/apparmor.d/abstractions/base

http://github.com/brinkman83/bashrc · #! · 102 lines · 85 code · 17 blank · 0 comment · 0 complexity · 0efe83056552382c9e26cee05107afab MD5 · raw file 

    

  1. # vim:syntax=apparmor
    2. 

  2. # ------------------------------------------------------------------
    3. 

  3. #
    4. 

  4. #    Copyright (C) 2002-2009 Novell/SUSE
    5. 

  5. #    Copyright (C) 2009 Canonical Ltd.
    6. 

  6. #
    7. 

  7. #    This program is free software; you can redistribute it and/or
    8. 

  8. #    modify it under the terms of version 2 of the GNU General Public
    9. 

  9. #    License published by the Free Software Foundation.
    10. 

  10. #
    11. 

  11. # ------------------------------------------------------------------
    12. 

  12. 

  13. 

  14. 

  15.   # (Note that the ldd profile has inlined this file; if you make
    16. 

  16.   # modifications here, please consider including them in the ldd
    17. 

  17.   # profile as well.)
    18. 

  18. 

  19.   # The __canary_death_handler function writes a time-stamped log
    20. 

  20.   # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
    21. 

  21.   # and localisations of date should be available EVERYWHERE, so
    22. 

  22.   # StackGuard, FormatGuard, etc., alerts can be properly logged.
    23. 

  23.   /dev/log                       w,
    24. 

  24.   /dev/random                    r,
    25. 

  25.   /dev/urandom                   r,
    26. 

  26.   /etc/locale/**                 r,
    27. 

  27.   /etc/locale.alias              r,
    28. 

  28.   /etc/localtime                 r,
    29. 

  29.   /usr/share/locale-langpack/**  r,
    30. 

  30.   /usr/share/locale/**           r,
    31. 

  31.   /usr/share/**/locale/**        r,
    32. 

  32.   /usr/share/zoneinfo/           r,
    33. 

  33.   /usr/share/zoneinfo/**         r,
    34. 

  34.   /usr/share/X11/locale/**       r,
    35. 

    36. 

  36.   /usr/lib{,32,64}/locale/**             mr,
    37. 

  37.   /usr/lib{,32,64}/gconv/*.so            mr,
    38. 

  38.   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
    39. 

    40. 

  40.   # used by glibc when binding to ephemeral ports
    41. 

  41.   /etc/bindresvport.blacklist    r,
    42. 

    43. 

  43.   # ld.so.cache and ld are used to load shared libraries; they are best
    44. 

  44.   # available everywhere
    45. 

  45.   /etc/ld.so.cache               mr,
    46. 

  46.   /lib{,32,64}/ld{,32,64}-*.so   mrix,
    47. 

  47.   /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
    48. 

  48.   /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
    49. 

  49.   /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
    50. 

    51. 

  51.   # we might as well allow everything to use common libraries
    52. 

  52.   /lib{,32,64}/**                r,
    53. 

  53.   /lib{,32,64}/lib*.so*          mr,
    54. 

  54.   /lib{,32,64}/**/lib*.so*       mr,
    55. 

  55.   /usr/lib{,32,64}/**            r,
    56. 

  56.   /usr/lib{,32,64}/*.so*         mr,
    57. 

  57.   /usr/lib{,32,64}/**/lib*.so*   mr,
    58. 

  58.   /lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
    59. 

  59. 

  60.   # /dev/null is pretty harmless and frequently used
    61. 

  61.   /dev/null                      rw,
    62. 

  62.   # as is /dev/zero
    63. 

  63.   /dev/zero                      rw,
    64. 

  64.   # recent glibc uses /dev/full in preference to /dev/null for programs
    65. 

  65.   # that don't have open fds at exec()
    66. 

  66.   /dev/full                      rw,
    67. 

  67. 

  68.   # Sometimes used to determine kernel/user interfaces to use
    69. 

  69.   @{PROC}/sys/kernel/version     r,
    70. 

  70.   # Depending on which glibc routine uses this file, base may not be the
    71. 

  71.   # best place -- but many profiles require it, and it is quite harmless.
    72. 

  72.   @{PROC}/sys/kernel/ngroups_max r,
    73. 

  73. 

  74.   # glibc's sysconf(3) routine to determine free memory, etc
    75. 

  75.   @{PROC}/meminfo                r,
    76. 

  76.   @{PROC}/stat                   r,
    77. 

  77.   @{PROC}/cpuinfo                r,
    78. 

  78. 

  79.   # glibc's *printf protections read the maps file
    80. 

  80.   @{PROC}/*/maps                 r,
    81. 

    82. 

  82.   # libgcrypt reads some flags from /proc
    83. 

  83.   @{PROC}/sys/crypto/*           r,
    84. 

    85. 

  85.   # some applications will display license information
    86. 

  86.   /usr/share/common-licenses/**  r,
    87. 

    88. 

  88.   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
    89. 

  89.   # filesystems generally. This does not appreciably decrease security with
    90. 

  90.   # Ubuntu profiles because the user is expected to have access to files owned
    91. 

  91.   # by him/her. Exceptions to this are explicit in the profiles. While this rule
    92. 

  92.   # grants access to those exceptions, the intended privacy is maintained due to
    93. 

  93.   # the encrypted contents of the files in this directory. Files in this
    94. 

  94.   # directory will also use filename encryption by default, so the files are
    95. 

  95.   # further protected. Also, with the use of 'owner', this rule properly
    96. 

  96.   # prevents access to the files from processes running under a different uid.
    97. 

    98. 

  98.   # encrypted ~/.Private and old-style encrypted $HOME
    99. 

  99.   owner @{HOME}/.Private/** mrixwlk,
    100. 

  100.   # new-style encrypted $HOME
    101. 

  101.   owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
    102.