From 92bc371701e71fecbdba531d0ee8855a35653534 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 18 Jan 2012 15:03:11 +0100 Subject: [PATCH] First version of my ArchLinux Laptop AppArmor profiles --- bin.netstat | 41 +++++ ...vie.private.dotfiles..purple.answerscripts | 17 ++ sbin.dhclient | 73 ++++++++ sbin.dhclient-script | 21 +++ sbin.dhcpcd | 50 ++++++ sbin.portmap | 25 +++ sbin.resmgrd | 32 ++++ sbin.rpc.lockd | 16 ++ sbin.rpc.statd | 29 ++++ usr.bin.acroread | 60 +++++++ usr.bin.apropos | 26 +++ usr.bin.epiphany | 31 ++++ usr.bin.evolution-2.10 | 156 ++++++++++++++++++ usr.bin.fam | 22 +++ usr.bin.freshclam | 27 +++ usr.bin.gaim | 67 ++++++++ usr.bin.man | 43 +++++ usr.bin.netsurf | 21 +++ usr.bin.opera | 76 +++++++++ usr.bin.passwd | 35 ++++ usr.bin.perl | 17 ++ usr.bin.php-cgi | 7 + usr.bin.pidgin | 80 +++++++++ usr.bin.skype | 40 +++++ usr.bin.wireshark | 44 +++++ usr.lib.GConf.2.gconfd-2 | 34 ++++ usr.lib.bonobo.bonobo-activation-server | 25 +++ usr.lib.chromium.chromium | 52 ++++++ ...ion-data-server.evolution-data-server-1.10 | 40 +++++ usr.lib.firefox.firefox | 36 ++++ usr.lib.firefox.firefox.sh | 19 +++ usr.lib.firefox.mozilla-xremote-client | 21 +++ usr.lib.man-db.man | 68 ++++++++ usr.sbin.cupsd | 61 +++++++ usr.sbin.dhcpd | 37 +++++ usr.sbin.in.fingerd | 23 +++ usr.sbin.lighttpd | 77 +++++++++ usr.sbin.minidlna | 18 ++ usr.sbin.mysqld | 28 ++++ usr.sbin.squid | 63 +++++++ usr.sbin.sshd | 139 ++++++++++++++++ usr.sbin.useradd | 50 ++++++ usr.sbin.userdel | 51 ++++++ usr.sbin.vsftpd | 35 ++++ usr.sbin.xinetd | 71 ++++++++ 45 files changed, 2004 insertions(+) create mode 100644 bin.netstat create mode 100644 home.harvie.private.dotfiles..purple.answerscripts create mode 100644 sbin.dhclient create mode 100644 sbin.dhclient-script create mode 100644 sbin.dhcpcd create mode 100644 sbin.portmap create mode 100644 sbin.resmgrd create mode 100644 sbin.rpc.lockd create mode 100644 sbin.rpc.statd create mode 100644 usr.bin.acroread create mode 100644 usr.bin.apropos create mode 100644 usr.bin.epiphany create mode 100644 usr.bin.evolution-2.10 create mode 100644 usr.bin.fam create mode 100644 usr.bin.freshclam create mode 100644 usr.bin.gaim create mode 100644 usr.bin.man create mode 100644 usr.bin.netsurf create mode 100644 usr.bin.opera create mode 100644 usr.bin.passwd create mode 100644 usr.bin.perl create mode 100644 usr.bin.php-cgi create mode 100644 usr.bin.pidgin create mode 100644 usr.bin.skype create mode 100644 usr.bin.wireshark create mode 100644 usr.lib.GConf.2.gconfd-2 create mode 100644 usr.lib.bonobo.bonobo-activation-server create mode 100644 usr.lib.chromium.chromium create mode 100644 usr.lib.evolution-data-server.evolution-data-server-1.10 create mode 100644 usr.lib.firefox.firefox create mode 100644 usr.lib.firefox.firefox.sh create mode 100644 usr.lib.firefox.mozilla-xremote-client create mode 100644 usr.lib.man-db.man create mode 100644 usr.sbin.cupsd create mode 100644 usr.sbin.dhcpd create mode 100644 usr.sbin.in.fingerd create mode 100644 usr.sbin.lighttpd create mode 100644 usr.sbin.minidlna create mode 100644 usr.sbin.mysqld create mode 100644 usr.sbin.squid create mode 100644 usr.sbin.sshd create mode 100644 usr.sbin.useradd create mode 100644 usr.sbin.userdel create mode 100644 usr.sbin.vsftpd create mode 100644 usr.sbin.xinetd diff --git a/bin.netstat b/bin.netstat new file mode 100644 index 0000000..e9198a0 --- /dev/null +++ b/bin.netstat @@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# evolution, amongst other things, calls this program. I didn't want to +# give evolution access to significant chunks of /proc +# + +#include + +/bin/netstat { + #include + #include + #include + + capability dac_override, + capability dac_read_search, + deny capability sys_ptrace, + + /bin/netstat rmix, + /etc/networks r, + @{PROC} r, + @{PROC}/[0-9]*/cmdline r, + @{PROC}/[0-9]*/fd r, + @{PROC}/net r, + @{PROC}/net/* r, + @{PROC}/*/fd/ r, + owner @{PROC}/*/net/raw r, + owner @{PROC}/*/net/raw6 r, + owner @{PROC}/*/net/tcp r, + owner @{PROC}/*/net/tcp6 r, + owner @{PROC}/*/net/udp r, + owner @{PROC}/*/net/udp6 r, + owner @{PROC}/*/net/unix r, +} diff --git a/home.harvie.private.dotfiles..purple.answerscripts b/home.harvie.private.dotfiles..purple.answerscripts new file mode 100644 index 0000000..9c72ec7 --- /dev/null +++ b/home.harvie.private.dotfiles..purple.answerscripts @@ -0,0 +1,17 @@ +# Last Modified: Wed Jan 18 12:35:39 2012 +#include + +/home/harvie/private/dotfiles/.purple/answerscripts flags=(complain) { + #include + #include + #include + #include + + + + /** rix, + /home/*/private/dotfiles/.purple/* rwix, + /home/*/private/dotfiles/.purple/answerscripts.d/ r, + /home/*/{,private/dotfiles/.purple/}answerscripts.d/* rix, + +} diff --git a/sbin.dhclient b/sbin.dhclient new file mode 100644 index 0000000..df17e88 --- /dev/null +++ b/sbin.dhclient @@ -0,0 +1,73 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# Note that this profile doesn't include any NetDomain rules; dhclient uses +# raw sockets, and thus cannot be confined with NetDomain +# +# Should these programs have their own domains? +# /bin/ps mrix, +# /sbin/arp mrix, +# /usr/bin/dig mrix, +# /usr/bin/uptime mrix, +# /usr/bin/vmstat mrix, +# /usr/bin/w mrix, + +#include + +/sbin/dhclient { + #include + #include + #include + + network packet packet, + network packet raw, + + /sbin/dhclient mrix, + + /bin/bash mrix, + /bin/df mrix, + /bin/netstat Px, + /bin/ps mrix, + /dev/random r, + /etc/dhclient.conf r, + @{PROC}/ r, + @{PROC}/interrupts r, + @{PROC}/*/net/dev r, + @{PROC}/rtc r, + # following rule shouldn't work, self is a symlink + @{PROC}/self/status r, + /sbin/arp mrix, + /usr/bin/dig mrix, + /usr/bin/uptime mrix, + /usr/bin/vmstat mrix, + /usr/bin/w mrix, + /var/lib/dhcp/dhclient.leases rw, + /var/lib/dhcp/dhclient-*.leases rw, + /var/log/lastlog r, + /var/log/messages r, + /var/log/wtmp r, + /{,var/}run/dhclient.pid rw, + /{,var/}run/dhclient-*.pid rw, + /var/spool r, + /var/spool/mail r, + + # This one will need to be fleshed out depending on what the user is doing + /sbin/dhclient-script mrpix, + + /bin/grep mrix, + /bin/sleep mrix, + /etc/sysconfig/network/dhcp r, + /etc/sysconfig/network/scripts/functions.common r, + /etc/sysconfig/network/scripts/functions r, + /sbin/ip mrix, + /usr/lib/NetworkManager/nm-dhcp-client.action mrix, + /var/lib/dhcp/* rw, + /{,var/}run/nm-dhclient-*.conf r, + +} diff --git a/sbin.dhclient-script b/sbin.dhclient-script new file mode 100644 index 0000000..a86c5ab --- /dev/null +++ b/sbin.dhclient-script @@ -0,0 +1,21 @@ +# Last Modified: Tue Jan 25 16:48:30 2011 +#include + +# dhclient-script will call plugins from /etc/netconfig.d, so this +# will need to be extended on a per-site basis. + +/sbin/dhclient-script { + #include + #include + #include + + /bin/bash rix, + /bin/grep rix, + /bin/sleep rix, + /bin/touch rix, + /dev/.sysconfig/network/** r, + /etc/netconfig.d/* mrix, + /etc/sysconfig/network/** r, + /sbin/dhclient-script r, + /sbin/ip rix, +} diff --git a/sbin.dhcpcd b/sbin.dhcpcd new file mode 100644 index 0000000..de62b13 --- /dev/null +++ b/sbin.dhcpcd @@ -0,0 +1,50 @@ +# Last Modified: Wed Jan 18 14:06:39 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# +# If you wish to use /etc/sysconfig/network/scripts/dhcpcd-hook, be sure +# to configure a subdomain profile for it. +# +# Note that dhcpcd (at least as distributed by SuSE) offers to rewrite +# ntp.conf and yp.conf in addition to resolv.conf. +# + +#include + +/sbin/dhcpcd { + #include + #include + + capability dac_override, + capability net_admin, + capability net_raw, + capability sys_admin, + + + + /bin/bash mrix, + /bin/touch mrix, + /dev/tty rw, + /etc/* r, + /etc/dhcpc/* rwl, + /etc/init.d/syslog Ux, + /etc/ntp.conf{,.sv} rwl, + /etc/resolv.conf{,.sv} rwl, + /etc/sysconfig/network/scripts/dhcpcd-hook mrix, + /etc/yp.conf{,.sv} rwl, + /proc/sys/** w, + /sbin/dhcpcd mrix, + /sbin/ifup Ux, + /sbin/modify_resolvconf mrix, + /usr/lib/networkmanager/nm-dhcp-client.action rix, + /var/lib/dhcpcd/* rw, + /{,var/}run/dhcpcd-*.pid rwlk, + +} diff --git a/sbin.portmap b/sbin.portmap new file mode 100644 index 0000000..e90e8ef --- /dev/null +++ b/sbin.portmap @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/portmap { + #include + #include + + capability net_bind_service, + capability setuid, + capability setgid, + + /etc/bindresvport.blacklist r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /sbin/portmap rmix, +} diff --git a/sbin.resmgrd b/sbin.resmgrd new file mode 100644 index 0000000..a069711 --- /dev/null +++ b/sbin.resmgrd @@ -0,0 +1,32 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Mon Mar 13 15:55:30 2006 + +#include + +/sbin/resmgrd { + #include + #include + + capability fowner, + capability chown, + + /dev/** rw, + /etc/resmgr.conf r, + /etc/resmgr.conf.d/ r, + /etc/resmgr.conf.d/*.conf r, + /sbin/resmgrd r, + /{,var/}run/.resmgr_socket lrw, + /{,var/}run/resmgr.pid lrw, + /{,var/}run/fence* lrw, + /{,var/}run/resmgr/classes/** wl, + /{run,var}/lock/LCK* lrw, +} diff --git a/sbin.rpc.lockd b/sbin.rpc.lockd new file mode 100644 index 0000000..410c3d4 --- /dev/null +++ b/sbin.rpc.lockd @@ -0,0 +1,16 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/rpc.lockd { + #include + /sbin/rpc.lockd rmix, +} diff --git a/sbin.rpc.statd b/sbin.rpc.statd new file mode 100644 index 0000000..a54689e --- /dev/null +++ b/sbin.rpc.statd @@ -0,0 +1,29 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/rpc.statd { + #include + #include + /etc/rpc r, + /sbin/rpc.statd rmix, + /sm rw, + /sm.bak rw, + /state rw, + /var/lib/nfs/sm/* rw, + /var/lib/nfs/statd rw, + /var/lib/nfs/statd/sm r, + /var/lib/nfs/statd/sm/* rwl, + /var/lib/nfs/statd/state rw, + /var/lib/nfs/statd/sm.bak r, + /var/lib/nfs/statd/sm.bak/* rwl, + /{,var/}run/rpc.statd.pid w, +} diff --git a/usr.bin.acroread b/usr.bin.acroread new file mode 100644 index 0000000..e89754a --- /dev/null +++ b/usr.bin.acroread @@ -0,0 +1,60 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Wed Aug 24 16:21:32 2005 + +#include + +/usr/X11R6/bin/acroread { + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + + /bin/basename mixr, + /bin/bash mix, + /bin/cat mixr, + /bin/grep mixr, + /bin/uname mixr, + /etc/** r, + + @{HOME}/.adobe/** rw, + @{HOME}/Desktop/** rw, + @{HOME}/Documents/* rw, + @{HOME}/.fonts.cache-* r, + @{HOME}/.gconfd/saved_state lrw, + @{HOME}/.gconfd/saved_state.orig lw, + @{HOME}/.gconfd/saved_state.tmp lrw, + @{HOME}/.gconf r, + @{HOME}/.gconf/.testing.writeability lw, + @{HOME}/* rw, + + /usr/bin/acroread Pxr, + /usr/bin/gconftool-2 mixr, + /usr/lib/firefox/firefox.sh Pxr, + /usr/lib/GConf/** r, + /usr/lib/GConf/2/gconfd-2 Pxr, + /usr/share/icons r, + /usr/share/icons/hicolor/icon-theme.cache r, + /usr/share/pixmaps r, + /usr/lib/Acrobat7/Reader/intellinux/lib/**so* mixr, + /usr/bin/cut mixr, + /usr/bin/dirname mixr, + /usr/bin/which mixr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/share/icons r, +} diff --git a/usr.bin.apropos b/usr.bin.apropos new file mode 100644 index 0000000..0a26cdc --- /dev/null +++ b/usr.bin.apropos @@ -0,0 +1,26 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/apropos { + #include + #include + #include + /bin/basename mixr, + /bin/bash mixr, + /bin/grep mixr, + /etc/manpath.config r, + /usr/bin/apropos rmix, + /usr/bin/man Px, + /usr/bin/tr mixr, + /var/cache/man/whatis r, + /var/cache/man/** r, +} diff --git a/usr.bin.epiphany b/usr.bin.epiphany new file mode 100644 index 0000000..3805910 --- /dev/null +++ b/usr.bin.epiphany @@ -0,0 +1,31 @@ +# Last Modified: Wed Jan 18 09:14:15 2012 +#include + +/usr/bin/epiphany { + #include + #include + #include + #include + #include + #include + + + + / r, + /dev/ r, + /dev/**/ r, + /etc/** r, + /home/*/ r, + /home/*/** rw, + /home/*/.gnome2/epiphany/** rwk, + /home/*/.local/share/** rwk, + /opt/java/** mr, + /opt/kde/share/** r, + /proc/**/ r, + /sys/devices/system/cpu/online r, + owner /tmp/** rwlk, + /tmp/** m, + /usr/include/** r, + /usr/share/** r, + +} diff --git a/usr.bin.evolution-2.10 b/usr.bin.evolution-2.10 new file mode 100644 index 0000000..f5e9d5e --- /dev/null +++ b/usr.bin.evolution-2.10 @@ -0,0 +1,156 @@ +# vim:syntax=apparmor +# Last Modified: Wed Sep 7 21:32:52 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ---------------------------------------------------------------------- +# +# +# Profile for Evolution 2.4: +# +# Covered scenarios: +# +# Receive Mail: +# IMAP/POP/Local +# Mark mail as junk mail +# Print mail message with lpr local +# Print mail message with cups remote +# View pdf attachements +# Decrypt using gpg +# +# Send Mail: +# SMTP/Sendmail +# Encrypt/Sign using gpg +# +# Contacts: +# Add/Edit/Delete local contacts +# +# Calendaring: +# Add Local calendar +# Add|Edit|Delete event to|in|from local calendar +# Publish free/busy information to webdav server +# Subscribe to webcal:// calendar +# +# + +#include + +/usr/bin/evolution-2.10 { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability ipc_lock, + capability setuid, + + /bin/basename mixr, + /bin/bash mix, + /bin/grep mixr, + /bin/netstat mixr, + /dev/random r, + /etc/cups/client.conf r, + /etc/cups/lpoptions r, + /etc/cups/printcap r, + /etc/mail/spamassassin r, + /etc/mail/spamassassin/* r, + /etc/mtab r, + /etc/gnome-vfs-*/modules r, + /etc/gnome-vfs-*/modules/*.conf r, + /etc/pango/*.modules r, + /etc/opt/kde3/share/applications r, + /etc/opt/kde3/share/applications/kde r, + /etc/opt/kde3/share/applications/kde/*.desktop r, + /etc/opt/kde3/share/applications/mimeinfo.cache r, + /etc/rpc r, + /etc/xdg/menus/*.menu r, + /etc/xdg/menus/applications-merged r, + /etc/xdg/menus/applications-merged/*.menu r, + /etc/xml/*.xml r, + /etc/xml/catalog r, + + @{HOMEDIRS} r, + @{HOMEDIRS}/* r, + @{HOME}* r, + @{HOME}/.AbiSuite/* r, + @{HOME}/.AbiSuite/AbiWord.Profile rw, + @{HOME}/.camel_certs/* rw, + @{HOME}/.evolution-composer.autosave-* lrw, + @{HOME}/.evolution/*.db rw, + @{HOME}/.evolution/cache/tmp r, + @{HOME}/.evolution/cache/tmp/** lrw, + @{HOME}/.evolution/calendar/config/** lrw, + @{HOME}/.evolution/calendar/local/** lrw, + @{HOME}/.evolution/camel-cert.db~ lrw, + @{HOME}/.evolution/mail/** lrw, + @{HOME}/.evolution/tasks/local/system/*.ics rw, + @{HOME}/.evolution/tasks/local/system/*.ics~ lrw, + @{HOME}/.gaim/blist.xml r, + @{HOME}/.gnome2/evolution-* lw, + @{HOME}/.gnome2/gnome-pilot.d/gpilotd rw, + @{HOME}/.gnome2/yelp rw, + @{HOME}/.gnome2/yelp.d/mozilla/** lrw, + @{HOME}/.gnome2_private w, + @{HOME}/.gnome2_private/Evolution rw, + @{HOME}/.kde/share/config/gtkrc-2.0 r, + @{HOME}/.mozilla/pluginreg.dat r, + @{HOME}/.qt/** lrw, + @{HOME}/.recently-used rw, + + /usr/bin/evolution-2.10 mixr, + /usr/bin/firefox Pxr, + /usr/lib/** r, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/lib64/GConf/2/gconfd-2 Px, + /usr/lib/evolution-data-server*/* r, + /usr/lib/evolution-data-server*/evolution-data-server-* Pxr, + /usr/lib/evolution/** r, + /usr/lib/evolution/*/evolution-alarm-notify mixr, + /usr/lib/gnome-** r, + /usr/lib/gnome-spell/libgnome-spell-component-*.so mr, + /usr/lib/gtk-** r, + /usr/lib/gtkhtml/libgnome-gtkhtml-editor-*.so mr, + /usr/lib/libgnomeui/gnome_segv2 mixr, + /usr/lib/pango/** r, + /usr/share/** r, + /opt/kde3/share/** r, + /opt/mozilla/bin/mozilla.sh Pxr, + @{PROC}/*/cmdline r, + @{PROC}/net r, + @{PROC}/net/* r, + /tmp r, + /tmp/* lrw, + /tmp/.ICE-unix/* w, + /tmp/gconfd-** r, + /tmp/orbit** lrw, + /usr/lib/aspell-** r, + /usr/lib/enchant r, + /usr/lib/enchant/*.* mr, + /usr/lib/jvm/java-*/jre/lib/fonts r, + /usr/lib/jvm/java-*/jre/lib/fonts/* r, + /usr/lib/ooo-2.0/share/fonts r, + /usr/lib/ooo-2.0/share/fonts/** r, + /usr/share/applications r, + /usr/share/applications/*.desktop r, + /usr/share/applications/mimeinfo.cache r, + /usr/share/icons r, + /usr/share/mime/** r, + /usr/share/spamassassin r, + /usr/share/spamassassin/*.cf r, + /usr/share/spamassassin/triplets.txt r, + /usr/share/xml/docbook/schema/** r, + /usr/X11R6/lib/Acrobat7/Resource/Font r, + /usr/X11R6/lib/Acrobat7/Resource/Font/** r, + /var/tmp r, +} diff --git a/usr.bin.fam b/usr.bin.fam new file mode 100644 index 0000000..1c435b1 --- /dev/null +++ b/usr.bin.fam @@ -0,0 +1,22 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/fam { + #include + #include + /tmp/.fam* wl, + /etc/mtab rw, + /usr/bin/fam rmix, + # it makes some level of sense for FAM to read all files on the + # filesystem, even if this is a little unfortunate. + /** r, +} diff --git a/usr.bin.freshclam b/usr.bin.freshclam new file mode 100644 index 0000000..5eec8bd --- /dev/null +++ b/usr.bin.freshclam @@ -0,0 +1,27 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/freshclam { + #include + #include + #include + + capability setgid, + capability setuid, + + /etc/clamd.conf r, + /etc/freshclam.conf r, + /usr/bin/freshclam mr, + /var/lib/clamav/clamav-* rw, + /var/lib/clamav/daily.cvd rw, + /var/lib/clamav/main.cvd rw, +} diff --git a/usr.bin.gaim b/usr.bin.gaim new file mode 100644 index 0000000..fd59397 --- /dev/null +++ b/usr.bin.gaim @@ -0,0 +1,67 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Fri Sep 2 19:07:43 2005 + +#include + +/usr/bin/gaim { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + /bin/bash mixr, + /dev/random r, + /etc/esd.conf r, + /etc/pango/pango.modules r, + /etc/pango/pango64.modules r, + + @{HOME}/.fonts r, + @{HOME}/.gaim r, + @{HOME}/.gaim/** lrw, + @{HOME}/.gnome2/nautilus-sendto/* rw, + @{HOME}/.gtk_qt_engine_rc r, + @{HOME}/.icons/** r, + @{HOME}/.mcop/random-seed rw, + @{HOME}/.mcoprc r, + @{HOME}/.kde/share/config/gtkrc-* r, + @{HOME}/.themes/** r, + + /opt/MozillaFirefox/bin/firefox.sh Px, + /usr/bin/gaim mixr, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/share/icons r, + /usr/share/icons/** r, + /usr/share/pixmaps r, + /usr/share/pixmaps/gaim/** r, + /usr/share/sounds/gaim/* r, + /usr/share/themes/** r, + /opt/kde3/bin/kde-config mixr, + @{PROC}/*/cmdline r, + /usr/X11R6/lib/Acrobat*/Resource/Font/* r, + /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r, + /usr/lib/ao/plugins-* r, + /usr/lib/aspell-** mr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/lib/tcl*/encoding/* r, + /usr/lib64/ao/plugins-* r, + /usr/lib64/aspell-* r, + /usr/share/alsa/alsa.conf r, + /usr/share/icons r, + /usr/share/tcl/tcl*/encoding/* r, + /{,var/}run/.resmgr_socket w, +} diff --git a/usr.bin.man b/usr.bin.man new file mode 100644 index 0000000..f3333e7 --- /dev/null +++ b/usr.bin.man @@ -0,0 +1,43 @@ +# Last Modified: Wed Jan 18 10:55:22 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# + +#include + +/usr/bin/man flags=(complain) { + #include + #include + #include + + capability setgid, + capability setuid, + + + + /etc/man_db.conf r, + /opt/java/jre/man/ r, + /opt/java/jre/man/* rk, + /opt/java/man/ r, + /opt/java/man/* rk, + /opt/java/man/*/ r, + /opt/kde/man/ r, + /opt/kde/man/*/ r, + /opt/qt/man/ r, + /opt/qt/man/* r, + /opt/qt/man/*/ r, + /root/.lesshst w, + /usr/lib/man-db/man Px, + /usr/local/man/ r, + /usr/man/ r, + /usr/share/man/ r, + /var/cache/man/** rk, + +} diff --git a/usr.bin.netsurf b/usr.bin.netsurf new file mode 100644 index 0000000..8af7c54 --- /dev/null +++ b/usr.bin.netsurf @@ -0,0 +1,21 @@ +# Last Modified: Wed Jan 18 10:06:57 2012 +#include + +/usr/bin/netsurf { + #include + #include + #include + + + + /etc/* r, + /home/*/.Xauthority r, + /home/*/.gtkrc-2.0 r, + /home/*/.icons/** r, + /home/*/.netsurf/* rw, + /home/*/.themes/** r, + /opt/kde/share/** r, + /sys/** r, + /usr/share/** r, + +} diff --git a/usr.bin.opera b/usr.bin.opera new file mode 100644 index 0000000..5bb664a --- /dev/null +++ b/usr.bin.opera @@ -0,0 +1,76 @@ +# Last Modified: Wed Jan 18 09:29:55 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/opera { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + + + + /bin/true mrix, + /bin/uname rix, + /etc/SuSE-release r, + /etc/X11/.qt_plugins_3.3rc.lock rw, + /etc/X11/.qtrc.lock rw, + /etc/cups/client.conf r, + /etc/mailcap r, + /etc/opera6rc rw, + /etc/opera6rc.fixed rw, + /etc/pkcs11/modules/ r, + /home/*/** mrk, + /opt/ r, + /opt/java/** r, + /opt/kde/share/** r, + /opt/kde3/lib/kde3/plugins/integration/*.so mr, + /proc/*/cmdline r, + /proc/*/fd/ r, + /sys/devices/system/cpu/online r, + owner /tmp/** rwlk, + /tmp/** m, + /usr/ r, + /usr/bin/acroread rPx, + /usr/bin/opera mr, + /usr/lib r, + /usr/lib/RealPlayer10/realplay rPx, + /usr/lib/RealPlayer10/realplay.bin rPx, + /usr/lib/opera/** mrix, + /usr/lib/opera/*/opera ix, + /usr/lib/opera/*/works rix, + /usr/local r, + /usr/share/** rk, + /var/spool/cups/tmp/* rwl, + /{,var/}run/.resmgr_socket w, + @{HOME} r, + @{HOME}/.fonts r, + @{HOME}/.kde/share/** r, + @{HOME}/.opera r, + @{HOME}/.opera/** rwl, + @{HOME}/OperaDownloads/* rw, + @{HOME}/tux/.fonts/ r, + @{HOME}/tux/.opera/ w, + @{HOME}/tux/.qt/.qtrx.lock k, + @{PROC}/[0-9]*/stat r, + @{PROC}/net/if_inet6 r, + @{PROC}/sys/vm/heap-stack-gap r, + +} diff --git a/usr.bin.passwd b/usr.bin.passwd new file mode 100644 index 0000000..e17f636 --- /dev/null +++ b/usr.bin.passwd @@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# Last Modified: Sat Jan 6 09:35:33 2007 +# ------------------------------------------------------------------ +# +# Copyright (C) 2006 Volker Kuhlmann +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/passwd { + #include + #include + #include + #include + + capability chown, + capability sys_resource, + + /etc/.pwd.lock w, + /etc/pwdutils/logging r, + /etc/shadow rwl, + /etc/shadow.old rwl, + /etc/shadow.tmp?????? rwl, + /usr/bin/passwd mr, + /usr/lib/pwdutils/lib*.so* mr, + /usr/lib64/pwdutils/lib*.so* mr, + /usr/share/cracklib/pw_dict.hwm r, + /usr/share/cracklib/pw_dict.pwd r, + /usr/share/cracklib/pw_dict.pwi r, +} diff --git a/usr.bin.perl b/usr.bin.perl new file mode 100644 index 0000000..f7a72c9 --- /dev/null +++ b/usr.bin.perl @@ -0,0 +1,17 @@ +# Last Modified: Wed Jan 18 14:45:09 2012 +#include + +/usr/bin/perl flags=(complain) { + #include + #include + #include + #include + + + + /** mr, + /bin/bash rix, + /home/*/private/dotfiles/.purple/* rw, + /usr/bin/head rix, + +} diff --git a/usr.bin.php-cgi b/usr.bin.php-cgi new file mode 100644 index 0000000..f8a8ac0 --- /dev/null +++ b/usr.bin.php-cgi @@ -0,0 +1,7 @@ +# Last Modified: Wed Jan 18 10:23:46 2012 +#include + +/usr/bin/php-cgi flags=(complain) { + #include + +} diff --git a/usr.bin.pidgin b/usr.bin.pidgin new file mode 100644 index 0000000..feef7bf --- /dev/null +++ b/usr.bin.pidgin @@ -0,0 +1,80 @@ +# Last Modified: Wed Jan 18 12:29:15 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/pidgin { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + deny capability sys_ptrace, + + + deny /usr/share/enchant/enchant.ordering r, + + /bin/bash rix, + /dev/random r, + /etc/esd.conf r, + /etc/pango/pango.modules r, + /etc/pango/pango64.modules r, + /home/** mrwk, + /home/harvie/private/dotfiles/.purple/answerscripts px, + /opt/MozillaFirefox/bin/firefox.sh Px, + /opt/kde/share/** r, + /opt/kde3/bin/kde-config mrix, + owner /tmp/** rwlk, + /tmp/** m, + /usr/X11R6/lib/Acrobat*/Resource/Font/* r, + /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r, + /usr/bin/pidgin mrix, + /usr/bin/purple-remote r, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/lib/ao/plugins-* r, + /usr/lib/aspell-** mr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/lib/tcl*/encoding/* r, + /usr/lib64/ao/plugins-* r, + /usr/lib64/aspell-* r, + /usr/lib{,32,64}/** mr, + /usr/share/*/ r, + /usr/share/alsa/alsa.conf r, + /usr/share/icons r, + /usr/share/icons/** r, + /usr/share/pixmaps r, + /usr/share/pixmaps/pidgin/** r, + /usr/share/sounds/pidgin/* r, + /usr/share/tcl/tcl*/encoding/* r, + /usr/share/themes/** r, + /var/db/nscd/* r, + /{,var/}run/.resmgr_socket w, + @{HOME}/.fonts r, + @{HOME}/.gnome2/nautilus-sendto/* rw, + @{HOME}/.gtk_qt_engine_rc r, + @{HOME}/.icons/** r, + @{HOME}/.kde/share/config/gtkrc-* r, + @{HOME}/.mcop/random-seed rw, + @{HOME}/.mcoprc r, + @{HOME}/.purple r, + @{HOME}/.purple/** rwl, + @{HOME}/.themes/** r, + @{HOME}/private/dotfiles/.purple r, + @{HOME}/private/dotfiles/.purple/** rwl, + @{PROC}/*/cmdline r, + +} diff --git a/usr.bin.skype b/usr.bin.skype new file mode 100644 index 0000000..dc6e696 --- /dev/null +++ b/usr.bin.skype @@ -0,0 +1,40 @@ +# Last Modified: Mon Oct 26 13:29:13 2009 +# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 +# Additional profiling based on work by Андрей Калинин, LP: #226624 +#include +/usr/bin/skype { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # are these needed? + /proc/*/cmdline r, + /dev/video* mrw, + /var/cache/libx11/compose/* r, + + # should this be in a separate KDE abstraction? + @{HOME}/.kde/share/config/kioslaverc r, + + /usr/bin/skype mr, + /usr/share/skype/** kr, + /usr/share/skype/sounds/*.wav kr, + + @{HOME}/.Skype/ rw, + @{HOME}/.Skype/** krw, + @{HOME}/.config/* kr, + + @{HOME}/.mozilla/ r, + @{HOME}/.mozilla/*/ r, + @{HOME}/.mozilla/*/*/ r, + @{HOME}/.mozilla/*/*/bookmarkbackups/ r, + @{HOME}/.mozilla/*/*/chrome/ r, + @{HOME}/.mozilla/*/*/extensions/ r, + @{HOME}/.mozilla/*/*/prefs.js r, +} + diff --git a/usr.bin.wireshark b/usr.bin.wireshark new file mode 100644 index 0000000..85f342f --- /dev/null +++ b/usr.bin.wireshark @@ -0,0 +1,44 @@ +# vim:syntax=apparmor +# Last Modified: Thu Aug 25 13:37:56 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/wireshark { + #include + #include + #include + #include + #include + #include + #include + #include + + capability net_raw, + + /etc/ethers r, + + @{HOME}/.wireshark/* rw, + @{HOME}/.fonts.cache-* r, + + /etc/pango/pango.modules r, + /usr/lib/gtk-*/*/loaders/* mr, + /usr/share/* r, + /usr/share/icons/** r, + /usr/share/mime/* r, + /usr/lib/firefox/firefox.sh rPx, + /usr/bin/wireshark mixr, + /usr/share/icons r, + /usr/share/mime/* r, + /usr/share/snmp/mibs r, + /usr/share/snmp/mibs/* r, + /usr/share/snmp/mibs/.index rw, +} diff --git a/usr.lib.GConf.2.gconfd-2 b/usr.lib.GConf.2.gconfd-2 new file mode 100644 index 0000000..54ca37b --- /dev/null +++ b/usr.lib.GConf.2.gconfd-2 @@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# Last Modified: Thu Sep 1 16:16:34 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/lib/GConf/2/gconfd-2 { + #include + #include + #include + + /etc/gconf/2/path r, + /etc/gconf/gconf.xml.defaults r, + /etc/gconf/gconf.xml.defaults/** r, + /etc/gconf/gconf.xml.defaults/schemas/** r, + /etc/gconf/gconf.xml.mandatory r, + + @{HOME}/.gconf r, + @{HOME}/.gconf/** lrw, + @{HOME}/.gconfd/** lrw, + + /usr/lib/GConf/2/gconfd-2 rmix, + /usr/lib/GConf/2/libgconfbackend-xml.so mr, + /usr/lib64/GConf/2/libgconfbackend-xml.so mr, + /usr/share/locale/** r, +} diff --git a/usr.lib.bonobo.bonobo-activation-server b/usr.lib.bonobo.bonobo-activation-server new file mode 100644 index 0000000..5cec99e --- /dev/null +++ b/usr.lib.bonobo.bonobo-activation-server @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Mon Aug 29 10:49:30 2005 + +#include + +/usr/lib/bonobo/bonobo-activation-server { + #include + #include + #include + + /etc/bonobo-activation/bonobo-activation-config.xml r, + /usr/lib/bonobo/bonobo-activation-server rmix, + /usr/lib/bonobo/servers r, + /usr/lib/bonobo/servers/*.server r, + /usr/lib/evolution-data-server-*/evolution-data-server-* Px, +} diff --git a/usr.lib.chromium.chromium b/usr.lib.chromium.chromium new file mode 100644 index 0000000..77f55a4 --- /dev/null +++ b/usr.lib.chromium.chromium @@ -0,0 +1,52 @@ +# Last Modified: Wed Jan 18 09:53:41 2012 +# Author: Thomas Mudrunka + +#include + +/usr/lib/chromium/chromium { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + capability dac_read_search, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + + + + /bin/ps r, + /dev/shm/* rw, + /etc/** r, + /home/*/* r, + /home/*/.adobe/**/ rw, + /home/*/.cache/chromium/** rw, + /home/*/.cups/* r, + /home/*/.icons/** r, + /home/*/.macromedia/** rw, + /home/*/.mozilla/** r, + /home/*/.pki/** rwk, + /home/*/.themes/** r, + /home/*/Work/GIT/plugins/chrome-extensions/** r, + /home/*/private/dotfiles/.config/chromium/** rwk, + /opt/java/** r, + /opt/kde/share/** r, + /proc/ r, + /proc/** rw, + /sys/** r, + /tmp/* r, + /usr/lib/chromium/chromium rix, + /usr/lib/chromium/chromium-sandbox rix, + /usr/lib/lib*so* mr, + /var/tmp/* rw, + +} diff --git a/usr.lib.evolution-data-server.evolution-data-server-1.10 b/usr.lib.evolution-data-server.evolution-data-server-1.10 new file mode 100644 index 0000000..477fc0c --- /dev/null +++ b/usr.lib.evolution-data-server.evolution-data-server-1.10 @@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# Last Modified: Wed Sep 7 07:44:21 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/lib/evolution-data-server/evolution-data-server-1.10 { + #include + #include + #include + + /etc/mtab r, + /etc/** r, + + @{HOME}/.evolution/addressbook/local/** lrw, + @{HOME}/.evolution/cache/calendar/** lrw, + @{HOME}/.evolution/calendar/local/** lrw, + @{HOME}/.evolution/tasks/local/** lrw, + @{HOME}/.gconf r, + @{HOME}/.gconf/** lrw, + @{HOME}/.gnome2_private w, + + /usr/lib/GConf/**.so mr, + /usr/lib/GConf/2/gconfd-2 Pxr, + /usr/lib64/GConf/2/gconfd-2 Pxr, + /usr/lib/evolution-data-server/evolution-data-server-* rmix, + /usr/lib/evolution-data-server*/extensions r, + /usr/lib/evolution-data-server*/extensions/lib*.so r, + /usr/lib/gnome-vfs** mr, + /usr/share/evolution-data-server*/** mr, + +} diff --git a/usr.lib.firefox.firefox b/usr.lib.firefox.firefox new file mode 100644 index 0000000..ee10a31 --- /dev/null +++ b/usr.lib.firefox.firefox @@ -0,0 +1,36 @@ +# Last Modified: Wed Jan 18 14:47:08 2012 +#include + +/usr/lib/firefox/firefox { + #include + #include + #include + #include + + + deny /dev/tty rw, + + /bin/ps r, + /etc/** r, + /home/*/.Xauthority r, + /home/*/.adobe/**/ rw, + /home/*/.asoundrc.asoundconf r, + /home/*/.icons/** r, + /home/*/.local/share/ r, + /home/*/.local/share/**/ r, + /home/*/.macromedia/** rw, + /home/*/.mozilla/**/ r, + /home/*/.mozilla/firefox/** mrwk, + /opt/java/** r, + /opt/kde/share/** r, + /proc/** r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/* r, + owner /tmp/** rlk, + /tmp/** w, + /usr/lib/firefox/plugin-container rix, + /usr/share/ r, + /usr/share/** r, + /var/db/nscd/* r, + +} diff --git a/usr.lib.firefox.firefox.sh b/usr.lib.firefox.firefox.sh new file mode 100644 index 0000000..65344b7 --- /dev/null +++ b/usr.lib.firefox.firefox.sh @@ -0,0 +1,19 @@ +# Last Modified: Wed Nov 5 03:32:59 2008 +#include + +/usr/lib/firefox/firefox.sh { + #include + #include + #include + + deny capability sys_ptrace, + + /bin/basename rix, + /bin/bash rix, + /bin/grep rix, + /etc/magic r, + /usr/bin/file rix, + /usr/lib/firefox/firefox px, + /usr/share/misc/magic.mgc r, + +} diff --git a/usr.lib.firefox.mozilla-xremote-client b/usr.lib.firefox.mozilla-xremote-client new file mode 100644 index 0000000..516adbd --- /dev/null +++ b/usr.lib.firefox.mozilla-xremote-client @@ -0,0 +1,21 @@ +# vim:syntax=apparmor +# Last Modified: Thu Sep 1 23:02:44 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/lib/firefox/mozilla-xremote-client { + #include + #include + + /usr/lib/mozilla/lib*so* mr, + /usr/lib/firefox/mozilla-xremote-client rmix, +} diff --git a/usr.lib.man-db.man b/usr.lib.man-db.man new file mode 100644 index 0000000..21402c2 --- /dev/null +++ b/usr.lib.man-db.man @@ -0,0 +1,68 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +#include + +/usr/lib/man-db/man flags=(complain) { + #include + #include + #include + #include + + /bin/bash rmix, + /bin/cat rmix, + /bin/gunzip rmix, + /bin/mktemp rmix, + /bin/more rmix, + /bin/rm rmix, + + /etc/groff/man.local r, + /etc/lesskey.bin r, + /etc/manpath.config r, + /etc/man.config r, + /etc/papersize r, + /etc/termcap r, + + /tmp/nroff.** rw, + + /usr/man/** r, + /usr/bin/apropos Px, + /usr/bin/cmp rmix, + /usr/bin/getopt rmix, + /usr/bin/groff rmix, + /usr/bin/grops rmix, + /usr/bin/grotty rmix, + /usr/bin/iconv rmix, + /{usr/,}bin/less rmix, + /usr/bin/locale rmix, + /usr/bin/man rmix, + /usr/bin/nroff rmix, + /usr/bin/preconv rmix, + /usr/bin/tbl rmix, + /usr/bin/troff rmix, + /usr/bin/zsoelim rmix, + /usr/lib/man-db/man rmix, + /usr/lib/man-db/manconv rmix, + /usr/local/man/ r, + /usr/local/man/** r, + /usr/local/share/man/ r, + /usr/local/share/man/** r, + /usr/share/groff/** r, + /usr/share/locale-bundle/** r, + /usr/share/man/ r, + /usr/share/man/** r, + /usr/share/terminfo/** r, + /usr/share/texmf/teTeX/man/** r, + + /var/cache/man/** rk, + + owner @{HOME}/.lesshst rw, +} diff --git a/usr.sbin.cupsd b/usr.sbin.cupsd new file mode 100644 index 0000000..91260d4 --- /dev/null +++ b/usr.sbin.cupsd @@ -0,0 +1,61 @@ +# Last Modified: Wed Jan 18 14:45:09 2012 +#include + +/usr/sbin/cupsd { + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability net_bind_service, + capability setgid, + capability setuid, + + + + /bin/bash rix, + /bin/cat ix, + /dev/lp0 rw, + /dev/tty rw, + /dev/ttyS? w, + /etc/** r, + /etc/cups rw, + /etc/cups/*.conf* rw, + /etc/cups/certs w, + /etc/cups/certs/* w, + /etc/cups/ppd rw, + /etc/cups/printcap rw, + /etc/cups/ssl rw, + /etc/cups/yes/* rw, + /etc/printcap rw, + /proc/meminfo r, + /proc/sys/dev/parport/** r, + /sys/class/usb r, + /usr/bin/foomatic-rip rix, + /usr/bin/gs ix, + /usr/bin/perl ix, + /usr/bin/smbspool rix, + /usr/lib/cups/backend/* rix, + /usr/lib/cups/filter/* rix, + /usr/lib/ghostscript/** m, + /usr/lib64/ghostscript/** m, + /usr/lib{,32,64}/** mr, + /usr/sbin/cupsd mrix, + /usr/share/cups/** r, + /usr/share/ghostscript/** r, + /var/cache/cups/ rw, + /var/cache/cups/** rw, + /var/log/cups/* rw, + /var/spool/cups rw, + /var/spool/cups/** rw, + /var/spool/cups/tmp w, + /var/spool/cups/tmp/ r, + /{,var/}run/cups/ rw, + /{,var/}run/cups/** rw, + +} diff --git a/usr.sbin.dhcpd b/usr.sbin.dhcpd new file mode 100644 index 0000000..d54da0f --- /dev/null +++ b/usr.sbin.dhcpd @@ -0,0 +1,37 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/dhcpd { + #include + #include + + capability dac_override, + capability net_bind_service, + capability net_raw, + capability setgid, + capability setuid, + capability sys_chroot, + + network inet raw, + network packet raw, + + /db/dhcpd.leases* lrw, + /etc/dhcpd.conf r, + /etc/named.d/* r, + /etc/hosts.allow r, + /etc/hosts.deny r, + @{PROC}/net/dev r, + /usr/sbin/dhcpd rmix, + /var/lib/dhcp/{db/,}dhcpd.leases* rwl, + /var/lib/dhcp/etc/dhcpd.conf r, + /{,var/}run/dhcpd.pid wl, +} diff --git a/usr.sbin.in.fingerd b/usr.sbin.in.fingerd new file mode 100644 index 0000000..5f18bd0 --- /dev/null +++ b/usr.sbin.in.fingerd @@ -0,0 +1,23 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/in.fingerd { + #include + #include + + @{HOME}/.plan r, + @{HOME}/.project r, + + /usr/bin/finger mix, + /var/log/lastlog r, + /{,var/}run/utmp r, +} diff --git a/usr.sbin.lighttpd b/usr.sbin.lighttpd new file mode 100644 index 0000000..8c783b1 --- /dev/null +++ b/usr.sbin.lighttpd @@ -0,0 +1,77 @@ +# Last Modified: Wed Jan 18 10:48:17 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/lighttpd { + #include + #include + #include + #include + #include + #include + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + + deny /usr/bin/pacman r, + + /bin/bash mix, + /bin/cat mix, + /bin/egrep r, + /bin/zsh mix, + /etc/lighttpd r, + /etc/lighttpd/*.conf r, + /etc/lighttpd/auth.d/* r, + /etc/lighttpd/conf.d/*.conf r, + /etc/lighttpd/vhosts.d r, + /etc/lighttpd/vhosts.d/* r, + /etc/php/conf.d/ r, + /etc/php/php.ini r, + /etc/ssl/private/*.pem r, + /run/lighttpd/* w, + /srv/http/ r, + /srv/http/** r, + /tmp/* rw, + /usr/bin/php-cgi Cx, + /usr/lib/lighttpd/*.so mr, + /usr/lib64/lighttpd/*.so mr, + /usr/sbin/lighttpd mix, + /var/cache/lighttpd/ r, + /var/cache/lighttpd/** rwl, + /var/lib/lighttpd/ r, + /var/lib/lighttpd/** rwl, + /var/log/lighttpd/*.log rw, + /{,var/}run/lighttpd.pid rwl, + + + profile /usr/bin/php-cgi { + #include + + + + /etc/* r, + /etc/php/** r, + /lib/lib*so* mr, + /srv/http/ r, + /srv/http/** r, + /tmp/* rwk, + /usr/bin/php-cgi r, + /usr/lib/lib*so* mr, + /usr/lib{,32,64}/** mr, + + } +} diff --git a/usr.sbin.minidlna b/usr.sbin.minidlna new file mode 100644 index 0000000..6130ac4 --- /dev/null +++ b/usr.sbin.minidlna @@ -0,0 +1,18 @@ +# Last Modified: Wed Jan 18 14:01:31 2012 +#include + +/usr/sbin/minidlna { + #include + #include + + + + /bin/bash rix, + /etc/minidlna.conf r, + /home/*/** r, + /proc/sys/** r, + /run/minidlna.pid rw, + /sys/devices/system/** r, + /tmp/** rwk, + +} diff --git a/usr.sbin.mysqld b/usr.sbin.mysqld new file mode 100644 index 0000000..1fde992 --- /dev/null +++ b/usr.sbin.mysqld @@ -0,0 +1,28 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Wed Aug 17 14:28:07 2005 + +#include + +/usr/sbin/mysqld { + #include + #include + #include + + capability dac_override, + capability setgid, + capability setuid, + + /etc/my.cnf r, + /usr/sbin/mysqld r, + /usr/share/mysql/** r, + /var/lib/mysql/** lrw, +} diff --git a/usr.sbin.squid b/usr.sbin.squid new file mode 100644 index 0000000..4f46f29 --- /dev/null +++ b/usr.sbin.squid @@ -0,0 +1,63 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +#include + +/usr/sbin/squid { + #include + #include + #include + #include + + capability setgid, + capability setuid, + + /usr/lib/squid/* rmix, + /usr/sbin/squid rmix, + /usr/sbin/unlinkd mixr, + + /var/cache/squid/** lrw, + + /dev/tty rw, + /etc/mtab r, + /etc/squid/* r, + @{PROC}/[0-9]*/mounts r, + @{PROC}/mounts r, + /usr/share/squid/** r, + /var/log/squid/access.log w, + /var/log/squid/cache.log rw, + /var/log/squid/store.log w, + /{,var/}run/squid.pid lrw, + + /usr/sbin/digest_pw_auth rmix, + /usr/sbin/diskd rmix, + /usr/sbin/getpwname_auth rmix, + /usr/sbin/ip_user_check rmix, + /usr/sbin/msnt_auth rmix, + /usr/sbin/ncsa_auth rmix, + /usr/sbin/no_check.pl rmix, + /usr/sbin/ntlm_auth rmix, + /usr/sbin/pam_auth rmix, + /usr/sbin/rcsquid rmix, + /usr/sbin/smb_auth rmix, + /usr/sbin/smb_auth.pl rmix, + /usr/sbin/smb_auth.sh rmix, + /usr/sbin/squid rmix, + /usr/sbin/squid_ldap_auth rmix, + /usr/sbin/squid_ldap_group rmix, + /usr/sbin/squid_ldapauth rmix, + /usr/sbin/squid_unix_group rmix, + /usr/sbin/squidclient rmix, + /usr/sbin/unlinkd rmix, + /usr/sbin/wbinfo_group.pl rmix, + /usr/sbin/yp_auth rmix, + +} diff --git a/usr.sbin.sshd b/usr.sbin.sshd new file mode 100644 index 0000000..69599a9 --- /dev/null +++ b/usr.sbin.sshd @@ -0,0 +1,139 @@ +# Last Modified: Wed Jan 18 10:55:22 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# will need to revalidate this profile once we finish re-architecting +# the change_hat patch. +# + +#include + +/usr/sbin/sshd { + #include + #include + #include + #include + #include + + + capability audit_control, + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability kill, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + capability sys_tty_config, + + + /bin/ash rUx, + /bin/bash rUx, + /bin/bash2 rUx, + /bin/bsh rUx, + /bin/csh rUx, + /bin/ksh rUx, + /bin/sh rUx, + /bin/tcsh rUx, + /bin/zsh rUx, + /dev/ptmx rw, + /dev/pts/[0-9]* rw, + /dev/urandom r, + /etc/** r, + /proc/*/oom_adj rw, + /proc/*/oom_score_adj rw, + /sbin/nologin rUx, + /tmp/ssh-*/agent.[0-9]* rwl, + /tmp/ssh-*[0-9]*/ w, + /usr/sbin/sshd mrix, + /var/log/* rw, + /{,var/}run w, + /{,var/}run/sshd{,.init}.pid wl, + @{HOME}/.ssh/authorized_keys{,2} r, + @{PROC}/[0-9]*/fd/ r, + @{PROC}/[0-9]*/loginuid w, + @{PROC}/[0-9]*/mounts r, + + + ^AUTHENTICATED { + #include + #include + #include + #include + + capability setgid, + capability setuid, + capability sys_tty_config, + + + /dev/log w, + /dev/ptmx rw, + /etc/default/passwd r, + /etc/localtime r, + /etc/login.defs r, + /etc/motd r, + /tmp/ssh-*/agent.[0-9]* rwl, + /tmp/ssh-*[0-9]*/ w, + + } + + ^EXEC { + #include + + + /bin/ash Ux, + /bin/bash Ux, + /bin/bash2 Ux, + /bin/bsh Ux, + /bin/csh Ux, + /bin/ksh Ux, + /bin/sh Ux, + /bin/tcsh Ux, + /bin/zsh Ux, + /sbin/nologin Ux, + + } + + ^PRIVSEP { + #include + #include + + capability setgid, + capability setuid, + capability sys_chroot, + + + + } + + ^PRIVSEP_MONITOR { + #include + #include + #include + #include + + capability chown, + capability setgid, + capability setuid, + + + /dev/ptmx rw, + /dev/pts/[0-9]* rw, + /dev/urandom r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ssh/moduli r, + @{HOME}/.ssh/authorized_keys{,2} r, + @{PROC}/[0-9]*/mounts r, + + } +} diff --git a/usr.sbin.useradd b/usr.sbin.useradd new file mode 100644 index 0000000..4c9eb8b --- /dev/null +++ b/usr.sbin.useradd @@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/useradd { + #include + #include + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability sys_resource, + + /bin/bash mixr, + /etc/.pwd.lock rwk, + /etc/default/useradd r, + /etc/group* rwl, + /etc/gshadow* rwl, + /etc/login.defs r, + /etc/passwd* rwl, + /etc/shadow* rwl, + /etc/pwdutils/logging r, + /etc/skel r, + /etc/skel/** r, + @{HOMEDIRS}** rw, + @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, + /usr/lib*/pwdutils/*so* mr, + /usr/sbin/adduser rmix, + /usr/sbin/useradd rmix, + /usr/sbin/useradd.local rmix, + /var/log/faillog rw, + /{,var/}run/nscd.pid rw, + /var/spool/mail/* rw, +} diff --git a/usr.sbin.userdel b/usr.sbin.userdel new file mode 100644 index 0000000..6103388 --- /dev/null +++ b/usr.sbin.userdel @@ -0,0 +1,51 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/userdel { + #include + #include + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability dac_read_search, + capability sys_resource, + + /bin/cat rmix, + /bin/bash rmix, + /dev/log w, + /etc/.pwd.lock rw, + /etc/cron.deny r, + /etc/default/useradd r, + /etc/group* rwl, + /etc/gshadow* rwl, + /etc/login.defs r, + /etc/passwd* rwl, + /etc/shadow* rwl, + /etc/pwdutils/logging r, + @{HOMEDIRS}** rwl, + @{PROC}/[0-9]*/mounts r, + /usr/bin/crontab rmix, + /usr/lib*/pwdutils/*.so.* mr, + /usr/sbin/userdel rmix, + /usr/sbin/userdel-post.local rmix, + /usr/sbin/userdel-pre.local rmix, + /usr/sbin/userdel rmix, + # XXX + /{,var/}run/nscd.pid r, + /var/spool/mail/* wl, +} diff --git a/usr.sbin.vsftpd b/usr.sbin.vsftpd new file mode 100644 index 0000000..0a8a9c7 --- /dev/null +++ b/usr.sbin.vsftpd @@ -0,0 +1,35 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/vsftpd { + #include + #include + #include + + /dev/urandom r, + /etc/fstab r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/mtab r, + /etc/shells r, + /etc/vsftpd.* r, + /etc/vsftpd/* r, + /usr/sbin/vsftpd rmix, + /var/log/vsftpd.log w, + /var/log/xferlog w, + # anon chroots + / r, + /pub r, + /pub/** r, + @{HOMEDIRS} r, + @{HOME}/** rwl, +} diff --git a/usr.sbin.xinetd b/usr.sbin.xinetd new file mode 100644 index 0000000..bbec8ab --- /dev/null +++ b/usr.sbin.xinetd @@ -0,0 +1,71 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/xinetd { + #include + #include + + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/xinetd.conf r, + /etc/xinetd.d r, + /etc/xinetd.d/* r, + /usr/sbin/xinetd rmix, + /var/log/xinetd.log w, + /{,var/}run/xinetd.pid rwl, + + /bin/netstat Px, + /bin/ps mix, + /sbin/linuxconf Px, + /usr/bin/cvs Px, + /usr/bin/fam Px, + /usr/bin/kotalkd Px, + /usr/bin/ktalkd Px, + /usr/bin/nrpe Px, + /usr/bin/rsync Px, + /usr/kerberos/sbin/ftpd Px, + /usr/kerberos/sbin/klogind Px, + /usr/kerberos/sbin/kshd Px, + /usr/kerberos/sbin/telnetd Px, + /usr/lib/amanda/amandad Px, + /usr/lib/amanda/amidxtaped Px, + /usr/lib/amanda/amindexd Px, + + /usr/lib64/cups/daemon/cups-lpd Px, + /usr/lib/cups/daemon/cups-lpd Px, + + /usr/sbin/dbskkd-cdb Px, + /usr/sbin/imapd Px, + /usr/sbin/in.comsat Px, + /usr/sbin/in.fingerd Px, + /usr/sbin/in.ftpd Px, + /usr/sbin/in.httpd-redir Px, + /usr/sbin/in.ntalkd Px, + /usr/sbin/in.rexecd Px, + /usr/sbin/in.rlogind Px, + /usr/sbin/in.rshd Px, + /usr/sbin/in.telnetd Px, + /usr/sbin/in.tftpd Px, + /usr/sbin/ipop2d Px, + /usr/sbin/ipop3d Px, + /usr/sbin/popper Px, + /usr/sbin/rsyncd Px, + /usr/sbin/swat Px, + /usr/sbin/tcpd Px, + /usr/sbin/vsftpd Px, + /usr/X11R6/bin/vnc_inetd_httpd Px, + /usr/X11R6/bin/Xvnc Px, +} -- 2.30.2