r,
+ /usr/share/dnsmasq/* r,
+
+ /{,var/}run/*dnsmasq*.pid w,
+ /{,var/}run/dnsmasq-forwarders.conf r,
+ /{,var/}run/dnsmasq/ r,
+ /{,var/}run/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ /{,var/}run/libvirt/network/ r,
+ /{,var/}run/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ /{,var/}run/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ /{,var/}run/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /var/lib/NetworkManager/dnsmasq-*.leases rw,
+ /{,var/}run/nm-dns-dnsmasq.conf r,
+ /{,var/}run/nm-dnsmasq-*.pid rw,
+ /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+ /{,var/}run/NetworkManager/dnsmasq.conf r,
+ /{,var/}run/NetworkManager/dnsmasq.pid w,
+ /{,var/}run/NetworkManager/NetworkManager.pid w,
+
+ profile libvirt_leaseshelper {
+ #include <abstractions/base>
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ /{,var/}run/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.dnsmasq>
+}
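Review bot: `/{,usr/}bin/{ba,da,}sh ix,` runs the admin-supplied `--dhcp-script` shell with `ix`, so it inherits this whole profile including `capability net_admin`, `net_raw`, `dac_override`, `chown` and the raw-socket rules; a bug in that script, or attacker-influenced lease data (hostname, client-id) reaching it through the environment, then executes with those capabilities. The profile already shows the right pattern for `libvirt_leaseshelper` (`Cx -> libvirt_leaseshelper` with a dedicated child profile), and the shell deserves the same treatment. Since the script is site-specific the child profile cannot enumerate what it runs, but it need not carry any capability; the script path and its helpers can be added through the local include.

```apparmor
  /{,usr/}bin/{ba,da,}sh Cx -> dhcp_script, # Required to execute --dhcp-script argument

  # … unchanged: remaining file rules and the libvirt_leaseshelper child profile …

  profile dhcp_script {
    #include <abstractions/base>
    #include <abstractions/bash>

    /{,usr/}bin/{ba,da,}sh mr,
    # the site's --dhcp-script and anything it execs belong in local/usr.sbin.dnsmasq
  }
```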
diff --git a/usr.sbin.dovecot b/usr.sbin.dovecot
@@ -0,0 +1,74 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
+
+ unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/fs/suid_dumpable r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
+ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/pop3 mrPx,
+ /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params mrPx,
+ /usr/lib/dovecot/stats Px,
+ /usr/{bin,sbin}/dovecot mrix,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+ /var/lib/dovecot/ w,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
+ /{,var/}run/dovecot/ rw,
+ /{,var/}run/dovecot/** rw,
+ link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.dovecot>
+}
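Review bot: `/usr/lib/dovecot/stats Px,` is the one child exec written without the `mr` that every other `/usr/lib/dovecot/*` exec line in this profile carries, and the spelling alternates between `mrPx` and `Pxmr` from line to line. As far as I know `Px` alone is sufficient for the transition — the `m` only matters if the master itself maps the binary — so this is style rather than a functional gap, but the mixed forms read as if some lines were generated and others hand-edited. Normalising all of them to `mrPx` (e.g. `/usr/lib/dovecot/stats mrPx,`) keeps future `aa-logprof` diffs clean.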
diff --git a/usr.sbin.identd b/usr.sbin.identd
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile identd /usr/{bin,sbin}/identd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ network netlink dgram,
+ /etc/identd.conf r,
+ /etc/identd.key r,
+ /etc/identd.pid w,
+ /usr/{bin,sbin}/identd rmix,
+ @{PROC}/net/tcp r,
+ @{PROC}/net/tcp6 r,
+ /{,var/}run/identd.pid w,
+ /{,var/}run/identd/ w,
+ /{,var/}run/identd/identd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.identd>
+}
diff --git a/usr.sbin.mdnsd b/usr.sbin.mdnsd
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile mdnsd /usr/{bin,sbin}/mdnsd {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network netlink dgram,
+
+ /usr/{bin,sbin}/mdnsd rmix,
+
+ @{PROC}/net/ r,
+ @{PROC}/net/unix r,
+ /{,var/}run/mdnsd lw,
+ /{,var/}run/mdnsd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mdnsd>
+}
diff --git a/usr.sbin.mtr b/usr.sbin.mtr
@@ -0,0 +1,15 @@
+# Copyright 2020 Haelwenn (lanodan) Monnier <contact+apparmor.d@hacktivis.me>
+# Distributed under the terms of the GNU General Public License v2
+
+#include <tunables/global>
+
+profile /usr/sbin/mtr {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability net_raw,
+ network inet raw,
+ network inet6 raw,
+
+ /etc/terminfo/** r,
+}
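Review bot: The profile has no rule for its own executable — every other profile on this page carries one (e.g. traceroute's `/usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,`), and as far as I know without it the mapping of the binary after the exec transition is denied in enforce mode. Add `/usr/sbin/mtr mr,` and, for consistency with the neighbouring profiles, the `#include <local/usr.sbin.mtr>` hook so site overrides do not require editing this file. If the installed mtr is a recent version that delegates raw sockets to a `mtr-packet` helper, the `net_raw`/raw-socket rules belong in a profile for that helper instead; I cannot tell which from this file.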
diff --git a/usr.sbin.nmbd b/usr.sbin.nmbd
@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+profile nmbd /usr/{bin,sbin}/nmbd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/samba>
+
+ capability net_bind_service,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/{bin,sbin}/nmbd mr,
+
+ /var/cache/samba/gencache.tdb rwk,
+ /var/cache/samba/gencache_notrans.tdb rwk,
+ /var/cache/samba/names.tdb rwk,
+ /var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
+ /var/{cache,lib}/samba/wins.dat* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/cache/samba/msg/ rw,
+ /var/cache/samba/msg/* w,
+ /var/cache/samba/msg.lock/{,*} rwk,
+
+ /{,var/}run/nmbd.pid rwk,
+ /{,var/}run/samba/** rwk,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.nmbd>
+}
diff --git a/usr.sbin.nscd b/usr.sbin.nscd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+profile nscd /usr/{bin,sbin}/nscd {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+
+ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ /etc/netgroup r,
+ /etc/nscd.conf r,
+ /usr/{bin,sbin}/nscd rmix,
+ /{,var/}run/.nscd_socket wl,
+ /{,var/}run/nscd/ rw,
+ /{,var/}run/nscd/db* rwl,
+ /{,var/}run/nscd/socket wl,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{,var/}run/{nscd/,}nscd.pid rwl,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.status r,
+ /var/log/nscd.log rw,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fd/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.nscd>
+}
diff --git a/usr.sbin.ntpd b/usr.sbin.ntpd
@@ -0,0 +1,77 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+#include <tunables/ntpd>
+profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/xad>
+
+ capability dac_override,
+ capability ipc_lock,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_nice,
+
+ network unspec dgram,
+
+ /drift/ntp.drift rwl,
+ /drift/ntp.drift.TEMP rwl,
+ /etc/ntp.conf r,
+ /etc/ntp/drift* rwl,
+ /etc/ntp.keys r,
+ /etc/ntp/step-tickers r,
+ /etc/ntpd.conf r,
+ /etc/ntpd.conf.tmp r,
+
+ /tmp/ntp* rwl,
+ /{usr/,usr/local/,}{s,}bin/ r,
+ /usr/{bin,sbin}/{,open}ntpd rmix,
+ /var/db/ r,
+ /var/db/ntpd.drift rwl,
+ /var/lib/ntp/drift rwl,
+ /var/lib/ntp/drift.TEMP rwl,
+ /var/lib/ntp/drift/driftfile rw,
+ /var/lib/ntp/drift/driftfile.TEMP rw,
+ /var/lib/ntp/drift/ntp.drift rw,
+ /var/lib/ntp/drift/ntp.drift.TEMP rw,
+ /var/lib/ntp/etc/* r,
+ /var/lib/ntp/ntp.drift rw,
+ /var/lib/ntp/ntp.drift.TEMP rw,
+ /var/lib/ntp/{,var/}run/ntp/ntpd.pid w,
+ /var/log/ntp w,
+ /var/log/ntp.log w,
+ /var/log/ntpstats/clockstats* lrw,
+ /var/log/ntpstats/loopstats* lrw,
+ /var/log/ntpstats/peerstats* lrw,
+ /var/opt/novell/xad/rpc/xadsd rw,
+ /{,var/}run/nscd/services r,
+ /{,var/}run/ntpd.pid w,
+ /{,var/}run/ntp/ntpd.pid w,
+ /{,var/}run/ntpd.sock rwl,
+ /var/tmp/ntp* rwl,
+ @{PROC}/@{pid}/net/if_inet6 r,
+
+ # allow access for when chrooted
+ /var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
+
+ @{NTPD_DEVICE} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.ntpd>
+}
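Review bot: `/tmp/ntp* rwl,` and `/var/tmp/ntp* rwl,` grant read, write and link on predictable names in world-writable directories without the `owner` qualifier, and this profile runs with `capability dac_override`, so a file pre-created by any local user under that glob is opened and written regardless of ownership. Unless ntpd really needs to reuse files created by another uid, change both to `owner /tmp/ntp* rwl,` and `owner /var/tmp/ntp* rwl,`; the `l` permission in particular deserves a comment, since it allows creating hard links at those paths.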
diff --git a/usr.sbin.smbd b/usr.sbin.smbd
@@ -0,0 +1,60 @@
+#include <tunables/global>
+
+profile smbd /usr/{bin,sbin}/smbd {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/cups-client>
+ #include <abstractions/nameservice>
+ #include <abstractions/samba>
+ #include <abstractions/user-tmp>
+ #include <abstractions/wutmp>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/netgroup r,
+ /etc/printcap r,
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/auth/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/gensec/*.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+ /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+ /usr/lib/@{multiarch}/samba/**/ r,
+ /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/{bin,sbin}/smbd mr,
+ /usr/{bin,sbin}/smbldap-useradd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
+ /{,var/}run/dbus/system_bus_socket rw,
+ /{,var/}run/smbd.pid rwk,
+ /{,var/}run/samba/** rk,
+ /{,var/}run/samba/ncalrpc/ rw,
+ /{,var/}run/samba/ncalrpc/** rw,
+ /{,var/}run/samba/smbd.pid rw,
+ /{,var/}run/samba/msg.lock/ rw,
+ /{,var/}run/samba/msg.lock/[0-9]* rwk,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.smbd>
+}
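Review bot: `/etc/samba/* rwk,` gives smbd write access to `smb.conf` itself, so a compromised smbd could rewrite its own configuration (new shares, preexec hooks, a different `passdb backend`) for persistence. The winbindd profile on this page already shows the narrower shape — named `.tdb` files and `smbd.tmp/` with `rwk`, nothing else writable under `/etc/samba` — and smbd should match it: `/etc/samba/smb.conf r,` plus `/etc/samba/*.tdb{,.tmp} rwk,`, extended by whatever `audit` turns up. `capability sys_admin` is also very broad for a file server; a comment naming what it is for (quota or xattr handling, presumably) would help the next reviewer decide whether it can be dropped.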
diff --git a/usr.sbin.smbldap-useradd b/usr.sbin.smbldap-useradd
@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan 3 00:17:40 2012
+#include <tunables/global>
+
+profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+ /dev/tty rw,
+ /{,usr/}bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/{bin,sbin}/smbldap-useradd r,
+ /usr/{bin,sbin}/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.smbldap-useradd>
+
+ profile /etc/init.d/nscd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability sys_ptrace,
+
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
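Review bot: The child profile for `/etc/init.d/nscd` grants `capability sys_ptrace` with no explanation, and the parent grants `/etc/shadow r` to a Perl script that also runs a shell with `ix`; neither line says why. From the surrounding rules I would guess `sys_ptrace` is for `mountpoint`/`systemctl` inspecting other processes' `/proc` entries and `/etc/shadow` for the existing-account checks the script performs, but that is inference — a short comment on each (`# systemctl/mountpoint read /proc/<pid> of other units`, `# reads existing accounts before adding`) would let a reviewer confirm or drop them. The `# Last Modified: Tue Jan 3 00:17:40 2012` aa-logprof stamp is stale and can go.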
diff --git a/usr.sbin.traceroute b/usr.sbin.traceroute
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ deny capability net_admin, # noisy setsockopt() calls
+ capability net_raw,
+
+ network inet raw,
+ network inet6 raw,
+
+ /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
+ @{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.traceroute>
+}
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
@@ -0,0 +1,39 @@
+#include <tunables/global>
+
+profile winbindd /usr/{bin,sbin}/winbindd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/samba>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability ipc_lock,
+ capability setuid,
+
+ /etc/samba/netlogon_creds_cli.tdb rwk,
+ /etc/samba/passdb.tdb{,.tmp} rwk,
+ /etc/samba/secrets.tdb rwk,
+ /etc/samba/smbd.tmp/ rw,
+ /etc/samba/smbd.tmp/msg/ rw,
+ /etc/samba/smbd.tmp/msg/* rwk,
+ @{PROC}/sys/kernel/core_pattern r,
+ /tmp/.winbindd/ w,
+ /tmp/krb5cc_* rwk,
+ /usr/lib*/samba/gensec/krb*.so mr,
+ /usr/lib*/samba/idmap/*.so mr,
+ /usr/lib*/samba/nss_info/*.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/{bin,sbin}/winbindd mr,
+ /var/cache/krb5rcache/* rw,
+ /var/cache/samba/*.tdb rwk,
+ /var/log/samba/log.winbindd rw,
+ /{var/,}run/samba/winbindd.pid rwk,
+ /{var/,}run/samba/winbindd/ rw,
+ /{var/,}run/samba/winbindd/pipe w,
+ /{var/,}run/user/*/krb5cc/* rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.winbindd>
+
+}