/apparmor.d/abstractions/base
#! | 102 lines | 85 code | 17 blank | 0 comment | 0 complexity | 0efe83056552382c9e26cee05107afab MD5 | raw file
1# vim:syntax=apparmor 2# ------------------------------------------------------------------ 3# 4# Copyright (C) 2002-2009 Novell/SUSE 5# Copyright (C) 2009 Canonical Ltd. 6# 7# This program is free software; you can redistribute it and/or 8# modify it under the terms of version 2 of the GNU General Public 9# License published by the Free Software Foundation. 10# 11# ------------------------------------------------------------------ 12 13 14 15 # (Note that the ldd profile has inlined this file; if you make 16 # modifications here, please consider including them in the ldd 17 # profile as well.) 18 19 # The __canary_death_handler function writes a time-stamped log 20 # message to /dev/log for logging by syslogd. So, /dev/log, timezones, 21 # and localisations of date should be available EVERYWHERE, so 22 # StackGuard, FormatGuard, etc., alerts can be properly logged. 23 /dev/log w, 24 /dev/random r, 25 /dev/urandom r, 26 /etc/locale/** r, 27 /etc/locale.alias r, 28 /etc/localtime r, 29 /usr/share/locale-langpack/** r, 30 /usr/share/locale/** r, 31 /usr/share/**/locale/** r, 32 /usr/share/zoneinfo/ r, 33 /usr/share/zoneinfo/** r, 34 /usr/share/X11/locale/** r, 35 36 /usr/lib{,32,64}/locale/** mr, 37 /usr/lib{,32,64}/gconv/*.so mr, 38 /usr/lib{,32,64}/gconv/gconv-modules* mr, 39 40 # used by glibc when binding to ephemeral ports 41 /etc/bindresvport.blacklist r, 42 43 # ld.so.cache and ld are used to load shared libraries; they are best 44 # available everywhere 45 /etc/ld.so.cache mr, 46 /lib{,32,64}/ld{,32,64}-*.so mrix, 47 /lib{,32,64}/**/ld{,32,64}-*.so mrix, 48 /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix, 49 /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix, 50 51 # we might as well allow everything to use common libraries 52 /lib{,32,64}/** r, 53 /lib{,32,64}/lib*.so* mr, 54 /lib{,32,64}/**/lib*.so* mr, 55 /usr/lib{,32,64}/** r, 56 /usr/lib{,32,64}/*.so* mr, 57 /usr/lib{,32,64}/**/lib*.so* mr, 58 /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr, 59 60 # /dev/null is pretty harmless and frequently used 61 /dev/null rw, 62 # as is /dev/zero 63 /dev/zero rw, 64 # recent glibc uses /dev/full in preference to /dev/null for programs 65 # that don't have open fds at exec() 66 /dev/full rw, 67 68 # Sometimes used to determine kernel/user interfaces to use 69 @{PROC}/sys/kernel/version r, 70 # Depending on which glibc routine uses this file, base may not be the 71 # best place -- but many profiles require it, and it is quite harmless. 72 @{PROC}/sys/kernel/ngroups_max r, 73 74 # glibc's sysconf(3) routine to determine free memory, etc 75 @{PROC}/meminfo r, 76 @{PROC}/stat r, 77 @{PROC}/cpuinfo r, 78 79 # glibc's *printf protections read the maps file 80 @{PROC}/*/maps r, 81 82 # libgcrypt reads some flags from /proc 83 @{PROC}/sys/crypto/* r, 84 85 # some applications will display license information 86 /usr/share/common-licenses/** r, 87 88 # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked 89 # filesystems generally. This does not appreciably decrease security with 90 # Ubuntu profiles because the user is expected to have access to files owned 91 # by him/her. Exceptions to this are explicit in the profiles. While this rule 92 # grants access to those exceptions, the intended privacy is maintained due to 93 # the encrypted contents of the files in this directory. Files in this 94 # directory will also use filename encryption by default, so the files are 95 # further protected. Also, with the use of 'owner', this rule properly 96 # prevents access to the files from processes running under a different uid. 97 98 # encrypted ~/.Private and old-style encrypted $HOME 99 owner @{HOME}/.Private/** mrixwlk, 100 # new-style encrypted $HOME 101 owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, 102