local/README 0000644 00000002126 15027405350 0006520 0 ustar 00 # This directory is intended to contain profile additions and overrides for # inclusion by distributed profiles to aid in packaging AppArmor for # distributions. # # The shipped profiles in /etc/apparmor.d can still be modified by an # administrator and people should modify the shipped profile when making # large policy changes, rather than trying to make those adjustments here. # # For simple access additions or the occasional deny override, adjusting them # here can prevent the package manager of the distribution from interfering # with local modifications. As always, new policy should be reviewed to ensure # it is appropriate for your site. # # For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has: # include <local/usr.sbin.smbd> # # then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to # contain any additional paths to be allowed, such as: # # /var/exports/** lrwk, # # Keep in mind that 'deny' rules are evaluated after allow rules, so you won't # be able to allow access to files that are explicitly denied by the shipped # profile using this mechanism. 
local/usr.bin.tcpdump 0000644 00000000000 15027405350 0010603 0 ustar 00 local/ubuntu_pro_esm_cache 0000644 00000000000 15027405350 0011741 0 ustar 00 local/nvidia_modprobe 0000644 00000000000 15027405350 0010711 0 ustar 00 local/sbin.dhclient 0000644 00000000000 15027405350 0010274 0 ustar 00 local/usr.bin.man 0000644 00000000000 15027405350 0007702 0 ustar 00 local/usr.sbin.rsyslogd 0000644 00000000000 15027405350 0011160 0 ustar 00 local/ubuntu_pro_apt_news 0000644 00000000000 15027405350 0011652 0 ustar 00 local/usr.lib.snapd.snap-confine.real 0000644 00000000000 15027405350 0013533 0 ustar 00 local/lsb_release 0000644 00000000000 15027405350 0010030 0 ustar 00 usr.sbin.rsyslogd 0000644 00000003070 15027405350 0010100 0 ustar 00 # Last Modified: Sun Sep 25 08:58:35 2011 #include <tunables/global> # Debugging the syslogger can be difficult if it can't write to the file # that the kernel is logging denials to. In these cases, you can do the # following: # watch -n 1 'dmesg | tail -5' profile rsyslogd /usr/sbin/rsyslogd { #include <abstractions/base> #include <abstractions/nameservice> capability sys_tty_config, capability dac_override, capability dac_read_search, capability setuid, capability setgid, capability sys_nice, capability syslog, unix (receive) type=dgram, unix (receive) type=stream, # rsyslog configuration /etc/rsyslog.conf r, /etc/rsyslog.d/ r, /etc/rsyslog.d/** r, /{,var/}run/rsyslogd.pid{,.tmp} rwk, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rwk, /usr/sbin/rsyslogd mr, /usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr, /dev/tty* rw, /dev/xconsole rw, @{PROC}/kmsg r, /dev/log rwl, /{,var/}run/utmp rk, /var/lib/*/dev/log rwl, /var/spool/postfix/dev/log rwl, /{,var/}run/systemd/notify w, # 'r' is needed when using imfile /var/log/** rw, # Add these for mysql support #/etc/mysql/my.cnf r, #/{,var/}run/mysqld/mysqld.sock rw, # Add these for postgresql support ##include <abstractions/openssl> ##include <abstractions/ssl_certs> 
#/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.rsyslogd> } abi/kernel-5.4-vanilla 0000644 00000002426 15027405350 0010437 0 ustar 00 query {label {multi_transaction {yes } data {yes } perms {allow deny audit quiet } } } signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost } } ptrace {mask {read trace } } caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read } } rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime } } capability {0xffffff } namespaces {pivot_root {no } profile {yes } } mount {mask {mount umount pivot_root } } } file {mask {create read write exec append mmap_exec link lock } } domain {version {1.2 } attach_conditions {xattr {yes } } computed_longest_left {yes } post_nnp_subset {yes } fix_binfmt_elf_mmap {yes } stack {yes } change_profile {yes } change_onexec {yes } change_hatv {yes } change_hat {yes } } policy {set_load {yes } versions {v8 {yes } v7 {yes } v6 {yes } v5 {yes } } } abi/kernel-5.4-outoftree-network 0000644 00000003141 15027405350 0012507 0 ustar 00 query {label {multi_transaction {yes } data {yes } perms {allow deny audit quiet } } } dbus {mask {acquire send receive } } signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost } } ptrace {mask {read trace } } caps {mask {chown dac_override dac_read_search fowner 
fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read } } rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime } } capability {0xffffff } namespaces {pivot_root {no } profile {yes } } mount {mask {mount umount pivot_root } } network {af_unix {yes } af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp } } } file {mask {create read write exec append mmap_exec link lock } } domain {version {1.2 } attach_conditions {xattr {yes } } computed_longest_left {yes } post_nnp_subset {yes } fix_binfmt_elf_mmap {yes } stack {yes } change_profile {yes } change_onexec {yes } change_hatv {yes } change_hat {yes } } policy {set_load {yes } versions {v8 {yes } v7 {yes } v6 {yes } v5 {yes } } } abi/3.0 0000644 00000003605 15027405350 0005527 0 ustar 00 query {label {multi_transaction {yes } data {yes } perms {allow deny audit quiet } } } dbus {mask {acquire send receive } } signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost } } ptrace {mask {read trace } } caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin 
syslog wake_alarm block_suspend audit_read perfmon bpf } } rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime } } capability {0xffffff } namespaces {pivot_root {no } profile {yes } } mount {mask {mount umount pivot_root } } network {af_unix {yes } af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp } } network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp } } file {mask {create read write exec append mmap_exec link lock } } domain {version {1.2 } attach_conditions {xattr {yes } } computed_longest_left {yes } post_nnp_subset {yes } fix_binfmt_elf_mmap {yes } stack {yes } change_profile {yes } change_onexec {yes } change_hatv {yes } change_hat {yes } } policy {set_load {yes } versions {v8 {yes } v7 {yes } v6 {yes } v5 {yes } } } usr.bin.tcpdump 0000644 00000003227 15027405350 0007527 0 ustar 00 # vim:syntax=apparmor #include <tunables/global> profile tcpdump /usr/bin/tcpdump { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/user-tmp> capability net_raw, capability setuid, capability setgid, capability dac_override, capability chown, network raw, network packet, # for -D @{PROC}/bus/usb/ r, @{PROC}/bus/usb/** r, # for finding an interface /dev/ r, @{PROC}/[0-9]*/net/dev r, /sys/bus/usb/devices/ r, /sys/class/net/ r, /sys/devices/**/net/** r, # for -j capability net_admin, # for tracing USB bus, which libpcap supports /dev/usbmon* r, /dev/bus/usb/ r, /dev/bus/usb/** r, # for init_etherarray(), with -e /etc/ethers r, # for USB probing (see 
libpcap-1.1.x/pcap-usb-linux.c:probe_devices()) /dev/bus/usb/**/[0-9]* w, # for -z /{usr/,}bin/gzip ixr, /{usr/,}bin/bzip2 ixr, # for -F and -w audit deny @{HOME}/.* mrwkl, audit deny @{HOME}/.*/ rw, audit deny @{HOME}/.*/** mrwkl, audit deny @{HOME}/bin/ rw, audit deny @{HOME}/bin/** mrwkl, owner @{HOME}/ r, owner @{HOME}/** rw, # for -r, -F and -w /**.[pP][cC][aA][pP] rw, /**.[pP][cC][aA][pP][nN][gG] rw, /**.[cC][aA][pP] rw, # -W adds a numerical suffix /**.[pP][cC][aA][pP][0-9]* rw, /**.[pP][cC][aA][pP][nN][gG][0-9]* rw, /**.[cC][aA][pP][0-9]* rw, # for convenience with -r (ie, read pcap files from other sources) /var/log/snort/*log* r, /usr/bin/tcpdump mr, # allow printing to stdout/stderr when inside a container # (LP: #1667016) /dev/pts/* rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.tcpdump> } ubuntu_pro_esm_cache 0000644 00000015325 15027405350 0010667 0 ustar 00 abi <abi/3.0>, include <tunables/global> # attach_disconnected is needed in all profiles defined here because this # service runs with systemd's PrivateTmp=true profile ubuntu_pro_esm_cache flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/openssl> include <abstractions/python> include <abstractions/user-tmp> capability chown, capability dac_override, capability dac_read_search, capability fowner, capability kill, capability setgid, capability setuid, signal send set=int peer=ubuntu_pro_esm_cache//apt_methods, signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv, /etc/apt/** r, /etc/machine-id r, /etc/ubuntu-advantage/uaclient.conf r, # GH: #3109 # Allow reading the os-release file (possibly a symlink to /usr/lib). 
/{etc/,usr/lib/,lib/}os-release r, /run/ubuntu-advantage/ rw, /run/ubuntu-advantage/** rw, /run/systemd/container/ r, /run/systemd/container/** r, /{,usr/}bin/apt mrix, /{,usr/}bin/apt-cache mrix, /{,usr/}bin/ischroot mrix, /{,usr/}bin/python3.{1,}[0-9] mrix, # LP: #2067319 /{,usr/}bin/uname mrix, /{,usr/}bin/cloud-id Cx -> cloud_id, # LP: #2067319 /{,usr/}bin/ps Cx -> ps, /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt, /{,usr/}bin/dpkg Cx -> dpkg, /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info, /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv, /{,usr/}lib/apt/methods/http Cx -> apt_methods, /{,usr/}lib/apt/methods/https Cx -> apt_methods, /{,usr/}lib/apt/methods/store Cx -> apt_methods, # when there is no status.json cached, esm-cache.service will invoke "snap status" /{,usr/}bin/snap PUx, /usr/share/dpkg/** r, /usr/share/keyrings/* r, /var/cache/apt/** rw, /var/lib/apt/** r, /var/lib/dpkg/** r, /var/lib/ubuntu-advantage/** rwk, /var/log/ubuntu-advantage.log rw, @{PROC}/@{pid}/fd/ r, @{PROC}/1/cgroup r, @{PROC}/version_signature r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/osrelease r, profile ps flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> capability sys_ptrace, # GH: #3079 capability dac_read_search, capability dac_override, # GH: #3119 ptrace (read,trace), # LP: #2067319 /{,usr/}bin/ps mrix, /dev/tty r, @{PROC}/ r, @{PROC}/@{pid}/** r, @{PROC}/uptime r, @{PROC}/sys/kernel/** r, # GH: #3079 @{PROC}/tty/drivers r, /sys/devices/system/node/ r, /sys/devices/system/node/** r, } profile cloud_id flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/python> ptrace read peer=unconfined, /etc/cloud/** r, /etc/apt/** r, /etc/apport/** r, /etc/ssl/openssl.cnf r, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/1/environ r, @{PROC}/1/cmdline r, @{PROC}/@{pid}/status r, 
/run/cloud-init/** r, /{,usr/}bin/ r, /{,usr/}bin/cloud-id r, /{,usr/}bin/python3.{1,}[0-9] mrix, # LP: #2067319 /{,usr/}bin/uname mrix, /usr/share/dpkg/** r, # workarounds for # https://gitlab.com/apparmor/apparmor/-/issues/346 # LP: #2067319 /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl, /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt, /var/lib/cloud/** r, } profile dpkg flags=(attach_disconnected) { include <abstractions/base> capability setgid, /etc/dpkg/** r, /{,usr/}bin/dpkg mr, # LP: #2067810 /var/lib/dpkg/** r, } profile ubuntu_distro_info flags=(attach_disconnected) { include <abstractions/base> /{,usr/}bin/ubuntu-distro-info mr, /usr/share/distro-info/** r, } profile apt_methods flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include <abstractions/user-tmp> capability setgid, capability setuid, network inet stream, network inet6 stream, signal receive set=int peer=ubuntu_pro_esm_cache, / r, /etc/dpkg/** r, /{,usr/}lib/apt/methods/gpgv mr, /{,usr/}lib/apt/methods/http mr, /{,usr/}lib/apt/methods/https mr, /{,usr/}lib/apt/methods/store mr, /usr/share/dpkg/** r, # LP: #2067810 /var/lib/dpkg/** r, /var/lib/ubuntu-advantage/apt-esm/** rwk, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fd/ r, } profile apt_methods_gpgv flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include <abstractions/user-tmp> capability setgid, capability setuid, signal receive set=int peer=ubuntu_pro_esm_cache, / r, /etc/dpkg/** r, # there are just too many shell script tools that are called, like head, # tail, cut, sed, etc /{,usr/}bin/* mrix, /{,usr/}lib/apt/methods/gpgv mr, /usr/share/dpkg/** r, /usr/share/keyrings/* r, /var/lib/ubuntu-advantage/apt-esm/** r, @{PROC}/@{pid}/fd/ r, # apt-config command needs these # Note: observed only in xenial tests, but makes sense for all releases /etc/apt/** 
r, /var/lib/apt/** r, # LP: #2067810 /var/lib/dpkg/** r, } # Site-specific additions and overrides. See local/README for details. #include <local/ubuntu_pro_esm_cache> } # these profiles were initially subprofiles of cloud-id, but: # a) that crashes the kernel # https://gitlab.com/apparmor/apparmor/-/issues/346 # b) <= bionic doesn't like the // or - chars in profile names # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) { include <abstractions/base> capability net_admin, capability sys_ptrace, ptrace read peer=unconfined, # LP: #2067319 /{,usr/}bin/systemctl mr, /run/systemd/private rw, /run/systemd/** r, @{PROC}/cmdline r, # GH: #3119 @{PROC}/1/* r, @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/osrelease r, # GH: 3119 /sys/firmware/efi/efivars/** r, } profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) { include <abstractions/base> capability sys_ptrace, ptrace read peer=unconfined, /{,usr/}bin/systemd-detect-virt mr, /run/systemd/** r, /sys/devices/virtual/** r, # GH: #3119 /sys/firmware/efi/efivars/** r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/1/sched r, @{PROC}/cmdline r, @{PROC}/1/cmdline r, @{PROC}/sys/kernel/osrelease r, } nvidia_modprobe 0000644 00000002245 15027405350 0007634 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, include <tunables/global> profile nvidia_modprobe { include <abstractions/base> # Capabilities capability chown, capability mknod, capability setuid, capability sys_admin, # Main executable /usr/bin/nvidia-modprobe mr, # Other executables /usr/bin/kmod Cx -> kmod, # System files /dev/nvidia-modeset w, /dev/nvidia-uvm w, /dev/nvidia-uvm-tools w, @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/**/config r, @{PROC}/devices r, @{PROC}/driver/nvidia/params r, @{PROC}/modules r, @{PROC}/sys/kernel/modprobe r, # Child profiles profile kmod { include <abstractions/base> # 
Capabilities capability sys_module, # Main executable /usr/bin/kmod mrix, # Other executables /{,usr/}bin/{,ba,da}sh ix, # System files /etc/modprobe.d/{,*.conf} r, /etc/nvidia/current/*.conf r, @{sys}/module/ipmi_devintf/initstate r, @{sys}/module/ipmi_msghandler/initstate r, @{sys}/module/nvidia/initstate r, @{PROC}/cmdline r, } # Site-specific additions and overrides. See local/README for details. include if exists <local/nvidia_modprobe> } sbin.dhclient 0000644 00000006654 15027405350 0007227 0 ustar 00 # vim:syntax=apparmor #include <tunables/global> /{,usr/}sbin/dhclient flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/openssl> capability net_bind_service, capability net_raw, capability dac_override, capability net_admin, network packet, network raw, @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/** r, # dhclient wants to update its threads with functional names # https://gitlab.com/apparmor/apparmor/-/merge_requests/730 # see LP: #1918410 owner @{PROC}/@{pid}/task/[0-9]*/comm rw, # LP: #1926139 @{PROC}/cmdline r, /{,usr/}sbin/dhclient mr, # LP: #1197484 and LP: #1202203 - why is this needed? 
:( /{,usr/}bin/bash mr, /etc/dhclient.conf r, /etc/dhcp/ r, /etc/dhcp/** r, /var/lib/dhcp{,3}/dhclient* lrw, /{,var/}run/dhclient*.pid lrw, /{,var/}run/dhclient*.lease* lrw, # NetworkManager /{,var/}run/nm*conf r, /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw, /{,var/}run/NetworkManager/dhclient*.pid lrw, /var/lib/NetworkManager/dhclient*.conf lrw, /var/lib/NetworkManager/dhclient*.lease* lrw, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, # connman /{,var/}run/connman/dhclient*.pid lrw, /{,var/}run/connman/dhclient*.leases lrw, # synce-hal /usr/share/synce-hal/dhclient.conf r, # if there is a custom script, let it run unconfined /etc/dhcp/dhclient-script Uxr, # The dhclient-script shell script sources other shell scripts rather than # executing them, so we can't just use a separate profile for dhclient-script # with 'Uxr' on the hook scripts. However, for the long-running dhclient3 # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be # able to subvert dhclient-script or write to the hooks.d directories. As # such, if the dhclient3 daemon is subverted, this effectively limits it to # only being able to run the hooks scripts. /{,usr/}sbin/dhclient-script Uxr, # Run the ELF executables under their own unrestricted profiles /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm, /usr/lib/connman/scripts/dhclient-script Pxrm, # Support the new executable helper from NetworkManager. /usr/lib/NetworkManager/nm-dhcp-helper Pxrm, signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper, # Site-specific additions and overrides. See local/README for details. 
#include <local/sbin.dhclient> } /usr/lib/NetworkManager/nm-dhcp-client.action { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/NetworkManager/nm-dhcp-client.action mr, /var/lib/NetworkManager/*lease r, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, network inet dgram, network inet6 dgram, } /usr/lib/NetworkManager/nm-dhcp-helper { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/NetworkManager/nm-dhcp-helper mr, /run/NetworkManager/private-dhcp rw, signal (send) peer=/sbin/dhclient, /var/lib/NetworkManager/*lease r, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, network inet dgram, network inet6 dgram, } /usr/lib/connman/scripts/dhclient-script { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/connman/scripts/dhclient-script mr, network inet dgram, network inet6 dgram, } tunables/kernelvars 0000644 00000002557 15027405350 0010472 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # This file should contain declarations to kernel vars or variables # that will become kernel vars at some point # until kernel vars are implemented # and until the parser supports nested groupings like # @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},} # use @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} #same pattern as @{pid} for now @{tid}=@{pid} #A pattern for pids that can appear @{pids}=@{pid} # Placeholder for user id until kernel var is implemented to match # current user of the confined application. # Values are 0...4,294,967,295 (32-bit unsigned, 10 digits). 
@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]} #same pattern as @{uid} for now @{uids}=@{uid} # until kernel var is implemented @{sys}=/sys/ tunables/etc 0000644 00000002065 15027405350 0007063 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2020 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # @{etc_ro} contains a space-separated list of the system configuration directories. # Traditionally this means /etc/, but when using a read-only / filesystem and/or # with the goal of having only user-modified config files in /etc/, directories # like /usr/etc/ get introduced for storing the default config. # @{etc_ro} contains read-only directories with configuration files. # Do not use @{etc_ro} in rules that allow write access. @{etc_ro}=/etc/ /usr/etc/ # @{etc_rw} contains directories where writing to configuration files is allowed. @{etc_rw}=/etc/ # Also, include files in tunables/etc.d/ for site-specific adjustments to # @{etc_ro} and @{etc_rw}. include if exists <tunables/etc.d> tunables/dovecot 0000644 00000001444 15027405350 0007753 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # vim:ft=apparmor # @{DOVECOT_MAILSTORE} is a space-separated list of all directories # where dovecot is allowed to store and read mails # # The default value is quite broad to avoid breaking existing setups. # Please change @{DOVECOT_MAILSTORE} to (only) contain the directory # you use, and remove everything else. @{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/ tunables/global 0000644 00000001367 15027405350 0007554 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2006-2009 Novell/SUSE # Copyright (C) 2010-2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # All the tunables definitions that should be available to every profile # should be included here include <tunables/home> include <tunables/multiarch> include <tunables/proc> include <tunables/alias> include <tunables/kernelvars> include <tunables/xdg-user-dirs> include <tunables/share> include <tunables/etc> include <tunables/run> tunables/home 0000644 00000001726 15027405350 0007243 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2006-2009 Novell/SUSE # Copyright (C) 2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # @{HOME} is a space-separated list of all user home directories. 
While # it doesn't refer to a specific home directory (AppArmor doesn't # enforce discretionary access controls) it can be used as if it did # refer to a specific home directory @{HOME}=@{HOMEDIRS}/*/ /root/ # @{HOMEDIRS} is a space-separated list of where user home directories # are stored, for programs that must enumerate all home directories on a # system. @{HOMEDIRS}=/home/ # Also, include files in tunables/home.d for site-specific adjustments to # @{HOMEDIRS}. include <tunables/home.d> tunables/securityfs 0000644 00000000625 15027405350 0010510 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # @{securityfs} is the location where securityfs is mounted. @{securityfs}=@{sys}/kernel/security/ tunables/share 0000644 00000001463 15027405350 0007413 0 ustar 00 @{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export} # System-wide directories with behaviour analogous to /usr/share # in patterns like the freedesktop.org basedir spec. These are # owned by root or a system user, appear in XDG_DATA_DIRS, and # are the parent directory for `applications`, `themes`, # `dbus-1/services`, etc. @{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share # Per-user/personal directories with behaviour analogous to # ~/.local/share in patterns like the freedesktop.org basedir spec. 
# These are owned by the user running an application, appear in # XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory # for the same subdirectories as @{system_share_dirs} @{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share tunables/proc 0000644 00000000670 15027405350 0007253 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # @{PROC} is the location where procfs is mounted. @{PROC}=/proc/ tunables/multiarch 0000644 00000001166 15027405350 0010301 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # @{multiarch} is the set of patterns matching multi-arch library # install prefixes. @{multiarch}=*-linux-gnu* # Also, include files in tunables/multiarch.d for site and packaging # specific adjustments to @{multiarch}. include <tunables/multiarch.d> tunables/xdg-user-dirs 0000644 00000001543 15027405350 0011005 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # Define the common set of XDG user directories (usually defined in # /etc/xdg/user-dirs.defaults) @{XDG_DESKTOP_DIR}="Desktop" @{XDG_DOWNLOAD_DIR}="Downloads" @{XDG_TEMPLATES_DIR}="Templates" @{XDG_PUBLICSHARE_DIR}="Public" @{XDG_DOCUMENTS_DIR}="Documents" @{XDG_MUSIC_DIR}="Music" @{XDG_PICTURES_DIR}="Pictures" @{XDG_VIDEOS_DIR}="Videos" # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories include <tunables/xdg-user-dirs.d> tunables/run 0000644 00000000027 15027405350 0007110 0 ustar 00 @{run}=/run/ /var/run/ tunables/apparmorfs 0000644 00000000567 15027405350 0010467 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ include <tunables/securityfs> @{apparmorfs}=@{securityfs}/apparmor/ tunables/sys 0000644 00000000572 15027405350 0007127 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ #This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now. tunables/alias 0000644 00000001160 15027405350 0007374 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # Alias rules can be used to rewrite paths and are done after variable # resolution. For example, if '/usr' is on removable media: # alias /usr/ -> /mnt/usr/, # # Or if mysql databases are stored in /home: # alias /var/lib/mysql/ -> /home/mysql/, tunables/home.d/site.local 0000644 00000001172 15027405350 0011515 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2010 Canonical Ltd. # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # The following is a space-separated list of where additional user home # directories are stored, each must have a trailing '/'. Directories added # here are appended to @{HOMEDIRS}. See tunables/home for details. Eg: #@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/ tunables/home.d/ubuntu 0000644 00000000521 15027405350 0010777 0 ustar 00 # This file is auto-generated. It is recommended you update it using: # $ sudo dpkg-reconfigure apparmor # # The following is a space-separated list of where additional user home # directories are stored, each must have a trailing '/'. Directories added # here are appended to @{HOMEDIRS}. See tunables/home for details. #@{HOMEDIRS}+= tunables/multiarch.d/site.local 0000644 00000001205 15027405350 0012552 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # The following is a space-separated list of where additional multiarch # prefixes are stored, each should not have a trailing '/'. Directories # added here are appended to @{multiarch}. See tunables/multiarch for details. Eg: #@{multiarch}+=*-freebsd* s390-hurd-zomg tunables/xdg-user-dirs.d/site.local 0000644 00000001332 15027405350 0013260 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2014 Canonical Ltd. # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # The following may be used to add additional entries such as for # translations. See tunables/xdg-user-dirs for details. Eg: #@{XDG_MUSIC_DIR}+="Musique" #@{XDG_DESKTOP_DIR}+="" #@{XDG_DOWNLOAD_DIR}+="" #@{XDG_TEMPLATES_DIR}+="" #@{XDG_PUBLICSHARE_DIR}+="" #@{XDG_DOCUMENTS_DIR}+="" #@{XDG_MUSIC_DIR}+="" #@{XDG_PICTURES_DIR}+="" #@{XDG_VIDEOS_DIR}+="" usr.bin.man 0000644 00000006570 15027405350 0006632 0 ustar 00 # vim:syntax=apparmor #include <tunables/global> /usr/bin/man { #include <abstractions/base> # Use a special profile when man calls anything groff-related. We only # include the programs that actually parse input data in a non-trivial # way, not wrappers such as groff and nroff, since the latter would need a # broader profile. /usr/bin/eqn rmCx -> &man_groff, /usr/bin/grap rmCx -> &man_groff, /usr/bin/pic rmCx -> &man_groff, /usr/bin/preconv rmCx -> &man_groff, /usr/bin/refer rmCx -> &man_groff, /usr/bin/tbl rmCx -> &man_groff, /usr/bin/troff rmCx -> &man_groff, /usr/bin/vgrind rmCx -> &man_groff, # Similarly, use a special profile when man calls decompressors and other # simple filters. 
/{,usr/}bin/bzip2 rmCx -> &man_filter, /{,usr/}bin/gzip rmCx -> &man_filter, /usr/bin/col rmCx -> &man_filter, /usr/bin/compress rmCx -> &man_filter, /usr/bin/iconv rmCx -> &man_filter, /usr/bin/lzip.lzip rmCx -> &man_filter, /usr/bin/tr rmCx -> &man_filter, /usr/bin/xz rmCx -> &man_filter, # Allow basically anything in terms of file system access, subject to DAC. # The purpose of this profile isn't to confine man itself (that might be # nice in the future, but is tricky since it's quite configurable), but to # confine the processes it calls that parse untrusted data. /** mrixwlk, unix, capability setuid, capability setgid, # Ordinary permission checks sometimes involve checking whether the # process has this capability, which can produce audit log messages. # Silence them. deny capability dac_override, deny capability dac_read_search, signal peer=@{profile_name}, signal peer=/usr/bin/man//&man_groff, signal peer=/usr/bin/man//&man_filter, # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.man> } profile man_groff { #include <abstractions/base> # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. This is temporary until man learns to close irrelevant # open FDs before execve. #include <abstractions/consoles> # man always runs its groff pipeline with the input file open on stdin, # so we can skip <abstractions/user-manpages>. /usr/bin/eqn rm, /usr/bin/grap rm, /usr/bin/pic rm, /usr/bin/preconv rm, /usr/bin/refer rm, /usr/bin/tbl rm, /usr/bin/troff rm, /usr/bin/vgrind rm, /etc/groff/** r, /etc/papersize r, /usr/lib/groff/site-tmac/** r, /usr/share/groff/** r, /tmp/groff* rw, signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_groff, } profile man_filter { #include <abstractions/base> # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. 
This is temporary until man learns to close irrelevant # open FDs before execve. #include <abstractions/consoles> /{,usr/}bin/bzip2 rm, /{,usr/}bin/gzip rm, /usr/bin/col rm, /usr/bin/compress rm, /usr/bin/iconv rm, /usr/bin/lzip.lzip rm, /usr/bin/tr rm, /usr/bin/xz rm, # Manual pages can be more or less anywhere, especially with "man -l", and # there's no harm in allowing wide read access here since the worst it can # do is feed data to the invoking man process. /** r, # Allow writing cat pages. /var/cache/man/** w, signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_filter, } ubuntu_pro_apt_news 0000644 00000003314 15027405350 0010573 0 ustar 00 abi <abi/3.0>, include <tunables/global> # attach_disconnected is needed here because this service runs with systemd's # PrivateTmp=true profile ubuntu_pro_apt_news flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/openssl> include <abstractions/python> # Needed because apt-news calls apt_pkg.init() which tries to # switch to the _apt system user/group. capability setgid, capability setuid, capability dac_read_search, # GH: 3079 capability dac_override, /etc/apt/** r, /etc/default/apport r, /etc/ubuntu-advantage/* r, # GH: #3109 # Allow reading the os-release file (possibly a symlink to /usr/lib). 
/{etc/,usr/lib/,lib/}os-release r, /{,usr/}bin/python3.{1,}[0-9] mrix, # "import uuid" in focal triggers an uname call # And also see LP: #2067319 /{,usr/}bin/uname mrix, /{,usr/}lib/apt/methods/http mrix, /{,usr/}lib/apt/methods/https mrix, /{,usr/}lib/ubuntu-advantage/apt_news.py r, /usr/share/dpkg/* r, /var/log/ubuntu-advantage.log rw, /var/lib/ubuntu-advantage/** r, /var/lib/ubuntu-advantage/messages/ rw, /var/lib/ubuntu-advantage/messages/* rw, /run/ubuntu-advantage/ rw, /run/ubuntu-advantage/* rw, # LP: #2072489 # the apt-news package selector needs access to packaging information # this is a good candidate for a child profile owner /tmp/** rw, /etc/machine-id r, /etc/dpkg/** r, /{,usr/}bin/dpkg mrix, /var/lib/apt/** r, /var/lib/dpkg/** r, /var/cache/apt/** rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/cgroup r, # Site-specific additions and overrides. See local/README for details. #include <local/ubuntu_pro_apt_news> } usr.lib.snapd.snap-confine.real 0000644 00000076055 15027405350 0012470 0 ustar 00 # Author: Jamie Strandboge <jamie@canonical.com> #include <tunables/global> @{SNAP_MOUNT_DIR_LIST}="{,/var/lib/snapd}/snap" /usr/lib/snapd/snap-confine (attach_disconnected) { # Include any additional files that snapd chose to generate. # - for $HOME on remote file system. # - for $HOME on encrypted media # # Those are discussed on https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor # and https://forum.snapcraft.io/t/snaps-and-nfs-home/ #include "/var/lib/snapd/apparmor/snap-confine" # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /etc/ld.so.preload r, # Do not assume that the interpreter is always named like # ld-linux-x86_64.so, as on some architectures there can be a version after # the .so suffix, eg. 
ld-linux-aarch64.so.1 /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, 
/{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, # This rule is needed when executing from a "base: core" devmode snap on # UC18 and newer where the /usr/lib/snapd/snap-confine inside the # "base: core" mount namespace always comes from the snapd snap, and thus # we will execute snap-confine via this path, and thus need to be able to # read this path when executing. It's also necessary on classic where both # the snapd and the core snap are installed at the same time. # TODO: remove this rule when we stop supporting executing other snaps from # inside devmode snaps, ideally even in the short term we would only include # this rule on core only, and specifically uc18 and newer where we need it #@VERBATIM_LIBEXECDIR_SNAP_CONFINE@ mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, /dev/pts/[0-9]* rw, /dev/tty rw, # SNAP_MOUNT_DIR probe logic /proc/1/root/snap r, # cgroup: devices capability sys_admin, capability dac_read_search, capability dac_override, /sys/fs/cgroup/ r, /sys/fs/cgroup/devices/ r, /sys/fs/cgroup/devices/snap.*/ rw, /sys/fs/cgroup/devices/snap.*/cgroup.procs w, /sys/fs/cgroup/devices/snap.*/devices.{allow,deny} w, # cgroup: freezer # Allow creating per-snap cgroup freezers and adding snap command (task) # invocations to the freezer. This allows for reliably enumerating all # running processes for the snap. In addition, allow enumerating processes # in the cgroup to determine if it is occupied. 
/sys/fs/cgroup/freezer/ r, /sys/fs/cgroup/freezer/snap.*/ w, /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw, /sys/fs/cgroup/ r, /sys/fs/cgroup/** r, # cgroup: reading own cgroup @{PROC}/@{pid}/cgroup r, # cgroup: manage bpf map for device cgroup /sys/fs/bpf/ r, /sys/fs/bpf/snap/ rw, /sys/fs/bpf/snap/* rw, # s-c may need to raise the memlock limit capability sys_resource, # querying udev /etc/udev/udev.conf r, /sys/**/uevent r, /run/udev/** rw, /{,usr/}bin/tr ixr, /usr/lib/locale/** r, /usr/lib/@{multiarch}/gconv/gconv-modules r, /usr/lib/@{multiarch}/gconv/gconv-modules.cache r, # priv dropping capability setuid, capability setgid, # changing profile @{PROC}/[0-9]*/attr/{,apparmor/}exec w, # Reading current profile @{PROC}/[0-9]*/attr/{,apparmor/}current r, # Reading available filesystems @{PROC}/filesystems r, # To find where apparmor is mounted @{PROC}/[0-9]*/mounts r, # To find if apparmor is enabled /sys/module/apparmor/parameters/enabled r, # For detecting if we're in a container /run/systemd/container r, # Don't allow changing profile to unconfined or profiles that start with # '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on # the environment for determining the capabilities of the architecture. # 'unsafe' is ok here because the kernel will have already cleared the # environment as part of launching snap-confine with CAP_SYS_ADMIN. This # does leave directories as configured by ld.so.preload as well as # LD_PRELOAD to be set to a library which is in a directory configured by # ld.so.conf, but access to those locations is mediated by this profile # (which requires rules for specific locations). 
# TODO: use GenerateAAREExclusionPatterns for this, though the first # rule and the fact that the generative aspect is not an absolute filepath # complicate using that function directly change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> u[^n]**, change_profile unsafe /** -> un[^c]**, change_profile unsafe /** -> unc[^o]**, change_profile unsafe /** -> unco[^n]**, change_profile unsafe /** -> uncon[^f]**, change_profile unsafe /** -> unconf[^i]**, change_profile unsafe /** -> unconfi[^n]**, change_profile unsafe /** -> unconfin[^e]**, change_profile unsafe /** -> unconfine[^d]**, change_profile unsafe /** -> unconfined?**, # allow changing to a few not caught above change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, # LP: #1446794 - when this bug is fixed, change the above to: # deny change_profile unsafe /** -> {unconfined,/**}, # change_profile unsafe /** -> **, # reading seccomp filters. # Note 1: We still need to consider .bin extension because of global.bin file. # Note 2: This rule is not needed because of rule '/var/lib/** rw', however we keep it because at # some point we want to investigate if we can narrow the scope of the aforementioned rule. 
/{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin{,2} r, # adding a missing bpf mount mount fstype=bpf options=(rw) bpf -> /sys/fs/bpf/, # For mounting base dir by dir (write dirs and mount on them) /tmp/snap.rootfs_** rw, mount options=(remount ro) -> /tmp/snap.rootfs_*/, mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/*/*/**/ -> /tmp/snap.rootfs_**/, # For mounting individual files mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/** -> /tmp/snap.rootfs_*/**, mount options=(rw rslave) -> /tmp/snap.rootfs_**/, # Allow mounting dirs from / mount options=(rw rbind) /*/ -> /tmp/snap.rootfs_**/, # LP: #1668659 and parallel instances of classic snaps mount options=(rw rbind) /snap/ -> /snap/, mount options=(rw rshared) -> /snap/, mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/, mount options=(rw rshared) -> /var/lib/snapd/snap/, # bootstrapping the mount namespace /tmp/snap.rootfs_*/ rw, mount fstype=tmpfs none -> /tmp/snap.rootfs_*/, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/, mount options=(rw unbindable) -> /tmp/snap.rootfs_*/, # the next line is for classic system mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/*/*/ -> /tmp/snap.rootfs_*/, # the next line is for core system mount options=(rw rbind) / -> /tmp/snap.rootfs_*/, # all of the constructed rootfs is an rslave mount options=(rw rslave) -> /tmp/snap.rootfs_*/, # bidirectional mounts (for both classic and core) # NOTE: this doesn't capture the MERGED_USR configuration option so that # when a distro with merged /usr and / that uses apparmor shows up it # should be handled here. 
/{,run/}media/ w, mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/, /run/netns/ w, mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/, # unidirectional mounts (only for classic system) mount options=(rw rbind) /dev/ -> /tmp/snap.rootfs_*/dev/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/dev/, mount options=(rw rbind) /etc/ -> /tmp/snap.rootfs_*/etc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/etc/, mount options=(rw rbind) /home/ -> /tmp/snap.rootfs_*/home/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/home/, mount options=(rw rbind) /root/ -> /tmp/snap.rootfs_*/root/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/root/, mount options=(rw rbind) /proc/ -> /tmp/snap.rootfs_*/proc/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/proc/, mount options=(rw rbind) /sys/ -> /tmp/snap.rootfs_*/sys/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/sys/, mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/, mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/, mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/, mount options=(rw rbind) /var/snap/ -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/snap/, mount options=(rw rbind) /var/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/tmp/ -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/tmp/, mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/, mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rslave) -> 
/tmp/snap.rootfs_*/var/lib/extrausers/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, mount options=(rw rbind) /var/log/ -> /tmp/snap.rootfs_*/var/log/, # /var/volatile is the default volatile location on Yocto/Poky, typically used with read-only rootfs setups mount options=(rw rbind) /var/volatile/log/ -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/log/, mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/, mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/, # allow making host snap-exec available inside base snaps mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making re-execed host snap-exec available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, # allow making snapd snap tools available inside base snaps mount options=(ro bind) @{SNAP_MOUNT_DIR_LIST}/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/, mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl, mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl, # /etc/alternatives (classic and normal mode) mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw bind) 
@{SNAP_MOUNT_DIR_LIST}/*/*/etc/apparmor/ -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw bind) @{SNAP_MOUNT_DIR_LIST}/*/*/etc/apparmor.d/ -> /tmp/snap.rootfs_*/etc/apparmor.d/, # /etc/alternatives (core/legacy mode) mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/, # making all those directories slave shared. mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/alternatives/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/ssl/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/nsswitch.conf, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor/, mount options=(rw slave) -> /tmp/snap.rootfs_*/etc/apparmor.d/, # the /snap directory mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/ -> /tmp/snap.rootfs_*/snap/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/snap/, # pivot_root preparation and execution mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/, # pivot_root mediation in AppArmor is not complete. See LP: #1791711. # However, we can mediate the new_root and put_old to be what we expect, # and then deny directory creation within old_root to prevent trivial # pivoting into an allowlisted path. pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/, # Explicitly deny creating the old_root directory in case it is # inadvertently added somewhere else. While this doesn't resolve # LP: #1791711, it provides some hardening. # For dir on dir mounts, we do need write permissions in /var though audit deny /tmp/snap.rootfs_*/{var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w, # cleanup umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/, umount /var/lib/snapd/hostfs/sys/, umount /var/lib/snapd/hostfs/dev/, umount /var/lib/snapd/hostfs/proc/, mount options=(rw rslave) -> /var/lib/snapd/hostfs/, # Hide /writable from view of snaps. 
mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/, umount /{,var/lib/snapd/hostfs/}writable/, # set up user mount namespace mount options=(rslave) -> /, # set up mount namespace for parallel instances of classic snaps mount options=(rw rbind) @{SNAP_MOUNT_DIR_LIST}/{,*/} -> @{SNAP_MOUNT_DIR_LIST}/{,*/}, mount options=(rslave) -> @{SNAP_MOUNT_DIR_LIST}/, mount options=(rslave) -> /var/snap/, mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/}, mount options=(rw rshared) -> /var/snap/, # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/}os-release r, # Allow creating /var/lib/snapd/hostfs, if missing /var/lib/snapd/hostfs/ rw, # set up snap-specific private /tmp dir capability chown, /tmp/ rw, /tmp/snap-private-tmp/ rw, /tmp/snap-private-tmp/snap.*/ rw, /tmp/snap-private-tmp/snap.*/tmp/ rw, mount options=(rw private) -> /tmp/, mount options=(rw bind) /tmp/snap-private-tmp/snap.*/tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD # Workaround for LP: #1584456 on older kernels that mistakenly think # /dev/pts/ptmx needs a trailing '/' mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/, mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/, # for running snaps on classic /snap/ r, /snap/** r, @{SNAP_MOUNT_DIR_LIST}/ r, @{SNAP_MOUNT_DIR_LIST}/** r, # NOTE: at this stage the /snap directory is stable as we have called # pivot_root already. 
# nvidia handling, glob needs /usr/** and the launcher must be # able to bind mount the nvidia dir /sys/module/nvidia/version r, /sys/**/drivers/nvidia{,_*}/* r, /sys/**/nvidia*/uevent r, /sys/module/nvidia{,_*}/* r, /dev/nvidia[0-9]* r, /dev/nvidiactl r, /dev/nvidia-uvm r, /usr/** r, mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/, mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/, # Vulkan support /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/, # GLVND EGL vendor /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w, mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/, mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/, # create gl dirs as needed /tmp/snap.rootfs_*/ r, /tmp/snap.rootfs_*/var/ r, /tmp/snap.rootfs_*/var/lib/ r, /tmp/snap.rootfs_*/var/lib/snapd/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw, /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw, /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r, /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw, # for chroot on steroids, we use pivot_root as a better chroot that makes # apparmor rules behave the same on classic and outside of classic. 
# for creating the user data directories: ~/snap, ~/snap/<name> and # ~/snap/<name>/<version> / r, @{HOMEDIRS}/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet @{HOME}/ r, @{HOME}/snap/{,*/,*/*/} rw, # experimental @{HOME}/.snap/ rw, @{HOME}/.snap/data/{,*/,*/*/} rw, @{HOME}/Snap/{,*/,*/*/} rw, # Special case for *classic* snaps that are used by users with existing dirs # in /var/lib/. Like jenkins, postgresql, mysql, puppet, ... # (see https://forum.snapcraft.io/t/9717) # TODO: this can be removed once we support home-dirs outside of /home # better /var/ r, /var/lib/ r, # These should both have 'owner' match but due to LP: #1466234, we can't # yet /var/lib/*/ r, /var/lib/*/snap/{,*/,*/*/} rw, # for creating the user shared memory directories /{dev,run}/{,shm/} r, # This should have an 'owner' match but due to LP: #1466234, we can't yet /{dev,run}/shm/{,*/,*/*/} rw, # for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and # /run/user/UID/<name> /run/user/{,[0-9]*/,[0-9]*/*/} rw, # Workaround https://launchpad.net/bugs/359338 until upstream handles # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, @{HOME}/.Private/** mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs/*/.Private/ r, @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, # Allow snap-confine to move to the void, creating it if necessary. /var/lib/snapd/void/ rw, # Allow snap-confine to read snap contexts /var/lib/snapd/context/snap.* r, # Allow snap-confine to unmount stale mount namespaces. umount /run/snapd/ns/*.mnt, /run/snapd/ns/snap.*.fstab w, # Allow snap-confine to read and write mount namespace information files. /run/snapd/ns/snap.*.info rw, # Required to correctly unmount bound mount namespace. # See LP: #1735459 for details. 
umount /, # support for locking /run/snapd/lock/ rw, /run/snapd/lock/*.lock rwk, # support for the mount namespace sharing capability sys_ptrace, # allow snap-confine to read /proc/1/ns/mnt ptrace read peer=unconfined, # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21 ptrace trace peer=unconfined, mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/, mount options=(private) -> /run/snapd/ns/, / rw, /run/ rw, /run/snapd/ rw, /run/snapd/ns/ rw, /run/snapd/ns/*.lock rwk, /run/snapd/ns/*.mnt rw, ptrace (read, readby, tracedby) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, @{PROC}/*/mountinfo r, capability sys_chroot, capability sys_admin, signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine, signal (send) set=(int) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, signal (send, receive) set=(int, alrm, exists) peer=/usr/lib/snapd/snap-confine, signal (receive) set=(exists) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # workaround for linux 4.13/upstream, see # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3 ptrace (trace, tracedby) peer=/usr/lib/snapd/snap-confine, # Allow reading snap cookies. /var/lib/snapd/cookie/snap.* r, # For aa_change_hat() to go into ^mount-namespace-capture-helper @{PROC}/[0-9]*/attr/{,apparmor/}current w, # As a special exception allow snap-confine to write to anything in /var/lib. # This code should be changed to allow delegation so that snap-confine can # inherit any file descriptor and pass it to the invoked application but # this is not possible in apparmor yet. 
# See https://bugs.launchpad.net/snapd/+bug/1815869 /var/lib/** rw, ^mount-namespace-capture-helper (attach_disconnected) { # We run privileged, so be fanatical about what we include and don't use # any abstractions /etc/ld.so.cache r, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld{-*,64}.so* mrix, # libc, you are funny /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr, # normal libs in order /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr, 
/{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libudev.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libseccomp.so* mr, /{,{,var/lib/snapd/}snap/{snapd,core}/*/}{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcap.so* mr, /usr/lib/snapd/snap-confine mr, /dev/null rw, /dev/full rw, /dev/zero rw, /dev/random r, /dev/urandom r, capability sys_ptrace, capability sys_admin, # This allows us to read and bind mount the namespace file / r, @{PROC}/ r, @{PROC}/*/ r, @{PROC}/*/ns/ r, @{PROC}/*/ns/mnt r, /run/ r, /run/snapd/ r, /run/snapd/ns/ r, /run/snapd/ns/*.mnt rw, # NOTE: the source name is / even though we map /proc/123/ns/mnt mount options=(rw bind) / -> /run/snapd/ns/*.mnt, # This is the SIGALRM that we send and receive if a timeout expires signal (send, receive) set=(alrm) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # Those two rules are exactly the same but we don't know if the parent process is still alive # and hence has the appropriate label or is already dead and hence has no label. signal (send) set=(exists) peer=/usr/lib/snapd/snap-confine, signal (send) set=(exists) peer=unconfined, # This is so that we can abort signal (send, receive) set=(abrt) peer=/usr/lib/snapd/snap-confine//mount-namespace-capture-helper, # This is the signal we get if snap-confine dies (we subscribe to it with prctl) signal (receive) set=(int) peer=/usr/lib/snapd/snap-confine, # This allows snap-confine to be killed from the outside. 
signal (receive) peer=unconfined, # This allows snap-confine to wait for us ptrace (read, trace, tracedby) peer=/usr/lib/snapd/snap-confine, } # Allow snap-confine to be killed signal (receive) peer=unconfined, # Allow switching to snap-update-ns with a per-snap profile. change_profile -> snap-update-ns.*, # Allow executing snap-update-ns when... # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the distribution package. This is also the location used when using # the core/base snap on all-snap systems. The variants here represent # various locations of libexecdir across distributions. /usr/lib{,exec,64}/snapd/snap-update-ns r, # ...snap-confine is not, conceptually, re-executing and uses # snap-update-ns from the distribution package but we are already inside # the constructed mount namespace so we must traverse "hostfs". The # variants here represent various locations of libexecdir across # distributions. /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns r, # ..snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core or snapd snaps. Note that the location of the actual snap # varies from distribution to distribution. The variants here represent # different locations of snap mount directory across distributions. /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r, # ...snap-confine is, conceptually, re-executing and uses snap-update-ns # from the core snap or snapd snap, but we are already inside the # constructed mount namespace. Here the apparmor kernel module # re-constructs the path to snap-update-ns using the "hostfs" mount entry # rather than the more "natural" /snap mount entry but we have no control # over that. This is reported as (LP: #1716339). The variants here # represent different locations of snap mount directory across # distributions. 
/var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns r, # Allow executing snap-discard-ns, just like the set for snap-update-ns # above but with the key difference that snap-discard-ns does not # have a dedicated profile so we need to inherit snap-confine's profile. /usr/lib{,exec,64}/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix, /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix, /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-discard-ns rix, # Allow mounting /var/lib/jenkins from the host into the snap. mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/, mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/, # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is # fixed. deny /dev/shm/.org.chromium.Chromium.* rw, # While snap-confine itself doesn't require unix rules and therefore all # unix rules are implicitly denied, adding an explicit deny for unix to # silence noisy denials breaks nested lxd. Until the cause is determined, # do not use an explicit deny for unix. (LP: #1855355) #deny unix, # Explicitly deny these accesses which show up on Arch to silence the # denials for this unneeded access. deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr, deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr, deny /etc/nsswitch.conf r, deny /etc/passwd r, } lsb_release 0000644 00000002473 15027405350 0006756 0 ustar 00 # Note: This profile does not specify an attachment path because it is # intended to be used only via "Px -> lsb_release" exec transitions from # other profiles. 
We want to confine the lsb_release(1) utility when it # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. abi <abi/3.0>, include <tunables/global> # Do not attach to /usr/bin/lsb_release by default profile lsb_release { include <abstractions/base> include <abstractions/python> owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, /usr/bin/lsb_release r, /usr/bin/python3.{1,}[0-9] mr, /etc/debian_version r, /etc/default/apport r, /etc/dpkg/origins/** r, /etc/lsb-release r, /etc/lsb-release.d/ r, /{usr/,}bin/bash ixr, /{usr/,}bin/dash ixr, /usr/bin/basename ixr, /usr/bin/dpkg-query ixr, /usr/bin/getopt ixr, /usr/bin/sed ixr, /usr/bin/tr ixr, # TODO - many more permissions needed for this to work deny /usr/bin/apt-cache x, /usr/bin/ r, /usr/include/python*/pyconfig.h r, /usr/share/distro-info/** r, /usr/share/dpkg/** r, /usr/share/terminfo/** r, /var/lib/dpkg/** r, # file_inherit deny /tmp/gtalkplugin.log w, # Site-specific additions and overrides. See local/README for details. include if exists <local/lsb_release> } usr.sbin.mariadbd 0000644 00000001332 15027405350 0007774 0 ustar 00 # This file is intentionally empty to disable apparmor by default for newer # versions of MariaDB, while providing seamless upgrade from older versions # and from mysql, where apparmor is used. # # By default, we do not want to have any apparmor profile for the MariaDB # server. It does not provide much useful functionality/security, and causes # several problems for users who often are not even aware that apparmor # exists and runs on their system. # # Users can modify and maintain their own profile, and in this case it will # be used. # # When upgrading from previous version, users who modified the profile # will be prompted to keep or discard it, while for default installs # we will automatically disable the profile. 
abstractions/opencl 0000644 00000000562 15027405350 0010447 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # OpenCL access requirements # TODO: use conditionals to select allowed implementations include <abstractions/opencl-intel> include <abstractions/opencl-mesa> include <abstractions/opencl-nvidia> include <abstractions/opencl-pocl> # Include additions to the abstraction include if exists <abstractions/opencl.d> abstractions/ubuntu-unity7-base 0000644 00000004776 15027405350 0012671 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2013-2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # # Rules common to applications running under Unity 7 # include <abstractions/gnome> include <abstractions/dbus-session-strict> include <abstractions/dbus-strict> # # Access required for connecting to/communication with Unity HUD # dbus (send) bus=session path="/com/canonical/hud", dbus (send) bus=session interface="com.canonical.hud.*", dbus (send) bus=session path="/com/canonical/hud/applications/*", dbus (receive) bus=session path="/com/canonical/hud", dbus (receive) bus=session interface="com.canonical.hud.*", # # Allow access for connecting to/communication with the appmenu # # dbusmenu dbus (send) bus=session interface="com.canonical.AppMenu.*", dbus (receive, send) bus=session path=/com/canonical/menu/**, # gmenu dbus (receive, send) bus=session interface=org.gtk.Actions, dbus (receive, send) bus=session interface=org.gtk.Menus, # # Access required for using freedesktop notifications # dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities, dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation, dbus 
(send) bus=session path=/org/freedesktop/Notifications member=Notify, dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"), dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed, dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification, # accessibility dbus (send) bus=session peer=(name=org.a11y.Bus), dbus (receive) bus=session interface=org.a11y.atspi*, dbus (receive, send) bus=accessibility, # # Deny potentially dangerous access # deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, # Include additions to the abstraction include if exists <abstractions/ubuntu-unity7-base.d> abstractions/recent-documents-write 0000644 00000000722 15027405350 0013574 0 ustar 00 # vim:syntax=apparmor # Allow updating recent documents abi <abi/3.0>, # User files owner @{HOME}/.local/share/RecentDocuments/ rw, owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw, owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*, owner @{HOME}/.local/share/RecentDocuments/*.lock rwk, # Include additions to the abstraction include if exists <abstractions/recent-documents-write.d> abstractions/ubuntu-helpers 0000644 00000007317 15027405350 0012156 0 ustar 00 # Lenient profile that is intended to be used when 'Ux' is desired but # does not provide enough environment sanitizing. This effectively is an # open profile that blacklists certain known dangerous files and also # does not allow any capabilities. For example, it will not allow 'm' on files # owned be the user invoking the program. While this provides some additional # protection, please use with care as applications running under this profile # are effectively running without any AppArmor protection. Use this profile # only if the process absolutely must be run (effectively) unconfined. # # Usage: # Because this abstraction defines the sanitized_helper profile, it must only # be included once. 
Therefore this abstraction should typically not be # included in other abstractions so as to avoid parser errors regarding # multiple definitions. # # Limitations: # 1. This does not work for root owned processes, because of the way we use # owner matching in the sanitized helper. We could do a better job with # this to support root, but it would make the policy harder to understand # and going unconfined as root is not desirable any way. # # 2. For this sanitized_helper to work, the program running in the sanitized # environment must open symlinks directly in order for AppArmor to mediate # it. This is confirmed to work with: # - compiled code which can load shared libraries # - python imports # It is known not to work with: # - perl includes # 3. Sanitizing ruby and java # # Use at your own risk. This profile was developed as an interim workaround for # LP: #851986 until AppArmor utilizes proper environment filtering. abi <abi/3.0>, profile sanitized_helper { include <abstractions/base> include <abstractions/X> # Allow all networking network inet, network inet6, # Allow all DBus communications include <abstractions/dbus-session-strict> include <abstractions/dbus-strict> dbus, # Needed for Google Chrome ptrace (trace) peer=**//sanitized_helper, # Allow exec of anything, but under this profile. Allow transition # to other profiles if they exist. /{usr/,usr/local/,}{bin,sbin}/* Pixr, # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* /usr/{,local/}lib*/{,**/}* Pixr, # Allow exec of software-center scripts. We may need to allow wider # permissions for /usr/share, but for now just do this. 
(LP: #972367) /usr/share/software-center/* Pixr, # Allow exec of texlive font build scripts (LP: #1010909) /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, # While the chromium and chrome sandboxes are setuid root, they only link # in limited libraries so glibc's secure execution should be enough to not # require the santized_helper (ie, LD_PRELOAD will only use standard system # paths (man ld.so)). /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, /usr/lib/chromium{,-browser}/chrome-sandbox PUxr, /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr, /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr, /opt/google/chrome{,-beta,-unstable}/chrome Pixr, /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr, /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, # The same is needed for Brave /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, # Full access / r, /** rwkl, /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, # Dangerous files audit deny owner /**/* m, # compiled libraries audit deny owner /**/*.py* r, # python imports } abstractions/gnome 0000644 00000007347 15027405350 0010304 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/base> include <abstractions/fonts> include <abstractions/X> include <abstractions/freedesktop.org> include <abstractions/xdg-desktop> include <abstractions/user-tmp> include <abstractions/wayland> # systemwide gtk defaults /etc/gnome/gtkrc* r, /etc/gtk/* r, /usr/lib{,32,64}/gtk/** mr, /usr/lib/@{multiarch}/gtk/** mr, /usr/lib{,32,64}/gtk-[0-9]*/** mr, /usr/lib/@{multiarch}/gtk-[0-9]*/** mr, /usr/share/themes/ r, /usr/share/themes/** r, /usr/share/gtk-3.0/settings.ini r, # communitheme snap /snap/communitheme/*/share/themes/ r, /snap/communitheme/*/share/themes/** r, # for gnome 1 applications /etc/orbitrc r, # gtk-2 needed some new rights /etc/fonts/* r, /etc/gtk-*/* r, /etc/pango/* r, /usr/lib{,32,64}/pango/** mr, /usr/lib{,32,64}/gtk-*/** mr, /usr/lib{,32,64}/gdk-pixbuf-*/** mr, /usr/lib/@{multiarch}/pango/** mr, /usr/lib/@{multiarch}/gtk-*/** mr, /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr, # per-user gtk configuration owner @{HOME}/.config/gtk-3.0/ w, owner @{HOME}/.config/gtk-3.0/* r, owner @{HOME}/.gnome/Gnome r, owner @{HOME}/.gtk r, owner @{HOME}/.gtkrc r, owner @{HOME}/.gtkrc-2.0 r, owner @{HOME}/.gtk-bookmarks r, owner @{HOME}/.themes/ r, owner @{HOME}/.themes/** r, owner @{user_share_dirs}/themes/ r, owner @{user_share_dirs}/themes/** r, # for gtk file dialog owner @{HOME}/.config/gtk-2.0/ w, owner @{HOME}/.config/gtk-2.0/** r, owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw, # from evolution-mail owner @{HOME}/.gconfd/lock/* r, owner @{HOME}/.gnome/application-info r, # per-user font business owner @{HOME}/.fonts.cache-* rwl, # GtkComposeTable owner @{HOME}/.cache/gtk-3.0/** r, # icon caches /var/cache/**/icon-theme.cache r, /usr/share/**/icon-theme.cache r, # GLib schemas /usr/{local/,}share/glib-[0-9]*/schemas/ r, /usr/{local/,}share/glib-[0-9]*/schemas/** r, # gnome VFS modules /etc/gnome-vfs-2.0/modules/ r, /etc/gnome-vfs-2.0/modules/* r, 
/usr/lib/gnome-vfs-2.0/modules/*.so mr, /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr, # gvfs /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/* r, @{PROC}/@{pid}/mounts r, @{run}/mount/utab r, # printing /etc/papersize r, /etc/cups/lpoptions r, /usr/share/cups/charmaps/** r, # holds MIT-MAGIC-COOKIE for gnome owner @{run}/gdm/auth*/database r, # mime-types /etc/gnome/defaults.list r, /etc/xdg/{,*-}mimeapps.list r, /usr/share/gnome/applications/ r, /usr/share/gnome/applications/mimeinfo.cache r, # Allow connecting to the GNOME vfs socket (still need corresponding DBus # rules) unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"), # Include additions to the abstraction include if exists <abstractions/gnome.d> abstractions/private-files-strict 0000644 00000002274 15027405350 0013251 0 ustar 00 # vim:syntax=apparmor # privacy-violations-strict contains additional rules for sensitive # files that you want to explicitly deny access abi <abi/3.0>, include <abstractions/private-files> # potentially extremely sensitive files audit deny @{HOME}/.aws/{,**} mrwkl, audit deny @{HOME}/.gnupg/{,**} mrwkl, audit deny @{HOME}/.ssh/{,**} mrwkl, audit deny @{HOME}/.gnome2_private/{,**} mrwkl, audit deny @{HOME}/.gnome2/ w, audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, # don't allow access to any gnome-keyring modules audit deny @{run}/user/[0-9]*/keyring** mrwkl, audit deny @{HOME}/.mozilla/{,**} mrwkl, audit deny @{HOME}/.config/ w, audit deny @{HOME}/.config/chromium/{,**} mrwkl, audit deny @{HOME}/.config/evolution/{,**} mrwkl, audit deny @{HOME}/.evolution/{,**} mrwkl, audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl, # Include additions to the abstraction include if exists 
<abstractions/private-files-strict.d> abstractions/dovecot-common 0000644 00000001243 15027405350 0012115 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2014 Canonical, Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # used with dovecot/* abi <abi/3.0>, capability setgid, deny capability block_suspend, # dovecot's master can send us signals signal receive peer=dovecot, owner @{run}/dovecot/config rw, # Include additions to the abstraction include if exists <abstractions/dovecot-common.d> abstractions/user-download 0000644 00000001733 15027405350 0011753 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # Description: Where common programs should allow users to download # files owner @{HOME}/tmp/** rwl, owner @{HOME}/[dD]ownload{,s}/ r, owner @{HOME}/[dD]ownload{,s}/** rwl, owner @{HOME}/[^.]* rwl, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/* rwl, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl, owner "@{HOME}/My Downloads/" r, owner "@{HOME}/My Downloads/**" rwl, # Include additions to the abstraction include if exists <abstractions/user-download.d> abstractions/mesa 0000644 00000002242 15027405350 0010111 0 ustar 00 # vim:syntax=apparmor # Rules for Mesa implementation of the OpenGL API abi <abi/3.0>, # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() # Needed to check if the kernel supports the i915 perf interface # (src/intel/perf/gen_perf.c, load_oa_metrics()) @{PROC}/sys/dev/i915/perf_stream_paranoid r, # User files owner @{HOME}/.cache/ w, # if user clears all caches owner @{HOME}/.cache/mesa_shader_cache/ rw, owner @{HOME}/.cache/mesa_shader_cache/index rw, owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, # Fallback location when @{HOME}/.cache is not available owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw, owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw, owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, # Include additions to the abstraction include if exists <abstractions/mesa.d> abstractions/libpam-systemd 0000644 00000001402 15027405350 0012113 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 
2015-2016 Simon Deziel # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/dbus-strict> # libpam-systemd notifies systemd-logind about session logins/logouts dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, # Include additions to the abstraction include if exists <abstractions/libpam-systemd.d> abstractions/perl 0000644 00000001716 15027405350 0010133 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # a few files typically required for perl scripts /usr/bin/perl rmix, /usr/bin/perl[0-9].[0-9].[0-9] rmix, /usr/lib{,32,64}/perl5/** r, /usr/lib{,32,64}/perl{,5}/**.so* mr, /usr/lib/@{multiarch}/perl{,5,-base}/** r, /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr, /usr/share/perl/** r, /usr/share/perl5/** r, /etc/perl/** r, # Include additions to the abstraction include if exists <abstractions/perl.d> abstractions/consoles 0000644 00000001607 15027405350 0011015 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # there are three common ways to refer to consoles /dev/console rw, /dev/tty rw, # this next entry is a tad unfortunate; /dev/tty will always be # associated with the controlling terminal by the kernel, but if a # program uses the /dev/pts/ interface, it actually has access to # -all- xterm, sshd, etc, terminals on the system. /dev/pts/[0-9]* rw, /dev/pts/ r, # Include additions to the abstraction include if exists <abstractions/consoles.d> abstractions/kde-icon-cache-write 0000644 00000000400 15027405350 0013040 0 ustar 00 # vim:syntax=apparmor # Rules for writing KDE icon cache abi <abi/3.0>, # User files owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader # Include additions to the abstraction include if exists <abstractions/kde-icon-cache-write.d> abstractions/kde 0000644 00000005463 15027405350 0007737 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/base> include <abstractions/fonts> include <abstractions/X> include <abstractions/freedesktop.org> include <abstractions/xdg-desktop> include <abstractions/user-tmp> include <abstractions/qt5> /etc/qt3/kstylerc r, /etc/qt3/qt_plugins_3.3rc r, /etc/qt3/qtrc r, /etc/kderc r, /etc/kde3/* r, /etc/kde4rc r, /etc/xdg/kdeglobals r, /etc/xdg/Trolltech.conf r, /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent() /usr/share/kubuntu-default-settings/kf5-settings/* r, owner @{HOME}/.DCOPserver_* r, owner @{HOME}/.ICEauthority r, owner @{HOME}/.fonts.* lrw, owner @{HOME}/.kde{,4}/share/config/kdeglobals rw, owner @{HOME}/.kde{,4}/share/config/*.lock rwl, owner @{HOME}/.qt/** rw, owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache owner @{HOME}/.config/Trolltech.conf rwk, owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent() owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc. 
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/share/X11/XKeysymDB r, # kde3 /usr/lib*/kde3/plugins/styles/ r, /usr/lib*/kde3/plugins/styles/* mr, /usr/lib*/kde3/lib*so* mr, /usr/lib/@{multiarch}/kde3/plugins/styles/ r, /usr/lib/@{multiarch}/kde3/plugins/styles/* mr, /usr/lib/@{multiarch}/kde3/lib*so* mr, /usr/lib*/qt3/lib*/lib*so* mr, /usr/lib*/qt3/plugins/** mr, /usr/lib/@{multiarch}/qt3/lib*/lib*so* mr, /usr/lib/@{multiarch}/qt3/plugins/** mr, /usr/lib*/libqt-mt*so* mr, /usr/lib*/libqui*so* mr, /usr/lib/@{multiarch}/libqt-mt*so* mr, /usr/lib/@{multiarch}/libqui*so* mr, /usr/share/qt3/lib*/libqt-mt*so* mr, /usr/share/qt3/lib*/libqui*so* mr, # kde4 /usr/lib*/kde4/plugins/*/*.so mr, /usr/lib*/kde4/plugins/*/ r, /usr/lib*/kde4/lib*so* mr, /usr/lib/@{multiarch}/kde4/plugins/*/*.so mr, /usr/lib/@{multiarch}/kde4/plugins/*/ r, /usr/lib/@{multiarch}/kde4/lib*so* mr, /usr/lib*/qt4/lib*/lib*so* mr, /usr/lib*/qt4/plugins/** mr, /usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, /usr/lib/@{multiarch}/qt4/plugins/** mr, /usr/share/qt4/** r, # Include additions to the abstraction include if exists <abstractions/kde.d> abstractions/kde-language-write 0000644 00000001077 15027405350 0012645 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # Rules for changing per-application language settings on KDE. Some KDE # applications have "Help -> Switch Application Language..." option, that needs # write access to language settings file. # User files owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/klanguageoverridesrc rw, owner @{HOME}/.config/klanguageoverridesrc.?????? 
rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/klanguageoverridesrc.lock rwk, # Include additions to the abstraction include if exists <abstractions/kde-language-write.d> abstractions/ubuntu-unity7-launcher 0000644 00000000467 15027405350 0013551 0 ustar 00 abi <abi/3.0>, # # Access required for connecting to/communicating with the Unity Launcher # dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update", # Include additions to the abstraction include if exists <abstractions/ubuntu-unity7-launcher.d> abstractions/dbus-strict 0000644 00000001415 15027405350 0011430 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009-2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, @{run}/dbus/system_bus_socket rw, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), # Include additions to the abstraction include if exists <abstractions/dbus-strict.d> abstractions/orbit2 0000644 00000000305 15027405350 0010363 0 ustar 00 # vim:syntax=apparmor # orbit2 permissions abi <abi/3.0>, # system library /usr/lib/orbit-2.0/*.so mr, # Include additions to the abstraction include if exists <abstractions/orbit2.d> abstractions/mozc 0000644 00000001075 15027405350 0010137 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2016 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), # Include additions to the abstraction include if exists <abstractions/mozc.d> abstractions/ubuntu-console-email 0000644 00000001316 15027405350 0013234 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing console email clients in Ubuntu. These will # typically also need a terminal, so when using this abstraction, should also # do something like: # # include <abstractions/ubuntu-gnome-terminal> # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/alpine Cx -> sanitized_helper, /usr/bin/citadel Cx -> sanitized_helper, /usr/bin/cone Cx -> sanitized_helper, /usr/bin/elmo Cx -> sanitized_helper, /usr/bin/mutt Cx -> sanitized_helper, # Include additions to the abstraction include if exists <abstractions/ubuntu-console-email.d> abstractions/xad 0000644 00000001730 15027405350 0007741 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2007 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /opt/novell/xad/lib/ r, /opt/novell/xad/lib/lib*.so* mr, /opt/novell/xad/lib/gss/*.so* mr, /opt/novell/lib/libpthread_ext*.so* mr, /opt/novell/lib/libccs2.so* mr, /opt/novell/xad/lib64/ r, /opt/novell/xad/lib64/lib*.so* mr, /opt/novell/xad/lib64/gss/*.so* mr, /opt/novell/lib64/libpthread_ext*.so* mr, /opt/novell/lib64/libccs2.so* mr, /etc/opt/novell/xad/krb5.conf r, /etc/opt/novell/nici.cfg r, /var/opt/novell/nici/* r, /var/opt/novell/nici/*/ r, /var/opt/novell/nici/*/* rw, # Include additions to the abstraction include if exists <abstractions/xad.d> abstractions/fonts 0000644 00000004346 15027405350 0010324 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /usr/share/AbiSuite/fonts/** r, /usr/lib/xorg/modules/fonts/**.so* mr, /usr/share/fonts/{,**} r, /usr/share/fonts-*/{,**} r, /etc/fonts/** r, # Debian, openSUSE paths are different /usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r, /usr/share/ghostscript/fonts/{,**} r, /opt/kde3/share/fonts/** r, /usr/lib{,32,64}/openoffice/share/fonts/** r, /var/cache/fonts/** r, /var/cache/fontconfig/** mr, /var/lib/defoma/** mr, /usr/share/a2ps/fonts/** r, /usr/share/xfce/fonts/** r, /usr/share/ghostscript/fonts/** r, /usr/share/javascript/*/fonts/** r, /usr/share/texmf/{,*/}fonts/** r, /usr/share/texlive/texmf-dist/fonts/** r, /var/lib/ghostscript/** r, owner @{HOME}/.fonts.conf r, owner @{HOME}/.fonts/ r, owner @{HOME}/.fonts/** r, owner @{HOME}/.local/share/fonts/ r, owner @{HOME}/.local/share/fonts/** r, owner @{HOME}/.fonts.cache-2 mr, owner @{HOME}/.{,cache/}fontconfig/ rw, owner @{HOME}/.{,cache/}fontconfig/** mrl, owner @{HOME}/.fonts.conf.d/ r, owner @{HOME}/.fonts.conf.d/** r, owner @{HOME}/.config/fontconfig/ r, owner @{HOME}/.config/fontconfig/** r, owner @{HOME}/.Fontmatrix/Activated/ r, owner @{HOME}/.Fontmatrix/Activated/** r, /usr/local/share/fonts/ r, /usr/local/share/fonts/** r, # poppler CMap tables /usr/share/poppler/cMap/** r, # data files for LibThai /usr/share/libthai/thbrk.tri r, # Include additions to the abstraction include if exists <abstractions/fonts.d> abstractions/audio 0000644 00000003704 15027405350 0010271 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /dev/admmidi* rw, /dev/adsp* rw, /dev/aload* rw, /dev/amidi* rw, /dev/audio* rw, /dev/dmfm* rw, /dev/dmmidi* rw, /dev/dsp* rw, /dev/midi* rw, /dev/mixer* rw, /dev/mpu401data rw, /dev/mpu401stat rw, /dev/patmgr* rw, /dev/phone* rw, /dev/radio* rw, /dev/rmidi* rw, /dev/sequencer rw, /dev/sequencer2 rw, /dev/smpte* rw, /dev/snd/* rw, /dev/sound/* rw, @{PROC}/asound/** rw, /usr/share/alsa/** r, /usr/share/sounds/** r, owner @{HOME}/.esd_auth r, /etc/asound.conf r, owner @{HOME}/.asoundrc r, /etc/esound/esd.conf r, # libao /etc/libao.conf r, owner @{HOME}/.libao r, # libcanberra owner @{HOME}/.cache/event-sound-cache.* rwk, # pulse /etc/pulse/ r, /etc/pulse/** r, /dev/shm/ r, @{run}/shm/ r, owner /dev/shm/pulse-shm* rwk, owner @{run}/shm/pulse-shm* rwk, owner @{HOME}/.pulse-cookie rwk, owner @{HOME}/.pulse/ rw, owner @{HOME}/.pulse/* rwk, owner @{run}/user/*/pulse/ rw, owner @{run}/user/*/pulse/{native,pid} rwk, owner @{HOME}/.config/pulse/*.conf r, owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r, owner @{HOME}/.config/pulse/cookie rwk, owner /tmp/pulse-*/ rw, owner /tmp/pulse-*/* rw, # libgnome2 /etc/sound/ r, /etc/sound/** r, # openal /etc/alsa/conf.d/{,*} r, /etc/openal/alsoft.conf r, owner @{HOME}/.alsoftrc r, /usr/{,local/}share/openal/hrtf/{,**} r, owner @{HOME}/.local/share/openal/hrtf/{,**} r, # wildmidi /etc/wildmidi/wildmidi.cfg r, # Include additions to the abstraction include if exists <abstractions/audio.d> abstractions/dbus-network-manager-strict 0000644 00000002573 15027405350 0014535 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=GetDevices peer=(name=org.freedesktop.NetworkManager), dbus send bus=system 
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member={GetDevices,ListConnections} peer=(name=org.freedesktop.NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings peer=(name=org.freedesktop.NetworkManager), include if exists <abstractions/dbus-network-manager-strict.d> abstractions/video 0000644 00000000347 15027405350 0010276 0 ustar 00 # vim:syntax=apparmor # video device access abi <abi/3.0>, # System devices @{sys}/class/video4linux/ r, @{sys}/class/video4linux/** r, # Include additions to the abstraction include if exists <abstractions/video.d> abstractions/enchant 0000644 00000004254 15027405350 0010611 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # abstraction for Enchant spellchecking frontend /usr/share/enchant/ r, /usr/share/enchant/enchant.ordering r, /usr/share/enchant-2/ r, /usr/share/enchant-2/enchant.ordering r, # aspell include <abstractions/aspell> /var/lib/dictionaries-common/aspell/ r, /var/lib/dictionaries-common/aspell/* r, # hspell /usr/share/hspell/ r, /usr/share/hspell/*.wgz.* r, # hunspell /usr/share/hunspell/ r, /usr/share/hunspell/* r, # ispell /usr/lib/ispell/ r, /usr/lib/ispell/*.hash r, /usr/share/dict/ r, /usr/share/dict/* r, /var/lib/dictionaries-common/ r, /var/lib/dictionaries-common/{ispell,wordlist}/ r, /var/lib/dictionaries-common/{ispell,wordlist}/* r, # myspell /usr/share/myspell/ r, /usr/share/myspell/** r, # voikko /usr/lib/voikko/ r, /usr/lib/voikko/2/ r, /usr/lib/voikko/2/mor-standard/ r, /usr/lib/voikko/2/mor-standard/voikko* r, # zemberek /usr/share/java/ r, /usr/share/java/zemberek-[0-9]*.jar r, /usr/share/java/zemberek-tr-[0-9]*.jar r, # per-user dictionaries owner @{HOME}/.config/enchant/ rw, owner @{HOME}/.config/enchant/* rwk, # Include additions to the abstraction include if exists <abstractions/enchant.d> abstractions/mir 0000644 00000001266 15027405350 0007760 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2015 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # mir libraries sometimes do not have a lib prefix # see LP: #1422521 /usr/lib/@{multiarch}/mir/*.so* mr, /usr/lib/@{multiarch}/mir/**/*.so* mr, # unprivileged mir socket for clients # Include additions to the abstraction include if exists <abstractions/mir.d> abstractions/qt5-compose-cache-write 0000644 00000000617 15027405350 0013535 0 ustar 00 # vim:syntax=apparmor # Allow writing cache for Qt5 "platforminputcontexts" plugins abi <abi/3.0>, # User files owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) # Include additions to the abstraction include if exists <abstractions/qt5-compose-cache-write.d> abstractions/authentication 0000644 00000003501 15027405350 0012202 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2012 Canonical Ltd # Copyright (C) 2019-2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # Some services need to perform authentication of users # Such authentication almost certainly needs access to the local users # databases containing passwords, PAM configuration files, PAM libraries @{etc_ro}/nologin r, @{etc_ro}/pam.d/* r, @{etc_ro}/securetty r, @{etc_ro}/security/* r, @{etc_ro}/shadow r, @{etc_ro}/gshadow r, @{etc_ro}/pwdb.conf r, /{usr/,}lib{,32,64}/security/pam_filter/* mr, /{usr/,}lib{,32,64}/security/pam_*.so mr, /{usr/,}lib{,32,64}/security/ r, /{usr/,}lib/@{multiarch}/security/pam_filter/* mr, /{usr/,}lib/@{multiarch}/security/pam_*.so mr, /{usr/,}lib/@{multiarch}/security/ r, # kerberos include <abstractions/kerberosclient> # SuSE's pwdutils are different: @{etc_ro}/default/passwd r, @{etc_ro}/login.defs r, @{etc_ro}/login.defs.d/ r, @{etc_ro}/login.defs.d/*.defs r, # nis include <abstractions/nis> # winbind include <abstractions/winbind> # likewise include <abstractions/likewise> # smbpass include <abstractions/smbpass> # p11-kit (PKCS#11 modules configuration) include <abstractions/p11-kit> # Include additions to the abstraction include if exists <abstractions/authentication.d> abstractions/dconf 0000644 00000000530 15027405350 0010253 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # permissions for querying dconf settings; granting write access should # be specified in a specific application's profile. /etc/dconf/** r, owner @{run}/user/*/dconf/user r, owner @{HOME}/.config/dconf/user r, # Include additions to the abstraction include if exists <abstractions/dconf.d> abstractions/dri-common 0000644 00000001036 15027405350 0011230 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This file contains common DRI-specific rules useful for GUI applications # (needed by libdrm and similar). 
/usr/lib{,32,64}/dri/** mr, /usr/lib/@{multiarch}/dri/** mr, /usr/lib/fglrx/dri/** mr, /dev/dri/ r, /dev/dri/** rw, /etc/drirc r, /usr/share/drirc.d/{,*.conf} r, owner @{HOME}/.drirc r, # Include additions to the abstraction include if exists <abstractions/dri-common.d> abstractions/p11-kit 0000644 00000001747 15027405350 0010363 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /etc/pkcs11/ r, /etc/pkcs11/pkcs11.conf r, /etc/pkcs11/modules/ r, /etc/pkcs11/modules/* r, /usr/lib{,32,64}/pkcs11/*.so mr, /usr/lib/@{multiarch}/pkcs11/*.so mr, /usr/share/p11-kit/modules/ r, /usr/share/p11-kit/modules/* r, # gnome-keyring pkcs11 module owner @{run}/user/[0-9]*/keyring*/pkcs11 rw, # p11-kit also supports reading user configuration from ~/.pkcs11 depending # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be # included in this abstraction. # Include additions to the abstraction include if exists <abstractions/p11-kit.d> abstractions/dbus-accessibility-strict 0000644 00000001370 15027405350 0014255 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), # Include additions to the abstraction include if exists <abstractions/dbus-accessibility-strict.d> abstractions/opencl-nvidia 0000644 00000001577 15027405350 0011726 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # OpenCL access requirements for NVIDIA implementation include <abstractions/nvidia> include <abstractions/opencl-common> # Executables # https://github.com/NVIDIA/nvidia-modprobe # This setuid executable is used to create various device files and load the # the nvidia kernel module. /usr/bin/nvidia-modprobe Px -> nvidia_modprobe, # System files # libnvidia-opencl.so rules: /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw, @{sys}/devices/pci[0-9]*/**/config r, @{sys}/devices/system/memory/block_size_bytes r, /usr/share/nvidia/** r, @{PROC}/devices r, @{PROC}/sys/vm/mmap_min_addr r, # User files owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, # Include additions to the abstraction include if exists <abstractions/opencl-nvidia.d> abstractions/crypto 0000644 00000001451 15027405350 0010505 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # Copyright (C) 2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, @{etc_ro}/gcrypt/random.conf r, @{PROC}/sys/crypto/fips_enabled r, # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, # crypto policies used by various libraries /etc/crypto-policies/*/*.txt r, /usr/share/crypto-policies/*/*.txt r, include if exists <abstractions/crypto.d> abstractions/ruby 0000644 00000001760 15027405350 0010151 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr, /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r, /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r, /usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr, /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r, # Include additions to the abstraction include if exists <abstractions/ruby.d> abstractions/aspell 0000644 00000000634 15027405350 0010447 0 ustar 00 # vim:syntax=apparmor # aspell permissions abi <abi/3.0>, # per-user settings and dictionaries owner @{HOME}/.aspell.*.{pws,prepl} rwk, # system libraries and dictionaries /usr/lib/aspell/ r, /usr/lib/aspell/* r, /usr/lib/aspell/*.so m, /usr/share/aspell/ r, /usr/share/aspell/* r, /var/lib/aspell/* r, # Include additions to the abstraction include if exists <abstractions/aspell.d> abstractions/apache2-common 0000644 00000001722 15027405350 0011757 0 ustar 00 # vim:syntax=apparmor # This file contains basic 
permissions for Apache and every vHost abi <abi/3.0>, include <abstractions/nameservice> # Allow unconfined processes to send us signals by default signal (receive) peer=unconfined, # Allow apache to send us signals by default signal (receive) peer=apache2, # Allow other hats to signal by default signal peer=apache2//*, # Allow us to signal ourselves signal peer=@{profile_name}, # Apache network inet stream, network inet6 stream, # apache manual, error pages and icons /usr/share/apache2/** r, # changehat itself @{PROC}/@{pid}/attr/{apparmor/,}current rw, # htaccess files - for what ever it is worth /**/.htaccess r, /dev/urandom r, # sasl-auth @{run}/saslauthd/mux rw, # OCSP stapling @{run}/lock/apache2/stapling-cache* rw, # Include additions to the abstraction include if exists <abstractions/apache2-common.d> abstractions/likewise 0000644 00000001123 15027405350 0010775 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /tmp/.lwidentity/pipe rw, /var/lib/likewise-open/lwidentity_privileged/pipe rw, # Include additions to the abstraction include if exists <abstractions/likewise.d> abstractions/qt5-settings-write 0000644 00000001002 15027405350 0012654 0 ustar 00 # vim:syntax=apparmor # Allow writing shared settings for Qt-based applications abi <abi/3.0>, # User files owner @{HOME}/.config/#[0-9]*[0-9] rw, owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9], # for temporary files like QtProject.conf.Aqrgeb owner @{HOME}/.config/QtProject.conf.?????? 
rwl -> @{HOME}/.config/#[0-9]*[0-9], owner @{HOME}/.config/QtProject.conf.lock rwk, # Include additions to the abstraction include if exists <abstractions/qt5-settings-write.d> abstractions/bash 0000644 00000003116 15027405350 0010102 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # user-specific bash files @{HOMEDIRS} r, @{HOME}/.bashrc r, @{HOME}/.profile r, @{HOME}/.bash_profile r, @{HOME}/.bash_history rw, # system-wide bash configuration /etc/profile.dos r, /etc/profile r, /etc/profile.d/ r, /etc/profile.d/* r, /etc/bashrc r, /etc/bash.bashrc r, /etc/bash.bashrc.local r, /etc/bash_completion r, /etc/bash_completion.d/ r, /etc/bash_completion.d/* r, # bash relies on system-wide readline configuration /etc/inputrc r, # bash inspects filesystems at startup /etc/mtab r, @{PROC}/@{pid}/mounts r, @{PROC}/filesystems r, # probably readline wants to know terminal capabilities /usr/share/terminfo/** r, # run out of /etc/bash.bashrc /etc/DIR_COLORS r, /{usr/,}bin/ls mix, /usr/bin/dircolors mix, # Include additions to the abstraction include if exists <abstractions/bash.d> abstractions/user-tmp 0000644 00000001370 15027405350 0010741 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # per-user tmp directories owner @{HOME}/tmp/** rwkl, owner @{HOME}/tmp/ rw, # global tmp directories owner /var/tmp/** rwkl, /var/tmp/ rw, owner /tmp/** rwkl, /tmp/ rw, # Include additions to the abstraction include if exists <abstractions/user-tmp.d> abstractions/gio-open 0000644 00000003012 15027405350 0010675 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gio helper. # # NOTE: most likely you want to use xdg-open abstraction instead for better # portability across desktop environments, unless you are sure that confined # application only uses /usr/bin/gio directly. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/gio rPx -> foo//gio-open, # ... # } # end of main profile # # # out-of-line child profile # profile foo//gio-open { # include <abstractions/gio-open> # # # needed for ubuntu-* abstractions # include <abstractions/ubuntu-helpers> # # # Only allow to handle http[s]: and mailto: links # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # # # < add additional allowed applications here > # } include <abstractions/base> include <abstractions/dbus-session-strict> # Main executables /usr/bin/gio rix, /usr/bin/gio-launch-desktop ix, # for OpenSUSE /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, # System files /etc/gnome/defaults.list r, /usr/share/mime/* r, /usr/share/{,*/}applications/{,**} r, /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, /var/lib/snapd/desktop/applications/{,**} r, # User files owner @{HOME}/.config/mimeapps.list r, owner @{HOME}/.local/share/applications/{,*.desktop} r, owner @{PROC}/@{pid}/fd/ r, # Include additions to the abstraction include if exists <abstractions/gio-open.d> abstractions/smbpass 0000644 00000001105 15027405350 0010631 0 ustar 00 # vim:syntax=apparmor # 
------------------------------------------------------------------ # # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # libpam-smbpass/pam_smbpass.so permissions /var/lib/samba/*.[lt]db rwk, # Include additions to the abstraction include if exists <abstractions/smbpass.d> abstractions/kde-open5 0000644 00000007163 15027405350 0010762 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via kde-open5 helper. # # NOTE: most likely you want to use xdg-open abstraction instead for better # portability across desktop environments, unless you are sure that confined # application only uses /usr/bin/kde-open5 directly. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/kde-open5 rPx -> foo//kde-open5, # ... # } # end of main profile # # # out-of-line child profile # profile foo//kde-open5 { # include <abstractions/kde-open5> # # # needed for ubuntu-* abstractions # include <abstractions/ubuntu-helpers> # # # Only allow to handle http[s]: and mailto: links # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) # include <abstractions/dbus-accessibility> # # # Add if audio support for message box is # # considered as required. 
# include if exists <abstractions/gstreamer> # # # < add additional allowed applications here > # } # ``` include <abstractions/audio> # for alert messages include <abstractions/base> include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-network-manager-strict> include <abstractions/dbus-session-strict> include <abstractions/dbus-strict> include <abstractions/kde-icon-cache-write> include <abstractions/kde> include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so) include <abstractions/openssl> include <abstractions/qt5> include <abstractions/recent-documents-write> include <abstractions/X> # Main executables /usr/bin/kde-open5 rix, /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix, # DBus dbus bus=session interface=org.kde.KLauncher member=start_service_by_desktop_path peer=(name=org.kde.klauncher5), # Denied system files deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109 # libpcre2 on openSUSE tries to mmap() shared memory on directory. # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html # AppArmor does not allow to distinguish "real" file vs shared memory one, # so we deny this path to protect from loading exploits from /tmp. deny /tmp/#[0-9]*[0-9] m, # System files /dev/tty r, /etc/xdg/accept-languages.codes r, /etc/xdg/menus/{,*/} r, /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so /usr/share/mime/ r, /usr/share/mime/generic-icons r, /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? 
/usr/share/sounds/ r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, # User files owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) owner @{HOME}/.cache/kio_http/ rw, # Include additions to the abstraction include if exists <abstractions/kde-open5.d> abstractions/freedesktop.org 0000644 00000002574 15027405350 0012275 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # system configuration @{system_share_dirs}/applications/{**,} r, @{system_share_dirs}/icons/{**,} r, @{system_share_dirs}/pixmaps/{**,} r, # communitheme snap /snap/communitheme/*/share/icons/ r, /snap/communitheme/*/share/icons/** r, # mimeinfo and desktop files for snaps /var/lib/snapd/desktop/applications/mimeinfo.cache r, /var/lib/snapd/desktop/applications/{,*.desktop} r, # this should probably go elsewhere @{system_share_dirs}/mime/** r, # per-user configurations owner @{HOME}/.icons/ r, owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, owner @{HOME}/.config/mimeapps.list r, owner @{user_share_dirs}/applications/{**,} r, owner @{user_share_dirs}/icons/{**,} r, owner @{user_share_dirs}/mime/{**,} r, # Include additions to the abstraction include if exists <abstractions/freedesktop.org.d> abstractions/php5 0000644 00000000320 15027405350 0010033 0 ustar 00 #backwards compatibility include, actual 
abstraction moved from php5 to php abi <abi/3.0>, include <abstractions/php> # Include additions to the abstraction include if exists <abstractions/php5.d> abstractions/svn-repositories 0000644 00000003340 15027405350 0012517 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # This little snippet should abstract the read/write access to a repository. # it is intended to be included in profiles for svnserve/apache2 and maybe # some repository viewers like trac/viewvc # no hooks exec by default; please define whatever you need explicitely. /srv/svn/**/conf/* r, /srv/svn/**/format r, /srv/svn/**/db/fs-type r, /srv/svn/**/db/format r, # FSFS /srv/svn/**/db/ r, /srv/svn/**/db/uuid r, /srv/svn/**/db/write-lock rwl, /srv/svn/**/db/current rwl, /srv/svn/**/db/current*.tmp rwl, /srv/svn/**/db/revs/ r, /srv/svn/**/db/revs/* rw, /srv/svn/**/db/revprops/ r, /srv/svn/**/db/revprops/* rw, /srv/svn/**/db/transactions/** rw, # BDB /srv/svn/**/db/DB_CONFIG r, /srv/svn/**/db/__db.[0-9]* rwl, /srv/svn/**/db/log.[0-9]* rwl, /srv/svn/**/db/nodes rwl, /srv/svn/**/db/revisions rwl, /srv/svn/**/db/transactions rwl, /srv/svn/**/db/copies rwl, /srv/svn/**/db/changes rwl, /srv/svn/**/db/representations rwl, /srv/svn/**/db/strings rwl, /srv/svn/**/db/uuids rwl, /srv/svn/**/db/locks rwl, /srv/svn/**/db/lock-tokens rwl, # temp files /tmp/apr* rwl, /var/tmp/apr* rwl, /tmp/report*.tmp rwl, # Include additions to the abstraction include if exists <abstractions/svn-repositories.d> abstractions/php 0000644 00000002206 15027405350 0007753 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 
2002-2006 Novell/SUSE # Copyright (C) 2009-2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # shared snippets for config files /etc/php{,5,7,8}/**/ r, /etc/php{,5,7,8}/**.ini r, # Xlibs /usr/X11R6/lib{,32,64}/lib*.so* mr, # php extensions /usr/lib{64,}/php{,5,7,8}/*/*.so mr, # ICU (unicode support) data tables /usr/share/icu/*/*.dat r, # php session mmap socket /var/lib/php{,5,7,8}/session_mm_* rwlk, # file based session handler /var/lib/php{,5,7,8}/sess_* rwlk, /var/lib/php{,5,7,8}/sessions/* rwlk, # php libraries /usr/share/php{,5,7,8}/ r, /usr/share/php{,5,7,8}/** mr, # MySQL extension /usr/share/mysql/** r, # Zend opcache /tmp/.ZendSem.* rwlk, # Include additions to the abstraction include if exists <abstractions/php.d> abstractions/nis 0000644 00000001161 15027405350 0007754 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # NIS rules /var/yp/binding/* r, # portmapper may ask root processes to do nis/ldap at low ports capability net_bind_service, # Include additions to the abstraction include if exists <abstractions/nis.d> abstractions/dri-enumerate 0000644 00000000610 15027405350 0011722 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This file contains common DRI-specific rules useful for GUI applications that # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # libdrm). 
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # Include additions to the abstraction include if exists <abstractions/dri-enumerate.d> abstractions/wayland 0000644 00000001205 15027405350 0010621 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2016 intrigeri <intrigeri@boum.org> # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, owner @{run}/user/*/wayland-[0-9]* rw, owner @{run}/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, # Include additions to the abstraction include if exists <abstractions/wayland.d> abstractions/base 0000644 00000015421 15027405350 0010101 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/crypto> # (Note that the ldd profile has inlined this file; if you make # modifications here, please consider including them in the ldd # profile as well.) # The __canary_death_handler function writes a time-stamped log # message to /dev/log for logging by syslogd. So, /dev/log, timezones, # and localisations of date should be available EVERYWHERE, so # StackGuard, FormatGuard, etc., alerts can be properly logged. 
/dev/log w, /dev/random r, /dev/urandom r, # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). @{run}/uuidd/request r, @{etc_ro}/locale/** r, @{etc_ro}/locale.alias r, @{etc_ro}/localtime r, /etc/writable/localtime r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, /usr/share/locale/** r, /usr/share/**/locale/** r, /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, @{run}/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) @{run}/systemd/journal/socket w, # Nested containers and anything using systemd-cat need this. 'r' shouldn't # be required but applications fail without it. journald doesn't leak # anything when reading so this is ok. @{run}/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr, /usr/lib{,32,64}/gconv/gconv-modules* mr, /usr/lib/@{multiarch}/gconv/*.so mr, /usr/lib/@{multiarch}/gconv/gconv-modules* mr, # used by glibc when binding to ephemeral ports @{etc_ro}/bindresvport.blacklist r, # ld.so.cache and ld are used to load shared libraries; they are best # available everywhere @{etc_ro}/ld.so.cache mr, @{etc_ro}/ld.so.conf r, @{etc_ro}/ld.so.conf.d/{,*.conf} r, @{etc_ro}/ld.so.preload r, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr, /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, # we might as well allow everything to use common libraries /{usr/,}lib{,32,64}/** r, /{usr/,}lib{,32,64}/**.so* mr, /{usr/,}lib/@{multiarch}/** r, /{usr/,}lib/@{multiarch}/**.so* mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, # FIPS-140-2 versions of some crypto libraries need to access their # associated integrity verification file, or 
they will abort. /{usr/,}lib{,32,64}/.lib*.so*.hmac r, /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r, # /dev/null is pretty harmless and frequently used /dev/null rw, # as is /dev/zero /dev/zero rw, # recent glibc uses /dev/full in preference to /dev/null for programs # that don't have open fds at exec() /dev/full rw, # Sometimes used to determine kernel/user interfaces to use @{PROC}/sys/kernel/version r, # Depending on which glibc routine uses this file, base may not be the # best place -- but many profiles require it, and it is quite harmless. @{PROC}/sys/kernel/ngroups_max r, # glibc's sysconf(3) routine to determine free memory, etc @{PROC}/meminfo r, @{PROC}/stat r, @{PROC}/cpuinfo r, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/online r, # glibc's *printf protections read the maps file @{PROC}/@{pid}/{maps,auxv,status} r, # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, # some applications will display license information /usr/share/common-licenses/** r, # glibc statvfs @{PROC}/filesystems r, # glibc malloc (man 5 proc) @{PROC}/sys/vm/overcommit_memory r, # Allow determining the highest valid capability of the running kernel @{PROC}/sys/kernel/cap_last_cap r, # Allow other processes to read our /proc entries, futexes, perf tracing and # kcmp for now (they will need 'read' in the first place). Administrators can # override with: # deny ptrace (readby) ... ptrace (readby), # Allow other processes to trace us by default (they will need 'trace' in # the first place). Administrators can override with: # deny ptrace (tracedby) ... 
ptrace (tracedby), # Allow us to ptrace read ourselves ptrace (read) peer=@{profile_name}, # Allow unconfined processes to send us signals by default signal (receive) peer=unconfined, # Allow us to signal ourselves signal peer=@{profile_name}, # Checking for PID existence is quite common so add it by default for now signal (receive, send) set=("exists"), # Allow us to create and use abstract and anonymous sockets unix peer=(label=@{profile_name}), # Allow unconfined processes to us via unix sockets unix (receive) peer=(label=unconfined), # Allow us to create abstract and anonymous sockets unix (create), # Allow us to getattr, getopt, setop and shutdown on unix sockets unix (getattr, getopt, setopt, shutdown), # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked # filesystems generally. This does not appreciably decrease security with # Ubuntu profiles because the user is expected to have access to files owned # by him/her. Exceptions to this are explicit in the profiles. While this rule # grants access to those exceptions, the intended privacy is maintained due to # the encrypted contents of the files in this directory. Files in this # directory will also use filename encryption by default, so the files are # further protected. Also, with the use of 'owner', this rule properly # prevents access to the files from processes running under a different uid. # encrypted ~/.Private and old-style encrypted $HOME owner @{HOME}/.Private/ r, owner @{HOME}/.Private/** mrixwlk, # new-style encrypted $HOME owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, # Include additions to the abstraction include if exists <abstractions/base.d> abstractions/winbind 0000644 00000001562 15027405350 0010622 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. 
# # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # pam_winbindd /tmp/.winbindd/pipe rw, /var/lib/samba/winbindd_privileged/pipe rw, @{run}/samba/winbindd_privileged/pipe rw, /etc/samba/smb.conf r, /etc/samba/dhcp.conf r, /usr/lib*/samba/valid.dat r, /usr/lib*/samba/upcase.dat r, /usr/lib*/samba/lowcase.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, # Include additions to the abstraction include if exists <abstractions/winbind.d> abstractions/opencl-common 0000644 00000001004 15027405350 0011725 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # implementation-independent OpenCL access requirements # System files /etc/OpenCL/** r, @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so # Include additions to the abstraction include if exists <abstractions/opencl-common.d> abstractions/user-write 0000644 00000001714 15027405350 0011275 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # per-user write directories owner @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ r, owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ r, owner @{HOME}/[^.]*/ rw, owner @{HOME}/[^.]* rwl, owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl, owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl, # Include additions to the abstraction include if exists <abstractions/user-write.d> abstractions/opencl-mesa 0000644 00000001174 15027405350 0011372 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # OpenCL access requirements for Mesa implementation include <abstractions/opencl-common> # Additional libraries /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE # System files /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so /dev/dri/render* rw, # libMesaOpenCL.so /etc/drirc r, # libMesaOpenCL.so # User files owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so # Include additions to the abstraction include if exists <abstractions/opencl-mesa.d> abstractions/dbus-session-strict 0000644 00000001762 15027405350 0013116 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2011-2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # unique per-machine identifier /etc/machine-id r, /var/lib/dbus/machine-id r, unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), # dbus with systemd and --enable-user-session owner @{run}/user/[0-9]*/bus rw, dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), # Include additions to the abstraction include if exists <abstractions/dbus-session-strict.d> abstractions/ubuntu-bittorrent-clients 0000644 00000001465 15027405350 0014345 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing graphical bittorrent clients in Ubuntu # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/azureus Cxr -> sanitized_helper, /usr/bin/bitstormlite Cxr -> sanitized_helper, /usr/bin/btmaketorrentgui Cxr -> sanitized_helper, /usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper, /usr/bin/gnome-btdownload Cxr -> sanitized_helper, /usr/bin/kget Cxr -> sanitized_helper, /usr/bin/ktorrent Cxr -> sanitized_helper, /usr/bin/qbittorrent Cxr -> sanitized_helper, /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper, # Include additions to the abstraction include if exists <abstractions/ubuntu-bittorrent-clients.d> abstractions/qt5 0000644 00000001537 15027405350 0007703 0 ustar 00 # vim:syntax=apparmor # Common rules for Qt5-based applications abi <abi/3.0>, # Additional libraries /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr, /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules # System files /etc/xdg/QtProject/qtlogging.ini r, /usr/share/qt5/translations/*.qm r, /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r, 
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r, # User files owner @{HOME}/.config/QtProject/qtlogging.ini r, owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access) owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins # Include additions to the abstraction include if exists <abstractions/qt5.d> abstractions/ubuntu-email 0000644 00000002077 15027405350 0011601 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing graphical email clients in Ubuntu # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/anjal Cx -> sanitized_helper, /usr/bin/balsa Cx -> sanitized_helper, /usr/bin/claws-mail Cx -> sanitized_helper, /usr/bin/evolution Cx -> sanitized_helper, /usr/bin/geary Cx -> sanitized_helper, /usr/bin/gnome-gmail Cx -> sanitized_helper, /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper, /usr/bin/kmail Cx -> sanitized_helper, /usr/bin/mailody Cx -> sanitized_helper, /usr/bin/modest Cx -> sanitized_helper, /usr/bin/seamonkey Cx -> sanitized_helper, /usr/bin/sylpheed Cx -> sanitized_helper, /usr/bin/tkrat Cx -> sanitized_helper, /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper, # Include additions to the abstraction include if exists <abstractions/ubuntu-email.d> abstractions/apparmor_api/is_enabled 0000644 00000001220 15027405350 0013716 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # permissions needed for aa_is_enabled # Make sure to include tunables/apparmorfs and tunables/global # when using this abstraction include <abstractions/apparmor_api/find_mountpoint> @{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/available r, # TODO: add alternate apparmorfs interface for enabled abstractions/apparmor_api/change_profile 0000644 00000000644 15027405350 0014607 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/apparmor_api/introspect> @{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w, abstractions/apparmor_api/find_mountpoint 0000644 00000001006 15027405350 0015047 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, #permissions needed for aa_find_mountpoint # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. @{PROC}/@{pids}/mounts r, abstractions/apparmor_api/examine 0000644 00000000770 15027405350 0013270 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. abi <abi/3.0>, @{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r, abstractions/apparmor_api/introspect 0000644 00000000767 15027405350 0014042 0 ustar 00 # Copyright (C) 2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. @{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r, abstractions/ubuntu-konsole 0000644 00000000705 15027405350 0012160 0 ustar 00 # vim:syntax=apparmor # # for allowing access to konsole # abi <abi/3.0>, include <abstractions/consoles> include <abstractions/kde> capability sys_ptrace, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/cmdline r, /{,var/}run/utmp r, /dev/ptmx rw, # do not use ux or Ux here. Use at a minimum ix /usr/bin/konsole ix, # Include additions to the abstraction include if exists <abstractions/ubuntu-konsole.d> abstractions/exo-open 0000644 00000003601 15027405350 0010716 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via exo-open helper. # # NOTE: most likely you want to use xdg-open abstraction instead for better # portability across desktop environments, unless you are sure that confined # application only uses /usr/bin/exo-open directly. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/exo-open rPx -> foo//exo-open, # ... 
# } # end of main profile # # # out-of-line child profile # profile foo//exo-open { # include <abstractions/exo-open> # # # needed for ubuntu-* abstractions # include <abstractions/ubuntu-helpers> # # # Only allow to handle http[s]: and mailto: links # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) # include <abstractions/dbus-accessibility> # # # < add additional allowed applications here > # } include <abstractions/X> include <abstractions/audio> # for alert messages include <abstractions/base> include <abstractions/dbus-session-strict> include <abstractions/gnome> # Main executables /usr/bin/exo-open rix, /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, # Other executables /{,usr/}bin/which rix, # System files /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction? /usr/share/sounds/freedesktop/** r, # for message box alert sound /usr/share/xfce4/helpers/*.desktop r, /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r, # User files owner @{PROC}/@{pid}/fd/ r, owner @{HOME}/.config/xfce4/helpers.rc r, owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, # Include additions to the abstraction include if exists <abstractions/exo-open.d> abstractions/cups-client 0000644 00000001464 15027405350 0011417 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009-2012 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # discoverable system configuration for non-local cupsd /etc/cups/client.conf r, # client should be able to talk the local cupsd @{run}/cups/cups.sock rw, # client should be able to read user-specified cups configuration owner @{HOME}/.cups/client.conf r, owner @{HOME}/.cups/lpoptions r, # Include additions to the abstraction include if exists <abstractions/cups-client.d> abstractions/user-manpages 0000644 00000001750 15027405350 0011736 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # perhaps your configuration has users elsewhere, or you don't wish # them to read their own manpages owner @{HOME}/man/ r, owner @{HOME}/man/** r, owner @{HOME}/tmp/groff* rwl, # kindof required owner /tmp/groff* rwl, # standard system manpages /usr/local/share/man/man?/ r, /usr/local/share/man/man?/** r, /usr/{share,X11R6,local,kerberos}/man/** r, /usr/man/** r, # Include additions to the abstraction include if exists <abstractions/user-manpages.d> abstractions/xdg-open 0000644 00000004355 15027405350 0010714 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via xdg-open helper. xdg-open abstraction # will allow to use gio-open, kde-open5 and other helpers of the different # desktop environments. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/xdg-open rPx -> foo//xdg-open, # ... 
# } # end of main profile # # # out-of-line child profile # profile foo//xdg-open { # include <abstractions/xdg-open> # # # Enable a11y support if considered required by # # profile author for (rare) error message boxes. # include <abstractions/dbus-accessibility> # # # Enable gstreamer support if considered required by # # profile author for (rare) error message boxes. # include if exists <abstractions/gstreamer> # # # needed for ubuntu-* abstractions # include <abstractions/ubuntu-helpers> # # # Only allow to handle http[s]: and mailto: links # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # # # < add additional allowed applications here > # } # ``` include <abstractions/base> # for openin with `exo-open` include <abstractions/exo-open> # for opening with `gio open <uri>` include <abstractions/gio-open> # for opening with gvfs-open (deprecated) include <abstractions/gvfs-open> # for opening with kde-open5 include <abstractions/kde-open5> # Main executables /{,usr/}bin/{b,d}ash mr, /usr/bin/xdg-open r, # Additional executables /usr/bin/xdg-mime rix, /{,usr/}bin/cut rix, # for xdg-mime /{,usr/}bin/head rix, # for xdg-mime /{,usr/}bin/sed rix, # for xdg-open /{,usr/}bin/tr rix, # for xdg-mime /{,usr/}bin/which rix, # for xdg-open /{,usr/}bin/{grep,egrep} rix, # for xdg-open # System files /dev/pts/[0-9]* rw, /dev/tty w, /etc/gnome/defaults.list r, # for grep /usr/share/applications/mimeinfo.cache r, # for grep /usr/share/terminfo/s/screen r, # for bash on openSUSE /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime /var/lib/menu-xdg/applications/ r, # for xdg-mime # Usr files owner @{HOME}/.local/share/applications/{,*.desktop} r, # Include additions to the abstraction include if exists <abstractions/xdg-open.d> abstractions/ubuntu-unity7-messaging 0000644 00000000471 15027405350 0013720 0 ustar 00 abi <abi/3.0>, # # Access required for connecting to/communicating with the Unity messaging # indicator # dbus (receive, send) 
bus=session path="/com/canonical/indicator/messages/*", # Include additions to the abstraction include if exists <abstractions/ubuntu-unity7-messaging.d> abstractions/gnupg 0000644 00000000713 15027405350 0010305 0 ustar 00 # vim:syntax=apparmor # gnupg sub-process running permissions abi <abi/3.0>, # user configurations owner @{HOME}/.gnupg/options r, owner @{HOME}/.gnupg/pubring.gpg r, owner @{HOME}/.gnupg/pubring.kbx r, owner @{HOME}/.gnupg/random_seed rw, owner @{HOME}/.gnupg/secring.gpg r, owner @{HOME}/.gnupg/so/*.x86_64 mr, owner @{HOME}/.gnupg/trustdb.gpg rw, # Include additions to the abstraction include if exists <abstractions/gnupg.d> abstractions/gtk 0000644 00000002662 15027405350 0007757 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /usr/share/themes/{,**} r, /usr/share/gtksourceview-[0-9]*/{,**} r, /usr/share/gtk-2.0/ r, /usr/share/gtk-2.0/gtkrc r, /usr/share/gtk-3.0/ r, /usr/share/gtk-3.0/settings.ini r, /etc/gtk-2.0/ r, /etc/gtk-2.0/gtkrc r, /etc/gtk-3.0/ r, /etc/gtk-3.0/*.conf r, /etc/gtk/gtkrc r, owner @{HOME}/.themes/{,**} r, owner @{HOME}/.local/share/themes/{,**} r, owner @{HOME}/.gtk r, owner @{HOME}/.gtkrc r, owner @{HOME}/.gtkrc-2.0 r, owner @{HOME}/.gtk-bookmarks r, owner @{HOME}/.config/gtkrc r, owner @{HOME}/.config/gtkrc-2.0 r, owner @{HOME}/.config/gtk-3.0/ rw, owner @{HOME}/.config/gtk-3.0/settings.ini r, owner @{HOME}/.config/gtk-3.0/bookmarks r, owner @{HOME}/.config/gtk-3.0/gtk.css r, # for gtk file dialog owner @{HOME}/.config/gtk-2.0/ rw, owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw, # .Xauthority file required for X connections owner @{HOME}/.Xauthority r, # Xsession errors file owner 
@{HOME}/.xsession-errors w, # Include additions to the abstraction include if exists <abstractions/gtk.d> abstractions/hosts_access 0000644 00000000777 15027405350 0011660 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2020 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /etc/hosts.deny r, /etc/hosts.allow r, include if exists <abstractions/hosts_access.d> abstractions/php-worker 0000644 00000001056 15027405350 0011264 0 ustar 00 # vim:syntax=apparmor # This file contains basic permissions for php-fpm workers abi <abi/3.0>, # load common libraries and their support files include <abstractions/base> # common php files and support files that php needs include <abstractions/php> signal (receive) peer=php-fpm, # This is some php opcaching file /tmp/.ZendSem.* rwk, # I think this is adaptive memory management /sys/devices/system/node/* r, /sys/devices/system/node/*/meminfo r, /sys/devices/system/node/ r, include if exists <abstractions/php-worker.d> abstractions/fcitx-strict 0000644 00000001465 15027405350 0011615 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2016 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/dbus-session-strict> dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), owner @{HOME}/.config/fcitx/dbus/* r, # Include additions to the abstraction include if exists <abstractions/fcitx-strict.d> abstractions/samba 0000644 00000002207 15027405350 0010250 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009-2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /etc/samba/* r, /usr/lib*/ldb/*.so mr, /usr/lib*/ldb2/*.so mr, /usr/lib*/ldb2/modules/ldb/*.so mr, /usr/lib*/samba/ldb/*.so mr, /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, /var/cache/samba/ w, /var/cache/samba/lck/* rwk, /var/lib/samba/** rwk, /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, /var/log/samba/* w, @{run}/{,lock/}samba/ w, @{run}/{,lock/}samba/*.tdb rw, @{run}/{,lock/}samba/msg.lock/ rwk, @{run}/{,lock/}samba/msg.lock/[0-9]* rwk, /var/cache/samba/msg.lock/ rwk, /var/cache/samba/msg.lock/[0-9]* rwk, # required for clustering /var/lib/ctdb/** rwk, # Include additions to the abstraction include if exists <abstractions/samba.d> abstractions/xdg-desktop 0000644 00000001416 15027405350 0011417 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2012 Canonical Ltd. 
# # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # Entries based on: # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html owner @{HOME}/.cache/ rw, owner @{HOME}/.config/ rw, owner @{HOME}/.local/ rw, owner @{HOME}/.local/share/ rw, # fallbacks /usr/share/ r, /usr/local/share/ r, # Include additions to the abstraction include if exists <abstractions/xdg-desktop.d> abstractions/private-files 0000644 00000003174 15027405350 0011743 0 ustar 00 # vim:syntax=apparmor # privacy-violations contains rules for common files that you want to # explicitly deny access abi <abi/3.0>, # privacy violations (don't audit files under $HOME otherwise get a # lot of false positives when reading contents of directories) deny @{HOME}/.*history mrwkl, deny @{HOME}/.fetchmail* mrwkl, deny @{HOME}/.mutt** mrwkl, deny @{HOME}/.viminfo* mrwkl, deny @{HOME}/.*~ mrwkl, deny @{HOME}/.*.swp mrwkl, deny @{HOME}/.*~1~ mrwkl, deny @{HOME}/.*.bak mrwkl, # special attention to (potentially) executable files audit deny @{HOME}/bin/{,**} wl, audit deny @{HOME}/.config/ w, audit deny @{HOME}/.config/autostart/{,**} wl, audit deny @{HOME}/.config/upstart/{,**} wl, audit deny @{HOME}/.init/{,**} wl, audit deny @{HOME}/.kde{,4}/ w, audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl, audit deny @{HOME}/.kde{,4}/env/{,**} wl, audit deny @{HOME}/.local/{,share/} w, audit deny @{HOME}/.local/share/thumbnailers/{,**} wl, audit deny @{HOME}/.pki/ w, audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl, # don't allow reading/updating of run control files deny @{HOME}/.*rc mrk, audit deny @{HOME}/.*rc wl, # bash deny @{HOME}/.bash* mrk, audit deny @{HOME}/.bash* wl, deny @{HOME}/.inputrc mrk, audit deny @{HOME}/.inputrc wl, # sh/dash/csh/tcsh/pdksh/zsh deny @{HOME}/.{,z}profile* 
mrk, audit deny @{HOME}/.{,z}profile* wl, deny @{HOME}/.{,z}log{in,out} mrk, audit deny @{HOME}/.{,z}log{in,out} wl, deny @{HOME}/.zshenv mrk, audit deny @{HOME}/.zshenv wl, # Include additions to the abstraction include if exists <abstractions/private-files.d> abstractions/ubuntu-media-players 0000644 00000004460 15027405350 0013244 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing access to media players in Ubuntu # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/amarok Cxr -> sanitized_helper, /usr/bin/audacious2 Cxr -> sanitized_helper, /usr/bin/audacity Cxr -> sanitized_helper, /usr/bin/bangarang Cxr -> sanitized_helper, /usr/bin/banshee Cxr -> sanitized_helper, /usr/bin/banshee-1 Cxr -> sanitized_helper, /usr/bin/decibel Cxr -> sanitized_helper, /usr/bin/dragon Cxr -> sanitized_helper, /usr/bin/esperanza Cxr -> sanitized_helper, /usr/bin/exaile Cxr -> sanitized_helper, /usr/bin/freevo Cxr -> sanitized_helper, /usr/bin/gmerlin Cxr -> sanitized_helper, /usr/bin/gxmms Cxr -> sanitized_helper, /usr/bin/gxmms2 Cxr -> sanitized_helper, /usr/bin/hornsey Cxr -> sanitized_helper, /usr/bin/jlgui Cxr -> sanitized_helper, /usr/bin/juk Cxr -> sanitized_helper, /usr/bin/kaffeine Cxr -> sanitized_helper, /usr/bin/listen Cxr -> sanitized_helper, /usr/share/minirok/minirok.py Cxr -> sanitized_helper, # mplayer /etc/mplayerplug-in.conf r, /usr/bin/gmplayer Cxr -> sanitized_helper, /usr/bin/gnome-mplayer Cxr -> sanitized_helper, /usr/bin/kmplayer Cxr -> sanitized_helper, /usr/bin/mplayer Cxr -> sanitized_helper, /usr/bin/smplayer Cxr -> sanitized_helper, /usr/bin/muine Cxr -> sanitized_helper, /usr/bin/potamus Cxr -> sanitized_helper, /usr/bin/promoe Cxr -> sanitized_helper, /usr/bin/qmmp Cxr -> sanitized_helper, /usr/bin/quodlibet Cxr -> sanitized_helper, /usr/bin/rhythmbox Cxr -> sanitized_helper, /usr/bin/strange-quark Cxr -> sanitized_helper, 
/usr/bin/swfdec-player Cxr -> sanitized_helper, /usr/bin/timidity Cxr -> sanitized_helper, /usr/lib/totem/** ixr, /usr/bin/totem-gstreamer Cxr -> sanitized_helper, /usr/bin/totem-xine Cxr -> sanitized_helper, /usr/bin/totem Cxr -> sanitized_helper, /usr/bin/vlc Cxr -> sanitized_helper, /usr/bin/xfmedia Cxr -> sanitized_helper, /usr/bin/xmms Cxr -> sanitized_helper, # gnash /usr/bin/gtk-gnash ixr, /etc/gnashrc r, /etc/gnashpluginrc r, owner @{HOME}/.gnash/ rw, owner @{HOME}/.gnash/** rw, # Include additions to the abstraction include if exists <abstractions/ubuntu-media-players.d> abstractions/ubuntu-console-browsers 0000644 00000001333 15027405350 0014012 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing access to text-only browsers in Ubuntu. These will # typically also need a terminal, so when using this abstraction, should also # do something like: # # include <abstractions/ubuntu-gnome-terminal> # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/elinks Cx -> sanitized_helper, /usr/bin/links Cx -> sanitized_helper, /usr/bin/lynx.cur Cx -> sanitized_helper, /usr/bin/netrik Cx -> sanitized_helper, /usr/bin/w3m Cx -> sanitized_helper, # Include additions to the abstraction include if exists <abstractions/ubuntu-console-browsers.d> abstractions/ubuntu-gnome-terminal 0000644 00000000454 15027405350 0013425 0 ustar 00 # vim:syntax=apparmor # # for allowing access to gnome-terminal # abi <abi/3.0>, include <abstractions/gnome> # do not use ux or PUx here. 
Use at a minimum ix /usr/bin/gnome-terminal ix, # Include additions to the abstraction include if exists <abstractions/ubuntu-gnome-terminal.d> abstractions/vulkan 0000644 00000002075 15027405350 0010470 0 ustar 00 # vim:syntax=apparmor # Vulkan access requirements abi <abi/3.0>, # System files /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa) /etc/glvnd/egl_vendor.d/{*,.json} r, /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r, # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa) @{sys}/devices/pci[0-9]*/*/drm/ r, @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/vulkan/icd.d/{,*.json} r, /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r, # User files owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r, # Include additions to the abstraction include if exists <abstractions/vulkan.d> abstractions/nss-systemd 0000644 00000002340 15027405350 0011454 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # libnss-systemd # # https://systemd.io/USER_GROUP_API/ # https://systemd.io/USER_RECORD/ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html # # Allow User/Group lookups via common VarLink socket APIs. 
Applications need # to either consult all of them or the io.systemd.Multiplexer frontend. @{run}/systemd/userdb/ r, @{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined @{PROC}/sys/kernel/random/boot_id r, include if exists <abstractions/nss-systemd.d> abstractions/ubuntu-browsers 0000644 00000003125 15027405350 0012353 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing access to graphical browsers in Ubuntu # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/arora Cx -> sanitized_helper, /usr/bin/dillo Cx -> sanitized_helper, /usr/bin/Dooble Cx -> sanitized_helper, /usr/bin/epiphany Cx -> sanitized_helper, /usr/bin/epiphany-browser Cx -> sanitized_helper, /usr/bin/epiphany-webkit Cx -> sanitized_helper, /usr/lib/fennec-*/fennec Cx -> sanitized_helper, /usr/bin/kazehakase Cx -> sanitized_helper, /usr/bin/konqueror Cx -> sanitized_helper, /usr/bin/midori Cx -> sanitized_helper, /usr/bin/netsurf Cx -> sanitized_helper, /usr/bin/seamonkey Cx -> sanitized_helper, /usr/bin/sensible-browser Pixr, /usr/bin/chromium{,-browser} Cx -> sanitized_helper, /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper, # this should cover all firefox browsers and versions (including shiretoko # and abrowser) /usr/bin/firefox Cxr -> sanitized_helper, /usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper, # Iceweasel /usr/bin/iceweasel Cxr -> sanitized_helper, /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper, # some unpackaged, but popular browsers /usr/lib/icecat-*/icecat Cx -> sanitized_helper, /usr/bin/opera Cx -> sanitized_helper, 
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper, /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper, abstractions/dbus-session 0000644 00000001353 15027405350 0011604 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2011-2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # This abstraction grants full session bus access. Consider using the # dbus-session-strict abstraction for fine-grained bus mediation. include <abstractions/dbus-session-strict> /usr/bin/dbus-launch ix, dbus bus=session, # Include additions to the abstraction include if exists <abstractions/dbus-session.d> abstractions/ubuntu-feed-readers 0000644 00000000710 15027405350 0013030 0 ustar 00 # vim:syntax=apparmor # # abstraction for allowing graphical news feed readers in Ubuntu # # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, /usr/bin/akregator Cxr -> sanitized_helper, /usr/bin/liferea-add-feed Cxr -> sanitized_helper, # Include additions to the abstraction include if exists <abstractions/ubuntu-feed-readers.d> abstractions/dbus 0000644 00000001266 15027405350 0010126 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009-2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # This abstraction grants full system bus access. Consider using the # dbus-strict abstraction for fine-grained bus mediation. include <abstractions/dbus-strict> dbus bus=system, # Include additions to the abstraction include if exists <abstractions/dbus.d> abstractions/X 0000644 00000003705 15027405350 0007400 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/dri-common> # .ICEauthority files required for X authentication, per user owner @{HOME}/.ICEauthority r, owner @{run}/user/*/ICEauthority r, # .Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, owner @{HOME}/.local/share/sddm/.Xauthority r, owner @{run}/gdm{,3}/*/database r, owner @{run}/lightdm/authority/[0-9]* r, owner @{run}/lightdm/*/xauthority r, owner @{run}/user/*/gdm/Xauthority r, owner @{run}/user/*/X11/Xauthority r, owner @{run}/user/*/xauth_* r, # the unix socket to use to connect to the display /tmp/.X11-unix/* rw, unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), /usr/include/X11/ r, /usr/include/X11/** r, # The X tree changes and is large -- grant read access to the whole thing /usr/X11R6/** r, /usr/share/X11/ r, /usr/share/X11/** r, /usr/X11R6/**.so* mr, # EGL /usr/lib/@{multiarch}/egl/*.so* mr, # Xcompose owner @{HOME}/.XCompose r, /var/cache/libx11/compose/* r, deny /var/cache/libx11/compose/* wlk, # mouse themes /etc/X11/cursors/ r, 
/etc/X11/cursors/** r, # Xwayland owner @{run}/user/*/.mutter-Xwaylandauth.* r, # Include additions to the abstraction include if exists <abstractions/X.d> abstractions/python 0000644 00000003504 15027405350 0010507 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r, /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r, /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr, # Site-wide configuration /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r, # shared python paths /usr/share/{pyshared,pycentral,python-support}/** r, /{var,usr}/lib/{pyshared,pycentral,python-support}/** r, /usr/lib/{pyshared,pycentral,python-support}/**.so mr, /var/lib/{pyshared,pycentral,python-support}/**.pyc mr, /usr/lib/python3/dist-packages/**.so mr, # wx paths /usr/lib/wx/python/*.pth r, # python build configuration and headers /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r, # Include additions to the abstraction include if exists <abstractions/python.d> 
abstractions/dbus-accessibility 0000644 00000001351 15027405350 0012746 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2013 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # This abstraction grants full accessibility bus access. Consider using the # dbus-accessibility-strict abstraction for fine-grained bus mediation. include <abstractions/dbus-accessibility-strict> dbus bus=accessibility, # Include additions to the abstraction include if exists <abstractions/dbus-accessibility.d> abstractions/ssl_keys 0000644 00000001652 15027405350 0011024 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # private ssl permissions # Just include the whole /etc/ssl directory if we should have access to # private keys too /etc/ssl/ r, /etc/ssl/** r, # acmetool /var/lib/acme/live/* r, /var/lib/acme/certs/** r, /var/lib/acme/keys/** r, # dehydrated /{etc,var/lib}/dehydrated/certs/*/privkey*.pem r, # certbot / letsencrypt /etc/letsencrypt/archive/*/privkey*.pem r, /etc/certbot/archive/*/privkey*.pem r, # Include additions to the abstraction include if exists <abstractions/ssl_keys.d> abstractions/kerberosclient 0000644 00000002401 15027405350 0012174 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. 
# # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # files required by kerberos client programs /usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r, /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr, /usr/lib{,32,64}/krb5/plugins/preauth/ r, /usr/lib{,32,64}/krb5/plugins/preauth/* mr, /usr/lib/@{multiarch}/krb5/plugins/preauth/ r, /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr, /etc/krb5.keytab rk, /etc/krb5.conf r, /etc/krb5.conf.d/ r, /etc/krb5.conf.d/* r, # config files found via strings on libs /etc/krb.conf r, /etc/krb.realms r, /etc/srvtab r, # credential caches /tmp/krb5cc* r, # Include additions to the abstraction include if exists <abstractions/kerberosclient.d> abstractions/web-data 0000644 00000001453 15027405350 0010653 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2014 Canonical Ltd # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /srv/www/htdocs/ r, /srv/www/htdocs/** r, # virtual hosting /srv/www/vhosts/ r, /srv/www/vhosts/** r, # mod_userdir @{HOME}/public_html/ r, @{HOME}/public_html/** r, /srv/www/rails/*/public/ r, /srv/www/rails/*/public/** r, /var/www/html/ r, /var/www/html/** r, # Include additions to the abstraction include if exists <abstractions/web-data.d> abstractions/fcitx 0000644 00000001056 15027405350 0010303 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2016 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, include <abstractions/fcitx-strict> dbus bus=fcitx, # Include additions to the abstraction include if exists <abstractions/fcitx.d> abstractions/ldapclient 0000644 00000001530 15027405350 0011302 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2011 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # files required by LDAP clients (e.g. 
nss_ldap/pam_ldap) /etc/ldap.conf r, /etc/ldap.secret r, /etc/openldap/* r, /etc/openldap/cacerts/* r, # SASL plugins and config /etc/sasl2/* r, /usr/lib{,32,64}/sasl2/* r, # local LDAP name service daemon @{run}/nslcd/socket rw, include <abstractions/ssl_certs> # Include additions to the abstraction include if exists <abstractions/ldapclient.d> abstractions/gvfs-open 0000644 00000002234 15027405350 0011071 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gvfs-open helper. # # NOTE: most likely you want to use xdg-open abstraction instead for better # portability across desktop environments, unless you are sure that confined # application only uses /usr/bin/gvfs-open directly. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/gvfs-open rPx -> foo//gvfs-open, # ... # } # end of main profile # # # out-of-line child profile # profile foo//gvfs-open { # include <abstractions/gvfs-open> # # # needed for ubuntu-* abstractions # include <abstractions/ubuntu-helpers> # # # Only allow to handle http[s]: and mailto: links # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # # # < add additional allowed applications here > # } # ``` include <abstractions/base> # gvfs-open is deprecated, it launches gio open <uri> include <abstractions/gio-open> # Main executables /usr/bin/gvfs-open r, /{,usr/}bin/dash mr, # Include additions to the abstraction include if exists <abstractions/gvfs-open.d> abstractions/nvidia 0000644 00000001357 15027405350 0010444 0 ustar 00 # vim:syntax=apparmor # nvidia access requirements abi <abi/3.0>, # configuration queries capability ipc_lock, /usr/share/nvidia/nvidia-application-profiles* r, # libvdpau config file for nvidia workarounds /etc/vdpau_wrapper.cfg r, # device files /dev/nvidiactl rw, /dev/nvidia-modeset rw, /dev/nvidia[0-9]* rw, @{PROC}/interrupts r, @{PROC}/sys/vm/max_map_count 
r, @{PROC}/driver/nvidia/params r, @{PROC}/modules r, @{sys}/devices/system/memory/block_size_bytes r, owner @{HOME}/.nv/ w, owner @{HOME}/.nv/GLCache/ rw, owner @{HOME}/.nv/GLCache/** rwk, unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"), # Include additions to the abstraction include if exists <abstractions/nvidia.d> abstractions/ibus 0000644 00000001740 15027405350 0010130 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2010 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # abstraction for ibus input methods owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ rw, owner @{HOME}/.config/ibus/bus/* rw, # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) # type=stream # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), # Include additions to the abstraction include if exists <abstractions/ibus.d> abstractions/openssl 0000644 00000001210 15027405350 0010641 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2011 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /etc/ssl/openssl.cnf r, /etc/ssl/{engdef,engines}.d/ r, /etc/ssl/{engdef,engines}.d/*.cnf r, /usr/share/ssl/openssl.cnf r, @{PROC}/sys/crypto/fips_enabled r, # Include additions to the abstraction include if exists <abstractions/openssl.d> abstractions/wutmp 0000644 00000001307 15027405350 0010341 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # some services update wtmp, utmp, and lastlog with per-user # connection information /var/log/lastlog rwk, /var/log/wtmp rwk, /var/log/btmp rwk, @{run}/utmp rwk, # Include additions to the abstraction include if exists <abstractions/wutmp.d> abstractions/user-mail 0000644 00000001660 15027405350 0011065 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2014 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, # location of user mail, spool and mboxes owner @{HOME}/[mM]ail/ r, owner @{HOME}/[mM]ail/** rwl, owner @{HOME}/postponed* rwl, /var/{,spool/}mail/ r, owner /var/{,spool/}mail/* rwl, owner @{HOME}/mbox.lock* rwl, owner @{HOME}/mbox rw, owner @{HOME}/inbox rw, owner @{HOME}/.forward r, owner @{HOME}/Maildir/ r, owner @{HOME}/Maildir/** rwl, # Include additions to the abstraction include if exists <abstractions/user-mail.d> abstractions/ubuntu-xterm 0000644 00000000532 15027405350 0011643 0 ustar 00 # vim:syntax=apparmor # # for allowing access to xterm # abi <abi/3.0>, include <abstractions/consoles> /dev/ptmx rw, /{,var/}run/utmp r, /etc/X11/app-defaults/XTerm r, # do not use ux or Ux here. Use at a minimum ix /usr/bin/xterm ix, # Include additions to the abstraction include if exists <abstractions/ubuntu-xterm.d> abstractions/opencl-pocl 0000644 00000005540 15027405350 0011403 0 ustar 00 # vim:syntax=apparmor # OpenCL access requirements for POCL implementation abi <abi/3.0>, include <abstractions/opencl-common> # Executables /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld, /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang, # System files / r, # libpocl.so -> libhwloc.so @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so @{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so 
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so /usr/share/pocl/** r, @{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so # User files owner @{HOME}/.cache/pocl/ w, owner @{HOME}/.cache/pocl/kcache/ w, owner @{HOME}/.cache/pocl/kcache/** rw, owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous! owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so # Child profiles profile opencl_pocl_ld { include <abstractions/base> # Main executables /usr/bin/{,@{multiarch}-}ld.bfd mr, # User files owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw, owner @{HOME}/.cache/pocl/kcache/**.so.o r, } profile opencl_pocl_clang { include <abstractions/base> # Main executables /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr, # Additional executables /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile? 
# System files /etc/debian-version r, /etc/lsb-release r, # User files owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, } # Include additions to the abstraction include if exists <abstractions/opencl-pocl.d> abstractions/mysql 0000644 00000001343 15027405350 0010332 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # Copyright (C) 2013 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, /var/lib/mysql{,d}/mysql{,d}.sock rw, @{run}/mysql{,d}/mysql{,d}.sock rw, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r, # Include additions to the abstraction include if exists <abstractions/mysql.d> abstractions/ubuntu-browsers.d/multimedia 0000644 00000002606 15027405350 0014732 0 ustar 00 # vim:syntax=apparmor # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. 
Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, include <abstractions/X> # Pulseaudio /usr/bin/pulseaudio Pixr, # Image viewers /usr/bin/eog Cxr -> sanitized_helper, /usr/bin/gimp* Cxr -> sanitized_helper, /usr/bin/shotwell Cxr -> sanitized_helper, /usr/bin/digikam Cxr -> sanitized_helper, /usr/bin/gwenview Cxr -> sanitized_helper, include <abstractions/ubuntu-media-players> owner @{HOME}/.adobe/ w, owner @{HOME}/.adobe/** rw, owner @{HOME}/.macromedia/ w, owner @{HOME}/.macromedia/** rw, /opt/real/RealPlayer/mozilla/nphelix.so rm, /usr/bin/lpstat Cxr -> sanitized_helper, /usr/bin/lpr Cxr -> sanitized_helper, # Bittorrent clients include <abstractions/ubuntu-bittorrent-clients> # Archivers /usr/bin/ark Cxr -> sanitized_helper, /usr/bin/file-roller Cxr -> sanitized_helper, /usr/bin/xarchiver Cxr -> sanitized_helper, /usr/local/lib{,32,64}/*.so* mr, # News feed readers include <abstractions/ubuntu-feed-readers> # If we allow the above, nvidia based systems will also need this include <abstractions/nvidia> # Virus scanners /usr/bin/clamscan Cx -> sanitized_helper, # gxine (LP: #1057642) /var/lib/xine/gxine.desktop r, # For WebRTC camera access (LP: #1665535) /dev/video[0-9]* rw, abstractions/ubuntu-browsers.d/text-editors 0000644 00000001240 15027405350 0015224 0 ustar 00 # vim:syntax=apparmor # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. 
Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125]) /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper, /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper, /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper, /usr/bin/gedit Cxr -> sanitized_helper, /usr/bin/vim.gnome Cxr -> sanitized_helper, /usr/bin/leafpad Cxr -> sanitized_helper, /usr/bin/mousepad Cxr -> sanitized_helper, /usr/bin/kate Cxr -> sanitized_helper, abstractions/ubuntu-browsers.d/kde 0000644 00000000411 15027405350 0013333 0 ustar 00 # vim:syntax=apparmor # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, include <abstractions/kde> /usr/bin/kde4-config Cx -> sanitized_helper, abstractions/ubuntu-browsers.d/plugins-common 0000644 00000000537 15027405350 0015550 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # # Plugins/helpers # @{PROC}/@{pid}/fd/ r, /usr/lib/** rm, /{,usr/}bin/bash ixr, /{,usr/}bin/dash ixr, /{,usr/}bin/grep ixr, /{,usr/}bin/sed ixr, /usr/bin/m4 ixr, # Since all the ubuntu-browsers.d abstractions need this, just include it # here include <abstractions/ubuntu-helpers> abstractions/ubuntu-browsers.d/java 0000644 00000007461 15027405350 0013525 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # Java plugin owner @{HOME}/.java/deployment/deployment.properties k, /etc/java-*/ r, /etc/java-*/** r, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk, /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx 
-> browser_java, /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java, owner /{,var/}run/user/*/icedteaplugin-*/ rw, owner /{,var/}run/user/*/icedteaplugin-*/** rwk, # Profile for the supported OpenJDK in Ubuntu. This doesn't require the # unfortunate workarounds of the proprietary Javas, so have a separate # profile. profile browser_openjdk { include <abstractions/base> include <abstractions/fonts> include <abstractions/gnome> include <abstractions/kde> include <abstractions/nameservice> include <abstractions/ssl_certs> include <abstractions/user-tmp> include <abstractions/private-files-strict> network inet stream, network inet6 stream, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, /etc/java-*/ r, /etc/java-*/** r, /etc/lsb-release r, /etc/ssl/certs/java/* r, /etc/timezone r, /etc/writable/timezone r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/filesystems r, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/** r, /usr/share/** r, /var/lib/dbus/machine-id r, /usr/bin/env ix, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix, /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix, /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m, # Why would java need this? deny /usr/bin/gconftool-2 x, owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw, owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r, owner @{HOME}/ r, owner @{HOME}/** rwk, } # Profile for commercial Javas. These need workarounds to work right (eg # Sun's forcing of an executable stack (LP: #535247)). 
profile browser_java { include <abstractions/base> include <abstractions/fonts> include <abstractions/gnome> include <abstractions/kde> include <abstractions/nameservice> include <abstractions/ssl_certs> include <abstractions/user-tmp> include <abstractions/private-files-strict> network inet stream, network inet6 stream, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, @{PROC}/loadavg r, /etc/debian_version r, /etc/java-*/ r, /etc/java-*/** r, /etc/lsb-release r, /etc/ssl/certs/java/* r, /etc/timezone r, /etc/writable/timezone r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/filesystems r, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/** r, /usr/share/** r, /var/lib/dbus/machine-id r, /usr/bin/env ix, /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix, /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m, /usr/lib/j2*-ibm/jre/bin/java ix, # noisy, can't write here anyway deny /etc/.java/ w, deny /etc/.java/** w, deny /usr/bin/gconftool-2 x, owner @{HOME}/ r, owner @{HOME}/** rwk, # These are seriously unfortunate, but required due to LP: #535247 /etc/passwd m, owner @{HOME}/.java/**/cache/** m, owner /tmp/** m, /usr/lib{,32,64}/jvm/**/*.jar mr, /usr/share/fonts/** m, } abstractions/ubuntu-browsers.d/chromium-browser 0000644 00000001772 15027405350 0016107 0 ustar 00 # vim:syntax=apparmor # ------------------------------------------------------------------ # # Copyright (C) 2020 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ # Author: Jamie Strandboge <jamie@canonical.com> # For site-specific adjustments, please see: # /etc/apparmor.d/local/chromium-browser abi <abi/3.0>, include <abstractions/ubuntu-browsers.d/plugins-common> include <abstractions/ubuntu-browsers.d/mailto> include <abstractions/ubuntu-browsers.d/multimedia> include <abstractions/ubuntu-browsers.d/productivity> include <abstractions/ubuntu-browsers.d/java> include <abstractions/ubuntu-browsers.d/kde> include <abstractions/ubuntu-browsers.d/text-editors> include <abstractions/ubuntu-browsers.d/ubuntu-integration> include <abstractions/ubuntu-browsers.d/user-files> abstractions/ubuntu-browsers.d/ubuntu-integration 0000644 00000002156 15027405350 0016443 0 ustar 00 # vim:syntax=apparmor # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, # Apport /usr/bin/apport-bug Cx -> sanitized_helper, # Package installation /usr/bin/apturl Cxr -> sanitized_helper, /usr/share/software-center/software-center Cxr -> sanitized_helper, # Input Methods /usr/bin/scim Cx -> sanitized_helper, /usr/bin/scim-bridge Cx -> sanitized_helper, # File managers /usr/bin/nautilus Cxr -> sanitized_helper, /usr/bin/{t,T}hunar Cxr -> sanitized_helper, /usr/bin/dolphin Cxr -> sanitized_helper, # Themes /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper, # Kubuntu /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper, # Exo-aware applications include <abstractions/exo-open> # unity webapps integration. 
Could go in its own abstraction owner /run/user/*/dconf/user rw, owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk, /usr/bin/debconf-communicate Cxr -> sanitized_helper, owner @{HOME}/.config/libaccounts-glib/accounts.db rk, abstractions/ubuntu-browsers.d/ubuntu-integration-xul 0000644 00000000271 15027405350 0017245 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # firefox-notify include <abstractions/python> /usr/bin/python2.[4567] ix, /usr/share/xul-ext/notify/**/download_complete_notify.py ix, abstractions/ubuntu-browsers.d/productivity 0000644 00000001576 15027405350 0015352 0 ustar 00 # vim:syntax=apparmor # Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: # include <abstractions/ubuntu-helpers> abi <abi/3.0>, # Openoffice.org /usr/bin/ooffice Cxr -> sanitized_helper, /usr/bin/oocalc Cxr -> sanitized_helper, /usr/bin/oodraw Cxr -> sanitized_helper, /usr/bin/ooimpress Cxr -> sanitized_helper, /usr/bin/oowriter Cxr -> sanitized_helper, /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper, # LibreOffice /usr/bin/libreoffice Cxr -> sanitized_helper, /usr/bin/localc Cxr -> sanitized_helper, /usr/bin/lodraw Cxr -> sanitized_helper, /usr/bin/loimpress Cxr -> sanitized_helper, /usr/bin/lowriter Cxr -> sanitized_helper, /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper, # PDFs /usr/bin/evince Cxr -> sanitized_helper, /usr/bin/okular Cxr -> sanitized_helper, abstractions/ubuntu-browsers.d/mailto 0000644 00000000523 15027405350 0014061 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # for mailto: include <abstractions/ubuntu-email> include <abstractions/ubuntu-console-email> # Terminals for using console applications. 
These abstractions should ideally # have 'ix' to restrict access to what only firefox is allowed to do include <abstractions/ubuntu-gnome-terminal> abstractions/ubuntu-browsers.d/user-files 0000644 00000001647 15027405350 0014662 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # Allow read to all files user has DAC access to and write access to all # files owned by the user in $HOME. @{HOME}/ r, @{HOME}/** r, owner @{HOME}/** w, # Do not allow read and/or write to particularly sensitive/problematic files include <abstractions/private-files> audit deny @{HOME}/.ssh/{,**} mrwkl, audit deny @{HOME}/.gnome2_private/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl, # Comment this out if using gpg plugin/addons audit deny @{HOME}/.gnupg/{,**} mrwkl, # Allow read to all files user has DAC access to and write for files the user # owns on removable media and filesystems. /media/** r, /mnt/** r, /srv/** r, /net/** r, owner /media/** w, owner /mnt/** w, owner /srv/** w, owner /net/** w, abstractions/opencl-intel 0000644 00000001240 15027405350 0011552 0 ustar 00 # vim:syntax=apparmor abi <abi/3.0>, # OpenCL access requirements for Intel implementation include <abstractions/opencl-common> # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay()) include <abstractions/X> # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so include <abstractions/dri-enumerate> # System files /dev/dri/card[0-9]* rw, # beignet/libcl.so @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) 
/usr/lib/@{multiarch}/beignet/** r, # Include additions to the abstraction include if exists <abstractions/opencl-intel.d> abstractions/postfix-common 0000644 00000002514 15027405350 0012150 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2015-2018 Canonical, Ltd. # Copyright (C) 2020-2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # used with postfix/* abi <abi/3.0>, capability setuid, capability setgid, capability sys_chroot, # postfix's master can send us signals signal receive peer=postfix-master, unix (send, receive) peer=(label=postfix-master), /etc/mailname r, /etc/postfix/*.cf r, /etc/postfix/*.db rk, /etc/postfix/*.lmdb rk, @{PROC}/net/if_inet6 r, /usr/lib/postfix/*.so mr, /usr/lib{,32,64}/sasl2/* mr, /usr/lib{,32,64}/sasl2/ r, /usr/lib/@{multiarch}/sasl2/* mr, /usr/lib/@{multiarch}/sasl2/ r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/spool/postfix/etc/* r, /var/spool/postfix/lib/lib*.so* mr, /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, /etc/postfix/dynamicmaps.cf.d/ r, # Include additions to the abstraction include if exists <abstractions/postfix-common.d> abstractions/kde-globals-write 0000644 00000000635 15027405350 0012504 0 ustar 00 # vim:syntax=apparmor # Rules for changing KDE settings (for KFileDialog and other). abi <abi/3.0>, # User files owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/kdeglobals rw, owner @{HOME}/.config/kdeglobals.?????? 
rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.lock rwk, # Include additions to the abstraction include if exists <abstractions/kde-globals-write.d> abstractions/snap_browsers 0000644 00000003210 15027405350 0012047 0 ustar 00 profile snap_browsers { include if exists <abstractions/snap_browsers.d> include <abstractions/base> include <abstractions/dbus-session-strict> /etc/passwd r, /etc/nsswitch.conf r, /etc/fstab r, # noisy deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix, /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix, /var/lib/snapd/system-key r, /run/snapd.socket rw, @{PROC}/version r, @{PROC}/cmdline r, @{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/random/uuid r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{HOME}/.snap/auth.json r, # if exists, required dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"), dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved", /sys/kernel/security/apparmor/features/ r, # allow launching official browser snaps. 
/snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r, /var/lib/snapd/sequence/{chromium,firefox,opera}.json r, /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk, # add other browsers here } abstractions/mdns 0000644 00000001052 15027405350 0010123 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2006 Novell/SUSE # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # mdnsd /etc/mdns.allow r, /etc/nss_mdns.conf r, @{run}/mdnsd w, # Include additions to the abstraction include if exists <abstractions/mdns.d> abstractions/ssl_certs 0000644 00000003030 15027405350 0011161 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2010-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. 
# # ------------------------------------------------------------------ abi <abi/3.0>, /etc/ca-certificates/{,**} r, /etc/{,libre}ssl/ r, /etc/{,libre}ssl/cert.pem r, /etc/{,libre}ssl/certs/{,**} r, /etc/pki/trust/{,*} r, /etc/pki/trust/anchors/{,**} r, /usr/share/ca-certificates/{,**} r, /usr/share/ssl/certs/ca-bundle.crt r, /usr/local/share/ca-certificates/{,**} r, /var/lib/ca-certificates/{,**} r, # acmetool /var/lib/acme/certs/*/chain r, /var/lib/acme/certs/*/cert r, # dehydrated /{etc,var/lib}/dehydrated/certs/*/cert*.pem r, /{etc,var/lib}/dehydrated/certs/*/chain*.pem r, /{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r, /{etc,var/lib}/dehydrated/certs/*/ocsp*.der r, # certbot /etc/letsencrypt/archive/*/cert*.pem r, /etc/letsencrypt/archive/*/chain*.pem r, /etc/letsencrypt/archive/*/fullchain*.pem r, /etc/certbot/archive/*/cert*.pem r, /etc/certbot/archive/*/chain*.pem r, /etc/certbot/archive/*/fullchain*.pem r, # crypto policies used by various libraries /etc/crypto-policies/*/*.txt r, /usr/share/crypto-policies/*/*.txt r, # Include additions to the abstraction include if exists <abstractions/ssl_certs.d> abstractions/nameservice 0000644 00000010445 15027405350 0011471 0 ustar 00 # ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi <abi/3.0>, # Many programs wish to perform nameservice-like operations, such as # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. 
@{etc_ro}/group r, @{etc_ro}/host.conf r, @{etc_ro}/hosts r, @{etc_ro}/nsswitch.conf r, @{etc_ro}/gai.conf r, @{etc_ro}/passwd r, @{etc_ro}/protocols r, # libtirpc (used for NIS/YP login) needs this @{etc_ro}/netconfig r, # When using libnss-extrausers, the passwd and group files are merged from # an alternate path /var/lib/extrausers/group r, /var/lib/extrausers/passwd r, # When using sssd, the passwd and group files are stored in an alternate path # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r, /var/lib/sss/mc/initgroups r, /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw, @{etc_ro}/resolv.conf r, # On systems where /etc/resolv.conf is managed programmatically, it is # a symlink to @{run}/(whatever program is managing it)/resolv.conf. @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, @{etc_ro}/resolvconf/run/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, @{etc_ro}/samba/lmhosts r, @{etc_ro}/services r, # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading # to vast speed increases when working with network-based lookups. 
@{run}/.nscd_socket rw, @{run}/nscd/socket rw, /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, # nscd renames and unlinks files in it's operation that clients will # have open @{run}/nscd/db* rmix, # The nss libraries are sometimes used in addition to PAM; make sure # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr, @{etc_ro}/default/nss r, # avahi-daemon is used for mdns4 resolution @{run}/avahi-daemon/socket rw, # libnl-3-200 via libnss-gw-name @{PROC}/@{pid}/net/psched r, @{etc_ro}/libnl-*/classid r, # nis include <abstractions/nis> # ldap include <abstractions/ldapclient> # winbind include <abstractions/winbind> # likewise include <abstractions/likewise> # mdnsd include <abstractions/mdns> # kerberos include <abstractions/kerberosclient> #libnss-systemd include <abstractions/nss-systemd> # Also allow lookups for systemd-exec's DynamicUsers via D-Bus # https://www.freedesktop.org/software/systemd/man/systemd.exec.html dbus send bus=system path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" peer=(name="org.freedesktop.systemd1"), # resolve # # Allow access to the safe members of the systemd-resolved D-Bus API: # # https://www.freedesktop.org/wiki/Software/systemd/resolved/ # # This API may be used directly over the D-Bus system bus or it may be used # indirectly via the nss-resolve plugin: # # https://www.freedesktop.org/software/systemd/man/nss-resolve.html # #include <abstractions/dbus-strict> dbus send bus=system path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="Resolve{Address,Hostname,Record,Service}" peer=(name="org.freedesktop.resolve1"), # TCP/UDP network access network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, # TODO: adjust when support finer-grained netlink rules # Netlink raw needed for nscd network netlink 
raw, # interface details @{PROC}/@{pid}/net/route r, # Include additions to the abstraction include if exists <abstractions/nameservice.d>