/apparmor.d/abstractions/base


# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# abstractions/base: the file-access rules that nearly every profile
# includes. It covers syslog output, the harmless /dev nodes, locale and
# timezone data, the dynamic loader and the system library trees, and a
# handful of /proc entries that glibc consults.
#
# Permission letters used below: r read, w write, m mmap with
# PROT_EXEC, ix execute while inheriting the calling profile, l link,
# k file locking. 'owner' restricts a rule to objects whose uid matches
# the task's fsuid.
#
# Because this file is pulled into almost every confining profile, each
# rule added here widens every one of them; keep it to what glibc and
# the loader need unconditionally.
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
# /dev/log is write-only here: processes may emit log lines, not read them.
/dev/log w,
/dev/random r,
/dev/urandom r,
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
# 'ix' on the loader means it runs under the calling profile rather
# than transitioning to a profile of its own.
/etc/ld.so.cache mr,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
# Read access spans the whole library trees; mmap-exec (m) is limited to
# the shared-object name patterns below.
/lib{,32,64}/** r,
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
# glibc's *printf protections read the maps file
# NOTE(review): the '*' matches any pid, not only the calling process;
# the kernel's own access check on another task's maps file is what
# limits this in practice -- confirm against the targeted kernel.
@{PROC}/*/maps r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# These two rules grant the full set (read, write, mmap-exec, inherit-exec,
# link, lock) on the ciphertext tree, gated only by 'owner'.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,