From: root Date: Wed, 18 Jan 2012 14:03:11 +0000 (+0100) Subject: First version of my ArchLinux Laptop AppArmor profiles X-Git-Url: https://git.harvie.cz/?p=mirrors%2FAppArmor-Profiles.git;a=commitdiff_plain;h=92bc371701e71fecbdba531d0ee8855a35653534 First version of my ArchLinux Laptop AppArmor profiles --- 92bc371701e71fecbdba531d0ee8855a35653534 diff --git a/bin.netstat b/bin.netstat new file mode 100644 index 0000000..e9198a0 --- /dev/null +++ b/bin.netstat @@ -0,0 +1,41 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# evolution, amongst other things, calls this program. I didn't want to +# give evolution access to significant chunks of /proc +# + +#include + +/bin/netstat { + #include + #include + #include + + capability dac_override, + capability dac_read_search, + deny capability sys_ptrace, + + /bin/netstat rmix, + /etc/networks r, + @{PROC} r, + @{PROC}/[0-9]*/cmdline r, + @{PROC}/[0-9]*/fd r, + @{PROC}/net r, + @{PROC}/net/* r, + @{PROC}/*/fd/ r, + owner @{PROC}/*/net/raw r, + owner @{PROC}/*/net/raw6 r, + owner @{PROC}/*/net/tcp r, + owner @{PROC}/*/net/tcp6 r, + owner @{PROC}/*/net/udp r, + owner @{PROC}/*/net/udp6 r, + owner @{PROC}/*/net/unix r, +} diff --git a/home.harvie.private.dotfiles..purple.answerscripts b/home.harvie.private.dotfiles..purple.answerscripts new file mode 100644 index 0000000..9c72ec7 --- /dev/null +++ b/home.harvie.private.dotfiles..purple.answerscripts 
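Review bot: `@{PROC}/[0-9]*/cmdline r` and `@{PROC}/*/fd/ r` are not `owner`-scoped while the `net/raw`, `net/tcp` and `net/unix` rules below them are, so the profile lets netstat read every process's command line and fd directory without saying why the asymmetry is wanted. With `deny capability sys_ptrace` in place the kernel's own access check on other users' `/proc/PID` entries presumably still applies, which may be the reason, but that reasoning is not on the page. A comment such as `# unscoped /proc reads are for netstat -p; sys_ptrace stays denied so other users' entries are still refused` next to those rules, or `owner` on them if `-p` is not needed, would make the intent explicit.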
@@ -0,0 +1,17 @@ +# Last Modified: Wed Jan 18 12:35:39 2012 +#include + +/home/harvie/private/dotfiles/.purple/answerscripts flags=(complain) { + #include + #include + #include + #include + + + + /** rix, + /home/*/private/dotfiles/.purple/* rwix, + /home/*/private/dotfiles/.purple/answerscripts.d/ r, + /home/*/{,private/dotfiles/.purple/}answerscripts.d/* rix, + +} diff --git a/sbin.dhclient b/sbin.dhclient new file mode 100644 index 0000000..df17e88 --- /dev/null +++ b/sbin.dhclient 
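Review bot: `/home/*/private/dotfiles/.purple/* rwix` grants write and inherited execute on the same files, so anything the confined program writes into that directory it can then execute under this profile, and `/** rix` lets it execute any file on the system with inheritance, which leaves almost nothing confined. Splitting the rule into `/home/*/private/dotfiles/.purple/* rw,` for data and relying on the existing `/home/*/{,private/dotfiles/.purple/}answerscripts.d/* rix,` for the scripts, then replacing `/** rix` with the interpreters actually used (the usr.bin.perl profile in this commit references the same directory, so perl is presumably one of them), restores the write/execute separation. `flags=(complain)` means none of this is enforced yet; if complain mode is deliberate for a first version, a one-line comment saying so would tell the next reader it is not an oversight.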
@@ -0,0 +1,73 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# Note that this profile doesn't include any NetDomain rules; dhclient uses +# raw sockets, and thus cannot be confined with NetDomain +# +# Should these programs have their own domains? +# /bin/ps mrix, +# /sbin/arp mrix, +# /usr/bin/dig mrix, +# /usr/bin/uptime mrix, +# /usr/bin/vmstat mrix, +# /usr/bin/w mrix, + +#include + +/sbin/dhclient { + #include + #include + #include + + network packet packet, + network packet raw, + + /sbin/dhclient mrix, + + /bin/bash mrix, + /bin/df mrix, + /bin/netstat Px, + /bin/ps mrix, + /dev/random r, + /etc/dhclient.conf r, + @{PROC}/ r, + @{PROC}/interrupts r, + @{PROC}/*/net/dev r, + @{PROC}/rtc r, + # following rule shouldn't work, self is a symlink + @{PROC}/self/status r, + /sbin/arp mrix, + /usr/bin/dig mrix, + /usr/bin/uptime mrix, + /usr/bin/vmstat mrix, + /usr/bin/w mrix, + /var/lib/dhcp/dhclient.leases rw, + /var/lib/dhcp/dhclient-*.leases rw, + /var/log/lastlog r, + /var/log/messages r, + /var/log/wtmp r, + /{,var/}run/dhclient.pid rw, + /{,var/}run/dhclient-*.pid rw, + /var/spool r, + /var/spool/mail r, + + # This one will need to be fleshed out depending on what the user is doing + /sbin/dhclient-script mrpix, + + /bin/grep mrix, + /bin/sleep mrix, + /etc/sysconfig/network/dhcp r, + /etc/sysconfig/network/scripts/functions.common r, + /etc/sysconfig/network/scripts/functions r, + /sbin/ip mrix, + /usr/lib/NetworkManager/nm-dhcp-client.action mrix, + /var/lib/dhcp/* rw, + /{,var/}run/nm-dhclient-*.conf r, + +} diff --git a/sbin.dhclient-script b/sbin.dhclient-script new file mode 100644 index 0000000..a86c5ab --- /dev/null 
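Review bot: `/var/lib/dhcp/* rw` near the end of the profile subsumes the earlier `/var/lib/dhcp/dhclient.leases rw` and `/var/lib/dhcp/dhclient-*.leases rw`, so the two specific lease rules no longer restrict anything; keep either the glob or the two explicit lines so the lease-file access is stated once. `/usr/lib/NetworkManager/nm-dhcp-client.action mrix` and `/bin/bash mrix` run under this profile and therefore inherit its `network packet raw` rules; if those helpers do not need raw sockets, a `Px` transition to a small profile (as already done with `/bin/netstat Px`) keeps the raw-socket grant on dhclient alone. The comment above `@{PROC}/self/status r` says the rule should not work; a rule kept as a known no-op is better removed, or the comment should say what it is waiting for.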
+++ b/sbin.dhclient-script @@ -0,0 +1,21 @@ +# Last Modified: Tue Jan 25 16:48:30 2011 +#include + +# dhclient-script will call plugins from /etc/netconfig.d, so this +# will need to be extended on a per-site basis. + +/sbin/dhclient-script { + #include + #include + #include + + /bin/bash rix, + /bin/grep rix, + /bin/sleep rix, + /bin/touch rix, + /dev/.sysconfig/network/** r, + /etc/netconfig.d/* mrix, + /etc/sysconfig/network/** r, + /sbin/dhclient-script r, + /sbin/ip rix, +} diff --git a/sbin.dhcpcd b/sbin.dhcpcd new file mode 100644 index 0000000..de62b13 --- /dev/null +++ b/sbin.dhcpcd @@ -0,0 +1,50 @@ +# Last Modified: Wed Jan 18 14:06:39 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# +# If you wish to use /etc/sysconfig/network/scripts/dhcpcd-hook, be sure +# to configure a subdomain profile for it. +# +# Note that dhcpcd (at least as distributed by SuSE) offers to rewrite +# ntp.conf and yp.conf in addition to resolv.conf. +# + +#include + +/sbin/dhcpcd { + #include + #include + + capability dac_override, + capability net_admin, + capability net_raw, + capability sys_admin, + + + + /bin/bash mrix, + /bin/touch mrix, + /dev/tty rw, + /etc/* r, + /etc/dhcpc/* rwl, + /etc/init.d/syslog Ux, + /etc/ntp.conf{,.sv} rwl, + /etc/resolv.conf{,.sv} rwl, + /etc/sysconfig/network/scripts/dhcpcd-hook mrix, + /etc/yp.conf{,.sv} rwl, + /proc/sys/** w, + /sbin/dhcpcd mrix, + /sbin/ifup Ux, + /sbin/modify_resolvconf mrix, + /usr/lib/networkmanager/nm-dhcp-client.action rix, + /var/lib/dhcpcd/* rw, + /{,var/}run/dhcpcd-*.pid rwlk, + +} diff --git a/sbin.portmap b/sbin.portmap new file mode 100644 index 0000000..e90e8ef --- /dev/null 
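Review bot: `/proc/sys/** w` together with `capability sys_admin` gives a daemon that parses DHCP replies from the network write access to every sysctl, and `/sbin/ifup Ux` and `/etc/init.d/syslog Ux` hand off to unconfined execution from that same context. The sysctl rule should be narrowed to the entries dhcpcd is observed writing (the `net/` subtree is the likely candidate; confirm from audit logs), and the two `Ux` transitions either replaced by `Px` to small profiles or given a comment stating why unconfined execution is required. Several paths in this hunk (`/etc/sysconfig/network/scripts/dhcpcd-hook`, `/sbin/modify_resolvconf`, `/etc/init.d/syslog`) come from the SUSE original named in the header and are unlikely to exist on the ArchLinux system this commit is for, so they are dead rules worth pruning.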
+++ b/sbin.portmap @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/portmap { + #include + #include + + capability net_bind_service, + capability setuid, + capability setgid, + + /etc/bindresvport.blacklist r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /sbin/portmap rmix, +} diff --git a/sbin.resmgrd b/sbin.resmgrd new file mode 100644 index 0000000..a069711 --- /dev/null +++ b/sbin.resmgrd @@ -0,0 +1,32 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Mon Mar 13 15:55:30 2006 + +#include + +/sbin/resmgrd { + #include + #include + + capability fowner, + capability chown, + + /dev/** rw, + /etc/resmgr.conf r, + /etc/resmgr.conf.d/ r, + /etc/resmgr.conf.d/*.conf r, + /sbin/resmgrd r, + /{,var/}run/.resmgr_socket lrw, + /{,var/}run/resmgr.pid lrw, + /{,var/}run/fence* lrw, + /{,var/}run/resmgr/classes/** wl, + /{run,var}/lock/LCK* lrw, +} diff --git a/sbin.rpc.lockd b/sbin.rpc.lockd new file mode 100644 index 0000000..410c3d4 --- /dev/null +++ b/sbin.rpc.lockd 
@@ -0,0 +1,16 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/rpc.lockd { + #include + /sbin/rpc.lockd rmix, +} diff --git a/sbin.rpc.statd b/sbin.rpc.statd new file mode 100644 index 0000000..a54689e --- /dev/null +++ b/sbin.rpc.statd @@ -0,0 +1,29 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/sbin/rpc.statd { + #include + #include + /etc/rpc r, + /sbin/rpc.statd rmix, + /sm rw, + /sm.bak rw, + /state rw, + /var/lib/nfs/sm/* rw, + /var/lib/nfs/statd rw, + /var/lib/nfs/statd/sm r, + /var/lib/nfs/statd/sm/* rwl, + /var/lib/nfs/statd/state rw, + /var/lib/nfs/statd/sm.bak r, + /var/lib/nfs/statd/sm.bak/* rwl, + /{,var/}run/rpc.statd.pid w, +} diff --git a/usr.bin.acroread b/usr.bin.acroread new file mode 100644 index 0000000..e89754a --- /dev/null +++ b/usr.bin.acroread 
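Review bot: `/sm rw`, `/sm.bak rw` and `/state rw` grant rpc.statd write access to entries directly under the filesystem root; they look like the relative names of `/var/lib/nfs/statd/sm`, `sm.bak` and `state`, which the profile also lists, captured while the process had that directory as its working directory rather than intended root-level files. If audit logs do not show statd touching `/sm`, `/sm.bak` or `/state`, the three rules should be removed; if some build really uses them, a comment such as `# older statd writes sm/sm.bak/state relative to / — keep until confirmed` would stop the next reader asking the same question.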
@@ -0,0 +1,60 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Wed Aug 24 16:21:32 2005 + +#include + +/usr/X11R6/bin/acroread { + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + + /bin/basename mixr, + /bin/bash mix, + /bin/cat mixr, + /bin/grep mixr, + /bin/uname mixr, + /etc/** r, + + @{HOME}/.adobe/** rw, + @{HOME}/Desktop/** rw, + @{HOME}/Documents/* rw, + @{HOME}/.fonts.cache-* r, + @{HOME}/.gconfd/saved_state lrw, + @{HOME}/.gconfd/saved_state.orig lw, + @{HOME}/.gconfd/saved_state.tmp lrw, + @{HOME}/.gconf r, + @{HOME}/.gconf/.testing.writeability lw, + @{HOME}/* rw, + + /usr/bin/acroread Pxr, + /usr/bin/gconftool-2 mixr, + /usr/lib/firefox/firefox.sh Pxr, + /usr/lib/GConf/** r, + /usr/lib/GConf/2/gconfd-2 Pxr, + /usr/share/icons r, + /usr/share/icons/hicolor/icon-theme.cache r, + /usr/share/pixmaps r, + /usr/lib/Acrobat7/Reader/intellinux/lib/**so* mixr, + /usr/bin/cut mixr, + /usr/bin/dirname mixr, + /usr/bin/which mixr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/share/icons r, +} diff --git a/usr.bin.apropos b/usr.bin.apropos new file mode 100644 index 0000000..0a26cdc --- /dev/null +++ b/usr.bin.apropos 
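Review bot: The profile attaches to `/usr/X11R6/bin/acroread`, a SUSE-era path, while the file name `usr.bin.acroread`, the inner `/usr/bin/acroread Pxr` rule and the `/usr/bin/acroread rPx` transition in this commit's opera profile all refer to `/usr/bin/acroread`, so on the ArchLinux system this commit targets the profile most likely never attaches and the `Px` transitions to it would fail for lack of a matching profile. Changing the header to `/usr/bin/acroread {` and dropping the self-transition makes the files agree. `@{HOME}/* rw` also gives a document viewer write access to every top-level file in the home directory, dotfiles included, because AppArmor `*` matches a leading dot; `owner @{HOME}/*.pdf r,` together with the `.adobe`, `Desktop` and `Documents` rules already present covers normal use. `/usr/share/icons r` appears twice.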
@@ -0,0 +1,26 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/apropos { + #include + #include + #include + /bin/basename mixr, + /bin/bash mixr, + /bin/grep mixr, + /etc/manpath.config r, + /usr/bin/apropos rmix, + /usr/bin/man Px, + /usr/bin/tr mixr, + /var/cache/man/whatis r, + /var/cache/man/** r, +} diff --git a/usr.bin.epiphany b/usr.bin.epiphany new file mode 100644 index 0000000..3805910 --- /dev/null +++ b/usr.bin.epiphany @@ -0,0 +1,31 @@ +# Last Modified: Wed Jan 18 09:14:15 2012 +#include + +/usr/bin/epiphany { + #include + #include + #include + #include + #include + #include + + + + / r, + /dev/ r, + /dev/**/ r, + /etc/** r, + /home/*/ r, + /home/*/** rw, + /home/*/.gnome2/epiphany/** rwk, + /home/*/.local/share/** rwk, + /opt/java/** mr, + /opt/kde/share/** r, + /proc/**/ r, + /sys/devices/system/cpu/online r, + owner /tmp/** rwlk, + /tmp/** m, + /usr/include/** r, + /usr/share/** r, + +} diff --git a/usr.bin.evolution-2.10 b/usr.bin.evolution-2.10 new file mode 100644 index 0000000..f5e9d5e --- /dev/null +++ b/usr.bin.evolution-2.10 
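Review bot: `/home/*/** rw` gives the browser read and write access to every file of every user, which makes the later `/home/*/.gnome2/epiphany/** rwk` and `/home/*/.local/share/** rwk` rules redundant and leaves no user data protected from a compromised renderer; none of the `/home/*/` rules is `owner`-scoped, unlike the `owner /tmp/** rwlk` line. Replacing the blanket rule with `owner @{HOME}/.gnome2/epiphany/** rwk,`, `owner @{HOME}/.local/share/** rwk,` and an `owner` rule for the download directory keeps the profile meaningful in enforce mode. `/tmp/** m` next to the owner-scoped `/tmp/**` rule allows mapping any file in `/tmp` executable; if only the user's own files need it, `owner /tmp/** mrwlk,` folds the two lines.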
@@ -0,0 +1,156 @@ +# vim:syntax=apparmor +# Last Modified: Wed Sep 7 21:32:52 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ---------------------------------------------------------------------- +# +# +# Profile for Evolution 2.4: +# +# Covered scenarios: +# +# Receive Mail: +# IMAP/POP/Local +# Mark mail as junk mail +# Print mail message with lpr local +# Print mail message with cups remote +# View pdf attachements +# Decrypt using gpg +# +# Send Mail: +# SMTP/Sendmail +# Encrypt/Sign using gpg +# +# Contacts: +# Add/Edit/Delete local contacts +# +# Calendaring: +# Add Local calendar +# Add|Edit|Delete event to|in|from local calendar +# Publish free/busy information to webdav server +# Subscribe to webcal:// calendar +# +# + +#include + +/usr/bin/evolution-2.10 { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability ipc_lock, + capability setuid, + + /bin/basename mixr, + /bin/bash mix, + /bin/grep mixr, + /bin/netstat mixr, + /dev/random r, + /etc/cups/client.conf r, + /etc/cups/lpoptions r, + /etc/cups/printcap r, + /etc/mail/spamassassin r, + /etc/mail/spamassassin/* r, + /etc/mtab r, + /etc/gnome-vfs-*/modules r, + /etc/gnome-vfs-*/modules/*.conf r, + /etc/pango/*.modules r, + /etc/opt/kde3/share/applications r, + /etc/opt/kde3/share/applications/kde r, + /etc/opt/kde3/share/applications/kde/*.desktop r, + /etc/opt/kde3/share/applications/mimeinfo.cache r, + /etc/rpc r, + /etc/xdg/menus/*.menu r, + /etc/xdg/menus/applications-merged r, + /etc/xdg/menus/applications-merged/*.menu r, + /etc/xml/*.xml r, + /etc/xml/catalog r, + + @{HOMEDIRS} r, + @{HOMEDIRS}/* r, + @{HOME}* r, + @{HOME}/.AbiSuite/* r, + 
@{HOME}/.AbiSuite/AbiWord.Profile rw, + @{HOME}/.camel_certs/* rw, + @{HOME}/.evolution-composer.autosave-* lrw, + @{HOME}/.evolution/*.db rw, + @{HOME}/.evolution/cache/tmp r, + @{HOME}/.evolution/cache/tmp/** lrw, + @{HOME}/.evolution/calendar/config/** lrw, + @{HOME}/.evolution/calendar/local/** lrw, + @{HOME}/.evolution/camel-cert.db~ lrw, + @{HOME}/.evolution/mail/** lrw, + @{HOME}/.evolution/tasks/local/system/*.ics rw, + @{HOME}/.evolution/tasks/local/system/*.ics~ lrw, + @{HOME}/.gaim/blist.xml r, + @{HOME}/.gnome2/evolution-* lw, + @{HOME}/.gnome2/gnome-pilot.d/gpilotd rw, + @{HOME}/.gnome2/yelp rw, + @{HOME}/.gnome2/yelp.d/mozilla/** lrw, + @{HOME}/.gnome2_private w, + @{HOME}/.gnome2_private/Evolution rw, + @{HOME}/.kde/share/config/gtkrc-2.0 r, + @{HOME}/.mozilla/pluginreg.dat r, + @{HOME}/.qt/** lrw, + @{HOME}/.recently-used rw, + + /usr/bin/evolution-2.10 mixr, + /usr/bin/firefox Pxr, + /usr/lib/** r, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/lib64/GConf/2/gconfd-2 Px, + /usr/lib/evolution-data-server*/* r, + /usr/lib/evolution-data-server*/evolution-data-server-* Pxr, + /usr/lib/evolution/** r, + /usr/lib/evolution/*/evolution-alarm-notify mixr, + /usr/lib/gnome-** r, + /usr/lib/gnome-spell/libgnome-spell-component-*.so mr, + /usr/lib/gtk-** r, + /usr/lib/gtkhtml/libgnome-gtkhtml-editor-*.so mr, + /usr/lib/libgnomeui/gnome_segv2 mixr, + /usr/lib/pango/** r, + /usr/share/** r, + /opt/kde3/share/** r, + /opt/mozilla/bin/mozilla.sh Pxr, + @{PROC}/*/cmdline r, + @{PROC}/net r, + @{PROC}/net/* r, + /tmp r, + /tmp/* lrw, + /tmp/.ICE-unix/* w, + /tmp/gconfd-** r, + /tmp/orbit** lrw, + /usr/lib/aspell-** r, + /usr/lib/enchant r, + /usr/lib/enchant/*.* mr, + /usr/lib/jvm/java-*/jre/lib/fonts r, + /usr/lib/jvm/java-*/jre/lib/fonts/* r, + /usr/lib/ooo-2.0/share/fonts r, + /usr/lib/ooo-2.0/share/fonts/** r, + /usr/share/applications r, + /usr/share/applications/*.desktop r, + /usr/share/applications/mimeinfo.cache r, + /usr/share/icons r, + /usr/share/mime/** r, + 
/usr/share/spamassassin r, + /usr/share/spamassassin/*.cf r, + /usr/share/spamassassin/triplets.txt r, + /usr/share/xml/docbook/schema/** r, + /usr/X11R6/lib/Acrobat7/Resource/Font r, + /usr/X11R6/lib/Acrobat7/Resource/Font/** r, + /var/tmp r, +} diff --git a/usr.bin.fam b/usr.bin.fam new file mode 100644 index 0000000..1c435b1 --- /dev/null +++ b/usr.bin.fam @@ -0,0 +1,22 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/fam { + #include + #include + /tmp/.fam* wl, + /etc/mtab rw, + /usr/bin/fam rmix, + # it makes some level of sense for FAM to read all files on the + # filesystem, even if this is a little unfortunate. + /** r, +} diff --git a/usr.bin.freshclam b/usr.bin.freshclam new file mode 100644 index 0000000..5eec8bd --- /dev/null +++ b/usr.bin.freshclam @@ -0,0 +1,27 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/freshclam { + #include + #include + #include + + capability setgid, + capability setuid, + + /etc/clamd.conf r, + /etc/freshclam.conf r, + /usr/bin/freshclam mr, + /var/lib/clamav/clamav-* rw, + /var/lib/clamav/daily.cvd rw, + /var/lib/clamav/main.cvd rw, +} diff --git a/usr.bin.gaim b/usr.bin.gaim new file mode 100644 index 0000000..fd59397 --- /dev/null +++ b/usr.bin.gaim 
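Review bot: `/bin/netstat mixr` runs netstat inside the evolution profile, although this same commit adds a `/bin/netstat` profile whose header comment says it exists precisely so that evolution does not need access to large parts of `/proc`, and the sbin.dhclient profile already uses `/bin/netstat Px`. Changing the line to `/bin/netstat Px,` (and then dropping the `@{PROC}/net`, `@{PROC}/net/*` and `@{PROC}/*/cmdline` rules if audit logs confirm evolution itself no longer needs them) makes the profiles consistent. `/tmp/* lrw` and `/tmp/orbit** lrw` are not `owner`-scoped, so the mail client may write to other users' temporary files; `owner` on both is the usual fix. The hunk also carries SUSE-specific paths (`/etc/opt/kde3/...`, `/opt/kde3/share/**`, `/usr/lib/ooo-2.0/...`) that are unlikely to exist on the target system.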
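Review bot: `/etc/mtab rw` gives the file-alteration monitor write access to the mount table, and it is the only write the profile grants outside `/tmp/.fam*`; a monitor that only needs to learn about mounts should need `r`. If audit logs show fam only reading the file, change the line to `/etc/mtab r,`; if a write really is required, a comment naming the reason would keep the next reader from narrowing it by mistake.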
@@ -0,0 +1,67 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Fri Sep 2 19:07:43 2005 + +#include + +/usr/bin/gaim { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + /bin/bash mixr, + /dev/random r, + /etc/esd.conf r, + /etc/pango/pango.modules r, + /etc/pango/pango64.modules r, + + @{HOME}/.fonts r, + @{HOME}/.gaim r, + @{HOME}/.gaim/** lrw, + @{HOME}/.gnome2/nautilus-sendto/* rw, + @{HOME}/.gtk_qt_engine_rc r, + @{HOME}/.icons/** r, + @{HOME}/.mcop/random-seed rw, + @{HOME}/.mcoprc r, + @{HOME}/.kde/share/config/gtkrc-* r, + @{HOME}/.themes/** r, + + /opt/MozillaFirefox/bin/firefox.sh Px, + /usr/bin/gaim mixr, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/share/icons r, + /usr/share/icons/** r, + /usr/share/pixmaps r, + /usr/share/pixmaps/gaim/** r, + /usr/share/sounds/gaim/* r, + /usr/share/themes/** r, + /opt/kde3/bin/kde-config mixr, + @{PROC}/*/cmdline r, + /usr/X11R6/lib/Acrobat*/Resource/Font/* r, + /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r, + /usr/lib/ao/plugins-* r, + /usr/lib/aspell-** mr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/lib/tcl*/encoding/* r, + /usr/lib64/ao/plugins-* r, + /usr/lib64/aspell-* r, + /usr/share/alsa/alsa.conf r, + /usr/share/icons r, + /usr/share/tcl/tcl*/encoding/* r, + /{,var/}run/.resmgr_socket w, +} diff --git a/usr.bin.man b/usr.bin.man new file mode 100644 index 0000000..f3333e7 --- /dev/null +++ b/usr.bin.man 
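Review bot: `/bin/bash mixr` lets the IM client run a shell that inherits the whole profile, including the `@{HOME}/.gaim/** lrw` and `@{HOME}/.gnome2/nautilus-sendto/* rw` write rules, and nothing in the hunk says which feature needs a shell. A comment naming the caller (presumably the browser-launch or sound command; confirm from audit logs) or a `Px` to a small helper profile would document or contain it. `/usr/share/icons r` is listed twice, and `/opt/MozillaFirefox/bin/firefox.sh Px` points at a SUSE path while the firefox.sh profile in this commit attaches to `/usr/lib/firefox/firefox.sh`, so the browser transition here most likely never matches on the target system.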
@@ -0,0 +1,43 @@ +# Last Modified: Wed Jan 18 10:55:22 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# + +#include + +/usr/bin/man flags=(complain) { + #include + #include + #include + + capability setgid, + capability setuid, + + + + /etc/man_db.conf r, + /opt/java/jre/man/ r, + /opt/java/jre/man/* rk, + /opt/java/man/ r, + /opt/java/man/* rk, + /opt/java/man/*/ r, + /opt/kde/man/ r, + /opt/kde/man/*/ r, + /opt/qt/man/ r, + /opt/qt/man/* r, + /opt/qt/man/*/ r, + /root/.lesshst w, + /usr/lib/man-db/man Px, + /usr/local/man/ r, + /usr/man/ r, + /usr/share/man/ r, + /var/cache/man/** rk, + +} diff --git a/usr.bin.netsurf b/usr.bin.netsurf new file mode 100644 index 0000000..8af7c54 --- /dev/null +++ b/usr.bin.netsurf @@ -0,0 +1,21 @@ +# Last Modified: Wed Jan 18 10:06:57 2012 +#include + +/usr/bin/netsurf { + #include + #include + #include + + + + /etc/* r, + /home/*/.Xauthority r, + /home/*/.gtkrc-2.0 r, + /home/*/.icons/** r, + /home/*/.netsurf/* rw, + /home/*/.themes/** r, + /opt/kde/share/** r, + /sys/** r, + /usr/share/** r, + +} diff --git a/usr.bin.opera b/usr.bin.opera new file mode 100644 index 0000000..5bb664a --- /dev/null +++ b/usr.bin.opera 
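Review bot: `/usr/lib/man-db/man Px` requires a profile for that path, and none appears in the part of this commit visible here (the file list is alphabetical and is cut after `usr.lib.firefox.*`, so a later `usr.lib.man-db.man` file could cover it — worth confirming); without one the exec is denied as soon as the profile leaves `flags=(complain)`. If no separate profile is planned, `/usr/lib/man-db/man Pix,` falls back to inheriting this profile instead of failing. `/root/.lesshst w` hard-codes root's home directory; `owner @{HOME}/.lesshst w,` covers every user and stops man from writing another user's history file.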
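Review bot: `/home/*/.Xauthority r` and the other `/home/*/...` rules are not `owner`-scoped, so the browser may read any user's X authority cookie and write any user's `.netsurf` directory. `owner @{HOME}/.Xauthority r,` and `owner @{HOME}/.netsurf/* rw,` (and likewise for `.gtkrc-2.0`, `.icons/**` and `.themes/**`) limit access to the invoking user. `/etc/* r` and `/sys/** r` are broad reads that may well be needed, but a one-line comment on what drives each would help when the profile is later tightened.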
@@ -0,0 +1,76 @@ +# Last Modified: Wed Jan 18 09:29:55 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/opera { + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + + + + /bin/true mrix, + /bin/uname rix, + /etc/SuSE-release r, + /etc/X11/.qt_plugins_3.3rc.lock rw, + /etc/X11/.qtrc.lock rw, + /etc/cups/client.conf r, + /etc/mailcap r, + /etc/opera6rc rw, + /etc/opera6rc.fixed rw, + /etc/pkcs11/modules/ r, + /home/*/** mrk, + /opt/ r, + /opt/java/** r, + /opt/kde/share/** r, + /opt/kde3/lib/kde3/plugins/integration/*.so mr, + /proc/*/cmdline r, + /proc/*/fd/ r, + /sys/devices/system/cpu/online r, + owner /tmp/** rwlk, + /tmp/** m, + /usr/ r, + /usr/bin/acroread rPx, + /usr/bin/opera mr, + /usr/lib r, + /usr/lib/RealPlayer10/realplay rPx, + /usr/lib/RealPlayer10/realplay.bin rPx, + /usr/lib/opera/** mrix, + /usr/lib/opera/*/opera ix, + /usr/lib/opera/*/works rix, + /usr/local r, + /usr/share/** rk, + /var/spool/cups/tmp/* rwl, + /{,var/}run/.resmgr_socket w, + @{HOME} r, + @{HOME}/.fonts r, + @{HOME}/.kde/share/** r, + @{HOME}/.opera r, + @{HOME}/.opera/** rwl, + @{HOME}/OperaDownloads/* rw, + @{HOME}/tux/.fonts/ r, + @{HOME}/tux/.opera/ w, + @{HOME}/tux/.qt/.qtrx.lock k, + @{PROC}/[0-9]*/stat r, + @{PROC}/net/if_inet6 r, + @{PROC}/sys/vm/heap-stack-gap r, + +} diff --git a/usr.bin.passwd b/usr.bin.passwd new file mode 100644 index 0000000..e17f636 --- /dev/null +++ b/usr.bin.passwd 
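Review bot: `/home/*/** mrk` combined with `capability dac_override` lets the browser read and map every user's files regardless of their permission bits, which removes most of what the profile would otherwise protect; the later `@{HOME}/.opera/** rwl` and `@{HOME}/OperaDownloads/* rw` rules show the intended scope. Drop `capability dac_override` unless audit logs show a concrete need, and replace `/home/*/** mrk` with `owner @{HOME}/** rk,`, adding `m` only for the paths that are actually mapped. `/etc/opera6rc rw` and `/etc/opera6rc.fixed rw` make system-wide configuration writable from the user's browser session, where `r` is the expected mode. The `@{HOME}/tux/...` lines and `/etc/SuSE-release r` are remnants of the SUSE original and can be pruned.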
@@ -0,0 +1,35 @@ +# vim:syntax=apparmor +# Last Modified: Sat Jan 6 09:35:33 2007 +# ------------------------------------------------------------------ +# +# Copyright (C) 2006 Volker Kuhlmann +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/passwd { + #include + #include + #include + #include + + capability chown, + capability sys_resource, + + /etc/.pwd.lock w, + /etc/pwdutils/logging r, + /etc/shadow rwl, + /etc/shadow.old rwl, + /etc/shadow.tmp?????? rwl, + /usr/bin/passwd mr, + /usr/lib/pwdutils/lib*.so* mr, + /usr/lib64/pwdutils/lib*.so* mr, + /usr/share/cracklib/pw_dict.hwm r, + /usr/share/cracklib/pw_dict.pwd r, + /usr/share/cracklib/pw_dict.pwi r, +} diff --git a/usr.bin.perl b/usr.bin.perl new file mode 100644 index 0000000..f7a72c9 --- /dev/null +++ b/usr.bin.perl @@ -0,0 +1,17 @@ +# Last Modified: Wed Jan 18 14:45:09 2012 +#include + +/usr/bin/perl flags=(complain) { + #include + #include + #include + #include + + + + /** mr, + /bin/bash rix, + /home/*/private/dotfiles/.purple/* rw, + /usr/bin/head rix, + +} diff --git a/usr.bin.php-cgi b/usr.bin.php-cgi new file mode 100644 index 0000000..f8a8ac0 --- /dev/null +++ b/usr.bin.php-cgi @@ -0,0 +1,7 @@ +# Last Modified: Wed Jan 18 10:23:46 2012 +#include + +/usr/bin/php-cgi flags=(complain) { + #include + +} diff --git a/usr.bin.pidgin b/usr.bin.pidgin new file mode 100644 index 0000000..feef7bf --- /dev/null +++ b/usr.bin.pidgin 
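Review bot: Attaching a profile to `/usr/bin/perl` confines every perl invocation that starts from an unconfined context, not only the answerscripts helper this rule set is written for (the `/home/*/private/dotfiles/.purple/* rw` line and `/** mr` mirror the answerscripts profile in this commit). Once it leaves `flags=(complain)`, every system tool written in perl is limited to `/** mr`, `/bin/bash rix` and `/usr/bin/head rix`. Confining the scripts from their caller — the answerscripts profile already transitions into them — and not profiling the interpreter avoids that; if a perl profile is still wanted, a comment stating that it is intentionally system-wide and why complain mode is kept would help.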
@@ -0,0 +1,80 @@ +# Last Modified: Wed Jan 18 12:29:15 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/pidgin { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + deny capability sys_ptrace, + + + deny /usr/share/enchant/enchant.ordering r, + + /bin/bash rix, + /dev/random r, + /etc/esd.conf r, + /etc/pango/pango.modules r, + /etc/pango/pango64.modules r, + /home/** mrwk, + /home/harvie/private/dotfiles/.purple/answerscripts px, + /opt/MozillaFirefox/bin/firefox.sh Px, + /opt/kde/share/** r, + /opt/kde3/bin/kde-config mrix, + owner /tmp/** rwlk, + /tmp/** m, + /usr/X11R6/lib/Acrobat*/Resource/Font/* r, + /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r, + /usr/bin/pidgin mrix, + /usr/bin/purple-remote r, + /usr/lib/GConf/2/gconfd-2 Px, + /usr/lib/ao/plugins-* r, + /usr/lib/aspell-** mr, + /usr/lib/jvm/java-*/jre/lib/fonts/** r, + /usr/lib/ooo-*/share/fonts/** r, + /usr/lib/tcl*/encoding/* r, + /usr/lib64/ao/plugins-* r, + /usr/lib64/aspell-* r, + /usr/lib{,32,64}/** mr, + /usr/share/*/ r, + /usr/share/alsa/alsa.conf r, + /usr/share/icons r, + /usr/share/icons/** r, + /usr/share/pixmaps r, + /usr/share/pixmaps/pidgin/** r, + /usr/share/sounds/pidgin/* r, + /usr/share/tcl/tcl*/encoding/* r, + /usr/share/themes/** r, + /var/db/nscd/* r, + /{,var/}run/.resmgr_socket w, + @{HOME}/.fonts r, + @{HOME}/.gnome2/nautilus-sendto/* rw, + @{HOME}/.gtk_qt_engine_rc r, + @{HOME}/.icons/** r, + @{HOME}/.kde/share/config/gtkrc-* r, + @{HOME}/.mcop/random-seed rw, + @{HOME}/.mcoprc r, + @{HOME}/.purple r, + @{HOME}/.purple/** rwl, + @{HOME}/.themes/** r, + 
@{HOME}/private/dotfiles/.purple r, + @{HOME}/private/dotfiles/.purple/** rwl, + @{PROC}/*/cmdline r, + +} diff --git a/usr.bin.skype b/usr.bin.skype new file mode 100644 index 0000000..dc6e696 --- /dev/null +++ b/usr.bin.skype @@ -0,0 +1,40 @@ +# Last Modified: Mon Oct 26 13:29:13 2009 +# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 +# Additional profiling based on work by Андрей Калинин, LP: #226624 +#include +/usr/bin/skype { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + # are these needed? + /proc/*/cmdline r, + /dev/video* mrw, + /var/cache/libx11/compose/* r, + + # should this be in a separate KDE abstraction? + @{HOME}/.kde/share/config/kioslaverc r, + + /usr/bin/skype mr, + /usr/share/skype/** kr, + /usr/share/skype/sounds/*.wav kr, + + @{HOME}/.Skype/ rw, + @{HOME}/.Skype/** krw, + @{HOME}/.config/* kr, + + @{HOME}/.mozilla/ r, + @{HOME}/.mozilla/*/ r, + @{HOME}/.mozilla/*/*/ r, + @{HOME}/.mozilla/*/*/bookmarkbackups/ r, + @{HOME}/.mozilla/*/*/chrome/ r, + @{HOME}/.mozilla/*/*/extensions/ r, + @{HOME}/.mozilla/*/*/prefs.js r, +} + diff --git a/usr.bin.wireshark b/usr.bin.wireshark new file mode 100644 index 0000000..85f342f --- /dev/null +++ b/usr.bin.wireshark 
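Review bot: `/home/** mrwk` gives the IM client read, write, mmap and lock access to every user's home, which makes the later `@{HOME}/.purple/** rwl` and `@{HOME}/private/dotfiles/.purple/** rwl` rules redundant and leaves user data unprotected from a compromised protocol plugin; the `deny capability sys_ptrace` and `owner /tmp/** rwlk` lines show the profile otherwise aims for least privilege. Replace it with `owner @{HOME}/.purple/** rwlk,` and `owner @{HOME}/private/dotfiles/.purple/** rwlk,` plus an `owner` rule for file-transfer downloads if needed. `/home/harvie/private/dotfiles/.purple/answerscripts px` hard-codes one user's home; `@{HOME}/private/dotfiles/.purple/answerscripts px,` matches the profile's other `@{HOME}` rules.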
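Review bot: `@{HOME}/.mozilla/*/*/prefs.js r`, the `bookmarkbackups/` rule and `@{HOME}/.config/* kr` let a proprietary VoIP client read the user's Firefox preferences, bookmark backups and top-level configuration files, and the `# are these needed?` comment above `/proc/*/cmdline r` shows the grants in that block were never confirmed. Each should be checked against audit logs and either dropped or given a comment naming the feature that needs it; for the browser-profile lines, `deny @{HOME}/.mozilla/** r,` is the safer default if they were only added to quiet log noise.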
@@ -0,0 +1,44 @@ +# vim:syntax=apparmor +# Last Modified: Thu Aug 25 13:37:56 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/bin/wireshark { + #include + #include + #include + #include + #include + #include + #include + #include + + capability net_raw, + + /etc/ethers r, + + @{HOME}/.wireshark/* rw, + @{HOME}/.fonts.cache-* r, + + /etc/pango/pango.modules r, + /usr/lib/gtk-*/*/loaders/* mr, + /usr/share/* r, + /usr/share/icons/** r, + /usr/share/mime/* r, + /usr/lib/firefox/firefox.sh rPx, + /usr/bin/wireshark mixr, + /usr/share/icons r, + /usr/share/mime/* r, + /usr/share/snmp/mibs r, + /usr/share/snmp/mibs/* r, + /usr/share/snmp/mibs/.index rw, +} diff --git a/usr.lib.GConf.2.gconfd-2 b/usr.lib.GConf.2.gconfd-2 new file mode 100644 index 0000000..54ca37b --- /dev/null +++ b/usr.lib.GConf.2.gconfd-2 
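Review bot: `capability net_raw` is granted to the `/usr/bin/wireshark` GUI profile itself, so the whole dissector and GUI code base runs with raw-socket capability; Wireshark builds that capture through a separate `dumpcap` helper can keep `net_raw` out of this profile by giving the helper its own `Px` profile, and the 2005-dated header suggests this rule set predates that split (confirm which binary does the capturing on the target system). `/usr/share/mime/* r` and `/usr/share/icons r` each appear twice and one copy of each can go.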
@@ -0,0 +1,34 @@ +# vim:syntax=apparmor +# Last Modified: Thu Sep 1 16:16:34 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/lib/GConf/2/gconfd-2 { + #include + #include + #include + + /etc/gconf/2/path r, + /etc/gconf/gconf.xml.defaults r, + /etc/gconf/gconf.xml.defaults/** r, + /etc/gconf/gconf.xml.defaults/schemas/** r, + /etc/gconf/gconf.xml.mandatory r, + + @{HOME}/.gconf r, + @{HOME}/.gconf/** lrw, + @{HOME}/.gconfd/** lrw, + + /usr/lib/GConf/2/gconfd-2 rmix, + /usr/lib/GConf/2/libgconfbackend-xml.so mr, + /usr/lib64/GConf/2/libgconfbackend-xml.so mr, + /usr/share/locale/** r, +} diff --git a/usr.lib.bonobo.bonobo-activation-server b/usr.lib.bonobo.bonobo-activation-server new file mode 100644 index 0000000..5cec99e --- /dev/null +++ b/usr.lib.bonobo.bonobo-activation-server @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor +# Last Modified: Mon Aug 29 10:49:30 2005 + +#include + +/usr/lib/bonobo/bonobo-activation-server { + #include + #include + #include + + /etc/bonobo-activation/bonobo-activation-config.xml r, + /usr/lib/bonobo/bonobo-activation-server rmix, + /usr/lib/bonobo/servers r, + /usr/lib/bonobo/servers/*.server r, + /usr/lib/evolution-data-server-*/evolution-data-server-* Px, +} 
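Review bot: `/usr/lib/evolution-data-server-*/evolution-data-server-* Px` only matches a directory with a `-` suffix, whereas the evolution-data-server profile in this commit attaches to `/usr/lib/evolution-data-server/evolution-data-server-1.10` (no suffix) and the evolution-2.10 profile uses `/usr/lib/evolution-data-server*/evolution-data-server-* Pxr` to cover both spellings. As written, bonobo-activation-server cannot exec the data server at the path its profile is written for; `/usr/lib/evolution-data-server*/evolution-data-server-* Px,` makes the three profiles agree.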
diff --git a/usr.lib.chromium.chromium b/usr.lib.chromium.chromium new file mode 100644 index 0000000..77f55a4 --- /dev/null +++ b/usr.lib.chromium.chromium @@ -0,0 +1,52 @@ +# Last Modified: Wed Jan 18 09:53:41 2012 +# Author: Thomas Mudrunka + +#include + +/usr/lib/chromium/chromium { + #include + #include + #include + #include + #include + #include + #include + #include + #include + + capability dac_override, + capability dac_read_search, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + + + + /bin/ps r, + /dev/shm/* rw, + /etc/** r, + /home/*/* r, + /home/*/.adobe/**/ rw, + /home/*/.cache/chromium/** rw, + /home/*/.cups/* r, + /home/*/.icons/** r, + /home/*/.macromedia/** rw, + /home/*/.mozilla/** r, + /home/*/.pki/** rwk, + /home/*/.themes/** r, + /home/*/Work/GIT/plugins/chrome-extensions/** r, + /home/*/private/dotfiles/.config/chromium/** rwk, + /opt/java/** r, + /opt/kde/share/** r, + /proc/ r, + /proc/** rw, + /sys/** r, + /tmp/* r, + /usr/lib/chromium/chromium rix, + /usr/lib/chromium/chromium-sandbox rix, + /usr/lib/lib*so* mr, + /var/tmp/* rw, + +} diff --git a/usr.lib.evolution-data-server.evolution-data-server-1.10 b/usr.lib.evolution-data-server.evolution-data-server-1.10 new file mode 100644 index 0000000..477fc0c --- /dev/null +++ b/usr.lib.evolution-data-server.evolution-data-server-1.10 
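Review bot: `/usr/lib/chromium/chromium-sandbox rix` runs the sandbox helper (presumably the setuid sandbox) inside this profile, so the capabilities it needs — `sys_admin`, `sys_chroot`, `sys_ptrace`, `setuid`, `setgid`, `dac_override`, `dac_read_search` — are granted to the entire browser, and `/proc/** rw` additionally allows writes anywhere under `/proc`. Giving the helper its own profile via `/usr/lib/chromium/chromium-sandbox Px,` and moving the privileged capabilities there leaves the browser process with the file rules alone; `/proc/** rw` should then shrink to `/proc/** r,` plus whatever specific writes audit logs show. `/home/*/* r`, `/home/*/.mozilla/** r` and the other `/home/*/` rules are not `owner`-scoped, so every user's Firefox profile is readable by this browser; `owner @{HOME}/...` is the usual scope.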
@@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# Last Modified: Wed Sep 7 07:44:21 2005 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/lib/evolution-data-server/evolution-data-server-1.10 { + #include + #include + #include + + /etc/mtab r, + /etc/** r, + + @{HOME}/.evolution/addressbook/local/** lrw, + @{HOME}/.evolution/cache/calendar/** lrw, + @{HOME}/.evolution/calendar/local/** lrw, + @{HOME}/.evolution/tasks/local/** lrw, + @{HOME}/.gconf r, + @{HOME}/.gconf/** lrw, + @{HOME}/.gnome2_private w, + + /usr/lib/GConf/**.so mr, + /usr/lib/GConf/2/gconfd-2 Pxr, + /usr/lib64/GConf/2/gconfd-2 Pxr, + /usr/lib/evolution-data-server/evolution-data-server-* rmix, + /usr/lib/evolution-data-server*/extensions r, + /usr/lib/evolution-data-server*/extensions/lib*.so r, + /usr/lib/gnome-vfs** mr, + /usr/share/evolution-data-server*/** mr, + +} diff --git a/usr.lib.firefox.firefox b/usr.lib.firefox.firefox new file mode 100644 index 0000000..ee10a31 --- /dev/null +++ b/usr.lib.firefox.firefox 
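Review bot: `/usr/lib/evolution-data-server*/extensions/lib*.so r` grants only `r` while `/usr/share/evolution-data-server*/** mr` grants `m`; that looks inverted, since loading a shared object needs `m` (mmap with PROT_EXEC) and data under `/usr/share` should not. Suggest `/usr/lib/evolution-data-server*/extensions/lib*.so mr,` and `/usr/share/evolution-data-server*/** r,`. `/etc/mtab r` is subsumed by `/etc/** r`, the `@{HOME}` rules lack `owner`, and this 2005 profile attaches to `evolution-data-server-1.10`, which should be checked against the version actually installed on the target system.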
@@ -0,0 +1,36 @@ +# Last Modified: Wed Jan 18 14:47:08 2012 +#include + +/usr/lib/firefox/firefox { + #include + #include + #include + #include + + + deny /dev/tty rw, + + /bin/ps r, + /etc/** r, + /home/*/.Xauthority r, + /home/*/.adobe/**/ rw, + /home/*/.asoundrc.asoundconf r, + /home/*/.icons/** r, + /home/*/.local/share/ r, + /home/*/.local/share/**/ r, + /home/*/.macromedia/** rw, + /home/*/.mozilla/**/ r, + /home/*/.mozilla/firefox/** mrwk, + /opt/java/** r, + /opt/kde/share/** r, + /proc/** r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/* r, + owner /tmp/** rlk, + /tmp/** w, + /usr/lib/firefox/plugin-container rix, + /usr/share/ r, + /usr/share/** r, + /var/db/nscd/* r, + +} diff --git a/usr.lib.firefox.firefox.sh b/usr.lib.firefox.firefox.sh new file mode 100644 index 0000000..65344b7 --- /dev/null +++ b/usr.lib.firefox.firefox.sh @@ -0,0 +1,19 @@ +# Last Modified: Wed Nov 5 03:32:59 2008 +#include + +/usr/lib/firefox/firefox.sh { + #include + #include + #include + + deny capability sys_ptrace, + + /bin/basename rix, + /bin/bash rix, + /bin/grep rix, + /etc/magic r, + /usr/bin/file rix, + /usr/lib/firefox/firefox px, + /usr/share/misc/magic.mgc r, + +} diff --git a/usr.lib.firefox.mozilla-xremote-client b/usr.lib.firefox.mozilla-xremote-client new file mode 100644 index 0000000..516adbd --- /dev/null +++ b/usr.lib.firefox.mozilla-xremote-client 
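Review bot: `/tmp/** w` and `/home/*/.mozilla/firefox/** mrwk` carry no `owner` qualifier, unlike the adjacent `owner /tmp/** rlk`, so the browser is permitted (subject only to DAC) to write any file under /tmp and any user's Firefox profile; `owner /tmp/** rwlk,` and `owner /home/*/.mozilla/firefox/** mrwk,` express the intent. `/usr/lib/firefox/plugin-container rix` means out-of-process plugins (the `.adobe`/`.macromedia` rules suggest Flash) inherit the full browser profile instead of a narrower child profile via `Cx`. `/proc/** r` and `/etc/** r` are also broad for a browser; the latter is presumably there for a few config files but matches everything world-readable under /etc.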
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Sep 1 23:02:44 2005
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/firefox/mozilla-xremote-client {
+ #include
+ #include
+
+ /usr/lib/mozilla/lib*so* mr,
+ /usr/lib/firefox/mozilla-xremote-client rmix,
+}
diff --git a/usr.lib.man-db.man b/usr.lib.man-db.man
new file mode 100644
index 0000000..21402c2
--- /dev/null
+++ b/usr.lib.man-db.man
@@ -0,0 +1,68 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +#include + +/usr/lib/man-db/man flags=(complain) { + #include + #include + #include + #include + + /bin/bash rmix, + /bin/cat rmix, + /bin/gunzip rmix, + /bin/mktemp rmix, + /bin/more rmix, + /bin/rm rmix, + + /etc/groff/man.local r, + /etc/lesskey.bin r, + /etc/manpath.config r, + /etc/man.config r, + /etc/papersize r, + /etc/termcap r, + + /tmp/nroff.** rw, + + /usr/man/** r, + /usr/bin/apropos Px, + /usr/bin/cmp rmix, + /usr/bin/getopt rmix, + /usr/bin/groff rmix, + /usr/bin/grops rmix, + /usr/bin/grotty rmix, + /usr/bin/iconv rmix, + /{usr/,}bin/less rmix, + /usr/bin/locale rmix, + /usr/bin/man rmix, + /usr/bin/nroff rmix, + /usr/bin/preconv rmix, + /usr/bin/tbl rmix, + /usr/bin/troff rmix, + /usr/bin/zsoelim rmix, + /usr/lib/man-db/man rmix, + /usr/lib/man-db/manconv rmix, + /usr/local/man/ r, + /usr/local/man/** r, + /usr/local/share/man/ r, + /usr/local/share/man/** r, + /usr/share/groff/** r, + /usr/share/locale-bundle/** r, + /usr/share/man/ r, + /usr/share/man/** r, + /usr/share/terminfo/** r, + /usr/share/texmf/teTeX/man/** r, + + /var/cache/man/** rk, + + owner @{HOME}/.lesshst rw, +} diff --git a/usr.sbin.cupsd b/usr.sbin.cupsd new file mode 100644 index 0000000..91260d4 --- /dev/null +++ b/usr.sbin.cupsd 
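Review bot: The profile is declared `flags=(complain)`, so nothing in it is enforced — denials are only logged — yet nothing in the file says this is transitional; a header comment such as `# complain mode until the rule set has been validated against the audit log` would make that explicit. `/usr/bin/apropos Px` requires a loaded profile for apropos, which this commit does not add; once the profile is switched to enforce that exec is denied (use `PUx` only if an unconfined fallback is really intended). The `rmix` rules for `/bin/bash`, `/{usr/,}bin/less` and `/bin/rm` also mean a pager shell-escape runs inside this profile with its full rule set, which is acceptable only if that set has been reviewed before enforcing.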
@@ -0,0 +1,61 @@ +# Last Modified: Wed Jan 18 14:45:09 2012 +#include + +/usr/sbin/cupsd { + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability net_bind_service, + capability setgid, + capability setuid, + + + + /bin/bash rix, + /bin/cat ix, + /dev/lp0 rw, + /dev/tty rw, + /dev/ttyS? w, + /etc/** r, + /etc/cups rw, + /etc/cups/*.conf* rw, + /etc/cups/certs w, + /etc/cups/certs/* w, + /etc/cups/ppd rw, + /etc/cups/printcap rw, + /etc/cups/ssl rw, + /etc/cups/yes/* rw, + /etc/printcap rw, + /proc/meminfo r, + /proc/sys/dev/parport/** r, + /sys/class/usb r, + /usr/bin/foomatic-rip rix, + /usr/bin/gs ix, + /usr/bin/perl ix, + /usr/bin/smbspool rix, + /usr/lib/cups/backend/* rix, + /usr/lib/cups/filter/* rix, + /usr/lib/ghostscript/** m, + /usr/lib64/ghostscript/** m, + /usr/lib{,32,64}/** mr, + /usr/sbin/cupsd mrix, + /usr/share/cups/** r, + /usr/share/ghostscript/** r, + /var/cache/cups/ rw, + /var/cache/cups/** rw, + /var/log/cups/* rw, + /var/spool/cups rw, + /var/spool/cups/** rw, + /var/spool/cups/tmp w, + /var/spool/cups/tmp/ r, + /{,var/}run/cups/ rw, + /{,var/}run/cups/** rw, + +} diff --git a/usr.sbin.dhcpd b/usr.sbin.dhcpd new file mode 100644 index 0000000..d54da0f --- /dev/null +++ b/usr.sbin.dhcpd 
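Review bot: `/usr/lib/cups/filter/* rix`, `/usr/bin/gs ix`, `/usr/bin/perl ix` and `/usr/bin/foomatic-rip rix` run the print filters — the code that parses untrusted job data — inside the scheduler's own profile, so a filter compromise inherits `capability chown/setuid/setgid/dac_override`, write access to `/etc/cups/*.conf*` and `/etc/printcap`, and `/etc/** r`, which together with `dac_override` covers `/etc/shadow`. Giving the filters and ghostscript a child profile (`/usr/lib/cups/filter/* Cx,` with a nested `profile` block holding only the spool, ppd and ghostscript rules, as `usr.sbin.lighttpd` in this commit does for php-cgi) confines that parsing code separately. Narrowing `/etc/** r` to `/etc/cups/** r` plus the specific files cupsd needs (take them from the audit log) belongs in the same pass; `/dev/tty rw` and `/bin/bash rix` look like leftovers from a debugging session rather than daemon requirements.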
@@ -0,0 +1,37 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/dhcpd { + #include + #include + + capability dac_override, + capability net_bind_service, + capability net_raw, + capability setgid, + capability setuid, + capability sys_chroot, + + network inet raw, + network packet raw, + + /db/dhcpd.leases* lrw, + /etc/dhcpd.conf r, + /etc/named.d/* r, + /etc/hosts.allow r, + /etc/hosts.deny r, + @{PROC}/net/dev r, + /usr/sbin/dhcpd rmix, + /var/lib/dhcp/{db/,}dhcpd.leases* rwl, + /var/lib/dhcp/etc/dhcpd.conf r, + /{,var/}run/dhcpd.pid wl, +} diff --git a/usr.sbin.in.fingerd b/usr.sbin.in.fingerd new file mode 100644 index 0000000..5f18bd0 --- /dev/null +++ b/usr.sbin.in.fingerd @@ -0,0 +1,23 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/in.fingerd { + #include + #include + + @{HOME}/.plan r, + @{HOME}/.project r, + + /usr/bin/finger mix, + /var/log/lastlog r, + /{,var/}run/utmp r, +} diff --git a/usr.sbin.lighttpd b/usr.sbin.lighttpd new file mode 100644 index 0000000..8c783b1 --- /dev/null +++ b/usr.sbin.lighttpd 
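Review bot: `/db/dhcpd.leases* lrw` is a path that only makes sense relative to a chroot (consistent with `capability sys_chroot` and `/var/lib/dhcp/etc/dhcpd.conf r`), but AppArmor evaluates paths against the namespace root, not the chroot, so this line either grants write access to a top-level `/db` directory that typically does not exist or is dead; a comment such as `# lease file as seen from inside the /var/lib/dhcp chroot` (if that is the intent) or removal would clarify it. `/etc/named.d/* r` also deserves a comment saying why the DHCP server reads BIND's configuration directory (presumably DDNS keys), since as written it exposes any TSIG key files kept there.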
@@ -0,0 +1,77 @@ +# Last Modified: Wed Jan 18 10:48:17 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/lighttpd { + #include + #include + #include + #include + #include + #include + + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + + deny /usr/bin/pacman r, + + /bin/bash mix, + /bin/cat mix, + /bin/egrep r, + /bin/zsh mix, + /etc/lighttpd r, + /etc/lighttpd/*.conf r, + /etc/lighttpd/auth.d/* r, + /etc/lighttpd/conf.d/*.conf r, + /etc/lighttpd/vhosts.d r, + /etc/lighttpd/vhosts.d/* r, + /etc/php/conf.d/ r, + /etc/php/php.ini r, + /etc/ssl/private/*.pem r, + /run/lighttpd/* w, + /srv/http/ r, + /srv/http/** r, + /tmp/* rw, + /usr/bin/php-cgi Cx, + /usr/lib/lighttpd/*.so mr, + /usr/lib64/lighttpd/*.so mr, + /usr/sbin/lighttpd mix, + /var/cache/lighttpd/ r, + /var/cache/lighttpd/** rwl, + /var/lib/lighttpd/ r, + /var/lib/lighttpd/** rwl, + /var/log/lighttpd/*.log rw, + /{,var/}run/lighttpd.pid rwl, + + + profile /usr/bin/php-cgi { + #include + + + + /etc/* r, + /etc/php/** r, + /lib/lib*so* mr, + /srv/http/ r, + /srv/http/** r, + /tmp/* rwk, + /usr/bin/php-cgi r, + /usr/lib/lib*so* mr, + /usr/lib{,32,64}/** mr, + + } +} diff --git a/usr.sbin.minidlna b/usr.sbin.minidlna new file mode 100644 index 0000000..6130ac4 --- /dev/null +++ b/usr.sbin.minidlna @@ -0,0 +1,18 @@ +# Last Modified: Wed Jan 18 14:01:31 2012 +#include + +/usr/sbin/minidlna { + #include + #include + + + + /bin/bash rix, + /etc/minidlna.conf r, + /home/*/** r, + /proc/sys/** r, + /run/minidlna.pid rw, + /sys/devices/system/** r, + /tmp/** rwk, + +} 
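Review bot: `/bin/bash mix` and `/bin/zsh mix` let the web server execute a shell inside its own profile, which holds `capability setuid/setgid/dac_override/sys_chroot` and read access to `/etc/ssl/private/*.pem`; if those shells are for CGI scripts they belong in a child profile (`Cx`, as already done for php-cgi below) or should be dropped, and `/bin/egrep r` without `x` suggests these lines came from a single audit-log session. `deny /usr/bin/pacman r` records that something under lighttpd tried to touch the package manager; that deserves a comment explaining what, rather than a silent deny. `/tmp/* rw` in the parent and `/tmp/* rwk` in the php-cgi child are not `owner`-qualified; `owner /tmp/* rw,` is the usual form for a daemon running as its own user.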
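Review bot: `/home/*/** r` grants the DLNA server read access to every file of every user — SSH keys, mail, browser profiles — far beyond the media directories it serves to the network; restrict it to the directories named as `media_dir` in `/etc/minidlna.conf`, e.g. `/home/*/Music/** r,` and `/home/*/Videos/** r,` adjusted to the real layout. `/bin/bash rix` gives a network-facing daemon a shell under its own profile and should be removed unless the audit log shows a genuine need. `/tmp/** rwk` and `/run/minidlna.pid rw` should be `owner`-qualified, and `/sys/devices/system/** r` plus `/proc/sys/** r` are broader than the few sysfs/proc entries a daemon usually reads.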
diff --git a/usr.sbin.mysqld b/usr.sbin.mysqld
new file mode 100644
index 0000000..1fde992
--- /dev/null
+++ b/usr.sbin.mysqld
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Wed Aug 17 14:28:07 2005
+
+#include
+
+/usr/sbin/mysqld {
+ #include
+ #include
+ #include
+
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+
+ /etc/my.cnf r,
+ /usr/sbin/mysqld r,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/** lrw,
+}
diff --git a/usr.sbin.squid b/usr.sbin.squid
new file mode 100644
index 0000000..4f46f29
--- /dev/null
+++ b/usr.sbin.squid
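Review bot: `/usr/sbin/mysqld r` is the only rule for the daemon binary and lacks `m`, unlike every other profile in this commit (`rmix`); whether the profile attaches before the loader maps the binary decides if that matters, so test it before enforcing. `/var/lib/mysql/** lrw` has no `k`, but the storage engines take file locks on their data files, so expect lock denials in the audit log. This is a 2005 SUSE profile with no rule for the server socket or pid file, no `/tmp` rule and `/etc/my.cnf` only, so it has presumably not been adapted to this distribution's package layout yet.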
@@ -0,0 +1,63 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2006 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +#include + +/usr/sbin/squid { + #include + #include + #include + #include + + capability setgid, + capability setuid, + + /usr/lib/squid/* rmix, + /usr/sbin/squid rmix, + /usr/sbin/unlinkd mixr, + + /var/cache/squid/** lrw, + + /dev/tty rw, + /etc/mtab r, + /etc/squid/* r, + @{PROC}/[0-9]*/mounts r, + @{PROC}/mounts r, + /usr/share/squid/** r, + /var/log/squid/access.log w, + /var/log/squid/cache.log rw, + /var/log/squid/store.log w, + /{,var/}run/squid.pid lrw, + + /usr/sbin/digest_pw_auth rmix, + /usr/sbin/diskd rmix, + /usr/sbin/getpwname_auth rmix, + /usr/sbin/ip_user_check rmix, + /usr/sbin/msnt_auth rmix, + /usr/sbin/ncsa_auth rmix, + /usr/sbin/no_check.pl rmix, + /usr/sbin/ntlm_auth rmix, + /usr/sbin/pam_auth rmix, + /usr/sbin/rcsquid rmix, + /usr/sbin/smb_auth rmix, + /usr/sbin/smb_auth.pl rmix, + /usr/sbin/smb_auth.sh rmix, + /usr/sbin/squid rmix, + /usr/sbin/squid_ldap_auth rmix, + /usr/sbin/squid_ldap_group rmix, + /usr/sbin/squid_ldapauth rmix, + /usr/sbin/squid_unix_group rmix, + /usr/sbin/squidclient rmix, + /usr/sbin/unlinkd rmix, + /usr/sbin/wbinfo_group.pl rmix, + /usr/sbin/yp_auth rmix, + +} diff --git a/usr.sbin.sshd b/usr.sbin.sshd new file mode 100644 index 0000000..69599a9 --- /dev/null +++ b/usr.sbin.sshd 
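Review bot: `/usr/sbin/squid rmix` and `/usr/sbin/unlinkd` (`mixr` and again `rmix`) are listed twice; drop the duplicates. The authentication helpers (`pam_auth`, `ntlm_auth`, `smb_auth`, `squid_ldap_auth`, …) all use `ix`, so they run with squid's `capability setuid/setgid` and file rules instead of their own; `pam_auth` in particular is commonly installed setuid root to read `/etc/shadow`, which this profile does not grant, so either it is unused or it will be denied. Giving each helper that is actually configured its own `Px` profile and removing the rest is the cleaner arrangement; `/usr/sbin/rcsquid rmix` (an init script) and `/usr/sbin/squidclient rmix` do not look like things the running proxy should execute.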
@@ -0,0 +1,139 @@ +# Last Modified: Wed Jan 18 10:55:22 2012 +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# will need to revalidate this profile once we finish re-architecting +# the change_hat patch. +# + +#include + +/usr/sbin/sshd { + #include + #include + #include + #include + #include + + + capability audit_control, + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability kill, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + capability sys_tty_config, + + + /bin/ash rUx, + /bin/bash rUx, + /bin/bash2 rUx, + /bin/bsh rUx, + /bin/csh rUx, + /bin/ksh rUx, + /bin/sh rUx, + /bin/tcsh rUx, + /bin/zsh rUx, + /dev/ptmx rw, + /dev/pts/[0-9]* rw, + /dev/urandom r, + /etc/** r, + /proc/*/oom_adj rw, + /proc/*/oom_score_adj rw, + /sbin/nologin rUx, + /tmp/ssh-*/agent.[0-9]* rwl, + /tmp/ssh-*[0-9]*/ w, + /usr/sbin/sshd mrix, + /var/log/* rw, + /{,var/}run w, + /{,var/}run/sshd{,.init}.pid wl, + @{HOME}/.ssh/authorized_keys{,2} r, + @{PROC}/[0-9]*/fd/ r, + @{PROC}/[0-9]*/loginuid w, + @{PROC}/[0-9]*/mounts r, + + + ^AUTHENTICATED { + #include + #include + #include + #include + + capability setgid, + capability setuid, + capability sys_tty_config, + + + /dev/log w, + /dev/ptmx rw, + /etc/default/passwd r, + /etc/localtime r, + /etc/login.defs r, + /etc/motd r, + /tmp/ssh-*/agent.[0-9]* rwl, + /tmp/ssh-*[0-9]*/ w, + + } + + ^EXEC { + #include + + + /bin/ash Ux, + /bin/bash Ux, + /bin/bash2 Ux, + /bin/bsh Ux, + /bin/csh Ux, + /bin/ksh Ux, + /bin/sh Ux, + /bin/tcsh Ux, + /bin/zsh Ux, + /sbin/nologin Ux, + + } + + ^PRIVSEP { + 
#include + #include + + capability setgid, + capability setuid, + capability sys_chroot, + + + + } + + ^PRIVSEP_MONITOR { + #include + #include + #include + #include + + capability chown, + capability setgid, + capability setuid, + + + /dev/ptmx rw, + /dev/pts/[0-9]* rw, + /dev/urandom r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ssh/moduli r, + @{HOME}/.ssh/authorized_keys{,2} r, + @{PROC}/[0-9]*/mounts r, + + } +} diff --git a/usr.sbin.useradd b/usr.sbin.useradd new file mode 100644 index 0000000..4c9eb8b --- /dev/null +++ b/usr.sbin.useradd @@ -0,0 +1,50 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/useradd { + #include + #include + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability fowner, + capability fsetid, + capability sys_resource, + + /bin/bash mixr, + /etc/.pwd.lock rwk, + /etc/default/useradd r, + /etc/group* rwl, + /etc/gshadow* rwl, + /etc/login.defs r, + /etc/passwd* rwl, + /etc/shadow* rwl, + /etc/pwdutils/logging r, + /etc/skel r, + /etc/skel/** r, + @{HOMEDIRS}** rw, + @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, + /usr/lib*/pwdutils/*so* mr, + /usr/sbin/adduser rmix, + /usr/sbin/useradd rmix, + /usr/sbin/useradd.local rmix, + /var/log/faillog rw, + /{,var/}run/nscd.pid rw, + /var/spool/mail/* rw, +} diff --git a/usr.sbin.userdel b/usr.sbin.userdel new file mode 100644 index 0000000..6103388 --- /dev/null +++ b/usr.sbin.userdel 
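Review bot: `/var/log/* rw` combined with `capability chown`, `fowner`, `fsetid` and `dac_override` lets sshd rewrite or truncate any log in /var/log — exactly what an intrusion through sshd would want to tamper with; the daemon itself needs only the login accounting files, so `/var/log/{btmp,wtmp,lastlog} rw,` is the tighter rule (confirm against the audit log, as PAM modules may add others). The `^AUTHENTICATED`, `^EXEC`, `^PRIVSEP` and `^PRIVSEP_MONITOR` hats are only entered by an sshd built with the change_hat patch, as the 2005 header comment hints; on a stock build they are dead configuration and the comment should say so instead of promising a revalidation. `/etc/** r` and `/proc/*/oom_adj rw` (any process, not `owner`-qualified) are also broad for a daemon whose minimal rule set is well known. This hunk begins in the previous line of the page.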
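Review bot: `/{,var/}run/nscd.pid rw` grants write access to nscd's pid file, while `usr.sbin.userdel` in this commit grants only `r`; useradd reads the pid to notify nscd, so `r` suffices and `rw` is an unexplained inconsistency. `@{HOMEDIRS}** rw` expands to everything under the home directories (for `@{HOMEDIRS}=/home/` that is `/home/**`) with `rw` but no `l`, while userdel has `rwl`; populating the new home from `/etc/skel` may need `l` if skel contains symlinks, so align the two. `/bin/bash mixr` is presumably for `/usr/sbin/useradd.local`; a comment saying so would spare the next reader from wondering why an account tool needs a shell.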
@@ -0,0 +1,51 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/userdel { + #include + #include + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability dac_read_search, + capability sys_resource, + + /bin/cat rmix, + /bin/bash rmix, + /dev/log w, + /etc/.pwd.lock rw, + /etc/cron.deny r, + /etc/default/useradd r, + /etc/group* rwl, + /etc/gshadow* rwl, + /etc/login.defs r, + /etc/passwd* rwl, + /etc/shadow* rwl, + /etc/pwdutils/logging r, + @{HOMEDIRS}** rwl, + @{PROC}/[0-9]*/mounts r, + /usr/bin/crontab rmix, + /usr/lib*/pwdutils/*.so.* mr, + /usr/sbin/userdel rmix, + /usr/sbin/userdel-post.local rmix, + /usr/sbin/userdel-pre.local rmix, + /usr/sbin/userdel rmix, + # XXX + /{,var/}run/nscd.pid r, + /var/spool/mail/* wl, +} diff --git a/usr.sbin.vsftpd b/usr.sbin.vsftpd new file mode 100644 index 0000000..0a8a9c7 --- /dev/null +++ b/usr.sbin.vsftpd 
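Review bot: `/etc/.pwd.lock rw` lacks `k`, while `usr.sbin.useradd` in this commit grants `rwk` on the same file; the shadow-suite lock is taken with fcntl locks, so `k` is needed here too (`/etc/.pwd.lock rwk,`). `/usr/sbin/userdel rmix` appears twice, and the bare `# XXX` above `/{,var/}run/nscd.pid r` explains nothing — either state what is doubtful there or remove it. `/usr/bin/crontab rmix` runs a setuid-root program under this profile with `ix`; if it is only used to remove the deleted user's crontab, a `Px` to a crontab profile would avoid carrying userdel's `dac_read_search` and `chown` into it.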
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/sbin/vsftpd {
+ #include
+ #include
+ #include
+
+ /dev/urandom r,
+ /etc/fstab r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/mtab r,
+ /etc/shells r,
+ /etc/vsftpd.* r,
+ /etc/vsftpd/* r,
+ /usr/sbin/vsftpd rmix,
+ /var/log/vsftpd.log w,
+ /var/log/xferlog w,
+ # anon chroots
+ / r,
+ /pub r,
+ /pub/** r,
+ @{HOMEDIRS} r,
+ @{HOME}/** rwl,
+}
diff --git a/usr.sbin.xinetd b/usr.sbin.xinetd
new file mode 100644
index 0000000..bbec8ab
--- /dev/null
+++ b/usr.sbin.xinetd
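Review bot: No `capability` rules are visible in this profile, yet vsftpd binds port 21 as root and then changes uid and chroots per session, which needs at least `net_bind_service`, `setuid`, `setgid` and `sys_chroot`; unless one of the `#include`d abstractions — their names are not visible in this rendering — grants them, the daemon will fail under enforce mode. `@{HOME}/** rwl` is not `owner`-qualified; since the session process runs as the logged-in user, `owner @{HOME}/** rwl,` would stop a session from touching another user's home through a misconfiguration. `/ r`, `/pub r` and `@{HOMEDIRS} r` are written without a trailing slash, and AppArmor names directories with one, so check whether `/pub/ r,` style rules are what the anonymous chroot actually needs.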
@@ -0,0 +1,71 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2005 Novell/SUSE +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include + +/usr/sbin/xinetd { + #include + #include + + capability net_bind_service, + capability setgid, + capability setuid, + + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/xinetd.conf r, + /etc/xinetd.d r, + /etc/xinetd.d/* r, + /usr/sbin/xinetd rmix, + /var/log/xinetd.log w, + /{,var/}run/xinetd.pid rwl, + + /bin/netstat Px, + /bin/ps mix, + /sbin/linuxconf Px, + /usr/bin/cvs Px, + /usr/bin/fam Px, + /usr/bin/kotalkd Px, + /usr/bin/ktalkd Px, + /usr/bin/nrpe Px, + /usr/bin/rsync Px, + /usr/kerberos/sbin/ftpd Px, + /usr/kerberos/sbin/klogind Px, + /usr/kerberos/sbin/kshd Px, + /usr/kerberos/sbin/telnetd Px, + /usr/lib/amanda/amandad Px, + /usr/lib/amanda/amidxtaped Px, + /usr/lib/amanda/amindexd Px, + + /usr/lib64/cups/daemon/cups-lpd Px, + /usr/lib/cups/daemon/cups-lpd Px, + + /usr/sbin/dbskkd-cdb Px, + /usr/sbin/imapd Px, + /usr/sbin/in.comsat Px, + /usr/sbin/in.fingerd Px, + /usr/sbin/in.ftpd Px, + /usr/sbin/in.httpd-redir Px, + /usr/sbin/in.ntalkd Px, + /usr/sbin/in.rexecd Px, + /usr/sbin/in.rlogind Px, + /usr/sbin/in.rshd Px, + /usr/sbin/in.telnetd Px, + /usr/sbin/in.tftpd Px, + /usr/sbin/ipop2d Px, + /usr/sbin/ipop3d Px, + /usr/sbin/popper Px, + /usr/sbin/rsyncd Px, + /usr/sbin/swat Px, + /usr/sbin/tcpd Px, + /usr/sbin/vsftpd Px, + /usr/X11R6/bin/vnc_inetd_httpd Px, + /usr/X11R6/bin/Xvnc Px, +}
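Review bot: Almost every service line here uses `Px` (`/usr/bin/cvs`, `/usr/sbin/in.telnetd`, `/usr/sbin/swat`, `/usr/X11R6/bin/Xvnc`, …), and `Px` is denied when no profile for the target is loaded; this commit supplies profiles for only a few of them (`bin.netstat`, `usr.sbin.in.fingerd`, `usr.sbin.vsftpd`), so the rest are either dead rules or will fail at exec time under enforce. Keep the lines for services actually enabled in `/etc/xinetd.d` that have profiles, and delete the others rather than switching to `PUx`, which would drop them into unconfined. A comment marking `in.rshd`, `in.rlogind`, `in.rexecd` and `in.telnetd` as cleartext legacy services that should stay disabled would also help, and `/bin/ps mix` deserves a note on why the superserver runs ps.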