
/apparmor.d/abstractions/base

  1# vim:syntax=apparmor
  2# ------------------------------------------------------------------
  3#
  4#    Copyright (C) 2002-2009 Novell/SUSE
  5#    Copyright (C) 2009 Canonical Ltd.
  6#
  7#    This program is free software; you can redistribute it and/or
  8#    modify it under the terms of version 2 of the GNU General Public
  9#    License published by the Free Software Foundation.
 10#
 11# ------------------------------------------------------------------
 12
 13
 14
  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # This abstraction is meant to be #included from inside a profile's
  # braces (hence the two-space indent). Every rule below is granted to
  # every profile that includes it, so each entry should be justified as
  # something essentially all dynamically linked programs need.

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  # /dev/log is write-only here: a confined process may submit log
  # messages but cannot read from the syslog socket.
  /dev/log                       w,
  # Read-only access to the kernel random devices; nothing in this
  # abstraction allows writing to (re-seeding) them.
  /dev/random                    r,
  /dev/urandom                   r,
  /etc/locale/**                 r,
  /etc/locale.alias              r,
  /etc/localtime                 r,
  /usr/share/locale-langpack/**  r,
  /usr/share/locale/**           r,
  /usr/share/**/locale/**        r,
  /usr/share/zoneinfo/           r,
  /usr/share/zoneinfo/**         r,
  /usr/share/X11/locale/**       r,

  # 'm' permits mmap(PROT_EXEC) of these files in addition to reading
  # them; presumably needed because glibc maps the locale archive and
  # dlopen()s the gconv charset modules -- not verified here.
  /usr/lib{,32,64}/locale/**             mr,
  /usr/lib{,32,64}/gconv/*.so            mr,
  /usr/lib{,32,64}/gconv/gconv-modules*  mr,

  # used by glibc when binding to ephemeral ports
  /etc/bindresvport.blacklist    r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  /etc/ld.so.cache               mr,
  # 'ix' (inherit execute) lets a confined program execute the dynamic
  # loader directly; the resulting process stays under the current
  # profile rather than transitioning to another one.
  /lib{,32,64}/ld{,32,64}-*.so   mrix,
  /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
  /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,

  # we might as well allow everything to use common libraries
  # NOTE(review): the '**' rules below make every file under /lib and
  # /usr/lib (and their 32/64 variants) readable by every profile that
  # includes this abstraction, not just shared objects. Anything a
  # package installs under those trees (helper programs, private data
  # files) is therefore exposed read-only to all confined processes;
  # keep sensitive material out of them. mmap(PROT_EXEC) ('m') is
  # limited to names matching lib*.so* / *.so*.
  /lib{,32,64}/**                r,
  /lib{,32,64}/lib*.so*          mr,
  /lib{,32,64}/**/lib*.so*       mr,
  /usr/lib{,32,64}/**            r,
  /usr/lib{,32,64}/*.so*         mr,
  /usr/lib{,32,64}/**/lib*.so*   mr,
  /lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null                      rw,
  # as is /dev/zero
  /dev/zero                      rw,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full                      rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version     r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo                r,
  @{PROC}/stat                   r,
  @{PROC}/cpuinfo                r,

  # glibc's *printf protections read the maps file
  # NOTE(review): '*' matches any single path component under @{PROC},
  # so this rule allows reading /proc/<any pid>/maps, not only
  # /proc/self/maps, which is presumably all glibc's own check needs.
  # The kernel still applies its own access check to other processes'
  # maps files, but a pattern restricted to the caller's own pid (if the
  # tunables in use define such a variable) would expose less of other
  # processes' address-space layout to confined programs -- TODO confirm
  # against the tunables shipped with this policy before narrowing.
  @{PROC}/*/maps                 r,

  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/*           r,

  # some applications will display license information
  /usr/share/common-licenses/**  r,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.

  # encrypted ~/.Private and old-style encrypted $HOME
  # NOTE(review): the permission set is deliberately wide -- 'w' and 'l'
  # allow writing and hard-linking anywhere in the encrypted tree, 'k'
  # allows locking, and 'ix' allows executing any file found there under
  # the current profile. A profile that relies on explicitly denying a
  # file in $HOME should be checked against this rule: the matching
  # backing file under .Private remains reachable, and only the
  # encryption described above protects its contents.
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
102