logo

apparmor.d

Unnamed repository; edit this file 'description' to name the repository. git clone https://hacktivis.me/git/apparmor.d.git

base (6886B)

    

  1. # vim:syntax=apparmor
  2. # ------------------------------------------------------------------
  3. #
  4. #    Copyright (C) 2002-2009 Novell/SUSE
  5. #    Copyright (C) 2009-2011 Canonical Ltd.
  6. #
  7. #    This program is free software; you can redistribute it and/or
  8. #    modify it under the terms of version 2 of the GNU General Public
  9. #    License published by the Free Software Foundation.
  10. #
  11. # ------------------------------------------------------------------
  13.   abi <abi/3.0>,
  15.   include <abstractions/crypto>
  17.   # (Note that the ldd profile has inlined this file; if you make
  18.   # modifications here, please consider including them in the ldd
  19.   # profile as well.)
  21.   # The __canary_death_handler function writes a time-stamped log
  22.   # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  23.   # and localisations of date should be available EVERYWHERE, so
  24.   # StackGuard, FormatGuard, etc., alerts can be properly logged.
  25.   /dev/log                       w,
  26.   /dev/random                    r,
  27.   /dev/urandom                   r,
  28.   # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  29.   # time and getrandom()/{,u}random and, when available, runs under an
  30.   # unprivilged, dedicated user).
  31.   @{run}/uuidd/request           r,
  32.   @{etc_ro}/locale/**          r,
  33.   @{etc_ro}/locale.alias       r,
  34.   @{etc_ro}/localtime          r,
  35.   /usr/share/locale-bundle/**    r,
  36.   /usr/share/locale-langpack/**  r,
  37.   /usr/share/locale/**           r,
  38.   /usr/share/**/locale/**        r,
  39.   /usr/share/zoneinfo{,-icu}/    r,
  40.   /usr/share/zoneinfo{,-icu}/**  r,
  41.   /usr/share/X11/locale/**       r,
  42.   @{run}/systemd/journal/dev-log w,
  43.   # systemd native journal API (see sd_journal_print(4))
  44.   @{run}/systemd/journal/socket  w,
  45.   # Nested containers and anything using systemd-cat need this. 'r' shouldn't
  46.   # be required but applications fail without it. journald doesn't leak
  47.   # anything when reading so this is ok.
  48.   @{run}/systemd/journal/stdout  rw,
  50.   /usr/lib{,32,64}/locale/**             mr,
  51.   /usr/lib{,32,64}/gconv/*.so            mr,
  52.   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
  53.   /usr/lib/@{multiarch}/gconv/*.so           mr,
  54.   /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
  56.   # used by glibc when binding to ephemeral ports
  57.   @{etc_ro}/bindresvport.blacklist    r,
  59.   # ld.so.cache and ld are used to load shared libraries; they are best
  60.   # available everywhere
  61.   @{etc_ro}/ld.so.cache               mr,
  62.   @{etc_ro}/ld.so.conf                r,
  63.   @{etc_ro}/ld.so.conf.d/{,*.conf}    r,
  64.   @{etc_ro}/ld.so.preload             r,
  65.   /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
  66.   /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
  67.   /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
  68.   /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
  69.   /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
  71.   @{etc_ro}/ld-musl-*.path mr,
  73.   # we might as well allow everything to use common libraries
  74.   /{usr/,}lib{,32,64}/**                r,
  75.   /{usr/,}lib{,32,64}/**.so*       mr,
  76.   /{usr/,}lib/@{multiarch}/**            r,
  77.   /{usr/,}lib/@{multiarch}/**.so*   mr,
  78.   /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so*    mr,
  79.   /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so*    mr,
  81.   # FIPS-140-2 versions of some crypto libraries need to access their
  82.   # associated integrity verification file, or they will abort.
  83.   /{usr/,}lib{,32,64}/.lib*.so*.hmac      r,
  84.   /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
  86.   # /dev/null is pretty harmless and frequently used
  87.   /dev/null                      rw,
  88.   # as is /dev/zero
  89.   /dev/zero                      rw,
  90.   # recent glibc uses /dev/full in preference to /dev/null for programs
  91.   # that don't have open fds at exec()
  92.   /dev/full                      rw,
  94.   # Sometimes used to determine kernel/user interfaces to use
  95.   @{PROC}/sys/kernel/version     r,
  96.   # Depending on which glibc routine uses this file, base may not be the
  97.   # best place -- but many profiles require it, and it is quite harmless.
  98.   @{PROC}/sys/kernel/ngroups_max r,
  100.   # glibc's sysconf(3) routine to determine free memory, etc
  101.   @{PROC}/meminfo                r,
  102.   @{PROC}/stat                   r,
  103.   @{PROC}/cpuinfo                r,
  104.   @{sys}/devices/system/cpu/       r,
  105.   @{sys}/devices/system/cpu/online r,
  106.   @{sys}/devices/system/cpu/possible r,
  108.   # glibc's *printf protections read the maps file
  109.   @{PROC}/@{pid}/{maps,auxv,status} r,
  111.   # some applications will display license information
  112.   /usr/share/common-licenses/**  r,
  114.   # glibc statvfs
  115.   @{PROC}/filesystems            r,
  117.   # glibc malloc (man 5 proc)
  118.   @{PROC}/sys/vm/overcommit_memory r,
  120.   # Allow determining the highest valid capability of the running kernel
  121.   @{PROC}/sys/kernel/cap_last_cap r,
  123.   # Allow other processes to read our /proc entries, futexes, perf tracing and
  124.   # kcmp for now (they will need 'read' in the first place). Administrators can
  125.   # override with:
  126.   #   deny ptrace (readby) ...
  127.   ptrace (readby),
  129.   # Allow other processes to trace us by default (they will need 'trace' in
  130.   # the first place). Administrators can override with:
  131.   #   deny ptrace (tracedby) ...
  132.   ptrace (tracedby),
  134.   # Allow us to ptrace read ourselves
  135.   ptrace (read) peer=@{profile_name},
  137.   # Allow unconfined processes to send us signals by default
  138.   signal (receive) peer=unconfined,
  140.   # Allow us to signal ourselves
  141.   signal peer=@{profile_name},
  143.   # Checking for PID existence is quite common so add it by default for now
  144.   signal (receive, send) set=("exists"),
  146.   # Allow us to create and use abstract and anonymous sockets
  147.   unix peer=(label=@{profile_name}),
  149.   # Allow unconfined processes to us via unix sockets
  150.   unix (receive) peer=(label=unconfined),
  152.   # Allow us to create abstract and anonymous sockets
  153.   unix (create),
  155.   # Allow us to getattr, getopt, setop and shutdown on unix sockets
  156.   unix (getattr, getopt, setopt, shutdown),
  158.   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  159.   # filesystems generally. This does not appreciably decrease security with
  160.   # Ubuntu profiles because the user is expected to have access to files owned
  161.   # by him/her. Exceptions to this are explicit in the profiles. While this rule
  162.   # grants access to those exceptions, the intended privacy is maintained due to
  163.   # the encrypted contents of the files in this directory. Files in this
  164.   # directory will also use filename encryption by default, so the files are
  165.   # further protected. Also, with the use of 'owner', this rule properly
  166.   # prevents access to the files from processes running under a different uid.
  168.   # encrypted ~/.Private and old-style encrypted $HOME
  169.   owner @{HOME}/.Private/ r,
  170.   owner @{HOME}/.Private/** mrixwlk,
  171.   # new-style encrypted $HOME
  172.   owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
  173.   owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
  176.   # Include additions to the abstraction
  177.   include if exists <abstractions/base.d>