
/apparmor/logprof.conf

http://github.com/brinkman83/bashrc
Config | 132 lines | 109 code | 23 blank | 0 comment | 0 complexity | 000d1e33edddbf74d677cb914ea2c8da MD5 | raw file
  1# $Id$
  2# ------------------------------------------------------------------
  3#
  4#    Copyright (C) 2004-2006 Novell/SUSE
  5#
  6#    This program is free software; you can redistribute it and/or
  7#    modify it under the terms of version 2 of the GNU General Public
  8#    License published by the Free Software Foundation.
  9#
 10# ------------------------------------------------------------------
 11
 12[settings]
     # Locations and prompt defaults read by the profiling tools.
     # Several keys below list more than one space-separated path; presumably
     # these are alternatives tried in order -- TODO confirm against the consumer.
     # NOTE(review): the parser, ldd and logger entries name executables, so this
     # file and every path listed here should be writable by root only.
 13  profiledir = /etc/apparmor.d /etc/subdomain.d
 14  inactive_profiledir = /usr/share/doc/apparmor-profiles/extras 
 15  logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
 16
 17  parser = /sbin/apparmor_parser /sbin/subdomain_parser
 18  ldd = /usr/bin/ldd
 19  logger = /bin/logger /usr/bin/logger
 20
 21  # customize how file ownership permissions are presented
 22  # 0 - off
 23  # 1 - default of whatever mode the log reported
 24  # 2 - force the new permissions to be user
 25  # 3 - force all perms on the rule to be user
 26  default_owner_prompt = 1
 27
 28  # custom directory locations to look for #includes
 29  #
 30  # each name should be a valid directory containing possible #include
 31  # candidate files under the profile dir which by default is /etc/apparmor.d.
 32  #
 33  # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
 34  # be used by the yast UI and profiling tools as a source of #include
 35  # files.
     # Left empty here: no extra include directories are configured.
 36  custom_includes =
 37
 38
 39[repository]
     # Remote endpoint settings; presumably the profile repository the tools
     # exchange profiles with -- TODO confirm against the consumer.
     # NOTE(review): the url below is plain http://, so nothing sent to or
     # received from it is protected in transit. Treat any profile obtained
     # through it as untrusted and review it before enabling; move to an
     # https:// endpoint if the service provides one.
 40  distro         = ubuntu-intrepid
 41  url            = http://apparmor.test.opensuse.org/backend/api
 42  preferred_user = ubuntu
 43
 44[qualifiers]
     # Maps an executable path to a set of one-letter flags. The letters appear
     # to select which exec-transition choices are offered for that program
     # (i = inherit, c = child, n = named, u = unconfined) -- TODO confirm
     # against the consumer. No entry in this section includes "p".
     # NOTE(review): wherever "u" is listed, an unconfined transition can end up
     # in a generated profile, and the program then runs outside the parent's
     # confinement. Audit generated profiles for such rules, shells especially.
 45  # things will be painfully broken if bash has a profile
 46  /bin/bash     = icnu
 47  /bin/ksh	= icnu
 48  /bin/dash	= icnu
 49
 50  # these programs can't function if they're confined
 51  /bin/mount    = u
 52  /etc/init.d/subdomain = u
 53  /sbin/cardmgr = u
 54  /sbin/subdomain_parser = u
 55  /usr/sbin/genprof = u
 56  /usr/sbin/logprof = u
 57  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
 58  /usr/lib/YaST2/servers_non_y2/ag_logprof = u
 59
 60  # these ones shouldn't have their own profiles
 61  /bin/awk      = icn
 62  /bin/cat      = icn
 63  /bin/chmod    = icn
 64  /bin/chown    = icn
 65  /bin/cp       = icn
 66  /bin/gawk     = icn
 67  /bin/grep     = icn
 68  /bin/gunzip   = icn
 69  /bin/gzip     = icn
 70  /bin/kill     = icn
 71  /bin/ln       = icn
 72  /bin/ls       = icn
 73  /bin/mkdir    = icn
 74  /bin/mv       = icn
 75  /bin/readlink = icn
 76  /bin/rm       = icn
 77  /bin/sed      = icn
 78  /bin/touch    = icn
 79  /sbin/killall5 = icn
 80  /usr/bin/find = icn
 81  /usr/bin/killall = icn
 82  /usr/bin/nice = icn
 83  /usr/bin/perl = icn
 84  /usr/bin/tr   = icn
 85
 86[required_hats]
     # Key: regex matched against an executable path (any directory, then
     # apache / apache2 / apache2-prefork, or httpd / httpd2 / httpd2-prefork).
     # Value: space-separated hat names; presumably the hats a profile for a
     # matching binary must contain -- TODO confirm against the consumer.
 87  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
 88  ^.+/httpd(|2|2-prefork)$  = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
 89
 90[defaulthat]
     # Same path regexes as in [required_hats], each mapped to a single hat
     # name; presumably the hat used when none is chosen explicitly -- TODO
     # confirm against the consumer.
 91  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
 92  ^.+/httpd(|2|2-prefork)$  = DEFAULT_URI
 93
 94[globs]
     # Each entry maps a regex (left) to a glob (right). Going by the examples
     # in the comments below, a logged path matching the regex is generalised
     # to the glob.
     # NOTE(review): every glob accepted into a profile widens what that profile
     # allows; choose the narrowest suggestion that still covers the program.
 95  # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
     # No leading ^ here, so the pattern applies to a lib directory at any depth.
 96  /lib/lib[^\/]+so[^\/]*$           = /lib/lib*so*
 97
 98  # strip kernel version numbers from kernel module accesses
 99  ^/lib/modules/[^\/]+\/            = /lib/modules/*/
100
101  # strip pid numbers from /proc accesses
102  ^/proc/\d+/                       = /proc/*/
103
104  # if it looks like a home directory, glob out the username
     # NOTE(review): the resulting rule covers every user's home directory,
     # not just the one seen in the log.
105  ^/home/[^\/]+                     = /home/*
106
107  # if they use any perl modules, grant access to all
108  ^/usr/lib/perl5/.+$               = /usr/lib/perl5/**
109
110  # locale foo
111  ^/usr/lib/locale/.+$              = /usr/lib/locale/**
112  ^/usr/share/locale/.+$            = /usr/share/locale/**
113
114  # timezone fun
115  ^/usr/share/zoneinfo/.+$          = /usr/share/zoneinfo/**
116
117  # /foobar/fonts/baz -> /foobar/fonts/**
     # Also unanchored: applies to a fonts directory at any depth.
118  /fonts/.+$                        = /fonts/**
119
120  # turn /foo/bar/baz.8907234 into /foo/bar/baz.*
121  # BUGBUG - this one looked weird because it would suggest a glob for
122  # BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
123  # \.\d+$                            = .*
124
125  # some various /etc/security poo -- dunno about these ones...
126  ^/etc/security/_[^\/]+$           = /etc/security/*
127  ^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
128  ^/lib/security/pam_[^\/]+\.so$    = /lib/security/pam_*.so
129
     # NOTE(review): the "." in pam.d and profile.d is not escaped, so as a
     # regex it matches any single character there, not only a literal dot.
130  ^/etc/pam.d/[^\/]+$               = /etc/pam.d/*
131  ^/etc/profile.d/[^\/]+\.sh$       = /etc/profile.d/*.sh
132