
apparmor.d

commit: 4ab737502cffb1b426a36655f669f06ba4cb1c6c
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 21 Oct 2020 13:15:06 +0200

AppArmor 3.0

Diffstat:

Aabi/3.078++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabi/kernel-5.4-outoftree-network76++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabi/kernel-5.4-vanilla68++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/X63+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/apache2-common39+++++++++++++++++++++++++++++++++++++++
Aabstractions/apparmor_api/change_profile13+++++++++++++
Aabstractions/apparmor_api/examine14++++++++++++++
Aabstractions/apparmor_api/find_mountpoint16++++++++++++++++
Aabstractions/apparmor_api/introspect14++++++++++++++
Aabstractions/apparmor_api/is_enabled19+++++++++++++++++++
Aabstractions/aspell18++++++++++++++++++
Aabstractions/audio89+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/authentication56++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/base176+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/bash49+++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/consoles27+++++++++++++++++++++++++++
Aabstractions/cups-client23+++++++++++++++++++++++
Aabstractions/dbus21+++++++++++++++++++++
Aabstractions/dbus-accessibility21+++++++++++++++++++++
Aabstractions/dbus-accessibility-strict22++++++++++++++++++++++
Aabstractions/dbus-network-manager-strict47+++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/dbus-session22++++++++++++++++++++++
Aabstractions/dbus-session-strict33+++++++++++++++++++++++++++++++++
Aabstractions/dbus-strict24++++++++++++++++++++++++
Aabstractions/dconf13+++++++++++++
Aabstractions/dovecot-common24++++++++++++++++++++++++
Aabstractions/dri-common19+++++++++++++++++++
Aabstractions/dri-enumerate13+++++++++++++
Aabstractions/enchant64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/exo-open76++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/fcitx18++++++++++++++++++
Aabstractions/fcitx-strict26++++++++++++++++++++++++++
Aabstractions/fonts66++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/freedesktop.org33+++++++++++++++++++++++++++++++++
Aabstractions/gio-open59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/gnome117+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/gnupg16++++++++++++++++
Aabstractions/gvfs-open47+++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/hosts_access17+++++++++++++++++
Aabstractions/ibus20++++++++++++++++++++
Aabstractions/kde82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/kde-globals-write15+++++++++++++++
Aabstractions/kde-icon-cache-write12++++++++++++
Aabstractions/kde-language-write18++++++++++++++++++
Aabstractions/kde-open5106+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/kerberosclient39+++++++++++++++++++++++++++++++++++++++
Aabstractions/ldapclient29+++++++++++++++++++++++++++++
Aabstractions/libpam-systemd24++++++++++++++++++++++++
Aabstractions/likewise18++++++++++++++++++
Aabstractions/mdns19+++++++++++++++++++
Aabstractions/mesa22++++++++++++++++++++++
Aabstractions/mir22++++++++++++++++++++++
Aabstractions/mozc17+++++++++++++++++
Aabstractions/mysql20++++++++++++++++++++
Aabstractions/nameservice118+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/nis20++++++++++++++++++++
Aabstractions/nss-systemd30++++++++++++++++++++++++++++++
Aabstractions/nvidia33+++++++++++++++++++++++++++++++++
Aabstractions/opencl15+++++++++++++++
Aabstractions/opencl-common16++++++++++++++++
Aabstractions/opencl-intel23+++++++++++++++++++++++
Aabstractions/opencl-mesa26++++++++++++++++++++++++++
Aabstractions/opencl-nvidia36++++++++++++++++++++++++++++++++++++
Aabstractions/opencl-pocl81+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/openssl19+++++++++++++++++++
Aabstractions/orbit210++++++++++
Aabstractions/p11-kit32++++++++++++++++++++++++++++++++
Aabstractions/perl28++++++++++++++++++++++++++++
Aabstractions/php44++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/php-worker22++++++++++++++++++++++
Aabstractions/php58++++++++
Aabstractions/postfix-common44++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/private-files52++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/private-files-strict30++++++++++++++++++++++++++++++
Aabstractions/python42++++++++++++++++++++++++++++++++++++++++++
Aabstractions/qt527+++++++++++++++++++++++++++
Aabstractions/qt5-compose-cache-write13+++++++++++++
Aabstractions/qt5-settings-write16++++++++++++++++
Aabstractions/recent-documents-write15+++++++++++++++
Aabstractions/ruby26++++++++++++++++++++++++++
Aabstractions/samba36++++++++++++++++++++++++++++++++++++
Aabstractions/smbpass18++++++++++++++++++
Aabstractions/ssl_certs49+++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ssl_keys35+++++++++++++++++++++++++++++++++++
Aabstractions/svn-repositories57+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-bittorrent-clients22++++++++++++++++++++++
Aabstractions/ubuntu-browsers40++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/chromium-browser26++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/java118+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/kde9+++++++++
Aabstractions/ubuntu-browsers.d/mailto11+++++++++++
Aabstractions/ubuntu-browsers.d/multimedia51+++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/plugins-common18++++++++++++++++++
Aabstractions/ubuntu-browsers.d/productivity26++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/text-editors16++++++++++++++++
Aabstractions/ubuntu-browsers.d/ubuntu-integration40++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-browsers.d/ubuntu-integration-xul8++++++++
Aabstractions/ubuntu-browsers.d/user-files30++++++++++++++++++++++++++++++
Aabstractions/ubuntu-console-browsers23+++++++++++++++++++++++
Aabstractions/ubuntu-console-email23+++++++++++++++++++++++
Aabstractions/ubuntu-email29+++++++++++++++++++++++++++++
Aabstractions/ubuntu-feed-readers15+++++++++++++++
Aabstractions/ubuntu-gnome-terminal15+++++++++++++++
Aabstractions/ubuntu-helpers85+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-konsole22++++++++++++++++++++++
Aabstractions/ubuntu-media-players65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-unity7-base105+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/ubuntu-unity7-launcher12++++++++++++
Aabstractions/ubuntu-unity7-messaging12++++++++++++
Aabstractions/ubuntu-xterm18++++++++++++++++++
Aabstractions/user-download29+++++++++++++++++++++++++++++
Aabstractions/user-mail28++++++++++++++++++++++++++++
Aabstractions/user-manpages29+++++++++++++++++++++++++++++
Aabstractions/user-tmp25+++++++++++++++++++++++++
Aabstractions/user-write26++++++++++++++++++++++++++
Aabstractions/video11+++++++++++
Aabstractions/vulkan25+++++++++++++++++++++++++
Aabstractions/wayland18++++++++++++++++++
Aabstractions/web-data30++++++++++++++++++++++++++++++
Aabstractions/winbind27+++++++++++++++++++++++++++
Aabstractions/wutmp21+++++++++++++++++++++
Aabstractions/xad30++++++++++++++++++++++++++++++
Aabstractions/xdg-desktop29+++++++++++++++++++++++++++++
Aabstractions/xdg-open86+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aapache2.d/phpsysinfo50++++++++++++++++++++++++++++++++++++++++++++++++++
Abin.ping30++++++++++++++++++++++++++++++
Alocal/README24++++++++++++++++++++++++
Alocal/bin.ping1+
Alocal/lsb_release1+
Alocal/nvidia_modprobe1+
Alocal/php-fpm1+
Alocal/sbin.klogd1+
Alocal/sbin.syslog-ng1+
Alocal/sbin.syslogd1+
Alocal/usr.lib.apache2.mpm-prefork.apache21+
Alocal/usr.lib.dovecot.anvil1+
Alocal/usr.lib.dovecot.auth1+
Alocal/usr.lib.dovecot.config1+
Alocal/usr.lib.dovecot.deliver1+
Alocal/usr.lib.dovecot.dict1+
Alocal/usr.lib.dovecot.dovecot-auth1+
Alocal/usr.lib.dovecot.dovecot-lda1+
Alocal/usr.lib.dovecot.imap1+
Alocal/usr.lib.dovecot.imap-login1+
Alocal/usr.lib.dovecot.lmtp1+
Alocal/usr.lib.dovecot.log1+
Alocal/usr.lib.dovecot.managesieve1+
Alocal/usr.lib.dovecot.managesieve-login1+
Alocal/usr.lib.dovecot.pop31+
Alocal/usr.lib.dovecot.pop3-login1+
Alocal/usr.lib.dovecot.script-login1+
Alocal/usr.lib.dovecot.ssl-params1+
Alocal/usr.lib.dovecot.stats1+
Alocal/usr.sbin.apache21+
Alocal/usr.sbin.avahi-daemon1+
Alocal/usr.sbin.dnsmasq1+
Alocal/usr.sbin.dovecot1+
Alocal/usr.sbin.identd1+
Alocal/usr.sbin.mdnsd1+
Alocal/usr.sbin.nmbd1+
Alocal/usr.sbin.nscd1+
Alocal/usr.sbin.ntpd1+
Alocal/usr.sbin.smbd1+
Alocal/usr.sbin.smbldap-useradd1+
Alocal/usr.sbin.traceroute1+
Alocal/usr.sbin.winbindd1+
Alsb_release52++++++++++++++++++++++++++++++++++++++++++++++++++++
Anvidia_modprobe67+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aphp-fpm60++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asbin.klogd37+++++++++++++++++++++++++++++++++++++
Asbin.syslog-ng69+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asbin.syslogd45+++++++++++++++++++++++++++++++++++++++++++++
Atunables/alias16++++++++++++++++
Atunables/apparmorfs11+++++++++++
Atunables/dovecot20++++++++++++++++++++
Atunables/etc25+++++++++++++++++++++++++
Atunables/global23+++++++++++++++++++++++
Atunables/home25+++++++++++++++++++++++++
Atunables/home.d/site.local13+++++++++++++
Atunables/kernelvars33+++++++++++++++++++++++++++++++++
Atunables/multiarch17+++++++++++++++++
Atunables/multiarch.d/site.local14++++++++++++++
Atunables/ntpd14++++++++++++++
Atunables/proc12++++++++++++
Atunables/run1+
Atunables/securityfs10++++++++++
Atunables/share15+++++++++++++++
Atunables/sys9+++++++++
Atunables/xdg-user-dirs24++++++++++++++++++++++++
Atunables/xdg-user-dirs.d/site.local21+++++++++++++++++++++
Ausr.lib.apache2.mpm-prefork.apache282+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.anvil31+++++++++++++++++++++++++++++++
Ausr.lib.dovecot.auth59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.config34++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.deliver39+++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.dict34++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.dovecot-auth35+++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.dovecot-lda92+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.imap48++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.imap-login37+++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.lmtp41+++++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.log24++++++++++++++++++++++++
Ausr.lib.dovecot.managesieve36++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.managesieve-login38++++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.pop333+++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.pop3-login37+++++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.script-login34++++++++++++++++++++++++++++++++++
Ausr.lib.dovecot.ssl-params28++++++++++++++++++++++++++++
Ausr.lib.dovecot.stats27+++++++++++++++++++++++++++
Ausr.sbin.apache2111+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.avahi-daemon35+++++++++++++++++++++++++++++++++++
Ausr.sbin.dnsmasq136+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.dovecot79+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.identd35+++++++++++++++++++++++++++++++++++
Ausr.sbin.mdnsd38++++++++++++++++++++++++++++++++++++++
Ausr.sbin.nmbd36++++++++++++++++++++++++++++++++++++
Ausr.sbin.nscd45+++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.ntpd79+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.smbd61+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.smbldap-useradd40++++++++++++++++++++++++++++++++++++++++
Ausr.sbin.traceroute32++++++++++++++++++++++++++++++++
Ausr.sbin.winbindd41+++++++++++++++++++++++++++++++++++++++++
222 files changed, 6706 insertions(+), 0 deletions(-)

diff --git a/abi/3.0 b/abi/3.0 
@@ -0,0 +1,78 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +dbus {mask {acquire send receive +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +network {af_unix {yes +} +af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes 
+} +v5 {yes +} +} +} diff --git a/abi/kernel-5.4-outoftree-network b/abi/kernel-5.4-outoftree-network @@ -0,0 +1,76 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +dbus {mask {acquire send receive +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +network {af_unix {yes +} +af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes +} +v5 {yes +} +} +} diff --git a/abi/kernel-5.4-vanilla b/abi/kernel-5.4-vanilla 
@@ -0,0 +1,68 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes +} +v5 {yes +} +} +} diff --git a/abstractions/X b/abstractions/X 
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ include <abstractions/dri-common>
+
+
+ # .ICEauthority files required for X authentication, per user
+ owner @{HOME}/.ICEauthority r,
+
+ # .Xauthority files required for X connections, per user
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.local/share/sddm/.Xauthority r,
+ owner @{run}/gdm{,3}/*/database r,
+ owner @{run}/lightdm/authority/[0-9]* r,
+ owner @{run}/lightdm/*/xauthority r,
+ owner @{run}/user/*/gdm/Xauthority r,
+ owner @{run}/user/*/X11/Xauthority r,
+ owner @{run}/user/*/xauth_* r,
+
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* r,
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+
+ /usr/include/X11/ r,
+ /usr/include/X11/** r,
+
+ # The X tree changes and is large -- grant read access to the whole thing
+ /usr/X11R6/** r,
+ /usr/share/X11/ r,
+ /usr/share/X11/** r,
+ /usr/X11R6/**.so* mr,
+
+ # EGL
+ /usr/lib/@{multiarch}/egl/*.so* mr,
+
+ # Xcompose
+ owner @{HOME}/.XCompose r,
+
+ # mouse themes
+ /etc/X11/cursors/ r,
+ /etc/X11/cursors/** r,
+
+ # Xwayland
+ owner @{run}/user/*/.mutter-Xwaylandauth.* r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/X.d>
diff --git a/abstractions/apache2-common b/abstractions/apache2-common
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+
+# This file contains basic permissions for Apache and every vHost
+
+ abi <abi/3.0>,
+
+ include <abstractions/nameservice>
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+ # Allow apache to send us signals by default
+ signal (receive) peer=apache2,
+ # Allow other hats to signal by default
+ signal peer=apache2//*,
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Apache
+ network inet stream,
+ network inet6 stream,
+ # apache manual, error pages and icons
+ /usr/share/apache2/** r,
+
+ # changehat itself
+ @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+
+ # htaccess files - for what ever it is worth
+ /**/.htaccess r,
+
+ /dev/urandom r,
+
+ # sasl-auth
+ @{run}/saslauthd/mux rw,
+
+ # OCSP stapling
+ @{run}/lock/apache2/stapling-cache* rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/apache2-common.d>
diff --git a/abstractions/apparmor_api/change_profile b/abstractions/apparmor_api/change_profile
@@ -0,0 +1,13 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <abstractions/apparmor_api/introspect>
+
+@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,
diff --git a/abstractions/apparmor_api/examine b/abstractions/apparmor_api/examine
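Review bot: `/**/.htaccess r,` in abstractions/apache2-common grants read of a `.htaccess` file in every directory on the system, not only under the served document roots, so a confined vhost can read per-directory configuration belonging to other sites or users; the comment `# htaccess files - for what ever it is worth` acknowledges it is a catch-all. Since the repo ships `local/usr.sbin.apache2` and the file ends with `include if exists <abstractions/apache2-common.d>`, it would help deployers to note next to the rule that they can narrow it, e.g. `# site-wide catch-all; narrow to your document roots (e.g. /var/www/**/.htaccess) via local/ or apache2-common.d`. The `/var/www` path is a constructed example, not a value this repo defines.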
@@ -0,0 +1,14 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+abi <abi/3.0>,
+
+@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,
diff --git a/abstractions/apparmor_api/find_mountpoint b/abstractions/apparmor_api/find_mountpoint
@@ -0,0 +1,16 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+#permissions needed for aa_find_mountpoint
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{pids}/mounts r,
diff --git a/abstractions/apparmor_api/introspect b/abstractions/apparmor_api/introspect
@@ -0,0 +1,14 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+# Make sure to include at least tunables/proc and tunables/kernelvars
+# when using this abstraction, if not tunables/global.
+
+@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,
diff --git a/abstractions/apparmor_api/is_enabled b/abstractions/apparmor_api/is_enabled
@@ -0,0 +1,19 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+# permissions needed for aa_is_enabled
+
+# Make sure to include tunables/apparmorfs and tunables/global
+# when using this abstraction
+
+include <abstractions/apparmor_api/find_mountpoint>
+@{sys}/module/apparmor/parameters/enabled r,
+
+# TODO: add alternate apparmorfs interface for enabled
diff --git a/abstractions/aspell b/abstractions/aspell
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# aspell permissions
+
+ abi <abi/3.0>,
+
+ # per-user settings and dictionaries
+ owner @{HOME}/.aspell.*.{pws,prepl} rwk,
+
+ # system libraries and dictionaries
+ /usr/lib/aspell/ r,
+ /usr/lib/aspell/* r,
+ /usr/lib/aspell/*.so m,
+ /usr/share/aspell/ r,
+ /usr/share/aspell/* r,
+ /var/lib/aspell/* r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/aspell.d>
diff --git a/abstractions/audio b/abstractions/audio
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+
+/dev/admmidi* rw,
+/dev/adsp* rw,
+/dev/aload* rw,
+/dev/amidi* rw,
+/dev/audio* rw,
+/dev/dmfm* rw,
+/dev/dmmidi* rw,
+/dev/dsp* rw,
+/dev/midi* rw,
+/dev/mixer* rw,
+/dev/mpu401data rw,
+/dev/mpu401stat rw,
+/dev/patmgr* rw,
+/dev/phone* rw,
+/dev/radio* rw,
+/dev/rmidi* rw,
+/dev/sequencer rw,
+/dev/sequencer2 rw,
+/dev/smpte* rw,
+
+/dev/snd/* rw,
+/dev/sound/* rw,
+
+@{PROC}/asound/** rw,
+
+/usr/share/alsa/** r,
+/usr/share/sounds/** r,
+
+owner @{HOME}/.esd_auth r,
+/etc/asound.conf r,
+owner @{HOME}/.asoundrc r,
+/etc/esound/esd.conf r,
+
+# libao
+/etc/libao.conf r,
+owner @{HOME}/.libao r,
+
+# libcanberra
+owner @{HOME}/.cache/event-sound-cache.* rwk,
+
+# pulse
+/etc/pulse/ r,
+/etc/pulse/** r,
+/dev/shm/ r,
+@{run}/shm/ r,
+owner /dev/shm/pulse-shm* rwk,
+owner @{run}/shm/pulse-shm* rwk,
+owner @{HOME}/.pulse-cookie rwk,
+owner @{HOME}/.pulse/ rw,
+owner @{HOME}/.pulse/* rwk,
+owner @{run}/user/*/pulse/ rw,
+owner @{run}/user/*/pulse/{native,pid} rwk,
+owner @{HOME}/.config/pulse/*.conf r,
+owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
+owner @{HOME}/.config/pulse/cookie rwk,
+owner /tmp/pulse-*/ rw,
+owner /tmp/pulse-*/* rw,
+
+# libgnome2
+/etc/sound/ r,
+/etc/sound/** r,
+
+# openal
+/etc/alsa/conf.d/{,*} r,
+/etc/openal/alsoft.conf r,
+owner @{HOME}/.alsoftrc r,
+/usr/{,local/}share/openal/hrtf/{,**} r,
+owner @{HOME}/.local/share/openal/hrtf/{,**} r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/audio.d>
diff --git a/abstractions/authentication b/abstractions/authentication
@@ -0,0 +1,56 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd
+# Copyright (C) 2019 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+
+ # Some services need to perform authentication of users
+ # Such authentication almost certainly needs access to the local users
+ # databases containing passwords, PAM configuration files, PAM libraries
+ @{etc_ro}/nologin r,
+ @{etc_ro}/pam.d/* r,
+ @{etc_ro}/securetty r,
+ @{etc_ro}/security/* r,
+ @{etc_ro}/shadow r,
+ @{etc_ro}/gshadow r,
+ @{etc_ro}/pwdb.conf r,
+
+ /{usr/,}lib{,32,64}/security/pam_filter/* mr,
+ /{usr/,}lib{,32,64}/security/pam_*.so mr,
+ /{usr/,}lib{,32,64}/security/ r,
+ /{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
+ /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
+ /{usr/,}lib/@{multiarch}/security/ r,
+
+ # kerberos
+ include <abstractions/kerberosclient>
+ # SuSE's pwdutils are different:
+ @{etc_ro}/default/passwd r,
+ @{etc_ro}/login.defs r,
+
+ # nis
+ include <abstractions/nis>
+
+ # winbind
+ include <abstractions/winbind>
+
+ # likewise
+ include <abstractions/likewise>
+
+ # smbpass
+ include <abstractions/smbpass>
+
+ # p11-kit (PKCS#11 modules configuration)
+ include <abstractions/p11-kit>
+
+ # Include additions to the abstraction
+ include if exists <abstractions/authentication.d>
diff --git a/abstractions/base b/abstractions/base
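Review bot: `@{etc_ro}/shadow r,` and `@{etc_ro}/gshadow r,` in abstractions/authentication give read access to the password-hash database to every profile that includes this abstraction, while the header comment only says such services "almost certainly" need the local user databases; nothing in the file tells a consumer when the two rules are actually required. A note above them would let profile authors decide, e.g. `# shadow/gshadow: needed only when the service runs as root and pam_unix reads the hashes itself; non-root callers use the unix_chkpwd helper and can deny these in their local override`. The closing `include if exists <abstractions/authentication.d>` is the hook for a site-wide tightening if a deployment wants to mask the two rules for all consumers.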
@@ -0,0 +1,176 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+
+ # (Note that the ldd profile has inlined this file; if you make
+ # modifications here, please consider including them in the ldd
+ # profile as well.)
+
+ # The __canary_death_handler function writes a time-stamped log
+ # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+ # and localisations of date should be available EVERYWHERE, so
+ # StackGuard, FormatGuard, etc., alerts can be properly logged.
+ /dev/log w,
+ /dev/random r,
+ /dev/urandom r,
+ # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+ # time and getrandom()/{,u}random and, when available, runs under an
+ # unprivilged, dedicated user).
+ @{run}/uuidd/request r,
+ @{etc_ro}/locale/** r,
+ @{etc_ro}/locale.alias r,
+ @{etc_ro}/localtime r,
+ /usr/share/locale-bundle/** r,
+ /usr/share/locale-langpack/** r,
+ /usr/share/locale/** r,
+ /usr/share/**/locale/** r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /usr/share/X11/locale/** r,
+ @{run}/systemd/journal/dev-log w,
+ # systemd native journal API (see sd_journal_print(4))
+ @{run}/systemd/journal/socket w,
+ # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+ # be required but applications fail without it. journald doesn't leak
+ # anything when reading so this is ok.
+ @{run}/systemd/journal/stdout rw,
+
+ /usr/lib{,32,64}/locale/** mr,
+ /usr/lib{,32,64}/gconv/*.so mr,
+ /usr/lib{,32,64}/gconv/gconv-modules* mr,
+ /usr/lib/@{multiarch}/gconv/*.so mr,
+ /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
+
+ # used by glibc when binding to ephemeral ports
+ @{etc_ro}/bindresvport.blacklist r,
+
+ # ld.so.cache and ld are used to load shared libraries; they are best
+ # available everywhere
+ @{etc_ro}/ld.so.cache mr,
+ @{etc_ro}/ld.so.conf r,
+ @{etc_ro}/ld.so.conf.d/{,*.conf} r,
+ @{etc_ro}/ld.so.preload r,
+ /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
+
+ # we might as well allow everything to use common libraries
+ /{usr/,}lib{,32,64}/** r,
+ /{usr/,}lib{,32,64}/**.so* mr,
+ /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib/@{multiarch}/**.so* mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
+
+ # FIPS-140-2 versions of some crypto libraries need to access their
+ # associated integrity verification file, or they will abort.
+ /{usr/,}lib{,32,64}/.lib*.so*.hmac r,
+ /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
+
+ # /dev/null is pretty harmless and frequently used
+ /dev/null rw,
+ # as is /dev/zero
+ /dev/zero rw,
+ # recent glibc uses /dev/full in preference to /dev/null for programs
+ # that don't have open fds at exec()
+ /dev/full rw,
+
+ # Sometimes used to determine kernel/user interfaces to use
+ @{PROC}/sys/kernel/version r,
+ # Depending on which glibc routine uses this file, base may not be the
+ # best place -- but many profiles require it, and it is quite harmless.
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ # glibc's sysconf(3) routine to determine free memory, etc
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+ @{PROC}/cpuinfo r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
+
+ # glibc's *printf protections read the maps file
+ @{PROC}/@{pid}/{maps,auxv,status} r,
+
+ # libgcrypt reads some flags from /proc
+ @{PROC}/sys/crypto/* r,
+
+ # some applications will display license information
+ /usr/share/common-licenses/** r,
+
+ # glibc statvfs
+ @{PROC}/filesystems r,
+
+ # glibc malloc (man 5 proc)
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace read ourselves
+ ptrace (read) peer=@{profile_name},
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Checking for PID existence is quite common so add it by default for now
+ signal (receive, send) set=("exists"),
+
+ # Allow us to create and use abstract and anonymous sockets
+ unix peer=(label=@{profile_name}),
+
+ # Allow unconfined processes to us via unix sockets
+ unix (receive) peer=(label=unconfined),
+
+ # Allow us to create abstract and anonymous sockets
+ unix (create),
+
+ # Allow us to getattr, getopt, setop and shutdown on unix sockets
+ unix (getattr, getopt, setopt, shutdown),
+
+ # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
+ # filesystems generally. This does not appreciably decrease security with
+ # Ubuntu profiles because the user is expected to have access to files owned
+ # by him/her. Exceptions to this are explicit in the profiles. While this rule
+ # grants access to those exceptions, the intended privacy is maintained due to
+ # the encrypted contents of the files in this directory. Files in this
+ # directory will also use filename encryption by default, so the files are
+ # further protected. Also, with the use of 'owner', this rule properly
+ # prevents access to the files from processes running under a different uid.
+
+ # encrypted ~/.Private and old-style encrypted $HOME
+ owner @{HOME}/.Private/ r,
+ owner @{HOME}/.Private/** mrixwlk,
+ # new-style encrypted $HOME
+ owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
+ owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/base.d>
diff --git a/abstractions/bash b/abstractions/bash
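Review bot: `owner @{HOME}/.Private/** mrixwlk,` and `owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,` near the end of abstractions/base combine `w` with `ix`, so every profile that includes base may write a file under those directories and then execute it under its own confinement, and nothing in the rules is conditional on ecryptfs being in use. The long comment above justifies this with launchpad bug 359338 and the encryption of the directory contents, but on a host without ecryptfs `~/.Private` is an ordinary directory and the privacy argument does not apply. A one-line note above the rules would make the trade-off visible to people assembling profiles from this repo, e.g. `# NOTE: write+exec for all base consumers; on hosts without ecryptfs consider a deny in abstractions/base.d`, since the `include if exists <abstractions/base.d>` at the end of the file is the site-wide override point.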
@@ -0,0 +1,49 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # user-specific bash files
+ @{HOMEDIRS} r,
+ @{HOME}/.bashrc r,
+ @{HOME}/.profile r,
+ @{HOME}/.bash_profile r,
+ @{HOME}/.bash_history rw,
+
+ # system-wide bash configuration
+ /etc/profile.dos r,
+ /etc/profile r,
+ /etc/profile.d/ r,
+ /etc/profile.d/* r,
+ /etc/bashrc r,
+ /etc/bash.bashrc r,
+ /etc/bash.bashrc.local r,
+ /etc/bash_completion r,
+ /etc/bash_completion.d/ r,
+ /etc/bash_completion.d/* r,
+
+ # bash relies on system-wide readline configuration
+ /etc/inputrc r,
+
+ # bash inspects filesystems at startup
+ /etc/mtab r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/filesystems r,
+
+ # probably readline wants to know terminal capabilities
+ /usr/share/terminfo/** r,
+
+ # run out of /etc/bash.bashrc
+ /etc/DIR_COLORS r,
+ /{usr/,}bin/ls mix,
+ /usr/bin/dircolors mix,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/bash.d>
diff --git a/abstractions/consoles b/abstractions/consoles
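Review bot: The per-user rules at the top of the bash hunk (`@{HOME}/.bashrc r,` through `@{HOME}/.bash_history rw,`) carry no `owner` qualifier, while every other per-user rule in this commit (dbus-session-strict, dconf, enchant, fonts, gnupg) uses one; since @{HOME} matches any home directory, a confined process inheriting this abstraction may read another user's shell start-up files and append to their history where directory permissions allow. Consider `owner @{HOME}/.bash_history rw,` and `owner` on the four read rules unless a profile is known to rely on cross-user access; the `@{HOMEDIRS} r,` directory-listing rule is a separate concern and can stay as is.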
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+
+ # there are three common ways to refer to consoles
+ /dev/console rw,
+ /dev/tty rw,
+ # this next entry is a tad unfortunate; /dev/tty will always be
+ # associated with the controlling terminal by the kernel, but if a
+ # program uses the /dev/pts/ interface, it actually has access to
+ # -all- xterm, sshd, etc, terminals on the system.
+ /dev/pts/[0-9]* rw,
+ /dev/pts/ r,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/consoles.d>
diff --git a/abstractions/cups-client b/abstractions/cups-client
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # discoverable system configuration for non-local cupsd
+ /etc/cups/client.conf r,
+ # client should be able to talk the local cupsd
+ @{run}/cups/cups.sock rw,
+ # client should be able to read user-specified cups configuration
+ owner @{HOME}/.cups/client.conf r,
+ owner @{HOME}/.cups/lpoptions r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/cups-client.d>
diff --git a/abstractions/dbus b/abstractions/dbus
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # This abstraction grants full system bus access. Consider using the
+ # dbus-strict abstraction for fine-grained bus mediation.
+
+ include <abstractions/dbus-strict>
+ dbus bus=system,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus.d>
diff --git a/abstractions/dbus-accessibility b/abstractions/dbus-accessibility
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # This abstraction grants full accessibility bus access. Consider using the
+ # dbus-accessibility-strict abstraction for fine-grained bus mediation.
+
+ include <abstractions/dbus-accessibility-strict>
+ dbus bus=accessibility,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus-accessibility.d>
diff --git a/abstractions/dbus-accessibility-strict b/abstractions/dbus-accessibility-strict
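Review bot: `dbus bus=system,` in the dbus hunk is an access-less rule, so it permits every dbus permission on that bus (send, receive and bind, not only message traffic); the comment above it says "full system bus access", but a reader may not realise that includes claiming well-known names. Suggest spelling it out: `# This abstraction grants full system bus access (send, receive and bind). Consider using the`. The same applies to `dbus bus=accessibility,` in the dbus-accessibility hunk on this line.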
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ dbus send
+ bus=accessibility
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus-accessibility-strict.d>
diff --git a/abstractions/dbus-network-manager-strict b/abstractions/dbus-network-manager-strict
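Review bot: Unlike dbus-strict (`@{run}/dbus/system_bus_socket rw,`) and dbus-session-strict (the `unix … peer=(addr="@/tmp/dbus-*")` and `@{run}/user/[0-9]*/bus` rules), this hunk grants only the org.freedesktop.DBus method calls and no transport for the accessibility bus, so including it on its own presumably does not let a profile reach that bus; the socket would have to be allowed by the including profile. A short comment would prevent surprise, e.g. `# Bus-level mediation only: access to the accessibility bus socket must be granted by the including profile.`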
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member={GetDevices,ListConnections}
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(name=org.freedesktop.NetworkManager),
+
+ include if exists <abstractions/dbus-network-manager-strict.d>
diff --git a/abstractions/dbus-session b/abstractions/dbus-session
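Review bot: This abstraction has no header comment describing its scope, while every other `*-strict` file in the commit at least names the bus and purpose it covers; a reader has to work out from the six rules that only read-style members are allowed. Suggest a leading comment after the `abi` line such as `# Read-only queries of NetworkManager over the system bus: property GetAll on devices and active connections, GetDevices/ListConnections and per-connection GetSettings (no GetSecrets, no activation or edit members).`, and the trailing include could carry the `# Include additions to the abstraction` line the sibling files use.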
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # This abstraction grants full session bus access. Consider using the
+ # dbus-session-strict abstraction for fine-grained bus mediation.
+
+ include <abstractions/dbus-session-strict>
+ /usr/bin/dbus-launch ix,
+ dbus bus=session,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus-session.d>
diff --git a/abstractions/dbus-session-strict b/abstractions/dbus-session-strict
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # unique per-machine identifier
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/tmp/dbus-*"),
+
+ # dbus with systemd and --enable-user-session
+ owner @{run}/user/[0-9]*/bus rw,
+
+ dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus-session-strict.d>
diff --git a/abstractions/dbus-strict b/abstractions/dbus-strict
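Review bot: `/usr/bin/dbus-launch ix,` in the dbus-session hunk is the only executable rule in these dbus abstractions and has no comment; with `ix` the launcher runs under the full rule set of whichever profile includes this file, including the `dbus bus=session,` rule right below it, rather than under a dedicated child profile. A one-line comment would make the intent reviewable, e.g. `# dbus-launch inherits the including profile (ix); confirm a child profile is not preferable.`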
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ @{run}/dbus/system_bus_socket rw,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dbus-strict.d>
diff --git a/abstractions/dconf b/abstractions/dconf
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+# permissions for querying dconf settings; granting write access should
+# be specified in a specific application's profile.
+
+ /etc/dconf/** r,
+ owner @{run}/user/*/dconf/user r,
+ owner @{HOME}/.config/dconf/user r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dconf.d>
diff --git a/abstractions/dovecot-common b/abstractions/dovecot-common
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# used with dovecot/*
+
+ abi <abi/3.0>,
+
+ capability setgid,
+
+ deny capability block_suspend,
+
+ # dovecot's master can send us signals
+ signal receive peer=dovecot,
+
+ owner @{run}/dovecot/config rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dovecot-common.d>
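Review bot: In the dconf hunk the runtime-directory glob `owner @{run}/user/*/dconf/user r,` differs from the `@{run}/user/[0-9]*/bus` form used in dbus-session-strict on the previous line; `[0-9]*` is the tighter match for per-uid directories and keeping one form across the abstractions avoids a reader wondering whether the difference is deliberate. The two-line explanatory comment in the same hunk also sits at column 0 while the rules and trailing include are indented (dri-common and dri-enumerate do the same), which is cosmetic but worth normalising if the repository reformats these upstream copies.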
diff --git a/abstractions/dri-common b/abstractions/dri-common
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+# This file contains common DRI-specific rules useful for GUI applications
+# (needed by libdrm and similar).
+
+ /usr/lib{,32,64}/dri/** mr,
+ /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/fglrx/dri/** mr,
+ /dev/dri/ r,
+ /dev/dri/** rw,
+ /etc/drirc r,
+ /usr/share/drirc.d/{,*.conf} r,
+ owner @{HOME}/.drirc r,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dri-common.d>
diff --git a/abstractions/dri-enumerate b/abstractions/dri-enumerate
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+# This file contains common DRI-specific rules useful for GUI applications that
+# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
+# libdrm).
+
+ @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/dri-enumerate.d>
diff --git a/abstractions/enchant b/abstractions/enchant
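Review bot: `/dev/dri/** rw,` in the dri-common hunk matches every node under /dev/dri, so the primary `card*` nodes are writable by any profile that includes this abstraction, not only the `renderD*` nodes; the header comment ("common DRI-specific rules useful for GUI applications") does not say so. Suggest `# rw on all DRM nodes, primary card* as well as renderD*` above the rule; whether callers need the primary nodes or a `renderD*`-only rule would suffice is for the author to confirm.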
@@ -0,0 +1,64 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # abstraction for Enchant spellchecking frontend + + /usr/share/enchant/ r, + /usr/share/enchant/enchant.ordering r, + + /usr/share/enchant-2/ r, + /usr/share/enchant-2/enchant.ordering r, + + # aspell + include <abstractions/aspell> + /var/lib/dictionaries-common/aspell/ r, + /var/lib/dictionaries-common/aspell/* r, + + # hspell + /usr/share/hspell/ r, + /usr/share/hspell/*.wgz.* r, + + # hunspell + /usr/share/hunspell/ r, + /usr/share/hunspell/* r, + + # ispell + /usr/lib/ispell/ r, + /usr/lib/ispell/*.hash r, + /usr/share/dict/ r, + /usr/share/dict/* r, + /var/lib/dictionaries-common/ r, + /var/lib/dictionaries-common/{ispell,wordlist}/ r, + /var/lib/dictionaries-common/{ispell,wordlist}/* r, + + # myspell + /usr/share/myspell/ r, + /usr/share/myspell/** r, + + # voikko + /usr/lib/voikko/ r, + /usr/lib/voikko/2/ r, + /usr/lib/voikko/2/mor-standard/ r, + /usr/lib/voikko/2/mor-standard/voikko* r, + + # zemberek + /usr/share/java/ r, + /usr/share/java/zemberek-[0-9]*.jar r, + /usr/share/java/zemberek-tr-[0-9]*.jar r, + + # per-user dictionaries + owner @{HOME}/.config/enchant/ rw, + owner @{HOME}/.config/enchant/* rwk, + + # Include additions to the abstraction + include if exists <abstractions/enchant.d> diff --git a/abstractions/exo-open b/abstractions/exo-open 
@@ -0,0 +1,76 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via exo-open helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/exo-open directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/exo-open rPx -> foo//exo-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//exo-open { +# include <abstractions/exo-open> +# +# # needed for ubuntu-* abstractions +# include <abstractions/ubuntu-helpers> +# +# # Only allow to handle http[s]: and mailto: links +# include <abstractions/ubuntu-browsers> +# include <abstractions/ubuntu-email> +# +# # Add if accesibility access is considered as required +# # (for message boxe in case exo-open fails) +# include <abstractions/dbus-accessibility> +# +# # < add additional allowed applications here > +# } + + include <abstractions/X> + include <abstractions/audio> # for alert messages + include <abstractions/base> + include <abstractions/dbus-session-strict> + include <abstractions/gnome> + + # Main executables + + /usr/bin/exo-open rix, + /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, + + # Other executables + + /{,usr/}bin/which rix, + + # Deny DBus + + # for GTK error message dialog, not required exo-open to work. + deny dbus send + bus=session + path=/org/gtk/vfs/mounttracker, + + # System files + + /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, + /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction? 
+ /usr/share/sounds/freedesktop/** r, # for message box alert sound + /usr/share/xfce4/helpers/*.desktop r, + /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r, + + # User files + + owner @{PROC}/@{pid}/fd/ r, + owner @{HOME}/.config/xfce4/helpers.rc r, + owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, + + # Include additions to the abstraction + include if exists <abstractions/exo-open.d> diff --git a/abstractions/fcitx b/abstractions/fcitx @@ -0,0 +1,18 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + include <abstractions/fcitx-strict> + dbus bus=fcitx, + + # Include additions to the abstraction + include if exists <abstractions/fcitx.d> diff --git a/abstractions/fcitx-strict b/abstractions/fcitx-strict @@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + include <abstractions/dbus-session-strict> + + dbus send + bus=fcitx + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus), + + owner @{HOME}/.config/fcitx/dbus/* r, + + # Include additions to the abstraction + include if exists <abstractions/fcitx-strict.d> diff --git a/abstractions/fonts b/abstractions/fonts 
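Review bot: `/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,` in the exo-open hunk has no empty alternative in its brace group, so the plain `/usr/lib/xfce4/exo-…` layout used by distributions without multiarch is presumably not matched; `/usr/lib{,32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,` would cover it if that is intended. The usage example in the header opens a triple-backtick fence but never closes it, which gio-open and kde-open5 repeat while gvfs-open closes its fence, and the example comment has the typos "accesibility" and "message boxe" (also present in kde-open5). The exo-open hunk begins on the previous line; fcitx and fcitx-strict follow on this one.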
@@ -0,0 +1,66 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + /usr/share/AbiSuite/fonts/** r, + + /usr/lib/xorg/modules/fonts/**.so* mr, + + /usr/share/fonts/{,**} r, + /usr/share/fonts-*/{,**} r, + + /etc/fonts/** r, + # Debian, openSUSE paths are different + /usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r, + /usr/share/ghostscript/fonts/{,**} r, + + /opt/kde3/share/fonts/** r, + + /usr/lib{,32,64}/openoffice/share/fonts/** r, + + /var/cache/fonts/** r, + /var/cache/fontconfig/** mr, + /var/lib/defoma/** mr, + + /usr/share/a2ps/fonts/** r, + /usr/share/xfce/fonts/** r, + /usr/share/ghostscript/fonts/** r, + /usr/share/javascript/*/fonts/** r, + /usr/share/texmf/{,*/}fonts/** r, + /usr/share/texlive/texmf-dist/fonts/** r, + /var/lib/ghostscript/** r, + + owner @{HOME}/.fonts.conf r, + owner @{HOME}/.fonts/ r, + owner @{HOME}/.fonts/** r, + owner @{HOME}/.local/share/fonts/ r, + owner @{HOME}/.local/share/fonts/** r, + owner @{HOME}/.fonts.cache-2 mr, + owner @{HOME}/.{,cache/}fontconfig/ rw, + owner @{HOME}/.{,cache/}fontconfig/** mrl, + owner @{HOME}/.fonts.conf.d/ r, + owner @{HOME}/.fonts.conf.d/** r, + owner @{HOME}/.config/fontconfig/ r, + owner @{HOME}/.config/fontconfig/** r, + + /usr/local/share/fonts/ r, + /usr/local/share/fonts/** r, + + # poppler CMap tables + /usr/share/poppler/cMap/** r, + + # data files for LibThai + /usr/share/libthai/thbrk.tri r, + + # Include additions to the abstraction + include if exists <abstractions/fonts.d> diff --git a/abstractions/freedesktop.org b/abstractions/freedesktop.org 
@@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # system configuration + @{system_share_dirs}/applications/{**,} r, + @{system_share_dirs}/icons/{**,} r, + @{system_share_dirs}/pixmaps/{**,} r, + + # this should probably go elsewhere + @{system_share_dirs}/mime/** r, + + # per-user configurations + owner @{HOME}/.icons/ r, + owner @{HOME}/.recently-used.xbel* rw, + owner @{HOME}/.local/share/recently-used.xbel* rw, + owner @{HOME}/.config/user-dirs.dirs r, + owner @{HOME}/.config/mimeapps.list r, + owner @{user_share_dirs}/applications/{**,} r, + owner @{user_share_dirs}/icons/{**,} r, + owner @{user_share_dirs}/mime/{**,} r, + + # Include additions to the abstraction + include if exists <abstractions/freedesktop.org.d> diff --git a/abstractions/gio-open b/abstractions/gio-open 
@@ -0,0 +1,59 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via gio helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/gio directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/gio rPx -> foo//gio-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//gio-open { +# include <abstractions/gio-open> +# +# # needed for ubuntu-* abstractions +# include <abstractions/ubuntu-helpers> +# +# # Only allow to handle http[s]: and mailto: links +# include <abstractions/ubuntu-browsers> +# include <abstractions/ubuntu-email> +# +# # < add additional allowed applications here > +# } + + include <abstractions/base> + include <abstractions/dbus-session-strict> + + # Main executables + + /usr/bin/gio rix, + /usr/bin/gio-launch-desktop ix, # for OpenSUSE + /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, + + # System files + + /etc/gnome/defaults.list r, + /usr/share/mime/* r, + /usr/share/{,*/}applications/{,**} r, + /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, + /var/lib/snapd/desktop/applications/{,**} r, + + # User files + + owner @{HOME}/.config/mimeapps.list r, + owner @{HOME}/.local/share/applications/{,*.desktop} r, + owner @{PROC}/@{pid}/fd/ r, + + # Include additions to the abstraction + include if exists <abstractions/gio-open.d> diff --git a/abstractions/gnome b/abstractions/gnome 
@@ -0,0 +1,117 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + include <abstractions/base> + include <abstractions/fonts> + include <abstractions/X> + include <abstractions/freedesktop.org> + include <abstractions/xdg-desktop> + include <abstractions/user-tmp> + include <abstractions/wayland> + + # systemwide gtk defaults + /etc/gnome/gtkrc* r, + /etc/gtk/* r, + /usr/lib{,32,64}/gtk/** mr, + /usr/lib/@{multiarch}/gtk/** mr, + /usr/lib{,32,64}/gtk-[0-9]*/** mr, + /usr/lib/@{multiarch}/gtk-[0-9]*/** mr, + /usr/share/themes/ r, + /usr/share/themes/** r, + /usr/share/gtk-3.0/settings.ini r, + + # for gnome 1 applications + /etc/orbitrc r, + + # gtk-2 needed some new rights + /etc/fonts/* r, + /etc/gtk-*/* r, + /etc/pango/* r, + /usr/lib{,32,64}/pango/** mr, + /usr/lib{,32,64}/gtk-*/** mr, + /usr/lib{,32,64}/gdk-pixbuf-*/** mr, + /usr/lib/@{multiarch}/pango/** mr, + /usr/lib/@{multiarch}/gtk-*/** mr, + /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr, + + # per-user gtk configuration + owner @{HOME}/.config/gtk-3.0/ w, + owner @{HOME}/.config/gtk-3.0/* r, + owner @{HOME}/.gnome/Gnome r, + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + owner @{HOME}/.themes/ r, + owner @{HOME}/.themes/** r, + owner @{user_share_dirs}/themes/ r, + owner @{user_share_dirs}/themes/** r, + + # for gtk file dialog + owner @{HOME}/.config/gtk-2.0/ w, + owner @{HOME}/.config/gtk-2.0/** r, + owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw, + + # from evolution-mail + owner @{HOME}/.gconfd/lock/* r, + owner 
@{HOME}/.gnome/application-info r, + + # per-user font business + owner @{HOME}/.fonts.cache-* rwl, + + # GtkComposeTable + owner @{HOME}/.cache/gtk-3.0/** r, + + # icon caches + /var/cache/**/icon-theme.cache r, + /usr/share/**/icon-theme.cache r, + + # GLib schemas + /usr/{local/,}share/glib-[0-9]*/schemas/ r, + /usr/{local/,}share/glib-[0-9]*/schemas/** r, + + # gnome VFS modules + /etc/gnome-vfs-2.0/modules/ r, + /etc/gnome-vfs-2.0/modules/* r, + /usr/lib/gnome-vfs-2.0/modules/*.so mr, + /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr, + + # gvfs + /usr/share/gvfs/remote-volume-monitors/ r, + /usr/share/gvfs/remote-volume-monitors/* r, + @{PROC}/@{pid}/mounts r, + @{run}/mount/utab r, + + # printing + /etc/papersize r, + /etc/cups/lpoptions r, + /usr/share/cups/charmaps/** r, + + # holds MIT-MAGIC-COOKIE for gnome + owner @{run}/gdm/auth*/database r, + + # mime-types + /etc/gnome/defaults.list r, + /etc/xdg/{,*-}mimeapps.list r, + /usr/share/gnome/applications/ r, + /usr/share/gnome/applications/mimeinfo.cache r, + + # Allow connecting to the GNOME vfs socket (still need corresponding DBus + # rules) + unix (send, receive, connect) + type=stream + peer=(addr="@/dbus-vfs-daemon/socket-*"), + + # Include additions to the abstraction + include if exists <abstractions/gnome.d> diff --git a/abstractions/gnupg b/abstractions/gnupg @@ -0,0 +1,16 @@ +# vim:syntax=apparmor +# gnupg sub-process running permissions + + abi <abi/3.0>, + + # user configurations + owner @{HOME}/.gnupg/options r, + owner @{HOME}/.gnupg/pubring.gpg r, + owner @{HOME}/.gnupg/pubring.kbx r, + owner @{HOME}/.gnupg/random_seed rw, + owner @{HOME}/.gnupg/secring.gpg r, + owner @{HOME}/.gnupg/so/*.x86_64 mr, + owner @{HOME}/.gnupg/trustdb.gpg rw, + + # Include additions to the abstraction + include if exists <abstractions/gnupg.d> diff --git a/abstractions/gvfs-open b/abstractions/gvfs-open 
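Review bot: `owner @{HOME}/.gnupg/secring.gpg r,` in the gnupg hunk grants read access to the GnuPG 1.x secret keyring, so every profile that includes this abstraction can read private key material, and the header ("gnupg sub-process running permissions") does not call that out. A comment such as `# secring.gpg holds secret keys (GnuPG 1.x): include this abstraction only in profiles that must run gpg themselves` would make the trade-off visible at the include site. Separately, `owner @{HOME}/.gnupg/so/*.x86_64 mr,` hard-codes one architecture where the other hunks use `@{multiarch}` or `lib{,32,64}` globs for arch-dependent paths.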
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gvfs-open {
+# include <abstractions/gvfs-open>
+#
+# # needed for ubuntu-* abstractions
+# include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# include <abstractions/ubuntu-browsers>
+# include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ include <abstractions/base>
+
+ # gvfs-open is deprecated, it launches gio open <uri>
+ include <abstractions/gio-open>
+
+ # Main executables
+
+ /usr/bin/gvfs-open r,
+ /{,usr/}bin/dash mr,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/gvfs-open.d>
diff --git a/abstractions/hosts_access b/abstractions/hosts_access
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+
+ include if exists <abstractions/hosts_access.d>
diff --git a/abstractions/ibus b/abstractions/ibus
@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # abstraction for ibus input methods
+ owner @{HOME}/.config/ibus/ r,
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ibus.d>
diff --git a/abstractions/kde b/abstractions/kde
@@ -0,0 +1,82 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi <abi/3.0>, + +include <abstractions/base> +include <abstractions/fonts> +include <abstractions/X> +include <abstractions/freedesktop.org> +include <abstractions/xdg-desktop> +include <abstractions/user-tmp> +include <abstractions/qt5> + +/etc/qt3/kstylerc r, +/etc/qt3/qt_plugins_3.3rc r, +/etc/qt3/qtrc r, +/etc/kderc r, +/etc/kde3/* r, +/etc/kde4rc r, +/etc/xdg/kdeglobals r, +/etc/xdg/Trolltech.conf r, +/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent() +/usr/share/kubuntu-default-settings/kf5-settings/* r, + +owner @{HOME}/.DCOPserver_* r, +owner @{HOME}/.ICEauthority r, +owner @{HOME}/.fonts.* lrw, +owner @{HOME}/.kde{,4}/share/config/kdeglobals rw, +owner @{HOME}/.kde{,4}/share/config/*.lock rwl, +owner @{HOME}/.qt/** rw, +owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache +owner @{HOME}/.config/Trolltech.conf rwk, +owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget +owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget +owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent() +owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc. 
+owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so +owner @{HOME}/.config/trashrc r, # Used by KFileWidget + +/usr/share/X11/XKeysymDB r, + +# kde3 +/usr/lib*/kde3/plugins/styles/ r, +/usr/lib*/kde3/plugins/styles/* mr, +/usr/lib*/kde3/lib*so* mr, +/usr/lib/@{multiarch}/kde3/plugins/styles/ r, +/usr/lib/@{multiarch}/kde3/plugins/styles/* mr, +/usr/lib/@{multiarch}/kde3/lib*so* mr, +/usr/lib*/qt3/lib*/lib*so* mr, +/usr/lib*/qt3/plugins/** mr, +/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr, +/usr/lib/@{multiarch}/qt3/plugins/** mr, +/usr/lib*/libqt-mt*so* mr, +/usr/lib*/libqui*so* mr, +/usr/lib/@{multiarch}/libqt-mt*so* mr, +/usr/lib/@{multiarch}/libqui*so* mr, +/usr/share/qt3/lib*/libqt-mt*so* mr, +/usr/share/qt3/lib*/libqui*so* mr, + +# kde4 +/usr/lib*/kde4/plugins/*/*.so mr, +/usr/lib*/kde4/plugins/*/ r, +/usr/lib*/kde4/lib*so* mr, +/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr, +/usr/lib/@{multiarch}/kde4/plugins/*/ r, +/usr/lib/@{multiarch}/kde4/lib*so* mr, +/usr/lib*/qt4/lib*/lib*so* mr, +/usr/lib*/qt4/plugins/** mr, +/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, +/usr/lib/@{multiarch}/qt4/plugins/** mr, +/usr/share/qt4/** r, + + # Include additions to the abstraction + include if exists <abstractions/kde.d> diff --git a/abstractions/kde-globals-write b/abstractions/kde-globals-write @@ -0,0 +1,15 @@ +# vim:syntax=apparmor +# Rules for changing KDE settings (for KFileDialog and other). + + abi <abi/3.0>, + + # User files + + owner @{HOME}/.config/#[0-9]* rw, + owner @{HOME}/.config/kdeglobals rw, + owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*, + owner @{HOME}/.config/kdeglobals.lock rwk, + + + # Include additions to the abstraction + include if exists <abstractions/kde-globals-write.d> diff --git a/abstractions/kde-icon-cache-write b/abstractions/kde-icon-cache-write 
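Review bot: The kde hunk writes its `abi`, `include` and path rules at column 0 while its last two lines (`# Include additions to the abstraction` and `include if exists <abstractions/kde.d>`) are indented, and every other abstraction in this commit indents the whole rule body; the mixed indentation reads as a merge artefact rather than intent. Either indent the body like the siblings or drop the indent on the trailing include so the file is consistent with itself. The kde hunk begins on the previous line; kde-globals-write follows on this one.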
@@ -0,0 +1,12 @@ +# vim:syntax=apparmor +# Rules for writing KDE icon cache + + abi <abi/3.0>, + + # User files + + owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader + + + # Include additions to the abstraction + include if exists <abstractions/kde-icon-cache-write.d> diff --git a/abstractions/kde-language-write b/abstractions/kde-language-write @@ -0,0 +1,18 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# Rules for changing per-application language settings on KDE. Some KDE +# applications have "Help -> Switch Application Language..." option, that needs +# write access to language settings file. + + # User files + + owner @{HOME}/.config/#[0-9]* rw, + owner @{HOME}/.config/klanguageoverridesrc rw, + owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*, + owner @{HOME}/.config/klanguageoverridesrc.lock rwk, + + + # Include additions to the abstraction + include if exists <abstractions/kde-language-write.d> diff --git a/abstractions/kde-open5 b/abstractions/kde-open5 
@@ -0,0 +1,106 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via kde-open5 helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/kde-open5 directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/kde-open5 rPx -> foo//kde-open5, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//kde-open5 { +# include <abstractions/kde-open5> +# +# # needed for ubuntu-* abstractions +# include <abstractions/ubuntu-helpers> +# +# # Only allow to handle http[s]: and mailto: links +# include <abstractions/ubuntu-browsers> +# include <abstractions/ubuntu-email> +# +# # Add if accesibility access is considered as required +# # (for message boxe in case exo-open fails) +# include <abstractions/dbus-accessibility> +# +# # Add if audio support for message box is +# # considered as required. 
+# include if exists <abstractions/gstreamer> +# +# # < add additional allowed applications here > +# } +# ``` + + include <abstractions/audio> # for alert messages + include <abstractions/base> + include <abstractions/dbus-accessibility-strict> + include <abstractions/dbus-network-manager-strict> + include <abstractions/dbus-session-strict> + include <abstractions/dbus-strict> + include <abstractions/kde-icon-cache-write> + include <abstractions/kde> + include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so) + include <abstractions/openssl> + include <abstractions/qt5> + include <abstractions/recent-documents-write> + include <abstractions/X> + + # Main executables + + /usr/bin/kde-open5 rix, + /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix, + + # DBus + + dbus + bus=session + interface=org.kde.KLauncher + member=start_service_by_desktop_path + peer=(name=org.kde.klauncher5), + + # Denied system files + + deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109 + + # libpcre2 on openSUSE tries to mmap() shared memory on directory. + # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html + # AppArmor does not allow to distinguish "real" file vs shared memory one, + # so we deny this path to protect from loading exploits from /tmp. 
+ deny /tmp/#[0-9]*[0-9] m, + + # System files + + /dev/tty r, + /etc/xdg/accept-languages.codes r, + /etc/xdg/menus/{,*/} r, + /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box + /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box + /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE + /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so + /usr/share/mime/ r, + /usr/share/mime/generic-icons r, + /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? + /usr/share/sounds/ r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + + # User files + + owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so + owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 + owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) + owner @{HOME}/.cache/kio_http/ rw, + + # Include additions to the abstraction + include if exists <abstractions/kde-open5.d> diff --git a/abstractions/kerberosclient b/abstractions/kerberosclient 
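Review bot: The link rule `owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*,` uses `[0-9]` (one digit) in the link target but `[0-9]*` in the link name, so for any uid above 9 the target never matches and the rule silently degrades to plain `rw`; the target should read `@{run}/user/[0-9]*/#[0-9]*`. The `dbus ... member=start_service_by_desktop_path peer=(name=org.kde.klauncher5)` rule also deserves a comment: if klauncher5 itself runs unconfined, a service it starts on this child's behalf does not inherit this profile, so the header's promise to "limit what confined application can invoke" holds for direct execs only, not for launches brokered over the bus (klauncher's confinement is not visible here, so treat this as something to confirm). That rule has no `send` qualifier either, so it permits both directions where only sending appears to be needed.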
@@ -0,0 +1,39 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # files required by kerberos client programs
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
+ /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
+
+ /usr/lib{,32,64}/krb5/plugins/preauth/ r,
+ /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+
+ /etc/krb5.keytab rk,
+ /etc/krb5.conf r,
+ /etc/krb5.conf.d/ r,
+ /etc/krb5.conf.d/* r,
+
+ # config files found via strings on libs
+ /etc/krb.conf r,
+ /etc/krb.realms r,
+ /etc/srvtab r,
+
+ # credential caches
+ /tmp/krb5cc* r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/kerberosclient.d>
diff --git a/abstractions/ldapclient b/abstractions/ldapclient
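Review bot: `/etc/krb5.keytab rk,` and `/tmp/krb5cc* r,` are granted without `owner` in an abstraction that nameservice pulls into nearly every profile (`include <abstractions/kerberosclient>` appears in nameservice in this same commit), so any root-running confined service that merely resolves names is policy-permitted to read the host's long-term keys and every user's ticket cache, with DAC as the only remaining barrier. Consider `owner /tmp/krb5cc* r,` for the caches, and a comment on the keytab line such as `# host keytab: root-only by DAC; consider granting this in the profiles that actually need it` so the width of the grant is visible to profile authors.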
@@ -0,0 +1,29 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2011 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # files required by LDAP clients (e.g. nss_ldap/pam_ldap) + /etc/ldap.conf r, + /etc/ldap.secret r, + /etc/openldap/* r, + /etc/openldap/cacerts/* r, + + # SASL plugins and config + /etc/sasl2/* r, + /usr/lib{,32,64}/sasl2/* r, + + # local LDAP name service daemon + @{run}/nslcd/socket rw, + + include <abstractions/ssl_certs> + + # Include additions to the abstraction + include if exists <abstractions/ldapclient.d> diff --git a/abstractions/libpam-systemd b/abstractions/libpam-systemd @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015-2016 Simon Deziel +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + +include <abstractions/dbus-strict> + + # libpam-systemd notifies systemd-logind about session logins/logouts + dbus send + bus=system + path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession}, + + # Include additions to the abstraction + include if exists <abstractions/libpam-systemd.d> diff --git a/abstractions/likewise b/abstractions/likewise 
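Review bot: `/usr/lib{,32,64}/sasl2/* r,` grants only `r` on the SASL plugin directory, while postfix-common in this same commit grants `mr` on the same path plus `/usr/lib/@{multiarch}/sasl2/*`; these are dlopen'ed modules, so without `m` they cannot be mapped, and without the multiarch variant Debian/Ubuntu layouts get no rule at all. Suggested: `/usr/lib{,32,64}/sasl2/* mr,` and `/usr/lib/@{multiarch}/sasl2/* mr,`. Also note that `/etc/ldap.secret r,` (the nss_ldap/pam_ldap bind password) is inherited by every consumer of nameservice; a comment such as `# bind password for nss_ldap/pam_ldap; root-only by DAC` would at least make that grant deliberate.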
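Review bot: The `dbus send` rule for `CreateSession`/`ReleaseSession` qualifies path, interface and member but no `peer=(name=...)`, so the message may be addressed to any bus name that exports that object path; the nameservice abstraction in this same commit pins its systemd1 call with `peer=(name="org.freedesktop.systemd1")`. Add `peer=(name=org.freedesktop.login1),` after the `member=` line for a tighter and consistent rule.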
@@ -0,0 +1,18 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + /tmp/.lwidentity/pipe rw, + /var/lib/likewise-open/lwidentity_privileged/pipe rw, + + # Include additions to the abstraction + include if exists <abstractions/likewise.d> diff --git a/abstractions/mdns b/abstractions/mdns @@ -0,0 +1,19 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # mdnsd + /etc/mdns.allow r, + /etc/nss_mdns.conf r, + @{run}/mdnsd w, + + # Include additions to the abstraction + include if exists <abstractions/mdns.d> diff --git a/abstractions/mesa b/abstractions/mesa @@ -0,0 +1,22 @@ +# vim:syntax=apparmor +# Rules for Mesa implementation of the OpenGL API + + abi <abi/3.0>, + + # System files + /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() + + # Needed to check if the kernel supports the i915 perf interface + # (src/intel/perf/gen_perf.c, load_oa_metrics()) + @{PROC}/sys/dev/i915/perf_stream_paranoid r, + + # User files + owner @{HOME}/.cache/ w, # if user clears all caches + owner @{HOME}/.cache/mesa_shader_cache/ w, + owner @{HOME}/.cache/mesa_shader_cache/index rw, + owner @{HOME}/.cache/mesa_shader_cache/??/ w, + owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, + + + # Include additions to the abstraction + include if exists <abstractions/mesa.d> 
diff --git a/abstractions/mir b/abstractions/mir @@ -0,0 +1,22 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2015 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # mir libraries sometimes do not have a lib prefix + # see LP: #1422521 + /usr/lib/@{multiarch}/mir/*.so* mr, + /usr/lib/@{multiarch}/mir/**/*.so* mr, + + # unprivileged mir socket for clients + + # Include additions to the abstraction + include if exists <abstractions/mir.d> diff --git a/abstractions/mozc b/abstractions/mozc @@ -0,0 +1,17 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), + + # Include additions to the abstraction + include if exists <abstractions/mozc.d> diff --git a/abstractions/mysql b/abstractions/mysql 
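Review bot: The comment `# unprivileged mir socket for clients` is followed by no rule, so either the socket rule was dropped or the comment is stale; as written a reader will assume the client socket is covered by this abstraction when it is not. Either add the intended rule beneath it or replace the comment with `# NOTE: no socket rule here; profiles for Mir clients must grant the client socket themselves` so the gap is explicit.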
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /var/lib/mysql{,d}/mysql{,d}.sock rw,
+ @{run}/mysql{,d}/mysql{,d}.sock rw,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
+ /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/mysql.d>
diff --git a/abstractions/nameservice b/abstractions/nameservice
@@ -0,0 +1,118 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # Many programs wish to perform nameservice-like operations, such as + # looking up users by name or id, groups by name or id, hosts by name + # or IP, etc. These operations may be performed through files, dns, + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. + @{etc_ro}/group r, + @{etc_ro}/host.conf r, + @{etc_ro}/hosts r, + @{etc_ro}/nsswitch.conf r, + @{etc_ro}/gai.conf r, + @{etc_ro}/passwd r, + @{etc_ro}/protocols r, + + # libtirpc (used for NIS/YP login) needs this + @{etc_ro}/netconfig r, + + # When using libnss-extrausers, the passwd and group files are merged from + # an alternate path + /var/lib/extrausers/group r, + /var/lib/extrausers/passwd r, + + # When using sssd, the passwd and group files are stored in an alternate path + # and the nss plugin also needs to talk to a pipe + /var/lib/sss/mc/group r, + /var/lib/sss/mc/initgroups r, + /var/lib/sss/mc/passwd r, + /var/lib/sss/pipes/nss rw, + + @{etc_ro}/resolv.conf r, + # On systems where /etc/resolv.conf is managed programmatically, it is + # a symlink to @{run}/(whatever program is managing it)/resolv.conf. + @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, + @{etc_ro}/resolvconf/run/resolv.conf r, + @{run}/systemd/resolve/stub-resolv.conf r, + + @{etc_ro}/samba/lmhosts r, + @{etc_ro}/services r, + # db backend + /var/lib/misc/*.db r, + # The Name Service Cache Daemon can cache lookups, sometimes leading + # to vast speed increases when working with network-based lookups. 
+ @{run}/.nscd_socket rw, + @{run}/nscd/socket rw, + /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, + # nscd renames and unlinks files in it's operation that clients will + # have open + @{run}/nscd/db* rmix, + + # The nss libraries are sometimes used in addition to PAM; make sure + # they are available + /{usr/,}lib{,32,64}/libnss_*.so* mr, + /{usr/,}lib/@{multiarch}/libnss_*.so* mr, + @{etc_ro}/default/nss r, + + # avahi-daemon is used for mdns4 resolution + @{run}/avahi-daemon/socket rw, + + # libnl-3-200 via libnss-gw-name + @{PROC}/@{pid}/net/psched r, + @{etc_ro}/libnl-*/classid r, + + # nis + include <abstractions/nis> + + # ldap + include <abstractions/ldapclient> + + # winbind + include <abstractions/winbind> + + # likewise + include <abstractions/likewise> + + # mdnsd + include <abstractions/mdns> + + # kerberos + include <abstractions/kerberosclient> + + #libnss-systemd + include <abstractions/nss-systemd> + + # Also allow lookups for systemd-exec's DynamicUsers via D-Bus + # https://www.freedesktop.org/software/systemd/man/systemd.exec.html + dbus send + bus=system + path="/org/freedesktop/systemd1" + interface="org.freedesktop.systemd1.Manager" + member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" + peer=(name="org.freedesktop.systemd1"), + + # TCP/UDP network access + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + + # TODO: adjust when support finer-grained netlink rules + # Netlink raw needed for nscd + network netlink raw, + + # interface details + @{PROC}/@{pid}/net/route r, + + # Include additions to the abstraction + include if exists <abstractions/nameservice.d> diff --git a/abstractions/nis b/abstractions/nis 
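Review bot: `@{run}/nscd/db* rmix,` grants inherit-exec (`ix`) on nscd's database files, which clients only open and mmap; `rm` is sufficient, and `x` does not belong on a path that another process writes. The `# nscd renames and unlinks files ...` comment explains `m` but not `x`, so change the rule to `@{run}/nscd/db* rm,` or document why exec is required. A header comment is also warranted: because this file includes nis, ldapclient and kerberosclient, every consumer inherits `capability net_bind_service`, `/etc/ldap.secret r` and `/etc/krb5.keytab rk` from those abstractions, in addition to the unrestricted `network inet/inet6 stream/dgram` granted here, and profile authors should see that breadth when they add the single include.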
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # NIS rules
+ /var/yp/binding/* r,
+ # portmapper may ask root processes to do nis/ldap at low ports
+ capability net_bind_service,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/nis.d>
diff --git a/abstractions/nss-systemd b/abstractions/nss-systemd
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+# libnss-systemd
+ #
+ # https://systemd.io/USER_GROUP_API/
+ # https://systemd.io/USER_RECORD/
+ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
+ #
+ # Allow User/Group lookups via common VarLink socket APIs. Applications need
+ # to either consult all of them or the io.systemd.Multiplexer frontend.
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
+ @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
+ @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists <abstractions/nss-systemd.d>
diff --git a/abstractions/nvidia b/abstractions/nvidia
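Review bot: `capability net_bind_service,` lands in every profile that includes nameservice (nis is included there unconditionally in this commit), so a confined root daemon that only performs NIS lookups is also permitted to bind any privileged port. The comment above it explains the portmapper need but not this consequence; add `# NOTE: inherited by everything that includes abstractions/nameservice` beside it, or move the capability into the profiles that actually bind low ports if that is practical.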
@@ -0,0 +1,33 @@ +# vim:syntax=apparmor +# nvidia access requirements + + abi <abi/3.0>, + + # configuration queries + capability ipc_lock, + + /usr/share/nvidia/nvidia-application-profiles* r, + + # libvdpau config file for nvidia workarounds + /etc/vdpau_wrapper.cfg r, + + # device files + /dev/nvidiactl rw, + /dev/nvidia-modeset rw, + /dev/nvidia[0-9]* rw, + + @{PROC}/interrupts r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + + @{sys}/devices/system/memory/block_size_bytes r, + + owner @{HOME}/.nv/ w, + owner @{HOME}/.nv/GLCache/ rw, + owner @{HOME}/.nv/GLCache/** rwk, + + unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"), + + # Include additions to the abstraction + include if exists <abstractions/nvidia.d> diff --git a/abstractions/opencl b/abstractions/opencl @@ -0,0 +1,15 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# OpenCL access requirements + + # TODO: use conditionals to select allowed implementations + include <abstractions/opencl-intel> + include <abstractions/opencl-mesa> + include <abstractions/opencl-nvidia> + include <abstractions/opencl-pocl> + + + # Include additions to the abstraction + include if exists <abstractions/opencl.d> diff --git a/abstractions/opencl-common b/abstractions/opencl-common @@ -0,0 +1,16 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# implementation-independent OpenCL access requirements + + # System files + + /etc/OpenCL/** r, + @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so + @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so + @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so + + + # Include additions to the abstraction + include if exists <abstractions/opencl-common.d> diff --git a/abstractions/opencl-intel b/abstractions/opencl-intel 
@@ -0,0 +1,23 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# OpenCL access requirements for Intel implementation + + include <abstractions/opencl-common> + + # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay()) + include <abstractions/X> + + # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so + include <abstractions/dri-enumerate> + + # System files + + /dev/dri/card[0-9]* rw, # beignet/libcl.so + @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) + /usr/lib/@{multiarch}/beignet/** r, + + + # Include additions to the abstraction + include if exists <abstractions/opencl-intel.d> diff --git a/abstractions/opencl-mesa b/abstractions/opencl-mesa @@ -0,0 +1,26 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# OpenCL access requirements for Mesa implementation + + include <abstractions/opencl-common> + + # Additional libraries + + /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so + /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE + + # System files + + /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so + /dev/dri/render* rw, # libMesaOpenCL.so + /etc/drirc r, # libMesaOpenCL.so + + # User files + + owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so + + + # Include additions to the abstraction + include if exists <abstractions/opencl-mesa.d> diff --git a/abstractions/opencl-nvidia b/abstractions/opencl-nvidia 
@@ -0,0 +1,36 @@ +# vim:syntax=apparmor + + abi <abi/3.0>, + +# OpenCL access requirements for NVIDIA implementation + + include <abstractions/nvidia> + include <abstractions/opencl-common> + + # Executables + + # https://github.com/NVIDIA/nvidia-modprobe + # This setuid executable is used to create various device files and load the + # the nvidia kernel module. + /usr/bin/nvidia-modprobe Px -> nvidia_modprobe, + + # System files + + # libnvidia-opencl.so rules: + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + @{sys}/devices/pci[0-9]*/**/config r, + @{sys}/devices/system/memory/block_size_bytes r, + /usr/share/nvidia/** r, + @{PROC}/devices r, + @{PROC}/sys/vm/mmap_min_addr r, + + # User files + + owner @{HOME}/.nv/ComputeCache/ w, + owner @{HOME}/.nv/ComputeCache/** rw, + owner @{HOME}/.nv/ComputeCache/index rwk, + + + # Include additions to the abstraction + include if exists <abstractions/opencl-nvidia.d> diff --git a/abstractions/opencl-pocl b/abstractions/opencl-pocl 
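Review bot: `/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,` transitions to a named profile that is defined neither in this abstraction nor in any other file visible in this commit; if no `nvidia_modprobe` profile is loaded the exec is denied rather than falling back, which is the right failure mode for a setuid helper but will surface as an apparent driver bug. Add a comment such as `# requires a loaded profile named nvidia_modprobe (shipped separately); the exec is denied without it` so the dependency is explicit to anyone enabling this abstraction.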
@@ -0,0 +1,81 @@ +# vim:syntax=apparmor +# OpenCL access requirements for POCL implementation + + abi <abi/3.0>, + + include <abstractions/opencl-common> + + # Executables + + /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld, + /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang, + + # System files + + / r, # libpocl.so -> libhwloc.so + @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so + @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so + @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so + @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so + @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so + @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so + @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so + @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so + @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so + @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so + @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so + @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so + @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so + /usr/share/pocl/** r, + @{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so + + # User files + + owner @{HOME}/.cache/pocl/ w, + owner @{HOME}/.cache/pocl/kcache/ w, + owner @{HOME}/.cache/pocl/kcache/** rw, + 
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous! + owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so + + # Child profiles + + profile opencl_pocl_ld { + include <abstractions/base> + + # Main executables + + /usr/bin/{,@{multiarch}-}ld.bfd mr, + + # User files + + owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw, + owner @{HOME}/.cache/pocl/kcache/**.so.o r, + } + + profile opencl_pocl_clang { + include <abstractions/base> + + # Main executables + + /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr, + + # Additional executables + + /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile? + + # System files + + /etc/debian-version r, + /etc/lsb-release r, + + # User files + + owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, + } + + + # Include additions to the abstraction + include if exists <abstractions/opencl-pocl.d> diff --git a/abstractions/openssl b/abstractions/openssl @@ -0,0 +1,19 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2011 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + /etc/ssl/openssl.cnf r, + /usr/share/ssl/openssl.cnf r, + @{PROC}/sys/crypto/fips_enabled r, + + + # Include additions to the abstraction + include if exists <abstractions/openssl.d> diff --git a/abstractions/orbit2 b/abstractions/orbit2 @@ -0,0 +1,10 @@ +# vim:syntax=apparmor +# orbit2 permissions + + abi <abi/3.0>, + + # system library + /usr/lib/orbit-2.0/*.so mr, + + # Include additions to the abstraction + include if exists <abstractions/orbit2.d> diff --git a/abstractions/p11-kit b/abstractions/p11-kit 
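Review bot: In the `opencl_pocl_clang` child profile, `/etc/debian-version r,` looks like a typo for `/etc/debian_version` (underscore), the file Debian actually ships; as written the rule matches nothing. Separately, `owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!` deserves a fuller comment: it lets the confined process write a shared object and then map it executable, so anything able to write that cache as the user gains code execution inside the confined process. Something like `# pocl JIT cache: write + mmap-exec of user-writable .so files, so this profile cannot prevent code injection via ~/.cache/pocl` makes the risk actionable for profile authors deciding whether to include this abstraction.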
@@ -0,0 +1,32 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2012 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + /etc/pkcs11/ r, + /etc/pkcs11/pkcs11.conf r, + /etc/pkcs11/modules/ r, + /etc/pkcs11/modules/* r, + + /usr/lib{,32,64}/pkcs11/*.so mr, + /usr/lib/@{multiarch}/pkcs11/*.so mr, + + /usr/share/p11-kit/modules/ r, + /usr/share/p11-kit/modules/* r, + + # gnome-keyring pkcs11 module + owner @{run}/user/[0-9]*/keyring*/pkcs11 rw, + + # p11-kit also supports reading user configuration from ~/.pkcs11 depending + # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be + # included in this abstraction. + + # Include additions to the abstraction + include if exists <abstractions/p11-kit.d> diff --git a/abstractions/perl b/abstractions/perl @@ -0,0 +1,28 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # a few files typically required for perl scripts + /usr/bin/perl rmix, + /usr/bin/perl[0-9].[0-9].[0-9] rmix, + + /usr/lib{,32,64}/perl5/** r, + /usr/lib{,32,64}/perl{,5}/**.so* mr, + /usr/lib/@{multiarch}/perl{,5,-base}/** r, + /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr, + + /usr/share/perl/** r, + /usr/share/perl5/** r, + /etc/perl/** r, + + # Include additions to the abstraction + include if exists <abstractions/perl.d> 
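Review bot: `/usr/bin/perl[0-9].[0-9].[0-9] rmix,` only matches a versioned interpreter with single-digit components (perl5.8.8), not the `perl5.30.0`/`perl5.32.1` names current distributions install, so the versioned binary falls outside the rule while plain `/usr/bin/perl` is allowed. Consider `/usr/bin/perl[0-9]*.[0-9]*.[0-9]* rmix,` or simply `/usr/bin/perl{,[0-9]*} rmix,`. A comment noting that `ix` keeps the interpreter under the calling profile, so the script's own file accesses still need rules in that profile, would also help readers of this abstraction.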
diff --git a/abstractions/php b/abstractions/php @@ -0,0 +1,44 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# Copyright (C) 2009-2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + # shared snippets for config files + /etc/php{,5,7}/**/ r, + /etc/php{,5,7}/**.ini r, + + # Xlibs + /usr/X11R6/lib{,32,64}/lib*.so* mr, + # php extensions + /usr/lib{64,}/php{,5,7}/*/*.so mr, + + # ICU (unicode support) data tables + /usr/share/icu/*/*.dat r, + + # php session mmap socket + /var/lib/php{,5,7}/session_mm_* rwlk, + # file based session handler + /var/lib/php{,5,7}/sess_* rwlk, + /var/lib/php{,5,7}/sessions/* rwlk, + + # php libraries + /usr/share/php{,5,7}/ r, + /usr/share/php{,5,7}/** mr, + + # MySQL extension + /usr/share/mysql/** r, + + # Zend opcache + /tmp/.ZendSem.* rwlk, + + # Include additions to the abstraction + include if exists <abstractions/php.d> diff --git a/abstractions/php-worker b/abstractions/php-worker @@ -0,0 +1,22 @@ +# vim:syntax=apparmor + +# This file contains basic permissions for php-fpm workers + + abi <abi/3.0>, + + # load common libraries and their support files + include <abstractions/base> + # common php files and support files that php needs + include <abstractions/php> + + signal (receive) peer=php-fpm, + + # This is some php opcaching file + /tmp/.ZendSem.* rwk, + + # I think this is adaptive memory management + /sys/devices/system/node/* r, + /sys/devices/system/node/*/meminfo r, + /sys/devices/system/node/ r, + + include if exists <abstractions/php-worker.d> diff --git a/abstractions/php5 b/abstractions/php5 
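Review bot: The three `/sys/devices/system/node/...` rules hard-code `/sys` where every other file in this commit uses `@{sys}` (for example `@{sys}/devices/system/node/ r,` in opencl-common), so they will not follow the tunable if it is changed; replace the prefix with `@{sys}`. `/tmp/.ZendSem.* rwk,` duplicates the `/tmp/.ZendSem.* rwlk,` already granted by the included php abstraction with a narrower permission set, which has no effect (the union applies) and is misleading, so either drop it or comment the intent. The `# I think this is adaptive memory management` comment should record what was observed rather than a guess, e.g. `# node/meminfo reads seen from php-fpm workers; purpose not confirmed`.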
@@ -0,0 +1,8 @@ +#backwards compatibility include, actual abstraction moved from php5 to php + + abi <abi/3.0>, + + include <abstractions/php> + + # Include additions to the abstraction + include if exists <abstractions/php5.d> diff --git a/abstractions/postfix-common b/abstractions/postfix-common @@ -0,0 +1,44 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2015-2018 Canonical, Ltd. +# Copyright (C) 2020 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# used with postfix/* + + abi <abi/3.0>, + + + capability setuid, + capability setgid, + capability sys_chroot, + + # postfix's master can send us signals + signal receive peer=postfix-master, + + unix (send, receive) peer=(label=postfix-master), + + /etc/mailname r, + /etc/postfix/*.cf r, + /etc/postfix/*.db rk, + @{PROC}/net/if_inet6 r, + /usr/lib/postfix/*.so mr, + /usr/lib{,32,64}/sasl2/* mr, + /usr/lib{,32,64}/sasl2/ r, + /usr/lib/@{multiarch}/sasl2/* mr, + /usr/lib/@{multiarch}/sasl2/ r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + + /var/spool/postfix/etc/* r, + /var/spool/postfix/lib/lib*.so* mr, + /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, + + /etc/postfix/dynamicmaps.cf.d/ r, + + # Include additions to the abstraction + include if exists <abstractions/postfix-common.d> diff --git a/abstractions/private-files b/abstractions/private-files 
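Review bot: `@{PROC}/net/if_inet6 r,` is likely to be seen by AppArmor as `/proc/<pid>/net/if_inet6`, since `/proc/net` is a symlink to `self/net` and mediation applies to the resolved path; the nameservice abstraction in this commit uses the `@{PROC}/@{pid}/net/...` form for that reason, so consider `@{PROC}/@{pid}/net/if_inet6 r,` and verify against a denial log. The `capability setuid,`/`setgid,`/`sys_chroot,` grants carry no comment; a line such as `# daemons spawned by master chroot into /var/spool/postfix and drop to the postfix uid` — assuming that is the reason, which the `/var/spool/postfix/...` rules below suggest but do not prove — would tell profile authors what they are accepting.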
@@ -0,0 +1,52 @@ +# vim:syntax=apparmor +# privacy-violations contains rules for common files that you want to +# explicitly deny access + + abi <abi/3.0>, + + # privacy violations (don't audit files under $HOME otherwise get a + # lot of false positives when reading contents of directories) + deny @{HOME}/.*history mrwkl, + deny @{HOME}/.fetchmail* mrwkl, + deny @{HOME}/.mutt** mrwkl, + deny @{HOME}/.viminfo* mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~1~ mrwkl, + deny @{HOME}/.*.bak mrwkl, + + # special attention to (potentially) executable files + audit deny @{HOME}/bin/{,**} wl, + audit deny @{HOME}/.config/ w, + audit deny @{HOME}/.config/autostart/{,**} wl, + audit deny @{HOME}/.config/upstart/{,**} wl, + audit deny @{HOME}/.init/{,**} wl, + audit deny @{HOME}/.kde{,4}/ w, + audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl, + audit deny @{HOME}/.kde{,4}/env/{,**} wl, + audit deny @{HOME}/.local/{,share/} w, + audit deny @{HOME}/.local/share/thumbnailers/{,**} wl, + audit deny @{HOME}/.pki/ w, + audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl, + + # don't allow reading/updating of run control files + deny @{HOME}/.*rc mrk, + audit deny @{HOME}/.*rc wl, + + # bash + deny @{HOME}/.bash* mrk, + audit deny @{HOME}/.bash* wl, + deny @{HOME}/.inputrc mrk, + audit deny @{HOME}/.inputrc wl, + + # sh/dash/csh/tcsh/pdksh/zsh + deny @{HOME}/.{,z}profile* mrk, + audit deny @{HOME}/.{,z}profile* wl, + deny @{HOME}/.{,z}log{in,out} mrk, + audit deny @{HOME}/.{,z}log{in,out} wl, + + deny @{HOME}/.zshenv mrk, + audit deny @{HOME}/.zshenv wl, + + # Include additions to the abstraction + include if exists <abstractions/private-files.d> diff --git a/abstractions/private-files-strict b/abstractions/private-files-strict 
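Review bot: The "special attention to (potentially) executable files" block denies writes to `@{HOME}/bin/` and the autostart/upstart/init directories but not to `@{HOME}/.local/bin/` (on PATH by default on many distributions) or `@{HOME}/.config/systemd/user/` (user units started at login, the modern counterpart of the `.config/upstart` entry already covered), so a confined application can still plant something that runs in the next session. Suggest adding `audit deny @{HOME}/.local/bin/{,**} wl,` and `audit deny @{HOME}/.config/systemd/{,**} wl,` alongside the existing entries.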
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicitly deny access
+
+ abi <abi/3.0>,
+
+ include <abstractions/private-files>
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.aws/{,**} mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ # don't allow access to any gnome-keyring modules
+ audit deny @{run}/user/[0-9]*/keyring** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/private-files-strict.d>
diff --git a/abstractions/python b/abstractions/python
@@ -0,0 +1,42 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/python.d>
diff --git a/abstractions/qt5 b/abstractions/qt5
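Review bot: Every interpreter path in this hunk pins the Python 3 minor version to one digit (`python{2.[4-7],3.[0-9]}`, `python3.[0-9]/lib-dynload`, `/etc/python{2.[4-7],3.[0-9]}/**`), so an interpreter with a two-digit minor would fall outside the abstraction and every profile that includes it would start denying access to the standard library. Widening the alternation to `3.[0-9]{,[0-9]}` keeps all current matches and is the form I would expect upstream to need once such releases ship. The ruby hunk a few lines down (`ruby/1.[89]{.[0-9],}` in every rule) has the same shape of problem for any Ruby newer than 1.9 and deserves the same review, though there the version appears in several path segments.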
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# Common rules for Qt5-based applications
+
+ abi <abi/3.0>,
+
+ # Additional libraries
+
+ /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
+
+ # System files
+
+ /etc/xdg/QtProject/qtlogging.ini r,
+ /usr/share/qt5/translations/*.qm r,
+ /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
+ /usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
+
+ # User files
+
+ owner @{HOME}/.config/QtProject/qtlogging.ini r,
+ owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
+ owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/qt5.d>
diff --git a/abstractions/qt5-compose-cache-write b/abstractions/qt5-compose-cache-write
@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# Allow writing cache for Qt5 "platforminputcontexts" plugins
+
+ abi <abi/3.0>,
+
+ # User files
+
+ owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+ owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/qt5-compose-cache-write.d>
diff --git a/abstractions/qt5-settings-write b/abstractions/qt5-settings-write
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# Allow writing shared settings for Qt-based applications
+
+ abi <abi/3.0>,
+
+ # User files
+
+ owner @{HOME}/.config/#[0-9]*[0-9] rw,
+ owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
+ # for temporary files like QtProject.conf.Aqrgeb
+ owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
+ owner @{HOME}/.config/QtProject.conf.lock rwk,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/qt5-settings-write.d>
diff --git a/abstractions/recent-documents-write b/abstractions/recent-documents-write
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Allow updating recent documents
+
+ abi <abi/3.0>,
+
+ # User files
+
+ owner @{HOME}/.local/share/RecentDocuments/ rw,
+ owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+ owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+ owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/recent-documents-write.d>
diff --git a/abstractions/ruby b/abstractions/ruby
@@ -0,0 +1,26 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
+ /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
+
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
+ /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
+
+ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
+ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ruby.d>
diff --git a/abstractions/samba b/abstractions/samba
@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /etc/samba/* r,
+ /usr/lib*/ldb/*.so mr,
+ /usr/lib*/samba/ldb/*.so mr,
+ /usr/share/samba/*.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+ /var/cache/samba/ w,
+ /var/cache/samba/lck/* rwk,
+ /var/lib/samba/** rwk,
+ /var/log/samba/cores/ rw,
+ /var/log/samba/cores/** rw,
+ /var/log/samba/* w,
+ @{run}/samba/ w,
+ @{run}/samba/*.tdb rw,
+ @{run}/samba/msg.lock/ rwk,
+ @{run}/samba/msg.lock/[0-9]* rwk,
+ /var/cache/samba/msg.lock/ rwk,
+ /var/cache/samba/msg.lock/[0-9]* rwk,
+
+ # required for clustering
+ /var/lib/ctdb/** rwk,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/samba.d>
diff --git a/abstractions/smbpass b/abstractions/smbpass
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # libpam-smbpass/pam_smbpass.so permissions
+ /var/lib/samba/*.[lt]db rwk,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/smbpass.d>
diff --git a/abstractions/ssl_certs b/abstractions/ssl_certs
@@ -0,0 +1,49 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /etc/ssl/ r,
+ /etc/ssl/certs/ r,
+ /etc/ssl/certs/* r,
+ /etc/pki/trust/ r,
+ /etc/pki/trust/* r,
+ /etc/pki/trust/anchors/ r,
+ /etc/pki/trust/anchors/** r,
+ /usr/share/ca-certificates/ r,
+ /usr/share/ca-certificates/** r,
+ /usr/share/ssl/certs/ca-bundle.crt r,
+ /usr/local/share/ca-certificates/ r,
+ /usr/local/share/ca-certificates/** r,
+ /var/lib/ca-certificates/ r,
+ /var/lib/ca-certificates/** r,
+
+ # acmetool
+ /var/lib/acme/certs/*/chain r,
+ /var/lib/acme/certs/*/cert r,
+
+ # dehydrated
+ /{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
+ /{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
+
+ # certbot
+ /etc/letsencrypt/archive/*/cert*.pem r,
+ /etc/letsencrypt/archive/*/chain*.pem r,
+ /etc/letsencrypt/archive/*/fullchain*.pem r,
+
+ /etc/certbot/archive/*/cert*.pem r,
+ /etc/certbot/archive/*/chain*.pem r,
+ /etc/certbot/archive/*/fullchain*.pem r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ssl_certs.d>
diff --git a/abstractions/ssl_keys b/abstractions/ssl_keys
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # private ssl permissions
+
+ # Just include the whole /etc/ssl directory if we should have access to
+ # private keys too
+ /etc/ssl/ r,
+ /etc/ssl/** r,
+
+ # acmetool
+ /var/lib/acme/live/* r,
+ /var/lib/acme/certs/** r,
+ /var/lib/acme/keys/** r,
+
+ # dehydrated
+ /{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
+
+ # certbot / letsencrypt
+ /etc/letsencrypt/archive/*/privkey*.pem r,
+
+ /etc/certbot/archive/*/privkey*.pem r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ssl_keys.d>
diff --git a/abstractions/svn-repositories b/abstractions/svn-repositories
@@ -0,0 +1,57 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # This little snippet should abstract the read/write access to a repository.
+ # it is intended to be included in profiles for svnserve/apache2 and maybe
+ # some repository viewers like trac/viewvc
+
+ # no hooks exec by default; please define whatever you need explicitely.
+
+ /srv/svn/**/conf/* r,
+ /srv/svn/**/format r,
+ /srv/svn/**/db/fs-type r,
+ /srv/svn/**/db/format r,
+
+ # FSFS
+ /srv/svn/**/db/ r,
+ /srv/svn/**/db/uuid r,
+ /srv/svn/**/db/write-lock rwl,
+ /srv/svn/**/db/current rwl,
+ /srv/svn/**/db/current*.tmp rwl,
+ /srv/svn/**/db/revs/ r,
+ /srv/svn/**/db/revs/* rw,
+ /srv/svn/**/db/revprops/ r,
+ /srv/svn/**/db/revprops/* rw,
+ /srv/svn/**/db/transactions/** rw,
+
+ # BDB
+ /srv/svn/**/db/DB_CONFIG r,
+ /srv/svn/**/db/__db.[0-9]* rwl,
+ /srv/svn/**/db/log.[0-9]* rwl,
+ /srv/svn/**/db/nodes rwl,
+ /srv/svn/**/db/revisions rwl,
+ /srv/svn/**/db/transactions rwl,
+ /srv/svn/**/db/copies rwl,
+ /srv/svn/**/db/changes rwl,
+ /srv/svn/**/db/representations rwl,
+ /srv/svn/**/db/strings rwl,
+ /srv/svn/**/db/uuids rwl,
+ /srv/svn/**/db/locks rwl,
+ /srv/svn/**/db/lock-tokens rwl,
+
+ # temp files
+ /tmp/apr* rwl,
+ /var/tmp/apr* rwl,
+ /tmp/report*.tmp rwl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/svn-repositories.d>
diff --git a/abstractions/ubuntu-bittorrent-clients b/abstractions/ubuntu-bittorrent-clients
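Review bot: The three rules under `# temp files` (`/tmp/apr* rwl`, `/var/tmp/apr* rwl`, `/tmp/report*.tmp rwl`) match any `apr*` or `report*.tmp` entry in the shared temp directories regardless of who owns it, unlike the per-user temp rules elsewhere in this commit, which carry the `owner` qualifier; since the comment says the abstraction is meant for svnserve/apache2, which run as a fixed service user, `owner /tmp/apr* rwl,` (and likewise for the other two) would bound write/link to that user's own files without changing the normal case. Separately, `# no hooks exec by default; please define whatever you need explicitely.` should read `explicitly`.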
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical bittorrent clients in Ubuntu
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/azureus Cxr -> sanitized_helper,
+ /usr/bin/bitstormlite Cxr -> sanitized_helper,
+ /usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
+ /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
+ /usr/bin/gnome-btdownload Cxr -> sanitized_helper,
+ /usr/bin/kget Cxr -> sanitized_helper,
+ /usr/bin/ktorrent Cxr -> sanitized_helper,
+ /usr/bin/qbittorrent Cxr -> sanitized_helper,
+ /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-bittorrent-clients.d>
diff --git a/abstractions/ubuntu-browsers b/abstractions/ubuntu-browsers
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to graphical browsers in Ubuntu
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/arora Cx -> sanitized_helper,
+ /usr/bin/dillo Cx -> sanitized_helper,
+ /usr/bin/Dooble Cx -> sanitized_helper,
+ /usr/bin/epiphany Cx -> sanitized_helper,
+ /usr/bin/epiphany-browser Cx -> sanitized_helper,
+ /usr/bin/epiphany-webkit Cx -> sanitized_helper,
+ /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
+ /usr/bin/kazehakase Cx -> sanitized_helper,
+ /usr/bin/konqueror Cx -> sanitized_helper,
+ /usr/bin/midori Cx -> sanitized_helper,
+ /usr/bin/netsurf Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sensible-browser Pixr,
+
+ /usr/bin/chromium{,-browser} Cx -> sanitized_helper,
+ /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
+
+ # this should cover all firefox browsers and versions (including shiretoko
+ # and abrowser)
+ /usr/bin/firefox Cxr -> sanitized_helper,
+ /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
+
+ # Iceweasel
+ /usr/bin/iceweasel Cxr -> sanitized_helper,
+ /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
+
+ # some unpackaged, but popular browsers
+ /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
+ /usr/bin/opera Cx -> sanitized_helper,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/chromium-browser b/abstractions/ubuntu-browsers.d/chromium-browser
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# Author: Jamie Strandboge <jamie@canonical.com>
+
+# For site-specific adjustments, please see:
+# /etc/apparmor.d/local/chromium-browser
+
+abi <abi/3.0>,
+
+include <abstractions/ubuntu-browsers.d/plugins-common>
+include <abstractions/ubuntu-browsers.d/mailto>
+include <abstractions/ubuntu-browsers.d/multimedia>
+include <abstractions/ubuntu-browsers.d/productivity>
+include <abstractions/ubuntu-browsers.d/java>
+include <abstractions/ubuntu-browsers.d/kde>
+include <abstractions/ubuntu-browsers.d/text-editors>
+include <abstractions/ubuntu-browsers.d/ubuntu-integration>
+include <abstractions/ubuntu-browsers.d/user-files>
diff --git a/abstractions/ubuntu-browsers.d/java b/abstractions/ubuntu-browsers.d/java
@@ -0,0 +1,118 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ # Java plugin
+ owner @{HOME}/.java/deployment/deployment.properties k,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
+ /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+ owner /{,var/}run/user/*/icedteaplugin-*/ rw,
+ owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
+
+ # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
+ # unfortunate workarounds of the proprietary Javas, so have a separate
+ # profile.
+ profile browser_openjdk {
+ include <abstractions/base>
+ include <abstractions/fonts>
+ include <abstractions/gnome>
+ include <abstractions/kde>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+ include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
+ /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
+
+ # Why would java need this?
+ deny /usr/bin/gconftool-2 x,
+
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
+ owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+ }
+
+ # Profile for commercial Javas. These need workarounds to work right (eg
+ # Sun's forcing of an executable stack (LP: #535247)).
+ profile browser_java {
+ include <abstractions/base>
+ include <abstractions/fonts>
+ include <abstractions/gnome>
+ include <abstractions/kde>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+ include <abstractions/private-files-strict>
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/ipv6_route r,
+ @{PROC}/loadavg r,
+
+ /etc/debian_version r,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/j2*-ibm/jre/bin/java ix,
+
+ # noisy, can't write here anyway
+ deny /etc/.java/ w,
+ deny /etc/.java/** w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+
+ # These are seriously unfortunate, but required due to LP: #535247
+ /etc/passwd m,
+ owner @{HOME}/.java/**/cache/** m,
+ owner /tmp/** m,
+ /usr/lib{,32,64}/jvm/**/*.jar mr,
+ /usr/share/fonts/** m,
+ }
diff --git a/abstractions/ubuntu-browsers.d/kde b/abstractions/ubuntu-browsers.d/kde
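Review bot: The IcedTea plugin socket rules spell the runtime directory with the literal prefix `/{,var/}run/user/...` (the two `icedteanp` rules here and the two `icedteaplugin-*/` rules at the top of this hunk on the previous line), while the other abstractions added in this commit use the `@{run}` tunable for the same location (for example the `keyring**` deny in private-files-strict); using `owner @{run}/user/[0-9]*/icedteaplugin-*-*/...` here keeps the rule set consistent and lets the tunable govern the path in one place. The ubuntu-integration hunk further down has the same inconsistency in `owner /run/user/*/dconf/user rw,`. The `browser_openjdk` profile that the first of these lines belongs to opens on the previous line.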
@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ include <abstractions/kde>
+ /usr/bin/kde4-config Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/mailto b/abstractions/ubuntu-browsers.d/mailto
@@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ # for mailto:
+ include <abstractions/ubuntu-email>
+ include <abstractions/ubuntu-console-email>
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrct access to what only firefox is allowed to do
+ include <abstractions/ubuntu-gnome-terminal>
diff --git a/abstractions/ubuntu-browsers.d/multimedia b/abstractions/ubuntu-browsers.d/multimedia
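Review bot: The terminal comment in the mailto hunk has a typo and a stale assumption: `# have 'ix' to restrct access to what only firefox is allowed to do` should read `restrict`, and since this abstraction is also pulled in by `ubuntu-browsers.d/chromium-browser` earlier in the commit, `to what only the browser is allowed to do` describes the intent more accurately than naming firefox.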
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ include <abstractions/X>
+
+ # Pulseaudio
+ /usr/bin/pulseaudio Pixr,
+
+ # Image viewers
+ /usr/bin/eog Cxr -> sanitized_helper,
+ /usr/bin/gimp* Cxr -> sanitized_helper,
+ /usr/bin/shotwell Cxr -> sanitized_helper,
+ /usr/bin/digikam Cxr -> sanitized_helper,
+ /usr/bin/gwenview Cxr -> sanitized_helper,
+
+ include <abstractions/ubuntu-media-players>
+ owner @{HOME}/.adobe/ w,
+ owner @{HOME}/.adobe/** rw,
+ owner @{HOME}/.macromedia/ w,
+ owner @{HOME}/.macromedia/** rw,
+ /opt/real/RealPlayer/mozilla/nphelix.so rm,
+ /usr/bin/lpstat Cxr -> sanitized_helper,
+ /usr/bin/lpr Cxr -> sanitized_helper,
+
+ # Bittorrent clients
+ include <abstractions/ubuntu-bittorrent-clients>
+
+ # Archivers
+ /usr/bin/ark Cxr -> sanitized_helper,
+ /usr/bin/file-roller Cxr -> sanitized_helper,
+ /usr/bin/xarchiver Cxr -> sanitized_helper,
+ /usr/local/lib{,32,64}/*.so* mr,
+
+ # News feed readers
+ include <abstractions/ubuntu-feed-readers>
+
+ # If we allow the above, nvidia based systems will also need this
+ include <abstractions/nvidia>
+
+ # Virus scanners
+ /usr/bin/clamscan Cx -> sanitized_helper,
+
+ # gxine (LP: #1057642)
+ /var/lib/xine/gxine.desktop r,
+
+ # For WebRTC camera access (LP: #1665535)
+ /dev/video[0-9]* rw,
diff --git a/abstractions/ubuntu-browsers.d/plugins-common b/abstractions/ubuntu-browsers.d/plugins-common
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ #
+ # Plugins/helpers
+ #
+ @{PROC}/@{pid}/fd/ r,
+ /usr/lib/** rm,
+ /{,usr/}bin/bash ixr,
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/grep ixr,
+ /{,usr/}bin/sed ixr,
+ /usr/bin/m4 ixr,
+
+ # Since all the ubuntu-browsers.d abstractions need this, just include it
+ # here
+ include <abstractions/ubuntu-helpers>
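Review bot: The closing `include <abstractions/ubuntu-helpers>` in plugins-common is at odds with the usage note in the ubuntu-helpers hunk later in this commit, which says that abstraction defines the `sanitized_helper` profile, must be included only once, and should not be included from other abstractions; a profile that follows the `include <abstractions/ubuntu-helpers>` instruction printed in the sibling ubuntu-browsers.d headers and also pulls in plugins-common may therefore end up with a duplicate profile definition. Either drop the include here and rely on the toplevel profile, or extend the comment to `# here; toplevel profiles using plugins-common must NOT include ubuntu-helpers themselves`. `/usr/lib/** rm` in the same hunk grants mmap-exec of everything under /usr/lib, which the surrounding rules do not explain; a why-comment such as `# plugins and their helper libraries may live anywhere under /usr/lib` would let the next reader judge whether it can be narrowed.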
diff --git a/abstractions/ubuntu-browsers.d/productivity b/abstractions/ubuntu-browsers.d/productivity
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ # Openoffice.org
+ /usr/bin/ooffice Cxr -> sanitized_helper,
+ /usr/bin/oocalc Cxr -> sanitized_helper,
+ /usr/bin/oodraw Cxr -> sanitized_helper,
+ /usr/bin/ooimpress Cxr -> sanitized_helper,
+ /usr/bin/oowriter Cxr -> sanitized_helper,
+ /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
+
+ # LibreOffice
+ /usr/bin/libreoffice Cxr -> sanitized_helper,
+ /usr/bin/localc Cxr -> sanitized_helper,
+ /usr/bin/lodraw Cxr -> sanitized_helper,
+ /usr/bin/loimpress Cxr -> sanitized_helper,
+ /usr/bin/lowriter Cxr -> sanitized_helper,
+ /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
+
+ # PDFs
+ /usr/bin/evince Cxr -> sanitized_helper,
+ /usr/bin/okular Cxr -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/text-editors b/abstractions/ubuntu-browsers.d/text-editors
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
+ /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
+ /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
+ /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
+ /usr/bin/gedit Cxr -> sanitized_helper,
+ /usr/bin/vim.gnome Cxr -> sanitized_helper,
+ /usr/bin/leafpad Cxr -> sanitized_helper,
+ /usr/bin/mousepad Cxr -> sanitized_helper,
+ /usr/bin/kate Cxr -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration b/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ # Apport
+ /usr/bin/apport-bug Cx -> sanitized_helper,
+
+ # Package installation
+ /usr/bin/apturl Cxr -> sanitized_helper,
+ /usr/share/software-center/software-center Cxr -> sanitized_helper,
+
+ # Input Methods
+ /usr/bin/scim Cx -> sanitized_helper,
+ /usr/bin/scim-bridge Cx -> sanitized_helper,
+
+ # File managers
+ /usr/bin/nautilus Cxr -> sanitized_helper,
+ /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
+ /usr/bin/dolphin Cxr -> sanitized_helper,
+
+ # Themes
+ /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
+
+ # Kubuntu
+ /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
+
+ # Exo-aware applications
+ /usr/bin/exo-open ixr,
+ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
+ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
+ /etc/xdg/xfce4/helpers.rc r,
+
+ # unity webapps integration. Could go in its own abstraction
+ owner /run/user/*/dconf/user rw,
+ owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+ /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+ owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ # firefox-notify
+ include <abstractions/python>
+ /usr/bin/python2.[4567] ix,
+ /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/abstractions/ubuntu-browsers.d/user-files b/abstractions/ubuntu-browsers.d/user-files
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+ # Allow read to all files user has DAC access to and write access to all
+ # files owned by the user in $HOME.
+ @{HOME}/ r,
+ @{HOME}/** r,
+ owner @{HOME}/** w,
+
+ # Do not allow read and/or write to particularly sensitive/problematic files
+ include <abstractions/private-files>
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
+ # Comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+
+ # Allow read to all files user has DAC access to and write for files the user
+ # owns on removable media and filesystems.
+ /media/** r,
+ /mnt/** r,
+ /srv/** r,
+ /net/** r,
+ owner /media/** w,
+ owner /mnt/** w,
+ owner /srv/** w,
+ owner /net/** w,
diff --git a/abstractions/ubuntu-console-browsers b/abstractions/ubuntu-console-browsers
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to text-only browsers in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# include <abstractions/ubuntu-gnome-terminal>
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/elinks Cx -> sanitized_helper,
+ /usr/bin/links Cx -> sanitized_helper,
+ /usr/bin/lynx.cur Cx -> sanitized_helper,
+ /usr/bin/netrik Cx -> sanitized_helper,
+ /usr/bin/w3m Cx -> sanitized_helper,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-console-browsers.d>
diff --git a/abstractions/ubuntu-console-email b/abstractions/ubuntu-console-email
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing console email clients in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# include <abstractions/ubuntu-gnome-terminal>
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/alpine Cx -> sanitized_helper,
+ /usr/bin/citadel Cx -> sanitized_helper,
+ /usr/bin/cone Cx -> sanitized_helper,
+ /usr/bin/elmo Cx -> sanitized_helper,
+ /usr/bin/mutt Cx -> sanitized_helper,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-console-email.d>
diff --git a/abstractions/ubuntu-email b/abstractions/ubuntu-email
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical email clients in Ubuntu
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/anjal Cx -> sanitized_helper,
+ /usr/bin/balsa Cx -> sanitized_helper,
+ /usr/bin/claws-mail Cx -> sanitized_helper,
+ /usr/bin/evolution Cx -> sanitized_helper,
+ /usr/bin/geary Cx -> sanitized_helper,
+ /usr/bin/gnome-gmail Cx -> sanitized_helper,
+ /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
+ /usr/bin/kmail Cx -> sanitized_helper,
+ /usr/bin/mailody Cx -> sanitized_helper,
+ /usr/bin/modest Cx -> sanitized_helper,
+ /usr/bin/seamonkey Cx -> sanitized_helper,
+ /usr/bin/sylpheed Cx -> sanitized_helper,
+ /usr/bin/tkrat Cx -> sanitized_helper,
+
+ /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop
+ /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-email.d>
diff --git a/abstractions/ubuntu-feed-readers b/abstractions/ubuntu-feed-readers
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing graphical news feed readers in Ubuntu
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/akregator Cxr -> sanitized_helper,
+ /usr/bin/liferea-add-feed Cxr -> sanitized_helper,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-feed-readers.d>
diff --git a/abstractions/ubuntu-gnome-terminal b/abstractions/ubuntu-gnome-terminal
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+#
+# for allowing access to gnome-terminal
+#
+
+ abi <abi/3.0>,
+
+ include <abstractions/gnome>
+
+ # do not use ux or PUx here. Use at a minimum ix
+ /usr/bin/gnome-terminal ix,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-gnome-terminal.d>
diff --git a/abstractions/ubuntu-helpers b/abstractions/ubuntu-helpers
@@ -0,0 +1,85 @@
+# Lenient profile that is intended to be used when 'Ux' is desired but
+# does not provide enough environment sanitizing. This effectively is an
+# open profile that blacklists certain known dangerous files and also
+# does not allow any capabilities. For example, it will not allow 'm' on files
+# owned be the user invoking the program. While this provides some additional
+# protection, please use with care as applications running under this profile
+# are effectively running without any AppArmor protection. Use this profile
+# only if the process absolutely must be run (effectively) unconfined.
+#
+# Usage:
+# Because this abstraction defines the sanitized_helper profile, it must only
+# be included once. Therefore this abstraction should typically not be
+# included in other abstractions so as to avoid parser errors regarding
+# multiple definitions.
+#
+# Limitations:
+# 1. This does not work for root owned processes, because of the way we use
+# owner matching in the sanitized helper. We could do a better job with
+# this to support root, but it would make the policy harder to understand
+# and going unconfined as root is not desirable any way.
+#
+# 2. For this sanitized_helper to work, the program running in the sanitized
+# environment must open symlinks directly in order for AppArmor to mediate
+# it. This is confirmed to work with:
+# - compiled code which can load shared libraries
+# - python imports
+# It is known not to work with:
+# - perl includes
+# 3. Sanitizing ruby and java
+#
+# Use at your own risk. This profile was developed as an interim workaround for
+# LP: #851986 until AppArmor utilizes proper environment filtering.
+
+ abi <abi/3.0>,
+
+profile sanitized_helper {
+ include <abstractions/base>
+ include <abstractions/X>
+
+ # Allow all networking
+ network inet,
+ network inet6,
+
+ # Allow all DBus communications
+ include <abstractions/dbus-session-strict>
+ include <abstractions/dbus-strict>
+ dbus,
+
+ # Needed for Google Chrome
+ ptrace (trace) peer=**//sanitized_helper,
+
+ # Allow exec of anything, but under this profile. Allow transition
+ # to other profiles if they exist.
+ /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+
+ # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
+ /usr/{,local/}lib*/{,**/}* Pixr,
+
+ # Allow exec of software-center scripts. We may need to allow wider
+ # permissions for /usr/share, but for now just do this. (LP: #972367)
+ /usr/share/software-center/* Pixr,
+
+ # Allow exec of texlive font build scripts (LP: #1010909)
+ /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
+ # While the chromium and chrome sandboxes are setuid root, they only link
+ # in limited libraries so glibc's secure execution should be enough to not
+ # require the santized_helper (ie, LD_PRELOAD will only use standard system
+ # paths (man ld.so)).
+ /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
+ /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+
+ # Full access
+ / r,
+ /** rwkl,
+ /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+
+ # Dangerous files
+ audit deny owner /**/* m, # compiled libraries
+ audit deny owner /**/*.py* r, # python imports
+}
diff --git a/abstractions/ubuntu-konsole b/abstractions/ubuntu-konsole
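Review bot: The two `audit deny owner` rules at the end of the profile body are its only guard against mapping or importing code the user wrote, and `owner` scopes them to files whose uid matches the process; a file the user can write but does not own (a group-writable share, for instance) is therefore still mappable under `/** rwkl` plus the `m` rules, and this is not listed among the Limitations in the header. Suggested addition to that list: `# 4. The deny rules are owner-scoped: user-writable files owned by another uid are not caught.` While editing the header, `owned be the user` should read `owned by the user`, `santized_helper` in the chromium comment should read `sanitized_helper`, and item `3. Sanitizing ruby and java` is a fragment that presumably belongs under the `It is known not to work with:` list rather than as a numbered limitation of its own.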
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+#
+# for allowing access to konsole
+#
+
+ abi <abi/3.0>,
+
+ include <abstractions/consoles>
+ include <abstractions/kde>
+ capability sys_ptrace,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/cmdline r,
+ /{,var/}run/utmp r,
+ /dev/ptmx rw,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/konsole ix,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-konsole.d>
diff --git a/abstractions/ubuntu-media-players b/abstractions/ubuntu-media-players
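Review bot: `capability sys_ptrace` is granted with no comment saying which konsole feature needs it, and every profile that includes this abstraction inherits the capability. The three `@{PROC}/@{pid}/{status,stat,cmdline}` reads beside it are world-readable proc entries that do not require CAP_SYS_PTRACE, so the capability was presumably added for something else (reading a child shell's `cwd`, perhaps); under `abi <abi/3.0>` ptrace is mediated as its own rule class, so if cross-profile /proc reads are the goal, a `ptrace (read)` rule is the relevant gate and this should be confirmed with an audit run. Suggested comment on the capability line: `# TODO(review): document what needs sys_ptrace; the @{PROC} reads below do not.`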
@@ -0,0 +1,65 @@
+# vim:syntax=apparmor
+#
+# abstraction for allowing access to media players in Ubuntu
+#
+# Users of this abstraction need to include the ubuntu-helpers abstraction
+# in the toplevel profile. Eg:
+# include <abstractions/ubuntu-helpers>
+
+ abi <abi/3.0>,
+
+ /usr/bin/amarok Cxr -> sanitized_helper,
+ /usr/bin/audacious2 Cxr -> sanitized_helper,
+ /usr/bin/audacity Cxr -> sanitized_helper,
+ /usr/bin/bangarang Cxr -> sanitized_helper,
+ /usr/bin/banshee Cxr -> sanitized_helper,
+ /usr/bin/banshee-1 Cxr -> sanitized_helper,
+ /usr/bin/decibel Cxr -> sanitized_helper,
+ /usr/bin/dragon Cxr -> sanitized_helper,
+ /usr/bin/esperanza Cxr -> sanitized_helper,
+ /usr/bin/exaile Cxr -> sanitized_helper,
+ /usr/bin/freevo Cxr -> sanitized_helper,
+ /usr/bin/gmerlin Cxr -> sanitized_helper,
+ /usr/bin/gxmms Cxr -> sanitized_helper,
+ /usr/bin/gxmms2 Cxr -> sanitized_helper,
+ /usr/bin/hornsey Cxr -> sanitized_helper,
+ /usr/bin/jlgui Cxr -> sanitized_helper,
+ /usr/bin/juk Cxr -> sanitized_helper,
+ /usr/bin/kaffeine Cxr -> sanitized_helper,
+ /usr/bin/listen Cxr -> sanitized_helper,
+ /usr/share/minirok/minirok.py Cxr -> sanitized_helper,
+
+ # mplayer
+ /etc/mplayerplug-in.conf r,
+ /usr/bin/gmplayer Cxr -> sanitized_helper,
+ /usr/bin/gnome-mplayer Cxr -> sanitized_helper,
+ /usr/bin/kmplayer Cxr -> sanitized_helper,
+ /usr/bin/mplayer Cxr -> sanitized_helper,
+ /usr/bin/smplayer Cxr -> sanitized_helper,
+
+ /usr/bin/muine Cxr -> sanitized_helper,
+ /usr/bin/potamus Cxr -> sanitized_helper,
+ /usr/bin/promoe Cxr -> sanitized_helper,
+ /usr/bin/qmmp Cxr -> sanitized_helper,
+ /usr/bin/quodlibet Cxr -> sanitized_helper,
+ /usr/bin/rhythmbox Cxr -> sanitized_helper,
+ /usr/bin/strange-quark Cxr -> sanitized_helper,
+ /usr/bin/swfdec-player Cxr -> sanitized_helper,
+ /usr/bin/timidity Cxr -> sanitized_helper,
+ /usr/lib/totem/** ixr,
+ /usr/bin/totem-gstreamer Cxr -> sanitized_helper,
+ /usr/bin/totem-xine Cxr -> sanitized_helper,
+ /usr/bin/totem Cxr ->
sanitized_helper,
+ /usr/bin/vlc Cxr -> sanitized_helper,
+ /usr/bin/xfmedia Cxr -> sanitized_helper,
+ /usr/bin/xmms Cxr -> sanitized_helper,
+
+ # gnash
+ /usr/bin/gtk-gnash ixr,
+ /etc/gnashrc r,
+ /etc/gnashpluginrc r,
+ owner @{HOME}/.gnash/ rw,
+ owner @{HOME}/.gnash/** rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-media-players.d>
diff --git a/abstractions/ubuntu-unity7-base b/abstractions/ubuntu-unity7-base
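Review bot: `/usr/lib/totem/** ixr` marks every file under that tree, at any depth, as executable with the calling profile's own permissions, while `totem` itself two lines below is sent to `sanitized_helper` via `Cxr`; so a totem helper started from `/usr/lib/totem/` runs with whatever the including profile allows, and any plugin or data file under the same tree is executable the same way. If only the helper binaries are meant, a narrower glob such as `/usr/lib/totem/* ixr,` (or the specific helpers) fits better. `/usr/bin/gtk-gnash ixr` is the other `ix` entry in a file otherwise built on `Cxr -> sanitized_helper`; a one-line comment on why these two stay in the caller's profile would settle both.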
@@ -0,0 +1,105 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+#
+# Rules common to applications running under Unity 7
+#
+
+include <abstractions/gnome>
+
+include <abstractions/dbus-session-strict>
+include <abstractions/dbus-strict>
+
+ #
+ # Access required for connecting to/communication with Unity HUD
+ #
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (send)
+ bus=session
+ interface="com.canonical.hud.*",
+ dbus (send)
+ bus=session
+ path="/com/canonical/hud/applications/*",
+ dbus (receive)
+ bus=session
+ path="/com/canonical/hud",
+ dbus (receive)
+ bus=session
+ interface="com.canonical.hud.*",
+
+ #
+ # Allow access for connecting to/communication with the appmenu
+ #
+ # dbusmenu
+ dbus (send)
+ bus=session
+ interface="com.canonical.AppMenu.*",
+ dbus (receive, send)
+ bus=session
+ path=/com/canonical/menu/**,
+
+ # gmenu
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Actions,
+ dbus (receive, send)
+ bus=session
+ interface=org.gtk.Menus,
+
+ #
+ # Access required for using freedesktop notifications
+ #
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetCapabilities,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=GetServerInformation,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=Notify,
+ dbus (receive)
+ bus=session
+ member="Notify"
+ peer=(name="org.freedesktop.DBus"),
+ dbus (receive)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=NotificationClosed,
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/Notifications
+ member=CloseNotification,
+
+ #
accessibility
+ dbus (send)
+ bus=session
+ peer=(name=org.a11y.Bus),
+ dbus (receive)
+ bus=session
+ interface=org.a11y.atspi*,
+ dbus (receive, send)
+ bus=accessibility,
+
+ #
+ # Deny potentially dangerous access
+ #
+ deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-unity7-base.d>
diff --git a/abstractions/ubuntu-unity7-launcher b/abstractions/ubuntu-unity7-launcher
@@ -0,0 +1,12 @@
+ abi <abi/3.0>,
+
+ #
+ # Access required for connecting to/communicating with the Unity Launcher
+ #
+ dbus (send)
+ bus=session
+ interface="com.canonical.Unity.LauncherEntry"
+ member="Update",
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-unity7-launcher.d>
diff --git a/abstractions/ubuntu-unity7-messaging b/abstractions/ubuntu-unity7-messaging
@@ -0,0 +1,12 @@
+ abi <abi/3.0>,
+
+ #
+ # Access required for connecting to/communicating with the Unity messaging
+ # indicator
+ #
+ dbus (receive, send)
+ bus=session
+ path="/com/canonical/indicator/messages/*",
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-unity7-messaging.d>
diff --git a/abstractions/ubuntu-xterm b/abstractions/ubuntu-xterm
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+#
+# for allowing access to xterm
+#
+
+ abi <abi/3.0>,
+
+ include <abstractions/consoles>
+ /dev/ptmx rw,
+ /{,var/}run/utmp r,
+ /etc/X11/app-defaults/XTerm r,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/xterm ix,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/ubuntu-xterm.d>
diff --git a/abstractions/user-download b/abstractions/user-download
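Review bot: In the ubuntu-unity7-base hunk, `dbus (receive, send) bus=accessibility,` is the widest rule in the file: it carries no `path`, `interface` or `peer` qualifier, whereas the session-bus rule just above it limits receives to `interface=org.a11y.atspi*`. If only AT-SPI traffic is intended, scoping it the same way — `dbus (receive, send) bus=accessibility interface=org.a11y.atspi*,` — keeps the deny-by-default posture the rest of the abstraction follows; if the open rule is needed for something else, a comment naming it would help. As a point of style, the three `include <abstractions/...>` lines near the top of that hunk are at column 0 while everything else in the file is indented.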
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+# Description: Where common programs should allow users to download
+# files
+
+ owner @{HOME}/tmp/** rwl,
+ owner @{HOME}/[dD]ownload{,s}/ r,
+ owner @{HOME}/[dD]ownload{,s}/** rwl,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/* rwl,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl,
+ owner "@{HOME}/My Downloads/" r,
+ owner "@{HOME}/My Downloads/**" rwl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/user-download.d>
diff --git a/abstractions/user-mail b/abstractions/user-mail
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # location of user mail, spool and mboxes
+ owner @{HOME}/[mM]ail/ r,
+ owner @{HOME}/[mM]ail/** rwl,
+ owner @{HOME}/postponed* rwl,
+ /var/{,spool/}mail/ r,
+ owner /var/{,spool/}mail/* rwl,
+ owner @{HOME}/mbox.lock* rwl,
+ owner @{HOME}/mbox rw,
+ owner @{HOME}/inbox rw,
+ owner @{HOME}/.forward r,
+ owner @{HOME}/Maildir/ r,
+ owner @{HOME}/Maildir/** rwl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/user-mail.d>
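Review bot: In the user-download hunk, `owner @{HOME}/[^.]* rwl` grants read, write and link on every non-hidden entry directly under the home directory, which is far wider than the download locations the `# Description:` comment announces, and it duplicates the identical line in user-write added later in this commit. If it is there so a program can save straight into the top level of `@{HOME}`, a comment saying so is needed (`# also allow saving directly into the top level of @{HOME}`); otherwise consider leaving that grant to user-write, so that including user-download alone does not imply write access to a user's top-level files.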
diff --git a/abstractions/user-manpages b/abstractions/user-manpages
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # perhaps your configuration has users elsewhere, or you don't wish
+ # them to read their own manpages
+ owner @{HOME}/man/ r,
+ owner @{HOME}/man/** r,
+ owner @{HOME}/tmp/groff* rwl,
+
+ # kindof required
+ owner /tmp/groff* rwl,
+
+ # standard system manpages
+ /usr/local/share/man/man?/ r,
+ /usr/local/share/man/man?/** r,
+ /usr/{share,X11R6,local,kerberos}/man/** r,
+ /usr/man/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/user-manpages.d>
diff --git a/abstractions/user-tmp b/abstractions/user-tmp
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # per-user tmp directories
+ owner @{HOME}/tmp/** rwkl,
+ owner @{HOME}/tmp/ rw,
+
+ # global tmp directories
+ owner /var/tmp/** rwkl,
+ /var/tmp/ rw,
+ owner /tmp/** rwkl,
+ /tmp/ rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/user-tmp.d>
diff --git a/abstractions/user-write b/abstractions/user-write
@@ -0,0 +1,26 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # per-user write directories
+ owner @{HOME}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ r,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ r,
+ owner @{HOME}/[^.]*/ rw,
+ owner @{HOME}/[^.]* rwl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl,
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/user-write.d>
diff --git a/abstractions/video b/abstractions/video
@@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+# video device access
+
+ abi <abi/3.0>,
+
+ # System devices
+ @{sys}/class/video4linux r,
+ @{sys}/class/video4linux/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/video.d>
diff --git a/abstractions/vulkan b/abstractions/vulkan
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# Vulkan access requirements
+
+ abi <abi/3.0>,
+
+ # System files
+ /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+ /etc/glvnd/egl_vendor.d/{*,.json} r,
+ /etc/vulkan/icd.d/{,*.json} r,
+ /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+ # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
+ @{sys}/devices/pci[0-9]*/*/drm/ r,
+ @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+ @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+ @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+ /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+ /usr/share/vulkan/icd.d/{,*.json} r,
+ /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
+
+ # User files
+ owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/vulkan.d>
diff --git a/abstractions/wayland b/abstractions/wayland
@@ -0,0 +1,18 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 intrigeri <intrigeri@boum.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ owner @{run}/user/*/wayland-[0-9]* rw,
+ owner @{run}/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/wayland.d>
diff --git a/abstractions/web-data b/abstractions/web-data
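Review bot: In the vulkan hunk, `/etc/glvnd/egl_vendor.d/{*,.json} r` looks like a transposition of the pattern its neighbours use: `{*,.json}` expands to `/etc/glvnd/egl_vendor.d/*` (every file in the directory, whatever its extension) plus a literal `.json`, whereas `{,*.json}` — as in `/usr/share/glvnd/egl_vendor.d/{,*.json} r` a few lines down — allows the directory listing plus the `*.json` vendor files. Suggested: `/etc/glvnd/egl_vendor.d/{,*.json} r,`. If the wider match is intentional it deserves a comment, since every other vendor/layer directory in this file is restricted to `.json`.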
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /srv/www/htdocs/ r,
+ /srv/www/htdocs/** r,
+ # virtual hosting
+ /srv/www/vhosts/ r,
+ /srv/www/vhosts/** r,
+ # mod_userdir
+ @{HOME}/public_html/ r,
+ @{HOME}/public_html/** r,
+
+ /srv/www/rails/*/public/ r,
+ /srv/www/rails/*/public/** r,
+
+ /var/www/html/ r,
+ /var/www/html/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/web-data.d>
diff --git a/abstractions/winbind b/abstractions/winbind
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # pam_winbindd
+ /tmp/.winbindd/pipe rw,
+ /var/lib/samba/winbindd_privileged/pipe rw,
+ @{run}/samba/winbindd_privileged/pipe rw,
+ /etc/samba/smb.conf r,
+ /etc/samba/dhcp.conf r,
+ /usr/lib*/samba/valid.dat r,
+ /usr/lib*/samba/upcase.dat r,
+ /usr/lib*/samba/lowcase.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/winbind.d>
diff --git a/abstractions/wutmp b/abstractions/wutmp
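Review bot: In the winbind hunk, `/tmp/.winbindd/pipe rw` lets the includer talk to a socket path inside a world-writable directory, while the two other pipe locations (`/var/lib/samba/winbindd_privileged/pipe`, `@{run}/samba/winbindd_privileged/pipe`) sit under root-owned directories. If no supported samba build still places the pipe under /tmp, the /tmp rule should go, since a profile that allows it will connect to whatever another local user created at that path. If it has to stay, a comment recording the samba version that needs it, e.g. `# legacy location, needed for samba < VERSION-PLACEHOLDER`, makes it safe to retire later.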
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # some services update wtmp, utmp, and lastlog with per-user
+ # connection information
+ /var/log/lastlog rwk,
+ /var/log/wtmp wk,
+ @{run}/utmp rwk,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/wutmp.d>
diff --git a/abstractions/xad b/abstractions/xad
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2007 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /opt/novell/xad/lib/ r,
+ /opt/novell/xad/lib/lib*.so* mr,
+ /opt/novell/xad/lib/gss/*.so* mr,
+ /opt/novell/lib/libpthread_ext*.so* mr,
+ /opt/novell/lib/libccs2.so* mr,
+ /opt/novell/xad/lib64/ r,
+ /opt/novell/xad/lib64/lib*.so* mr,
+ /opt/novell/xad/lib64/gss/*.so* mr,
+ /opt/novell/lib64/libpthread_ext*.so* mr,
+ /opt/novell/lib64/libccs2.so* mr,
+ /etc/opt/novell/xad/krb5.conf r,
+ /etc/opt/novell/nici.cfg r,
+ /var/opt/novell/nici/* r,
+ /var/opt/novell/nici/*/ r,
+ /var/opt/novell/nici/*/* rw,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/xad.d>
diff --git a/abstractions/xdg-desktop b/abstractions/xdg-desktop
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ # Entries based on:
+ # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
+
+ owner @{HOME}/.cache/ rw,
+
+ owner @{HOME}/.config/ rw,
+
+ owner @{HOME}/.local/ rw,
+ owner @{HOME}/.local/share/ rw,
+
+ # fallbacks
+ /usr/share/ r,
+ /usr/local/share/ r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/xdg-desktop.d>
diff --git a/abstractions/xdg-open b/abstractions/xdg-open
@@ -0,0 +1,86 @@
+# vim:syntax=apparmor
+
+ abi <abi/3.0>,
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//xdg-open {
+# include <abstractions/xdg-open>
+#
+# # Enable a11y support if considered required by
+# # profile author for (rare) error message boxes.
+# include <abstractions/dbus-accessibility>
+#
+# # Enable gstreamer support if considered required by
+# # profile author for (rare) error message boxes.
+# include if exists <abstractions/gstreamer>
+#
+# # needed for ubuntu-* abstractions
+# include <abstractions/ubuntu-helpers>
+#
+# # Only allow to handle http[s]: and mailto: links
+# include <abstractions/ubuntu-browsers>
+# include <abstractions/ubuntu-email>
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ include <abstractions/base>
+
+ # for openin with `exo-open`
+ include <abstractions/exo-open>
+
+ # for opening with `gio open <uri>`
+ include <abstractions/gio-open>
+
+ # for opening with gvfs-open (deprecated)
+ include <abstractions/gvfs-open>
+
+ # for opening with kde-open5
+ include <abstractions/kde-open5>
+
+ # Main executables
+
+ /{,usr/}bin/{b,d}ash mr,
+ /usr/bin/xdg-open r,
+
+ # Additional executables
+
+ /usr/bin/xdg-mime rix,
+ /{,usr/}bin/cut rix, # for xdg-mime
+ /{,usr/}bin/head rix, # for xdg-mime
+ /{,usr/}bin/sed rix, # for xdg-open
+ /{,usr/}bin/tr rix, # for xdg-mime
+ /{,usr/}bin/which rix, # for xdg-open
+ /{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+ # System files
+
+ /dev/pts/[0-9]* rw,
+ /dev/tty w,
+ /etc/gnome/defaults.list r, # for grep
+ /usr/share/applications/mimeinfo.cache r, # for grep
+
/usr/share/terminfo/s/screen r, # for bash on openSUSE
+ /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+ /var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+ # Usr files
+
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/xdg-open.d>
diff --git a/apache2.d/phpsysinfo b/apache2.d/phpsysinfo
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+ abi <abi/3.0>,
+
+ ^phpsysinfo {
+ include <abstractions/apache2-common>
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/php5>
+ include <abstractions/python>
+
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/df ixr,
+ /{,usr/}bin/mount ixr,
+ /{,usr/}bin/uname ixr,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+ /etc/debian_version r,
+ /etc/lsb-release r,
+ /etc/mtab r,
+ /etc/phpsysinfo/config.php r,
+ /etc/udev/udev.conf r,
+ @{PROC}/** r,
+ @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/** r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/devices/** r,
+ /usr/bin/ r,
+ /usr/bin/apt-cache ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/lsb_release ixr,
+ /usr/bin/lspci ixr,
+ /usr/bin/who ixr,
+ /usr/{,s}bin/lsusb ixr,
+ /usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/arch r,
+ /var/lib/dpkg/available r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/* r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/{misc,usbutils}/usb.ids r,
+ /var/log/apache2/access.log w,
+ /var/log/apache2/error.log w,
+ @{run}/utmp rk,
+ /usr/share/misc/pci.ids r,
+ }
diff --git a/bin.ping b/bin.ping
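Review bot: In the xdg-open hunk (which starts on the previous line), the comment `# for openin with `exo-open`` has a typo and should read `# for opening with `exo-open``, and the header sentence `to limit what confined application can invoke via xdg-open helper` reads better as `to limit what a confined application can invoke via the xdg-open helper`. `/dev/pts/[0-9]* rw` and `/dev/tty w` give the child profile a terminal, presumably only so xdg-open can print errors; a comment stating that purpose (`# tty access for xdg-open's error output only`) would keep the two lines from being widened later.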
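Review bot: In the phpsysinfo hat, `@{PROC}/** r` and `@{sys}/devices/** r` give a web-facing PHP hat read access to the whole of /proc and the sysfs device tree, far more than a system-information page needs, including every process's `cmdline` and the `/proc/net/*` tables. The hat already enumerates its tools precisely (`df`, `lspci`, `lsusb`, `who`), so listing the /proc entries phpsysinfo actually reads — obtainable from a complain-mode audit run — would keep its exposure proportional; at minimum `owner @{PROC}/@{pid}/** r` for its own process plus the handful of global files it parses. The `# Last Modified: ... 2009` header and the `<abstractions/php5>` include also suggest this profile predates current PHP packaging and deserves a refresh before it is relied on.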
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+profile ping /{usr/,}bin/{,iputils-}ping {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{,usr/}bin/{,iputils-}ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/bin.ping>
+}
diff --git a/local/README b/local/README
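Review bot: The profile allows only `network inet raw` and `network inet6 raw`; recent iputils ping first tries an unprivileged ICMP datagram socket and only then falls back to a raw socket, so on a system where that path is enabled every ping logs a denied `network` event before succeeding — noise that hides real denials, and a broken ping if the raw fallback is unavailable. If the ping binaries this repository targets behave that way, adding `network inet dgram,` and `network inet6 dgram,` next to the raw rules is the fix; if not, a comment naming the ping variant the profile was written against would save the next reader an audit run. `capability setuid` is presumably for the setuid-root build of ping and can be dropped where file capabilities are used instead, but that is a packaging choice rather than a defect.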
@@ -0,0 +1,24 @@
+# This directory is intended to contain profile additions and overrides for
+# inclusion by distributed profiles to aid in packaging AppArmor for
+# distributions.
+#
+# The shipped profiles in /etc/apparmor.d can still be modified by an
+# administrator and people should modify the shipped profile when making
+# large policy changes, rather than trying to make those adjustments here.
+#
+# For simple access additions or the occasional deny override, adjusting them
+# here can prevent the package manager of the distribution from interfering
+# with local modifications. As always, new policy should be reviewed to ensure
+# it is appropriate for your site.
+#
+# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
+# include <local/usr.sbin.smbd>
+#
+# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
+# contain any additional paths to be allowed, such as:
+#
+# /var/exports/** lrwk,
+#
+# Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
+# be able to allow access to files that are explicitly denied by the shipped
+# profile using this mechanism.
diff --git a/local/bin.ping b/local/bin.ping
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'bin.ping'
diff --git a/local/lsb_release b/local/lsb_release
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'lsb_release'
diff --git a/local/nvidia_modprobe b/local/nvidia_modprobe
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'nvidia_modprobe'
diff --git a/local/php-fpm b/local/php-fpm
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'php-fpm'
diff --git a/local/sbin.klogd b/local/sbin.klogd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.klogd'
diff --git a/local/sbin.syslog-ng b/local/sbin.syslog-ng
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.syslog-ng'
diff --git a/local/sbin.syslogd b/local/sbin.syslogd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'sbin.syslogd'
diff --git a/local/usr.lib.apache2.mpm-prefork.apache2 b/local/usr.lib.apache2.mpm-prefork.apache2
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.apache2.mpm-prefork.apache2'
diff --git a/local/usr.lib.dovecot.anvil b/local/usr.lib.dovecot.anvil
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.anvil'
diff --git a/local/usr.lib.dovecot.auth b/local/usr.lib.dovecot.auth
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.auth'
diff --git a/local/usr.lib.dovecot.config b/local/usr.lib.dovecot.config
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.config'
diff --git a/local/usr.lib.dovecot.deliver b/local/usr.lib.dovecot.deliver
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.deliver'
diff --git a/local/usr.lib.dovecot.dict b/local/usr.lib.dovecot.dict
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dict'
diff --git a/local/usr.lib.dovecot.dovecot-auth b/local/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-auth'
diff --git a/local/usr.lib.dovecot.dovecot-lda b/local/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.dovecot-lda'
diff --git a/local/usr.lib.dovecot.imap b/local/usr.lib.dovecot.imap
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.imap'
diff --git a/local/usr.lib.dovecot.imap-login b/local/usr.lib.dovecot.imap-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.imap-login'
diff --git a/local/usr.lib.dovecot.lmtp b/local/usr.lib.dovecot.lmtp
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.lmtp'
diff --git a/local/usr.lib.dovecot.log b/local/usr.lib.dovecot.log
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.log'
diff --git a/local/usr.lib.dovecot.managesieve b/local/usr.lib.dovecot.managesieve
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.managesieve'
diff --git a/local/usr.lib.dovecot.managesieve-login b/local/usr.lib.dovecot.managesieve-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.managesieve-login'
diff --git a/local/usr.lib.dovecot.pop3 b/local/usr.lib.dovecot.pop3
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.pop3'
diff --git a/local/usr.lib.dovecot.pop3-login b/local/usr.lib.dovecot.pop3-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.pop3-login'
diff --git a/local/usr.lib.dovecot.script-login b/local/usr.lib.dovecot.script-login
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.script-login'
diff --git a/local/usr.lib.dovecot.ssl-params b/local/usr.lib.dovecot.ssl-params
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.ssl-params'
diff --git a/local/usr.lib.dovecot.stats b/local/usr.lib.dovecot.stats
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.stats'
diff --git a/local/usr.sbin.apache2 b/local/usr.sbin.apache2
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.apache2'
diff --git a/local/usr.sbin.avahi-daemon b/local/usr.sbin.avahi-daemon
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.avahi-daemon'
diff --git a/local/usr.sbin.dnsmasq b/local/usr.sbin.dnsmasq
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.dnsmasq'
diff --git a/local/usr.sbin.dovecot b/local/usr.sbin.dovecot
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.dovecot'
diff --git a/local/usr.sbin.identd b/local/usr.sbin.identd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.identd'
diff --git a/local/usr.sbin.mdnsd b/local/usr.sbin.mdnsd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.mdnsd'
diff --git a/local/usr.sbin.nmbd b/local/usr.sbin.nmbd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.nmbd'
diff --git a/local/usr.sbin.nscd b/local/usr.sbin.nscd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.nscd'
diff --git a/local/usr.sbin.ntpd b/local/usr.sbin.ntpd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.ntpd'
diff --git a/local/usr.sbin.smbd b/local/usr.sbin.smbd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.smbd'
diff --git a/local/usr.sbin.smbldap-useradd b/local/usr.sbin.smbldap-useradd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.smbldap-useradd'
diff --git a/local/usr.sbin.traceroute b/local/usr.sbin.traceroute
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.traceroute'
diff --git a/local/usr.sbin.winbindd b/local/usr.sbin.winbindd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.winbindd'
diff --git a/lsb_release b/lsb_release
@@ -0,0 +1,52 @@
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> lsb_release" exec transitions from
+# other profiles. We want to confine the lsb_release(1) utility when it
+# is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+# Do not attach to /usr/bin/lsb_release by default
+profile lsb_release {
+ include <abstractions/base>
+ include <abstractions/python>
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/tty rw,
+
+ /usr/bin/lsb_release r,
+ /usr/bin/python3.[0-9] mr,
+
+ /etc/debian_version r,
+ /etc/default/apport r,
+ /etc/dpkg/origins/** r,
+ /etc/lsb-release r,
+ /etc/lsb-release.d/ r,
+
+ /{usr/,}bin/bash ixr,
+ /{usr/,}bin/dash ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/getopt ixr,
+ /usr/bin/sed ixr,
+ /usr/bin/tr ixr,
+
+ # TODO - many more permissions needed for this to work
+ deny /usr/bin/apt-cache x,
+
+ /usr/bin/ r,
+ /usr/include/python*/pyconfig.h r,
+ /usr/share/distro-info/** r,
+ /usr/share/dpkg/** r,
+ /usr/share/terminfo/** r,
+ /var/lib/dpkg/** r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/lsb_release>
+}
diff --git a/nvidia_modprobe b/nvidia_modprobe
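Review bot: `/usr/bin/python3.[0-9] mr,` in the lsb_release profile only matches single-digit minor versions, so an interpreter named python3.10 or later is not covered and the tool will fail under this profile on such a system. Widening the glob to `/usr/bin/python3.[0-9]{,[0-9]} mr,` keeps the rule anchored to the system interpreter while covering two-digit minors; the same alternation idiom is already used elsewhere in the profile (`/{usr/,}bin/bash`). The `# TODO - many more permissions needed for this to work` comment above `deny /usr/bin/apt-cache x,` would also be more useful if it named what is known to be missing, so nobody switches the profile to enforce mode assuming it is complete.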
@@ -0,0 +1,67 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile nvidia_modprobe {
+ include <abstractions/base>
+
+ # Capabilities
+
+ capability chown,
+ capability mknod,
+ capability setuid,
+ capability sys_admin,
+
+ # Main executable
+
+ /usr/bin/nvidia-modprobe mr,
+
+ # Other executables
+
+ /usr/bin/kmod Cx -> kmod,
+
+ # System files
+
+ /dev/nvidia-modeset w,
+ /dev/nvidia-uvm w,
+ /dev/nvidia-uvm-tools w,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/config r,
+ @{PROC}/devices r,
+ @{PROC}/driver/nvidia/params r,
+ @{PROC}/modules r,
+ @{PROC}/sys/kernel/modprobe r,
+
+ # Child profiles
+
+ profile kmod {
+ include <abstractions/base>
+
+ # Capabilities
+
+ capability sys_module,
+
+ # Main executable
+
+ /usr/bin/kmod mrix,
+
+ # Other executables
+
+ /{,usr/}bin/{,ba,da}sh ix,
+
+ # System files
+
+ /etc/modprobe.d/{,*.conf} r,
+ /etc/nvidia/current/*.conf r,
+ @{sys}/module/ipmi_devintf/initstate r,
+ @{sys}/module/ipmi_msghandler/initstate r,
+ @{sys}/module/nvidia/initstate r,
+ @{PROC}/cmdline r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/nvidia_modprobe>
+}
+
diff --git a/php-fpm b/php-fpm
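Review bot: In the `kmod` child profile, `/{,usr/}bin/{,ba,da}sh ix,` runs a shell that inherits the profile, so anything the shell launches keeps `capability sys_module` together with the read access on `/etc/modprobe.d/{,*.conf}`, and the hunk gives no reason for the shell exec. A comment in the same section style as the rest of the profile would let a reviewer judge the rule, e.g. `# shell is needed for command lines in modprobe.d (presumably install=/softdep); inherits sys_module` — the cause is my inference and should be confirmed against the modprobe configuration actually shipped. If the shell is only ever needed for a fixed command, a rule naming that command would be preferable to `ix` on `sh`/`bash`/`dash`.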
@@ -0,0 +1,60 @@
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
+ # load common libraries and their support files
+ include <abstractions/base>
+ # resolve hostnames/usernames
+ include <abstractions/nameservice>
+ # common php files and support files that php needs
+ include <abstractions/php>
+ # read openssl configuration
+ include <abstractions/openssl>
+ # read the system certificates
+ include <abstractions/ssl_certs>
+
+ /etc/php{,5,7}/** r,
+
+ capability net_admin,
+ # change user/group of a pool
+ capability setuid,
+ capability setgid,
+ # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
+ capability chown,
+ # we want to be able to kill our child processes
+ capability kill,
+ # to provide sockets with acls different than root
+ capability dac_override,
+
+ # we need write access here to move it into a different apparmor sub profile
+ @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+
+ # the main log file
+ /var/log/php*-fpm.log rw,
+
+ # we need to be able to create all sockets
+ @{run}/php{,-fpm}/php*-fpm.pid rw,
+ @{run}/php{,-fpm}/php*-fpm.sock rwlk,
+
+ # to reload
+ /usr/sbin/php-fpm* rix,
+
+ # no idea why php tries to open / read/write
+ deny / rw,
+
+ # allow sending signals to our subprocesses
+ signal (send) peer=php-fpm//*,
+
+ # allow switching processes to those subprofiles
+ change_profile -> php-fpm//*,
+
+ # load all files from this directory
+ # store your configurations per pool in this dir
+ include if exists <php-fpm.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/php-fpm>
+}
diff --git a/sbin.klogd b/sbin.klogd
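Review bot: `capability net_admin,` is the only capability in the php-fpm profile without a rationale comment, although every other capability in the block says why it is granted. net_admin is a wide-reaching capability (network configuration and privileged socket options), so the reason belongs in the same style as its neighbours, e.g. `# [confirm] which php-fpm operation needs this; drop if none` — which operation requires it is not visible in this hunk. If the daemon runs without it, removing the line is the better fix than documenting it.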
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile klogd /{usr/,}{bin,sbin}/klogd {
+ include <abstractions/base>
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /{usr/,}{bin,sbin}/klogd rmix,
+ /var/log/boot.msg rwl,
+ @{run}/klogd.pid krwl,
+ @{run}/klogd/klogd.pid krwl,
+ @{run}/klogd/kmsg r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/sbin.klogd>
+}
diff --git a/sbin.syslog-ng b/sbin.syslog-ng
@@ -0,0 +1,69 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2006 Christian Boltz
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+#define this to be where syslog-ng is chrooted
+@{CHROOT_BASE}=""
+
+profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+ include <abstractions/mysql>
+ include <abstractions/openssl>
+ include <abstractions/python>
+ include <abstractions/hosts_access>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability fowner,
+ capability sys_tty_config,
+ capability sys_resource,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log w,
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
+ /dev/kmsg r,
+ /etc/machine-id r,
+ /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /{usr/,}{bin,sbin}/syslog-ng mr,
+ @{sys}/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/@{run}/syslog-ng.pid krw,
+ @{CHROOT_BASE}/@{run}/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ @{run}/syslog-ng.ctl a,
+ @{run}/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/sbin.syslog-ng>
+}
diff --git a/sbin.syslogd b/sbin.syslogd
@@ -0,0 +1,45 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile syslogd /{usr/,}{bin,sbin}/syslogd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/consoles>
+
+ capability sys_tty_config,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability setgid,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log wl,
+ /var/lib/*/dev/log wl,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+ /etc/syslog.conf r,
+ /{usr/,}{bin,sbin}/syslogd rmix,
+ /var/log/** rw,
+ @{run}/syslogd.pid krwl,
+ @{run}/utmp rw,
+ /var/spool/compaq/nic/messages_fifo rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/sbin.syslogd>
+}
diff --git a/tunables/alias b/tunables/alias
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Alias rules can be used to rewrite paths and are done after variable
+# resolution. For example, if '/usr' is on removable media:
+# alias /usr/ -> /mnt/usr/,
+#
+# Or if mysql databases are stored in /home:
+# alias /var/lib/mysql/ -> /home/mysql/,
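Review bot: `@{CHROOT_BASE}=""` in sbin.syslog-ng is declared in the profile file itself rather than in a tunable, so a site that really chroots syslog-ng has to edit the shipped profile: the `include if exists <local/sbin.syslog-ng>` sits inside the profile block, and variable definitions are, to my understanding, only accepted at file scope, so the local override cannot redefine it. Moving the definition into a `tunables/syslog-ng` file included next to `tunables/global` — the way `tunables/dovecot` is used by usr.lib.dovecot.deliver in this same commit — would make it adjustable without touching the shipped profile. With the empty default the chroot rules collapse onto the plain paths (e.g. `@{CHROOT_BASE}/var/log/** w` becomes `/var/log/** w`), which is worth a comment next to the definition. The syslog-ng hunk begins on the preceding line of this page.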
diff --git a/tunables/apparmorfs b/tunables/apparmorfs
@@ -0,0 +1,11 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/securityfs>
+
+@{apparmorfs}=@{securityfs}/apparmor/
diff --git a/tunables/dovecot b/tunables/dovecot
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:ft=apparmor
+
+# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
+# where dovecot is allowed to store and read mails
+#
+# The default value is quite broad to avoid breaking existing setups.
+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
+# you use, and remove everything else.
+
+@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
+
diff --git a/tunables/etc b/tunables/etc
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{etc_ro} contains a space-separated list of the system configuration directories.
+# Traditionally this means /etc/, but when using a read-only / filesystem and/or
+# with the goal of having only user-modified config files in /etc/, directories
+# like /usr/etc/ get introduced for storing the default config.
+
+# @{etc_ro} contains read-only directories with configuration files.
+# Do not use @{etc_ro} in rules that allow write access.
+@{etc_ro}=/etc/ /usr/etc/
+
+# @{etc_rw} contains directories where writing to configuration files is allowed.
+@{etc_rw}=/etc/
+
+# Also, include files in tunables/etc.d/ for site-specific adjustments to
+# @{etc_ro} and @{etc_rw}.
+include if exists <tunables/etc.d>
diff --git a/tunables/global b/tunables/global
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2010-2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# All the tunables definitions that should be available to every profile
+# should be included here
+
+include <tunables/home>
+include <tunables/multiarch>
+include <tunables/proc>
+include <tunables/alias>
+include <tunables/kernelvars>
+include <tunables/xdg-user-dirs>
+include <tunables/share>
+include <tunables/etc>
+include <tunables/run>
diff --git a/tunables/home b/tunables/home
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{HOME} is a space-separated list of all user home directories. While
+# it doesn't refer to a specific home directory (AppArmor doesn't
+# enforce discretionary access controls) it can be used as if it did
+# refer to a specific home directory
+@{HOME}=@{HOMEDIRS}/*/ /root/
+
+# @{HOMEDIRS} is a space-separated list of where user home directories
+# are stored, for programs that must enumerate all home directories on a
+# system.
+@{HOMEDIRS}=/home/
+
+# Also, include files in tunables/home.d for site-specific adjustments to
+# @{HOMEDIRS}.
+include <tunables/home.d>
diff --git a/tunables/home.d/site.local b/tunables/home.d/site.local
@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional user home
+# directories are stored, each must have a trailing '/'. Directories added
+# here are appended to @{HOMEDIRS}. See tunables/home for details. Eg:
+#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/
diff --git a/tunables/kernelvars b/tunables/kernelvars
@@ -0,0 +1,33 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# This file should contain declarations to kernel vars or variables
+# that will become kernel vars at some point
+
+# until kernel vars are implemented
+# and until the parser supports nested groupings like
+# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# use
+@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{pid} for now
+@{tid}=@{pid}
+
+#A pattern for pids that can appear
+@{pids}=@{pid}
+
+# Placeholder for user id until kernel var is implemented to match
+# current user of the confined application.
+# Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).
+@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{uid} for now
+@{uids}=@{uid}
+
+# until kernel var is implemented
+@{sys}=/sys/
diff --git a/tunables/multiarch b/tunables/multiarch
@@ -0,0 +1,17 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{multiarch} is the set of patterns matching multi-arch library
+# install prefixes.
+@{multiarch}=*-linux-gnu*
+
+# Also, include files in tunables/multiarch.d for site and packaging
+# specific adjustments to @{multiarch}.
+include <tunables/multiarch.d>
diff --git a/tunables/multiarch.d/site.local b/tunables/multiarch.d/site.local
@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional multipath
+# prefixes are stored, each should not have a trailing '/'. Directories
+# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
+#@{multiarch}+=*-freebsd* s390-hurd-zomg
diff --git a/tunables/ntpd b/tunables/ntpd
@@ -0,0 +1,14 @@
+# Last Modified: Thu Aug 2 14:37:03 2007
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}=/dev/ttyS*
+@{NTPD_DEVICE}="/dev/tty10"
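Review bot: The comment in the tunables/multiarch.d/site.local hunk describes the variable as a list of `multipath` prefixes and points the reader at `tunables/mutliarch`; both should read multiarch, since the value being extended is `@{multiarch}` and the file referenced is tunables/multiarch. Suggested wording for the first and third comment lines: `# The following is a space-separated list of where additional multiarch` and `# added here are appended to @{multiarch}. See tunables/multiarch for details. Eg:`. Documentation only, no rule change.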
diff --git a/tunables/proc b/tunables/proc
@@ -0,0 +1,12 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{PROC} is the location where procfs is mounted.
+@{PROC}=/proc/
diff --git a/tunables/run b/tunables/run
@@ -0,0 +1 @@
+@{run}=/run/ /var/run/
diff --git a/tunables/securityfs b/tunables/securityfs
@@ -0,0 +1,10 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{securityfs} is the location where securityfs is mounted.
+@{securityfs}=@{sys}/kernel/security/
diff --git a/tunables/share b/tunables/share
@@ -0,0 +1,15 @@
+@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}
+
+# System-wide directories with behaviour analogous to /usr/share
+# in patterns like the freedesktop.org basedir spec. These are
+# owned by root or a system user, appear in XDG_DATA_DIRS, and
+# are the parent directory for `applications`, `themes`,
+# `dbus-1/services`, etc.
+@{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share
+
+# Per-user/personal directories with behaviour analogous to
+# ~/.local/share in patterns like the freedesktop.org basedir spec.
+# These are owned by the user running an application, appear in
+# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
+# for the same subdirectories as @{system_share_dirs}
+@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
diff --git a/tunables/sys b/tunables/sys
@@ -0,0 +1,9 @@
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now.
diff --git a/tunables/xdg-user-dirs b/tunables/xdg-user-dirs
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Define the common set of XDG user directories (usually defined in
+# /etc/xdg/user-dirs.defaults)
+@{XDG_DESKTOP_DIR}="Desktop"
+@{XDG_DOWNLOAD_DIR}="Downloads"
+@{XDG_TEMPLATES_DIR}="Templates"
+@{XDG_PUBLICSHARE_DIR}="Public"
+@{XDG_DOCUMENTS_DIR}="Documents"
+@{XDG_MUSIC_DIR}="Music"
+@{XDG_PICTURES_DIR}="Pictures"
+@{XDG_VIDEOS_DIR}="Videos"
+
+# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
+# to the various XDG directories
+include <tunables/xdg-user-dirs.d>
diff --git a/tunables/xdg-user-dirs.d/site.local b/tunables/xdg-user-dirs.d/site.local
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following may be used to add additional entries such as for
+# translations. See tunables/xdg-user-dirs for details. Eg:
+#@{XDG_MUSIC_DIR}+="Musique"
+
+#@{XDG_DESKTOP_DIR}+=""
+#@{XDG_DOWNLOAD_DIR}+=""
+#@{XDG_TEMPLATES_DIR}+=""
+#@{XDG_PUBLICSHARE_DIR}+=""
+#@{XDG_DOCUMENTS_DIR}+=""
+#@{XDG_MUSIC_DIR}+=""
+#@{XDG_PICTURES_DIR}+=""
+#@{XDG_VIDEOS_DIR}+=""
diff --git a/usr.lib.apache2.mpm-prefork.apache2 b/usr.lib.apache2.mpm-prefork.apache2
@@ -0,0 +1,82 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+abi <abi/3.0>,
+
+include <tunables/global>
+/usr/lib/apache2/mpm-prefork/apache2 {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 1- Enable it:
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 2- Load the mod_apparmor module:
+ # sudo a2enmod apparmor
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles should probably
+ # include the "apache2-common" abstraction.
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive.
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 3- Configure apache with the following:
+ # <Directory /var/www/phpsysinfo/>
+ # AAHatName phpsysinfo
+ # </Directory>
+ #
+
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ capability chown,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT {
+ include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.apache2.mpm-prefork.apache2>
+}
diff --git a/usr.lib.dovecot.anvil b/usr.lib.dovecot.anvil
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-anvil /usr/lib/dovecot/anvil {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ unix (receive, send) type=stream peer=(label=dovecot),
+
+ @{run}/dovecot/anvil rw,
+ @{run}/dovecot/anvil-auth-penalty rw,
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.anvil>
+}
diff --git a/usr.lib.dovecot.auth b/usr.lib.dovecot.auth
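Review bot: The `^HANDLING_UNTRUSTED_INPUT` hat in usr.lib.apache2.mpm-prefork.apache2 is given `/ rw,` and `/** mrwlkix,`, the same unrestricted access as the parent profile and `^DEFAULT_URI`, so the hat that mod_apparmor presumably enters while the request is still being read provides no reduction over the main profile, and because `ix` is part of `/** mrwlkix` anything executed from it inherits that access too. The header comment states the profile is "completely permissive" but does not say that this applies to the untrusted-input hat as well. At minimum a comment on the hat, e.g. `# intentionally as permissive as the parent; narrow per site via local/ or apache2.d`, would make the intent explicit; a narrower default for that hat (dropping `w` and `ix` there) would be the real improvement but changes behaviour for sites that rely on the current rules. The profile starts on the preceding line of this page.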
@@ -0,0 +1,59 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-auth /usr/lib/dovecot/auth {
+ include <abstractions/authentication>
+ include <abstractions/base>
+ include <abstractions/mysql>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/wutmp>
+ include <abstractions/dovecot-common>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability sys_chroot,
+
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+
+ /etc/dovecot/* r,
+ /usr/lib/dovecot/auth mr,
+ /var/lib/dovecot/auth-chroot/* r,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ @{run}/dovecot/auth-master rw,
+ @{run}/dovecot/auth-userdb rw,
+ @{run}/dovecot/auth-worker rw,
+ @{run}/dovecot/login/login rw,
+ @{run}/dovecot/auth-token-secret.dat{,.tmp} rw,
+ @{run}/dovecot/old-stats-user w,
+ @{run}/dovecot/stats-user rw,
+ @{run}/dovecot/anvil-auth-penalty rw,
+
+ /var/spool/postfix/private/auth rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.auth>
+}
diff --git a/usr.lib.dovecot.config b/usr.lib.dovecot.config
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-config /usr/lib/dovecot/config {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+ include <abstractions/ssl_keys>
+
+ capability dac_read_search,
+ capability dac_override,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
+ /var/lib/dovecot/ssl-parameters.dat r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.config>
+}
diff --git a/usr.lib.dovecot.deliver b/usr.lib.dovecot.deliver
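Review bot: `/usr/lib/dovecot/managesieve Px,` in the dovecot-config profile is the only profile transition in the block and carries no comment; it is not obvious why the config process would execute managesieve, and with `Px` the exec is denied unless a profile attached to that path is loaded, so the rule silently depends on the separate managesieve profile being installed. A one-line comment giving the reason, e.g. `# [confirm] config process spawns managesieve on some setups`, or removing the rule if it is a leftover, would make this reviewable. `/usr/bin/doveconf rix,` next to it is self-explanatory and needs nothing.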
@@ -0,0 +1,39 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2014 Canonical Ltd.
+# Copyright (C) 2011-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-deliver /usr/lib/dovecot/deliver {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ # http://www.postfix.org/SASL_README.html#server_dovecot
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/{auth,conf}.d/*.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/deliver mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.deliver>
+}
diff --git a/usr.lib.dovecot.dict b/usr.lib.dovecot.dict
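Review bot: Two rules in the dovecot-deliver profile carry a bare `# ???` marker — `/etc/dovecot/dovecot-postfix.conf r, # ???` and `@{HOME} r, # ???` — which records doubt about whether the access is needed but gives the next maintainer nothing to act on. Either replace each with the actual reason once known, or turn them into `# TODO: confirm this is needed; drop otherwise` so the unresolved state is searchable and does not read as a finished rule. The second one matters more: with `@{HOME}` expanding to every home directory plus `/root/` (tunables/home in this commit), `@{HOME} r` lets the delivery agent list every user's home directory, on top of the already broad default of `@{DOVECOT_MAILSTORE}`.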
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-dict /usr/lib/dovecot/dict {
+ include <abstractions/base>
+ include <abstractions/mysql>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /etc/my.cnf r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.dict>
+}
diff --git a/usr.lib.dovecot.dovecot-auth b/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-dovecot-auth /usr/lib/dovecot/dovecot-auth {
+ include <abstractions/authentication>
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/wutmp>
+ include <abstractions/dovecot-common>
+
+ capability chown,
+ capability dac_override,
+
+ @{PROC}/@{pid}/mounts r,
+ /usr/lib/dovecot/dovecot-auth mr,
+ @{run}/dovecot/** rw,
+ # required for postfix+dovecot integration
+ /var/spool/postfix/private/dovecot-auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.dovecot-auth>
+}
diff --git a/usr.lib.dovecot.dovecot-lda b/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1,92 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ @{PROC}/*/mounts r,
+ owner /tmp/dovecot.lda.* rw,
+ @{run}/dovecot/mounts r,
+ @{run}/dovecot/auth-userdb rw,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+ /usr/{bin,sbin}/sendmail Cx -> sendmail,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.dovecot-lda>
+
+
+ profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+ # this profile is based on the usr.sbin.sendmail profile in extras
+ # and should support both postfix' and sendmail's sendmail binary
+
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+ include <abstractions/user-tmp>
+ include <abstractions/postfix-common>
+ include <abstractions/hosts_access>
+
+ capability sys_ptrace,
+
+ /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
+ /etc/aliases.db rw, # actually the same binary
+ /etc/fstab r,
+ /etc/mail/* r,
+ /etc/mail/statistics rw,
+ /etc/mtab r,
+ /etc/postfix/aliases r,
+ /etc/postfix/aliases.db rw, # newaliases again
+ /etc/sendmail.cf r,
+ /etc/sendmail.cw r,
+ /etc/shells r,
+ @{PROC}/loadavg r,
+ @{PROC}/net/if_inet6 r,
+ /root/.forward r,
+ /root/dead.letter w,
+ /usr/bin/procmail Px,
+ /usr/lib/postfix/{bin/,sbin/,}master Px,
+ /usr/lib/postfix/{bin/,sbin/,}showq Px,
+ /usr/lib/postfix/{bin/,sbin/,}smtpd Px,
+ /usr/{bin,sbin}/postalias Px,
+ /usr/{bin,sbin}/postdrop Px,
+ /usr/{bin,sbin}/postfix Px,
+ /usr/{bin,sbin}/postqueue Px,
+ /usr/{bin,sbin}/sendmail mrix,
+ /usr/{bin,sbin}/sendmail.postfix mrix,
+ /usr/{bin,sbin}/sendmail.sendmail mrix,
+ @{run}/sendmail.pid rwl,
+ @{run}/sm-client.pid rwl,
+ @{run}/utmp rw,
+ /var/spool/clientmqueue/* rwl,
+ /var/spool/mail/* rwl,
+ /var/spool/mqueue/* rwl,
+ /var/spool/postfix/maildrop/* rwl,
+ /var/spool/postfix/public/pickup w,
+ /var/spool/postfix/public/qmgr w,
+ /var/spool/postfix/public/showq w,
+ }
+}
diff --git a/usr.lib.dovecot.imap b/usr.lib.dovecot.imap
@@ -0,0 +1,48 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-imap /usr/lib/dovecot/imap {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+ deny capability block_suspend,
+
+ network unix stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ owner /tmp/dovecot.imap.* rw,
+ @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
+ @{run}/dovecot/login/imap rw,
+ @{run}/dovecot/auth-master rw,
+ @{run}/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.imap>
+}
diff --git a/usr.lib.dovecot.imap-login b/usr.lib.dovecot.imap-login
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-imap-login /usr/lib/dovecot/imap-login {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/openssl>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/imap-login mr,
+ @{run}/dovecot/anvil rw,
+ @{run}/dovecot/login-master-notify* rw,
+ @{run}/dovecot/login/ r,
+ @{run}/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.imap-login>
+}
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
@@ -0,0 +1,41 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-lmtp /usr/lib/dovecot/lmtp {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+ include <abstractions/openssl>
+ include <abstractions/ssl_certs>
+ include <abstractions/ssl_keys>
+
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME}/.dovecot.svbin r,
+ @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ @{PROC}/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ @{run}/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.lmtp>
+}
diff --git a/usr.lib.dovecot.log b/usr.lib.dovecot.log
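Review bot: `/tmp/dovecot.lmtp.* rw,` is the only temp-file rule among these dovecot profiles without an `owner` qualifier; the lda profile earlier in this chunk uses `owner /tmp/dovecot.lda.* rw,` and the imap profile `owner /tmp/dovecot.imap.* rw,`. Since /tmp is shared and world-writable, a file matching that glob pre-created by another local user is within this rule, and this profile also holds `capability dac_override`, so DAC would not stop the access either. Unless lmtp is known to write temp files owned by a different uid, the line should read `owner /tmp/dovecot.lmtp.* rw,`. The same remark applies to `/tmp/ntp* rwl,` and `/var/tmp/ntp* rwl,` in usr.sbin.ntpd at the end of this chunk.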
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-log /usr/lib/dovecot/log flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.log>
+}
diff --git a/usr.lib.dovecot.managesieve b/usr.lib.dovecot.managesieve
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-managesieve /usr/lib/dovecot/managesieve {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.managesieve>
+}
diff --git a/usr.lib.dovecot.managesieve-login b/usr.lib.dovecot.managesieve-login
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013-2020 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-managesieve-login /usr/lib/dovecot/managesieve-login {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/openssl>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/managesieve-login mr,
+ @{run}/dovecot/login-master-notify* rw,
+ @{run}/dovecot/login/ r,
+ @{run}/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.managesieve-login>
+}
diff --git a/usr.lib.dovecot.pop3 b/usr.lib.dovecot.pop3
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/dovecot>
+
+profile dovecot-pop3 /usr/lib/dovecot/pop3 {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/pop3 mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.pop3>
+}
diff --git a/usr.lib.dovecot.pop3-login b/usr.lib.dovecot.pop3-login
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-pop3-login /usr/lib/dovecot/pop3-login {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/openssl>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/pop3-login mr,
+ @{run}/dovecot/anvil rw,
+ @{run}/dovecot/login-master-notify* rw,
+ @{run}/dovecot/login/ r,
+ @{run}/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.pop3-login>
+}
diff --git a/usr.lib.dovecot.script-login b/usr.lib.dovecot.script-login
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Michael Hirmke
+# Copyright (C) 2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-script-login /usr/lib/dovecot/script-login {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/nameservice>
+
+ capability setuid,
+
+ /usr/lib/dovecot/script-login mrPx,
+
+ # NOTE: You'll need to allow execution of your actual login script.
+ # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login
+ # for example
+ # /home/vmail/bin/postlogin.sh Px,
+ # and then to create the profile for the script.
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.script-login>
+}
diff --git a/usr.lib.dovecot.ssl-params b/usr.lib.dovecot.ssl-params
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-ssl-params /usr/lib/dovecot/ssl-params {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ @{run}/dovecot/ssl-params rw,
+ @{run}/dovecot/login/ssl-params rw,
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.ssl-params>
+}
diff --git a/usr.lib.dovecot.stats b/usr.lib.dovecot.stats
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot-stats /usr/lib/dovecot/stats {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/stats mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.stats>
+}
diff --git a/usr.sbin.apache2 b/usr.sbin.apache2
@@ -0,0 +1,111 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+abi <abi/3.0>,
+
+include <tunables/global>
+profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 0- Stop apache:
+ # sudo service apache2 stop
+ #
+ # 1- Enable the profile:
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ # sudo a2dismod <other non-prefork mpm>
+ # sudo a2enmod mpm_prefork
+ # sudo a2enmod apparmor
+ # sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles must include
+ # the "apache2-common" abstraction:
+ #
+ # ^example.com {
+ # include <abstractions/apache2-common>
+ # /var/www/html/ r,
+ # /var/www/html/** r,
+ # /var/log/apache2/*.log w,
+ # }
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive:
+ #
+ # <VirtualHost example.com:80>
+ # <IfModule mod_apparmor.c>
+ # AADefaultHatName example.com
+ # </IfModule>
+ # ...
+ # </VirtualHost>
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following (or similar):
+ # Alias /phpsysinfo /usr/share/phpsysinfo
+ # <Location /phpsysinfo>
+ # <IfModule mod_apparmor.c>
+ # AAHatName phpsysinfo
+ # </IfModule>
+ #
+ # # adjust as necessary:
+ # Options None
+ # Require local
+ # Require ip 192.168.0.0/16
+ # </Location>
+ #
+
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ # Send signals to all hats.
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.apache2>
+}
diff --git a/usr.sbin.avahi-daemon b/usr.sbin.avahi-daemon
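Review bot: The `^HANDLING_UNTRUSTED_INPUT` hat grants `/ rw,` and `/** mrwlkix,`, exactly what the parent profile and `^DEFAULT_URI` grant, so switching into it confines nothing; it also omits the `include <abstractions/base>` that `^DEFAULT_URI` has, and nothing in this hunk shows whether apache2-common pulls base in. The comment at the top of the profile does say the whole profile is deliberately permissive, but that rationale sits some eighty lines away from the hat definitions where a reader would look. A one-line comment above each hat, `# placeholder: as permissive as the parent; tighten in apache2.d or local/ before relying on it`, would put the intent where the rules are read, and the missing base include should either be added for symmetry or explained.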
@@ -0,0 +1,35 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/dbus>
+ include <abstractions/nameservice>
+
+ capability chown,
+ capability dac_override,
+ capability kill,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ network netlink dgram,
+
+ /etc/avahi/ r,
+ /etc/avahi/avahi-daemon.conf r,
+ /etc/avahi/hosts r,
+ /etc/avahi/services/ r,
+ /etc/avahi/services/*.service r,
+ @{PROC}/@{pid}/fd/ r,
+ /usr/{bin,sbin}/avahi-daemon mr,
+ /usr/share/avahi/introspection/*.introspect r,
+ /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
+ @{run}/avahi-daemon/ w,
+ @{run}/avahi-daemon/pid krw,
+ @{run}/avahi-daemon/socket w,
+ @{run}/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.avahi-daemon>
+}
diff --git a/usr.sbin.dnsmasq b/usr.sbin.dnsmasq
@@ -0,0 +1,136 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
+
+include <tunables/global>
+profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/dbus>
+ include <abstractions/nameservice>
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=libvirtd,
+
+ owner /dev/tty rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+ /etc/NetworkManager/dnsmasq-shared.d/ r,
+ /etc/NetworkManager/dnsmasq-shared.d/* r,
+ /etc/dnsmasq-conf.conf r,
+ /etc/dnsmasq-resolv.conf r,
+
+ /usr/{bin,sbin}/dnsmasq mr,
+
+ /var/log/dnsmasq*.log w,
+
+ /usr/share/dnsmasq{-base,}/ r,
+ /usr/share/dnsmasq{-base,}/* r,
+
+ @{run}/*dnsmasq*.pid w,
+ @{run}/dnsmasq-forwarders.conf r,
+ @{run}/dnsmasq/ r,
+ @{run}/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+ # closing superfluous file descriptors scans /proc/self/fd/ to find open ones
+ @{PROC}/@{pid}/fd/ r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ @{run}/libvirt/network/ r,
+ @{run}/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+ /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ @{run}/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ @{run}/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /var/lib/NetworkManager/dnsmasq-*.leases rw,
+ @{run}/nm-dns-dnsmasq.conf r,
+ @{run}/nm-dnsmasq-*.pid rw,
+ @{run}/sendsigs.omit.d/*dnsmasq.pid w,
+ @{run}/NetworkManager/dnsmasq.conf r,
+ @{run}/NetworkManager/dnsmasq.pid w,
+ @{run}/NetworkManager/NetworkManager.pid w,
+
+ profile libvirt_leaseshelper {
+ include <abstractions/base>
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+ /usr/libexec/libvirt_leaseshelper m,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ @{run}/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.dnsmasq>
+}
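Review bot: `/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument` runs any configured dhcp-script inside the dnsmasq profile itself, so the script inherits `capability net_admin`, `capability net_raw`, `capability setuid`, `capability dac_override` and write access to every lease and pid file listed in this hunk. The hunk already uses the `Cx -> libvirt_leaseshelper` child-profile pattern for the lease helper, which is the tighter shape for a site that deploys a script; since the script's needs are site-specific the stock profile can only point this out. Suggested comment next to the rule: `# NOTE: a dhcp-script inherits this profile's capabilities; sites deploying one should prefer a Cx child profile in local/`. Separately, `@{PROC}/@{pid}/fd/ r,` appears twice in this hunk (once bare, once under the "closing superfluous file descriptors" comment); the bare copy can be dropped.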
diff --git a/usr.sbin.dovecot b/usr.sbin.dovecot 
@@ -0,0 +1,79 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+ include <abstractions/authentication>
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/mysql>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/ssl_keys>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
+ signal send set=(int,quit,term) peer=dovecot-*,
+
+ unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+ unix (receive, send) type=stream peer=(label=dovecot-anvil),
+
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/fs/suid_dumpable r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
+ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/pop3 mrPx,
+ /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/script-login Px,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params mrPx,
+ /usr/lib/dovecot/stats Px,
+ /usr/{bin,sbin}/dovecot mrix,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+ /var/lib/dovecot/ w,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
+ @{run}/dovecot/ rw,
+ @{run}/dovecot/** rw,
+ link @{run}/dovecot/** -> /var/lib/dovecot/**,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.dovecot>
+}
diff --git a/usr.sbin.identd b/usr.sbin.identd
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile identd /usr/{bin,sbin}/identd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ network netlink dgram,
+ /etc/identd.conf r,
+ /etc/identd.key r,
+ /etc/identd.pid w,
+ /usr/{bin,sbin}/identd rmix,
+ @{PROC}/net/tcp r,
+ @{PROC}/net/tcp6 r,
+ @{run}/identd.pid w,
+ @{run}/identd/ w,
+ @{run}/identd/identd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.identd>
+}
diff --git a/usr.sbin.mdnsd b/usr.sbin.mdnsd
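Review bot: The execute rules in the dovecot master profile write the same permission set in two orders, `mrPx` (anvil, auth, config, dict, lmtp, log, managesieve, pop3, ssl-params) and `Pxmr` (dovecot-auth, imap, imap-login, managesieve-login, pop3-login), which reads as if two different grants were intended. The parser treats them identically, so this is a style point, but normalising the list to one order, e.g. `/usr/lib/dovecot/imap mrPx,`, makes a future diff of this block easier to audit. `script-login` and `stats` get a bare `Px`; that is presumably deliberate since their own profiles in this chunk carry the `mr` rule, but a short comment saying so would save the next reader the cross-check.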
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile mdnsd /usr/{bin,sbin}/mdnsd {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network netlink dgram,
+
+ /usr/{bin,sbin}/mdnsd rmix,
+
+ @{PROC}/net/ r,
+ @{PROC}/net/unix r,
+ @{run}/mdnsd lw,
+ @{run}/mdnsd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.mdnsd>
+}
diff --git a/usr.sbin.nmbd b/usr.sbin.nmbd
@@ -0,0 +1,36 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile nmbd /usr/{bin,sbin}/nmbd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ capability net_bind_service,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/{bin,sbin}/nmbd mr,
+
+ /var/cache/samba/gencache.tdb rwk,
+ /var/cache/samba/gencache_notrans.tdb rwk,
+ /var/cache/samba/names.tdb rwk,
+ /var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
+ /var/{cache,lib}/samba/wins.dat* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/cache/samba/msg/ rw,
+ /var/cache/samba/msg/* w,
+
+ @{run}/nmbd.pid rwk,
+ @{run}/samba/** rwk,
+ @{run}/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.nmbd>
+}
diff --git a/usr.sbin.nscd b/usr.sbin.nscd
@@ -0,0 +1,45 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+profile nscd /usr/{bin,sbin}/nscd {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+
+ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ /etc/netgroup r,
+ /etc/nscd.conf r,
+ /usr/{bin,sbin}/nscd rmix,
+ @{run}/.nscd_socket wl,
+ @{run}/nscd/ rw,
+ @{run}/nscd/db* rwl,
+ @{run}/nscd/socket wl,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ @{run}/{nscd/,}nscd.pid rwl,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.status r,
+ /var/log/nscd.log rw,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fd/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.nscd>
+}
diff --git a/usr.sbin.ntpd b/usr.sbin.ntpd
@@ -0,0 +1,79 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+include <tunables/ntpd>
+profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/xad>
+
+ capability dac_override,
+ capability ipc_lock,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_nice,
+
+ network unspec dgram,
+
+ /drift/ntp.drift rwl,
+ /drift/ntp.drift.TEMP rwl,
+ /etc/ntp.conf r,
+ /etc/ntp/drift* rwl,
+ /etc/ntp.keys r,
+ /etc/ntp/step-tickers r,
+ /etc/ntpd.conf r,
+ /etc/ntpd.conf.tmp r,
+
+ /tmp/ntp* rwl,
+ /{usr/,usr/local/,}{s,}bin/ r,
+ /usr/{bin,sbin}/{,open}ntpd rmix,
+ /var/db/ r,
+ /var/db/ntpd.drift rwl,
+ /var/lib/ntp/drift rwl,
+ /var/lib/ntp/drift.TEMP rwl,
+ /var/lib/ntp/drift/driftfile rw,
+ /var/lib/ntp/drift/driftfile.TEMP rw,
+ /var/lib/ntp/drift/ntp.drift rw,
+ /var/lib/ntp/drift/ntp.drift.TEMP rw,
+ /var/lib/ntp/etc/* r,
+ /var/lib/ntp/ntp.drift rw,
+ /var/lib/ntp/ntp.drift.TEMP rw,
+ /var/lib/ntp@{run}/ntp/ntpd.pid w,
+ /var/log/ntp w,
+ /var/log/ntp.log w,
+ /var/log/ntpstats/clockstats* lrw,
+ /var/log/ntpstats/loopstats* lrw,
+ /var/log/ntpstats/peerstats* lrw,
+ /var/opt/novell/xad/rpc/xadsd rw,
+ @{run}/nscd/services r,
+ @{run}/ntpd.pid w,
+ @{run}/ntp/ntpd.pid w,
+ @{run}/ntpd.sock rwl,
+ /var/tmp/ntp* rwl,
+ @{PROC}/@{pid}/net/if_inet6 r,
+
+ # allow access for when chrooted
+ /var/lib/ntp/@{PROC}/@{pid}/net/if_inet6 r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
+
+ @{NTPD_DEVICE} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.ntpd>
+}
diff --git a/usr.sbin.smbd b/usr.sbin.smbd
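Review bot: `/var/lib/ntp@{run}/ntp/ntpd.pid w,` reads like a missing path separator, since `@{run}` is glued straight onto `/var/lib/ntp`; presumably it is deliberate and, like the `/var/lib/ntp/@{PROC}/...` rules further down, describes the runtime directory as seen from inside the chroot. The `# allow access for when chrooted` comment only sits above those two @{PROC} lines, so a reader meets the pid-file rule first without that context and may "fix" it. Either move that comment above the first chroot-relative rule or add one there, e.g. `# chroot-relative path; see the chrooted @{PROC} rules below`. Whether ntpd is in fact chrooted into /var/lib/ntp on the target distribution is not visible from the diff.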
@@ -0,0 +1,61 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile smbd /usr/{bin,sbin}/smbd {
+ include <abstractions/authentication>
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/cups-client>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+ include <abstractions/user-tmp>
+ include <abstractions/wutmp>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/netgroup r,
+ /etc/printcap r,
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/auth/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/gensec/*.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+ /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+ /usr/lib/@{multiarch}/samba/**/ r,
+ /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/{bin,sbin}/smbd mr,
+ /usr/{bin,sbin}/smbldap-useradd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
+ @{run}/dbus/system_bus_socket rw,
+ @{run}/smbd.pid rwk,
+ @{run}/samba/** rk,
+ @{run}/samba/ncalrpc/ rw,
+ @{run}/samba/ncalrpc/** rw,
+ @{run}/samba/smbd.pid rw,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrwk,
+ /var/lib/samba/usershares/{,**} lrwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.smbd>
+}
diff --git a/usr.sbin.smbldap-useradd b/usr.sbin.smbldap-useradd
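Review bot: `/etc/samba/* rwk,` makes every file in /etc/samba writable to smbd, configuration included, so a compromised smbd could rewrite its own policy source rather than just its databases. The winbindd profile in this same commit takes the narrower approach and names the tdb files it writes (`netlogon_creds_cli.tdb`, `passdb.tdb{,.tmp}`, `secrets.tdb`). Splitting the rule the same way — `/etc/samba/* r,` plus `/etc/samba/*.tdb{,.tmp} rwk,` — keeps the configuration read-only while leaving the databases writable. Whether smbd writes anything else under /etc/samba (the `smbd.tmp/` tree that winbindd is granted, for instance) is not visible here, so verify against a denial log before tightening.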
@@ -0,0 +1,40 @@
+# Last Modified: Tue Jan 3 00:17:40 2012
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
+ include <abstractions/base>
+ include <abstractions/bash>
+ include <abstractions/nameservice>
+ include <abstractions/perl>
+
+ /dev/tty rw,
+ /{,usr/}bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/{bin,sbin}/smbldap-useradd r,
+ /usr/{bin,sbin}/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.smbldap-useradd>
+
+ profile /etc/init.d/nscd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ capability sys_ptrace,
+
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
diff --git a/usr.sbin.traceroute b/usr.sbin.traceroute
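Review bot: `/etc/shadow r,` together with `/{,usr/}bin/bash ix,` means any shell the tool spawns runs under this same profile and inherits read access to the local password hashes, which is wider than a user-provisioning script needs. If the script itself reads /etc/shadow the grant is unavoidable, but the shell could be moved into a child profile without that rule, the way the commit already isolates `/etc/init.d/nscd Cx,`. Whether smbldap-useradd reads /etc/shadow directly or only through something it execs is not determinable from the diff. Separately, the `# Last Modified: ...` header is a profile-tool artifact and could be dropped so the file does not carry a stale timestamp.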
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
+ include <abstractions/base>
+ include <abstractions/consoles>
+ include <abstractions/nameservice>
+
+ deny capability net_admin, # noisy setsockopt() calls
+ capability net_raw,
+
+ network inet raw,
+ network inet6 raw,
+
+ /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
+ @{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.traceroute>
+}
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
@@ -0,0 +1,41 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile winbindd /usr/{bin,sbin}/winbindd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability ipc_lock,
+ capability setuid,
+
+ /etc/samba/netlogon_creds_cli.tdb rwk,
+ /etc/samba/passdb.tdb{,.tmp} rwk,
+ /etc/samba/secrets.tdb rwk,
+ /etc/samba/smbd.tmp/ rw,
+ /etc/samba/smbd.tmp/msg/ rw,
+ /etc/samba/smbd.tmp/msg/* rwk,
+ @{PROC}/sys/kernel/core_pattern r,
+ /tmp/.winbindd/ w,
+ /tmp/krb5cc_* rwk,
+ /usr/lib*/samba/gensec/krb*.so mr,
+ /usr/lib*/samba/idmap/*.so mr,
+ /usr/lib*/samba/nss_info/*.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/{bin,sbin}/winbindd mr,
+ /var/cache/krb5rcache/* rwk,
+ /var/cache/samba/*.tdb rwk,
+ /var/log/samba/log.winbindd rw,
+ @{run}/{samba/,}winbindd.pid rwk,
+ @{run}/samba/winbindd/ rw,
+ @{run}/samba/winbindd/pipe w,
+ @{run}/user/*/krb5cc/* rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.winbindd>
+
+}