cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hilfe mein git ist komisch

Browse Source
This commit is contained in:
cutemeli
2026-01-08 18:34:49 +01:00
parent 710537a25d
commit b2d2dce845
4644 changed files with 94994 additions and 1763 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
etc/apparmor.d/1password Normal file
View File

@@ -0,0 +1,12 @@
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile 1password /opt/1Password/1password flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/1password>
}

12
etc/apparmor.d/Discord Normal file
View File

@@ -0,0 +1,12 @@
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile Discord /usr/share/discord/Discord flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/Discord>
}

12
etc/apparmor.d/MongoDB_Compass Normal file
View File

@@ -0,0 +1,12 @@
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/MongoDB_Compass>
}

12
etc/apparmor.d/QtWebEngineProcess Normal file
View File

@@ -0,0 +1,12 @@
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/QtWebEngineProcess>
}

78
etc/apparmor.d/abi/3.0 Normal file
View File

@@ -0,0 +1,78 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

91
etc/apparmor.d/abi/4.0 Normal file
View File

@@ -0,0 +1,91 @@
capability {0xffffff
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
}
}
dbus {mask {acquire send receive
}
}
domain {attach_conditions {xattr {yes
}
}
change_hat {yes
}
change_hatv {yes
}
change_onexec {yes
}
change_profile {yes
}
computed_longest_left {yes
}
fix_binfmt_elf_mmap {yes
}
post_nnp_subset {yes
}
stack {yes
}
version {1.2
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
ipc {posix_mqueue {create read write open delete setattr getattr
}
}
mount {mask {mount umount pivot_root
}
}
namespaces {mask {userns_create
}
pivot_root {no
}
profile {yes
}
}
network {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
}
af_unix {yes
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
}
}
policy {outofband {0x000001
}
permstable32 {allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
}
permstable32_version {0x000002
}
set_load {yes
}
versions {v5 {yes
}
v6 {yes
}
v7 {yes
}
v8 {yes
}
v9 {yes
}
}
}
ptrace {mask {read trace
}
}
query {label {data {yes
}
multi_transaction {yes
}
perms {allow deny audit quiet
}
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}

76
etc/apparmor.d/abi/kernel-5.4-outoftree-network Normal file
View File

@@ -0,0 +1,76 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

68
etc/apparmor.d/abi/kernel-5.4-vanilla Normal file
View File

@@ -0,0 +1,68 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}

66
etc/apparmor.d/abstractions/X Normal file
View File

@@ -0,0 +1,66 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dri-common>
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
owner @{HOME}/.local/share/sddm/.Xauthority r,
owner @{run}/gdm{,3}/*/database r,
owner @{run}/lightdm/authority/[0-9]* r,
owner @{run}/lightdm/*/xauthority r,
owner @{run}/user/*/gdm/Xauthority r,
owner @{run}/user/*/X11/Xauthority r,
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
# The X tree changes and is large -- grant read access to the whole thing
/usr/X11R6/** r,
/usr/share/X11/ r,
/usr/share/X11/** r,
/usr/X11R6/**.so* mr,
# EGL
/usr/lib/@{multiarch}/egl/*.so* mr,
# Xcompose
owner @{HOME}/.XCompose r,
/var/cache/libx11/compose/* r,
deny /var/cache/libx11/compose/* wlk,
# mouse themes
/etc/X11/cursors/ r,
/etc/X11/cursors/** r,
# Xwayland
owner @{run}/user/*/.mutter-Xwaylandauth.* r,
# Include additions to the abstraction
include if exists <abstractions/X.d>

43
etc/apparmor.d/abstractions/apache2-common Normal file
View File

@@ -0,0 +1,43 @@
# vim:syntax=apparmor
# This file contains basic permissions for Apache and every vHost
abi <abi/4.0>,
include <abstractions/nameservice>
# Allow other processes to read our /proc entries
ptrace (readby),
# Allow other processes to trace us by default
ptrace (tracedby),
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=apache2,
# Allow other hats to signal by default
signal peer=apache2//*,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Apache
network inet stream,
network inet6 stream,
# apache manual, error pages and icons
/usr/share/apache2/** r,
# changehat itself
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
# htaccess files - for what ever it is worth
/**/.htaccess r,
/dev/urandom r,
# sasl-auth
@{run}/saslauthd/mux rw,
# OCSP stapling
@{run}/lock/apache2/stapling-cache* rw,
# Include additions to the abstraction
include if exists <abstractions/apache2-common.d>

13
etc/apparmor.d/abstractions/apparmor_api/change_profile Normal file
View File

@@ -0,0 +1,13 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,

14
etc/apparmor.d/abstractions/apparmor_api/examine Normal file
View File

@@ -0,0 +1,14 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
abi <abi/4.0>,
@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,

16
etc/apparmor.d/abstractions/apparmor_api/find_mountpoint Normal file
View File

@@ -0,0 +1,16 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
#permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{pids}/mounts r,

14
etc/apparmor.d/abstractions/apparmor_api/introspect Normal file
View File

@@ -0,0 +1,14 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r,

20
etc/apparmor.d/abstractions/apparmor_api/is_enabled Normal file
View File

@@ -0,0 +1,20 @@
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global
# when using this abstraction
include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
@{sys}/module/apparmor/parameters/available r,
# TODO: add alternate apparmorfs interface for enabled

18
etc/apparmor.d/abstractions/aspell Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# aspell permissions
abi <abi/4.0>,
# per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk,
# system libraries and dictionaries
/usr/lib/aspell/ r,
/usr/lib/aspell/* r,
/usr/lib/aspell/*.so m,
/usr/share/aspell/ r,
/usr/share/aspell/* r,
/var/lib/aspell/* r,
# Include additions to the abstraction
include if exists <abstractions/aspell.d>

93
etc/apparmor.d/abstractions/audio Normal file
View File

@@ -0,0 +1,93 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/dev/admmidi* rw,
/dev/adsp* rw,
/dev/aload* rw,
/dev/amidi* rw,
/dev/audio* rw,
/dev/dmfm* rw,
/dev/dmmidi* rw,
/dev/dsp* rw,
/dev/midi* rw,
/dev/mixer* rw,
/dev/mpu401data rw,
/dev/mpu401stat rw,
/dev/patmgr* rw,
/dev/phone* rw,
/dev/radio* rw,
/dev/rmidi* rw,
/dev/sequencer rw,
/dev/sequencer2 rw,
/dev/smpte* rw,
/dev/snd/* rw,
/dev/sound/* rw,
@{PROC}/asound/** rw,
/usr/share/alsa/** r,
/usr/share/sounds/ r,
/usr/share/sounds/** r,
owner @{HOME}/.esd_auth r,
/etc/asound.conf r,
owner @{HOME}/.asoundrc r,
/etc/esound/esd.conf r,
# libao
/etc/libao.conf r,
owner @{HOME}/.libao r,
# libcanberra
owner @{HOME}/.cache/event-sound-cache.* rwk,
# pulse
/etc/pulse/ r,
/etc/pulse/** r,
/dev/shm/ r,
@{run}/shm/ r,
owner /dev/shm/pulse-shm* rwk,
owner @{run}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner @{run}/user/*/pulse/ rw,
owner @{run}/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/*.conf r,
owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
# libgnome2
/etc/sound/ r,
/etc/sound/** r,
# openal
/etc/alsa/conf.d/{,*} r,
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
/usr/{,local/}share/openal/hrtf/{,**} r,
owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
# pipewire
/usr/share/pipewire/client{,-rt}.conf r,
# Include additions to the abstraction
include if exists <abstractions/audio.d>

74
etc/apparmor.d/abstractions/authentication Normal file
View File

@@ -0,0 +1,74 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd
# Copyright (C) 2019-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Some services need to perform authentication of users
# Such authentication almost certainly needs access to the local users
# databases containing passwords, PAM configuration files, PAM libraries
@{etc_ro}/nologin r,
@{etc_ro}/pam.d/* r,
@{etc_ro}/securetty r,
@{etc_ro}/security/* r,
@{etc_ro}/shadow r,
@{etc_ro}/gshadow r,
@{etc_ro}/pwdb.conf r,
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
/{usr/,}lib{,32,64}/security/pam_*.so mr,
/{usr/,}lib{,32,64}/security/ r,
/{usr/,}lib/@{multiarch}/security/pam_filter/* mr,
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
/{usr/,}lib/@{multiarch}/security/ r,
# pam_unix
owner /proc/@{pid}/loginuid r,
/{,usr/}{,s}bin/unix_chkpwd Px,
# pam_env
@{etc_ro}/environment r,
# pam_limit
@{etc_ro}/security/limits.d/ r,
@{etc_ro}/security/limits.d/*.conf r,
# gssapi
@{etc_ro}/gss/mech r,
@{etc_ro}/gss/mech.d/ r,
@{etc_ro}/gss/mech.d/*.conf r,
# kerberos
include <abstractions/kerberosclient>
# SuSE's pwdutils are different:
@{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/ r,
@{etc_ro}/login.defs.d/*.defs r,
# nis
include <abstractions/nis>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# smbpass
include <abstractions/smbpass>
# p11-kit (PKCS#11 modules configuration)
include <abstractions/p11-kit>
# Include additions to the abstraction
include if exists <abstractions/authentication.d>

182
etc/apparmor.d/abstractions/base Normal file
View File

@@ -0,0 +1,182 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/crypto>
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_rw}/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo{,-icu}/ r,
/usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
include if exists <abstractions/base.d>

49
etc/apparmor.d/abstractions/bash Normal file
View File

@@ -0,0 +1,49 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,
@{HOME}/.profile r,
@{HOME}/.bash_profile r,
@{HOME}/.bash_history rw,
# system-wide bash configuration
/etc/profile.dos r,
/etc/profile r,
/etc/profile.d/ r,
/etc/profile.d/* r,
/etc/bashrc r,
/etc/bash.bashrc r,
/etc/bash.bashrc.local r,
/etc/bash_completion r,
/etc/bash_completion.d/ r,
/etc/bash_completion.d/* r,
# bash relies on system-wide readline configuration
/etc/inputrc r,
# bash inspects filesystems at startup
/etc/mtab r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
# probably readline wants to know terminal capabilities
/usr/share/terminfo/** r,
# run out of /etc/bash.bashrc
/etc/DIR_COLORS r,
/{usr/,}bin/ls mix,
/usr/bin/dircolors mix,
# Include additions to the abstraction
include if exists <abstractions/bash.d>

27
etc/apparmor.d/abstractions/consoles Normal file
View File

@@ -0,0 +1,27 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# there are three common ways to refer to consoles
/dev/console rw,
/dev/tty rw,
# this next entry is a tad unfortunate; /dev/tty will always be
# associated with the controlling terminal by the kernel, but if a
# program uses the /dev/pts/ interface, it actually has access to
# -all- xterm, sshd, etc, terminals on the system.
/dev/pts/[0-9]* rw,
/dev/pts/ r,
# Include additions to the abstraction
include if exists <abstractions/consoles.d>

34
etc/apparmor.d/abstractions/crypto Normal file
View File

@@ -0,0 +1,34 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Global config of openssl
include <abstractions/openssl>
@{etc_ro}/gcrypt/hwf.deny r,
@{etc_ro}/gcrypt/random.conf r,
@{PROC}/sys/crypto/fips_enabled r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# crypto policies used by various libraries
/etc/crypto-policies/*/*.txt r,
/usr/share/crypto-policies/*/*.txt r,
# Global gnutls config
@{etc_ro}/gnutls/config r,
@{etc_ro}/gnutls/pkcs11.conf r,
include if exists <abstractions/crypto.d>

23
etc/apparmor.d/abstractions/cups-client Normal file
View File

@@ -0,0 +1,23 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd
@{run}/cups/cups.sock rw,
# client should be able to read user-specified cups configuration
owner @{HOME}/.cups/client.conf r,
owner @{HOME}/.cups/lpoptions r,
# Include additions to the abstraction
include if exists <abstractions/cups-client.d>

21
etc/apparmor.d/abstractions/dbus Normal file
View File

@@ -0,0 +1,21 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-strict>
dbus bus=system,
# Include additions to the abstraction
include if exists <abstractions/dbus.d>

21
etc/apparmor.d/abstractions/dbus-accessibility Normal file
View File

@@ -0,0 +1,21 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-accessibility-strict>
dbus bus=accessibility,
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility.d>

22
etc/apparmor.d/abstractions/dbus-accessibility-strict Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
dbus send
bus=accessibility
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-accessibility-strict.d>

47
etc/apparmor.d/abstractions/dbus-network-manager-strict Normal file
View File

@@ -0,0 +1,47 @@
# vim:syntax=apparmor
abi <abi/4.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member={GetDevices,ListConnections}
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
include if exists <abstractions/dbus-network-manager-strict.d>

22
etc/apparmor.d/abstractions/dbus-session Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation.
include <abstractions/dbus-session-strict>
/usr/bin/dbus-launch ix,
dbus bus=session,
# Include additions to the abstraction
include if exists <abstractions/dbus-session.d>

39
etc/apparmor.d/abstractions/dbus-session-strict Normal file
View File

@@ -0,0 +1,39 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# unique per-machine identifier
/etc/machine-id r,
/var/lib/dbus/machine-id r,
unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
# dbus with systemd and --enable-user-session
owner @{run}/user/[0-9]*/bus rw,
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
# Include additions to the abstraction
include if exists <abstractions/dbus-session-strict.d>

24
etc/apparmor.d/abstractions/dbus-strict Normal file
View File

@@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
@{run}/dbus/system_bus_socket rw,
dbus send
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
# Include additions to the abstraction
include if exists <abstractions/dbus-strict.d>

13
etc/apparmor.d/abstractions/dconf Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.
/etc/dconf/** r,
owner @{run}/user/*/dconf/user r,
owner @{HOME}/.config/dconf/user r,
# Include additions to the abstraction
include if exists <abstractions/dconf.d>

24
etc/apparmor.d/abstractions/dovecot-common Normal file
View File

@@ -0,0 +1,24 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2014 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with dovecot/*
abi <abi/4.0>,
capability setgid,
deny capability block_suspend,
# dovecot's master can send us signals
signal receive peer=dovecot,
owner @{run}/dovecot/config rw,
# Include additions to the abstraction
include if exists <abstractions/dovecot-common.d>

19
etc/apparmor.d/abstractions/dri-common Normal file
View File

@@ -0,0 +1,19 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).
/usr/lib{,32,64}/dri/** mr,
/usr/lib/@{multiarch}/dri/** mr,
/usr/lib/fglrx/dri/** mr,
/dev/dri/ r,
/dev/dri/** rw,
/etc/drirc r,
/usr/share/drirc.d/{,*.conf} r,
owner @{HOME}/.drirc r,
# Include additions to the abstraction
include if exists <abstractions/dri-common.d>

13
etc/apparmor.d/abstractions/dri-enumerate Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).
@{sys}/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
# Include additions to the abstraction
include if exists <abstractions/dri-enumerate.d>

64
etc/apparmor.d/abstractions/enchant Normal file
View File

@@ -0,0 +1,64 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r,
/usr/share/enchant-2/ r,
/usr/share/enchant-2/enchant.ordering r,
# aspell
include <abstractions/aspell>
/var/lib/dictionaries-common/aspell/ r,
/var/lib/dictionaries-common/aspell/* r,
# hspell
/usr/share/hspell/ r,
/usr/share/hspell/*.wgz.* r,
# hunspell
/usr/share/hunspell/ r,
/usr/share/hunspell/* r,
# ispell
/usr/lib/ispell/ r,
/usr/lib/ispell/*.hash r,
/usr/share/dict/ r,
/usr/share/dict/* r,
/var/lib/dictionaries-common/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/ r,
/var/lib/dictionaries-common/{ispell,wordlist}/* r,
# myspell
/usr/share/myspell/ r,
/usr/share/myspell/** r,
# voikko
/usr/lib/voikko/ r,
/usr/lib/voikko/2/ r,
/usr/lib/voikko/2/mor-standard/ r,
/usr/lib/voikko/2/mor-standard/voikko* r,
# zemberek
/usr/share/java/ r,
/usr/share/java/zemberek-[0-9]*.jar r,
/usr/share/java/zemberek-tr-[0-9]*.jar r,
# per-user dictionaries
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
# Include additions to the abstraction
include if exists <abstractions/enchant.d>

69
etc/apparmor.d/abstractions/exo-open Normal file
View File

@@ -0,0 +1,69 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accessibility access is considered as required
# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
include if exists <abstractions/exo-open.d>

18
etc/apparmor.d/abstractions/fcitx Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/fcitx-strict>
dbus bus=fcitx,
# Include additions to the abstraction
include if exists <abstractions/fcitx.d>

26
etc/apparmor.d/abstractions/fcitx-strict Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dbus-session-strict>
dbus send
bus=fcitx
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
# Include additions to the abstraction
include if exists <abstractions/fcitx-strict.d>

68
etc/apparmor.d/abstractions/fonts Normal file
View File

@@ -0,0 +1,68 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr,
/usr/share/fonts/{,**} r,
/usr/share/fonts-*/{,**} r,
/etc/fonts/** r,
# Debian, openSUSE paths are different
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
/opt/kde3/share/fonts/** r,
/usr/lib{,32,64}/openoffice/share/fonts/** r,
/var/cache/fonts/** r,
/var/cache/fontconfig/** mr,
/var/lib/defoma/** mr,
/usr/share/a2ps/fonts/** r,
/usr/share/xfce/fonts/** r,
/usr/share/ghostscript/fonts/** r,
/usr/share/javascript/*/fonts/** r,
/usr/share/texmf/{,*/}fonts/** r,
/usr/share/texlive/texmf-dist/fonts/** r,
/var/lib/ghostscript/** r,
owner @{HOME}/.fonts.conf r,
owner @{HOME}/.fonts/ r,
owner @{HOME}/.fonts/** r,
owner @{HOME}/.local/share/fonts/ r,
owner @{HOME}/.local/share/fonts/** r,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ rw,
owner @{HOME}/.{,cache/}fontconfig/** mrwkl,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
owner @{HOME}/.Fontmatrix/Activated/ r,
owner @{HOME}/.Fontmatrix/Activated/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
# poppler CMap tables
/usr/share/poppler/cMap/** r,
# data files for LibThai
/usr/share/libthai/thbrk.tri r,
# Include additions to the abstraction
include if exists <abstractions/fonts.d>

49
etc/apparmor.d/abstractions/freedesktop.org Normal file
View File

@@ -0,0 +1,49 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# system configuration
@{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/*ubuntu/applications/{**,} r,
@{system_share_dirs}/gnome/applications/{**,} r,
@{system_share_dirs}/xfce4/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r,
@{system_share_dirs}/pixmaps/{**,} r,
# communitheme snap
/snap/communitheme/*/share/icons/ r,
/snap/communitheme/*/share/icons/** r,
# mimeinfo and desktop files for snaps
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/{,*.desktop} r,
# this should probably go elsewhere
@{system_share_dirs}/mime/** r,
@{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
/etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r,
# per-user configurations
owner @{HOME}/.icons/{,**} r,
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
owner @{HOME}/.config/mimeapps.list r,
owner @{user_share_dirs}/applications/{**,} r,
owner @{user_share_dirs}/icons/{**,} r,
owner @{user_share_dirs}/mime/{**,} r,
# Include additions to the abstraction
include if exists <abstractions/freedesktop.org.d>

59
etc/apparmor.d/abstractions/gio-open Normal file
View File

@@ -0,0 +1,59 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>

121
etc/apparmor.d/abstractions/gnome Normal file
View File

@@ -0,0 +1,121 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
/usr/lib{,32,64}/gtk-[0-9]*/** mr,
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
# communitheme snap
/snap/communitheme/*/share/themes/ r,
/snap/communitheme/*/share/themes/** r,
# for gnome 1 applications
/etc/orbitrc r,
# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/ w,
owner @{HOME}/.config/gtk-3.0/* r,
owner @{HOME}/.gnome/Gnome r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,
owner @{user_share_dirs}/themes/ r,
owner @{user_share_dirs}/themes/** r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ w,
owner @{HOME}/.config/gtk-2.0/** r,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# from evolution-mail
owner @{HOME}/.gconfd/lock/* r,
owner @{HOME}/.gnome/application-info r,
# per-user font business
owner @{HOME}/.fonts.cache-* rwl,
# GtkComposeTable
owner @{HOME}/.cache/gtk-3.0/** r,
# icon caches
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,
# GLib schemas
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
/usr/{local/,}share/glib-[0-9]*/schemas/** r,
# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner @{run}/gdm/auth*/database r,
# mime-types
/etc/gnome/defaults.list r,
/etc/xdg/{,*-}mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
unix (send, receive, connect)
type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>

16
etc/apparmor.d/abstractions/gnupg Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
# gnupg sub-process running permissions
abi <abi/4.0>,
# user configurations
owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r,
owner @{HOME}/.gnupg/pubring.kbx r,
owner @{HOME}/.gnupg/random_seed rw,
owner @{HOME}/.gnupg/secring.gpg r,
owner @{HOME}/.gnupg/so/*.x86_64 mr,
owner @{HOME}/.gnupg/trustdb.gpg rw,
# Include additions to the abstraction
include if exists <abstractions/gnupg.d>

67
etc/apparmor.d/abstractions/groff Normal file
View File

@@ -0,0 +1,67 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
# Copyright (C) 2023 SUSE LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note: executing groff and nroff themself is not included in this abstraction
# so that you can choose to ix, Px or Cx them in your profile
# groff/nroff helpers, preprocessors, and postprocessors
/usr/bin/addftinfo mrix,
/usr/bin/afmtodit mrix,
/usr/bin/chem mrix,
/usr/bin/eqn mrix,
/usr/bin/eqn2graph mrix,
/usr/bin/gdiffmk mrix,
/usr/bin/geqn mrix,
/usr/bin/grap2graph mrix,
/usr/bin/grn mrix,
/usr/bin/grodvi mrix,
/usr/bin/groffer mrix,
/usr/bin/grog mrix,
/usr/bin/grolbp mrix,
/usr/bin/grolj4 mrix,
/usr/bin/gropdf mrix,
/usr/bin/grops mrix,
/usr/bin/grotty mrix,
/usr/bin/gtbl mrix,
/usr/bin/hpftodit mrix,
/usr/bin/indxbib mrix,
/usr/bin/lkbib mrix,
/usr/bin/lookbib mrix,
/usr/bin/mmroff mrix,
/usr/bin/neqn mrix,
/usr/bin/pdfmom mrix,
/usr/bin/pdfroff mrix,
/usr/bin/pfbtops mrix,
/usr/bin/pic mrix,
/usr/bin/pic2graph mrix,
/usr/bin/post-grohtml mrix,
/usr/bin/pre-grohtml mrix,
/usr/bin/preconv mrix,
/usr/bin/refer mrix,
/usr/bin/roff2dvi mrix,
/usr/bin/roff2html mrix,
/usr/bin/roff2pdf mrix,
/usr/bin/roff2ps mrix,
/usr/bin/roff2text mrix,
/usr/bin/roff2x mrix,
/usr/bin/soelim mrix,
/usr/bin/tbl mrix,
/usr/bin/tfmtodit mrix,
/usr/bin/troff mrix,
/usr/bin/xtotroff mrix,
# at least its macros and fonts
/usr/libexec/groff/** r,
/usr/share/groff/** r,
# Include additions to the abstraction
include if exists <abstractions/groff.d>

58
etc/apparmor.d/abstractions/gtk Normal file
View File

@@ -0,0 +1,58 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/share/themes/{,**} r,
/usr/share/gtksourceview-[0-9]*/{,**} r,
/usr/share/gtk-2.0/ r,
/usr/share/gtk-2.0/gtkrc r,
/usr/share/gtk-{3,4}.0/ r,
/usr/share/gtk-{3,4}.0/settings.ini r,
/etc/gtk-2.0/ r,
/etc/gtk-2.0/gtkrc r,
/etc/gtk-{3,4}.0/ r,
/etc/gtk-{3,4}.0/*.conf r,
/etc/gtk-{3,4}.0/settings.ini r,
/etc/gtk/gtkrc r,
owner @{HOME}/.themes/{,**} r,
owner @{HOME}/.local/share/themes/{,**} r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.config/gtkrc r,
owner @{HOME}/.config/gtkrc-2.0 r,
owner @{HOME}/.config/gtk-{3,4}.0/ rw,
owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
owner @{HOME}/.config/gtk-{3,4}.0/colors.css r,
owner @{HOME}/.config/gtk-{3,4}.0/servers r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ rw,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# .Xauthority file required for X connections
owner @{HOME}/.Xauthority r,
# Xsession errors file
owner @{HOME}/.xsession-errors w,
# Include additions to the abstraction
include if exists <abstractions/gtk.d>

47
etc/apparmor.d/abstractions/gvfs-open Normal file
View File

@@ -0,0 +1,47 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
# Include additions to the abstraction
include if exists <abstractions/gvfs-open.d>

17
etc/apparmor.d/abstractions/hosts_access Normal file
View File

@@ -0,0 +1,17 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/hosts.deny r,
/etc/hosts.allow r,
include if exists <abstractions/hosts_access.d>

29
etc/apparmor.d/abstractions/ibus Normal file
View File

@@ -0,0 +1,29 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
# type=stream
# peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-*"),
# Include additions to the abstraction
include if exists <abstractions/ibus.d>

88
etc/apparmor.d/abstractions/kde Normal file
View File

@@ -0,0 +1,88 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/qt5>
/etc/qt3/kstylerc r,
/etc/qt3/qt_plugins_3.3rc r,
/etc/qt3/qtrc r,
/etc/kderc r,
/etc/kde3/* r,
/etc/kde4rc r,
/etc/xdg/kdeglobals r,
/etc/xdg/Trolltech.conf r,
/usr/share/desktop-base/kf5-settings/baloofilerc r,
/usr/share/desktop-base/kf5-settings/kdeglobals r,
/usr/share/desktop-base/kf5-settings/kscreenlockerrc r,
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
/usr/share/kubuntu-default-settings/kf5-settings/* r,
owner @{HOME}/.DCOPserver_* r,
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.fonts.* lrw,
owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
owner @{HOME}/.qt/** rw,
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,
# kde3
/usr/lib*/kde3/plugins/styles/ r,
/usr/lib*/kde3/plugins/styles/* mr,
/usr/lib*/kde3/lib*so* mr,
/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
/usr/lib/@{multiarch}/kde3/lib*so* mr,
/usr/lib*/qt3/lib*/lib*so* mr,
/usr/lib*/qt3/plugins/** mr,
/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt3/plugins/** mr,
/usr/lib*/libqt-mt*so* mr,
/usr/lib*/libqui*so* mr,
/usr/lib/@{multiarch}/libqt-mt*so* mr,
/usr/lib/@{multiarch}/libqui*so* mr,
/usr/share/qt3/lib*/libqt-mt*so* mr,
/usr/share/qt3/lib*/libqui*so* mr,
# kde4
/usr/lib*/kde4/plugins/*/*.so mr,
/usr/lib*/kde4/plugins/*/ r,
/usr/lib*/kde4/lib*so* mr,
/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
/usr/lib/@{multiarch}/kde4/plugins/*/ r,
/usr/lib/@{multiarch}/kde4/lib*so* mr,
/usr/lib*/qt4/lib*/lib*so* mr,
/usr/lib*/qt4/plugins/** mr,
/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
/usr/lib/@{multiarch}/qt4/plugins/** mr,
/usr/share/qt4/** r,
# Include additions to the abstraction
include if exists <abstractions/kde.d>

15
etc/apparmor.d/abstractions/kde-globals-write Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other).
abi <abi/4.0>,
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-globals-write.d>

12
etc/apparmor.d/abstractions/kde-icon-cache-write Normal file
View File

@@ -0,0 +1,12 @@
# vim:syntax=apparmor
# Rules for writing KDE icon cache
abi <abi/4.0>,
# User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Include additions to the abstraction
include if exists <abstractions/kde-icon-cache-write.d>

18
etc/apparmor.d/abstractions/kde-language-write Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file.
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/klanguageoverridesrc rw,
owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/kde-language-write.d>

105
etc/apparmor.d/abstractions/kde-open5 Normal file
View File

@@ -0,0 +1,105 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accessibility access is considered as required
# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>

44
etc/apparmor.d/abstractions/kerberosclient Normal file
View File

@@ -0,0 +1,44 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
/usr/lib{,32,64}/krb5/plugins/authdata/ r,
/usr/lib{,32,64}/krb5/plugins/authdata/* mr,
/usr/lib/@{multiarch}/krb5/plugins/authdata/ r,
/usr/lib/@{multiarch}/krb5/plugins/authdata/* mr,
/etc/krb5.keytab rk,
/etc/krb5.conf r,
/etc/krb5.conf.d/ r,
/etc/krb5.conf.d/* r,
# config files found via strings on libs
/etc/krb.conf r,
/etc/krb.realms r,
/etc/srvtab r,
# credential caches
/tmp/krb5cc* r,
# Include additions to the abstraction
include if exists <abstractions/kerberosclient.d>

29
etc/apparmor.d/abstractions/ldapclient Normal file
View File

@@ -0,0 +1,29 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r,
/etc/ldap.secret r,
/etc/openldap/* r,
/etc/openldap/cacerts/* r,
# SASL plugins and config
/etc/sasl2/* r,
/usr/lib{,32,64}/sasl2/* r,
# local LDAP name service daemon
@{run}/nslcd/socket rw,
include <abstractions/ssl_certs>
# Include additions to the abstraction
include if exists <abstractions/ldapclient.d>

24
etc/apparmor.d/abstractions/libpam-systemd Normal file
View File

@@ -0,0 +1,24 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015-2016 Simon Deziel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
dbus send
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession},
# Include additions to the abstraction
include if exists <abstractions/libpam-systemd.d>

18
etc/apparmor.d/abstractions/likewise Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
# Include additions to the abstraction
include if exists <abstractions/likewise.d>

19
etc/apparmor.d/abstractions/mdns Normal file
View File

@@ -0,0 +1,19 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# mdnsd
/etc/mdns.allow r,
/etc/nss_mdns.conf r,
@{run}/mdnsd w,
# Include additions to the abstraction
include if exists <abstractions/mdns.d>

31
etc/apparmor.d/abstractions/mesa Normal file
View File

@@ -0,0 +1,31 @@
# vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API
abi <abi/4.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
# Needed to check if the kernel supports the i915 perf interface
# (src/intel/perf/gen_perf.c, load_oa_metrics())
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
@{sys}/devices/@{pci_bus}/**/{revision,config} r,
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Fallback location when @{HOME}/.cache is not available
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>

22
etc/apparmor.d/abstractions/mir Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# mir libraries sometimes do not have a lib prefix
# see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr,
/usr/lib/@{multiarch}/mir/**/*.so* mr,
# unprivileged mir socket for clients
# Include additions to the abstraction
include if exists <abstractions/mir.d>

17
etc/apparmor.d/abstractions/mozc Normal file
View File

@@ -0,0 +1,17 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction
include if exists <abstractions/mozc.d>

20
etc/apparmor.d/abstractions/mysql Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,
# Include additions to the abstraction
include if exists <abstractions/mysql.d>

141
etc/apparmor.d/abstractions/nameservice Normal file
View File

@@ -0,0 +1,141 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/gai.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
# On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
@{etc_ro}/authselect/nsswitch.conf r,
# libtirpc (used for NIS/YP login) needs this
@{etc_ro}/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/initgroups r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
@{etc_ro}/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
@{etc_ro}/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
/mnt/wsl/resolv.conf r,
@{etc_ro}/samba/lmhosts r,
@{etc_ro}/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
@{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
@{etc_ro}/default/nss r,
# avahi-daemon is used for mdns4 resolution
@{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
@{etc_ro}/libnl-*/classid r,
# nis
include <abstractions/nis>
# ldap
include <abstractions/ldapclient>
# winbind
include <abstractions/winbind>
# likewise
include <abstractions/likewise>
# mdnsd
include <abstractions/mdns>
# kerberos
include <abstractions/kerberosclient>
#libnss-systemd
include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# resolve
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
bus=system
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager"
member="Resolve{Address,Hostname,Record,Service}"
peer=(name="org.freedesktop.resolve1"),
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
# interface details
@{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
include if exists <abstractions/nameservice.d>

20
etc/apparmor.d/abstractions/nis Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service,
# Include additions to the abstraction
include if exists <abstractions/nis.d>

31
etc/apparmor.d/abstractions/nss-systemd Normal file
View File

@@ -0,0 +1,31 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{PROC}/sys/kernel/random/boot_id r,
include if exists <abstractions/nss-systemd.d>

40
etc/apparmor.d/abstractions/nvidia Normal file
View File

@@ -0,0 +1,40 @@
# vim:syntax=apparmor
# nvidia access requirements
abi <abi/4.0>,
# configuration queries
capability ipc_lock,
/etc/nvidia/nvidia-application-profiles* r,
/usr/share/nvidia/nvidia-application-profiles* r,
# libvdpau config file for nvidia workarounds
/etc/vdpau_wrapper.cfg r,
# device files
/dev/nvidiactl rw,
/dev/nvidia-modeset rw,
/dev/nvidia[0-9]* rw,
@{PROC}/interrupts r,
@{PROC}/sys/vm/max_map_count r,
@{PROC}/driver/nvidia/params r,
@{PROC}/modules r,
@{sys}/devices/system/memory/block_size_bytes r,
owner @{HOME}/.cache/nvidia/ w,
owner @{HOME}/.cache/nvidia/GLCache/ rw,
owner @{HOME}/.cache/nvidia/GLCache/** rwk,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
owner @{HOME}/.nv/GLCache/** rwk,
owner @{HOME}/.nv/nvidia-application-profiles* r,
owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
# Include additions to the abstraction
include if exists <abstractions/nvidia.d>

15
etc/apparmor.d/abstractions/opencl Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements
# TODO: use conditionals to select allowed implementations
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/opencl-pocl>
# Include additions to the abstraction
include if exists <abstractions/opencl.d>

16
etc/apparmor.d/abstractions/opencl-common Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# implementation-independent OpenCL access requirements
# System files
/etc/OpenCL/** r,
@{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
@{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
@{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
# Include additions to the abstraction
include if exists <abstractions/opencl-common.d>

23
etc/apparmor.d/abstractions/opencl-intel Normal file
View File

@@ -0,0 +1,23 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for Intel implementation
include <abstractions/opencl-common>
# for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
include <abstractions/X>
# for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
include <abstractions/dri-enumerate>
# System files
/dev/dri/card[0-9]* rw, # beignet/libcl.so
@{sys}/devices/@{pci_bus}/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
/usr/lib/@{multiarch}/beignet/** r,
# Include additions to the abstraction
include if exists <abstractions/opencl-intel.d>

26
etc/apparmor.d/abstractions/opencl-mesa Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for Mesa implementation
include <abstractions/opencl-common>
# Additional libraries
/usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
/usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
# System files
/dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
/dev/dri/render* rw, # libMesaOpenCL.so
/etc/drirc r, # libMesaOpenCL.so
# User files
owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
# Include additions to the abstraction
include if exists <abstractions/opencl-mesa.d>

36
etc/apparmor.d/abstractions/opencl-nvidia Normal file
View File

@@ -0,0 +1,36 @@
# vim:syntax=apparmor
abi <abi/4.0>,
# OpenCL access requirements for NVIDIA implementation
include <abstractions/nvidia>
include <abstractions/opencl-common>
# Executables
# https://github.com/NVIDIA/nvidia-modprobe
# This setuid executable is used to create various device files and load the
# the nvidia kernel module.
/usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
# System files
# libnvidia-opencl.so rules:
/dev/nvidia-uvm rw,
/dev/nvidia-uvm-tools rw,
@{sys}/devices/@{pci_bus}/**/config r,
@{sys}/devices/system/memory/block_size_bytes r,
/usr/share/nvidia/** r,
@{PROC}/devices r,
@{PROC}/sys/vm/mmap_min_addr r,
# User files
owner @{HOME}/.nv/ComputeCache/ w,
owner @{HOME}/.nv/ComputeCache/** rw,
owner @{HOME}/.nv/ComputeCache/index rwk,
# Include additions to the abstraction
include if exists <abstractions/opencl-nvidia.d>

81
etc/apparmor.d/abstractions/opencl-pocl Normal file
View File

@@ -0,0 +1,81 @@
# vim:syntax=apparmor
# OpenCL access requirements for POCL implementation
abi <abi/4.0>,
include <abstractions/opencl-common>
# Executables
/usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
# System files
/ r, # libpocl.so -> libhwloc.so
@{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
@{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
@{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
@{sys}/devices/@{pci_bus}/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
@{sys}/devices/@{pci_bus}/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
@{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
@{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
@{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
@{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
@{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
@{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
@{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
/usr/share/pocl/** r,
@{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
# User files
owner @{HOME}/.cache/pocl/ w,
owner @{HOME}/.cache/pocl/kcache/ w,
owner @{HOME}/.cache/pocl/kcache/** rw,
owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
# Child profiles
profile opencl_pocl_ld {
include <abstractions/base>
# Main executables
/usr/bin/{,@{multiarch}-}ld.bfd mr,
# User files
owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
owner @{HOME}/.cache/pocl/kcache/**.so.o r,
}
profile opencl_pocl_clang {
include <abstractions/base>
# Main executables
/usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
# Additional executables
/usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
# System files
/etc/debian-version r,
/etc/lsb-release r,
# User files
owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
}
# Include additions to the abstraction
include if exists <abstractions/opencl-pocl.d>

20
etc/apparmor.d/abstractions/openssl Normal file
View File

@@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
/etc/ssl/{engdef*,engines*}.d/ r,
/etc/ssl/{engdef*,engines*}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,
# Include additions to the abstraction
include if exists <abstractions/openssl.d>

10
etc/apparmor.d/abstractions/orbit2 Normal file
View File

@@ -0,0 +1,10 @@
# vim:syntax=apparmor
# orbit2 permissions
abi <abi/4.0>,
# system library
/usr/lib/orbit-2.0/*.so mr,
# Include additions to the abstraction
include if exists <abstractions/orbit2.d>

32
etc/apparmor.d/abstractions/p11-kit Normal file
View File

@@ -0,0 +1,32 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/pkcs11/ r,
/etc/pkcs11/pkcs11.conf r,
/etc/pkcs11/modules/ r,
/etc/pkcs11/modules/* r,
/usr/lib{,32,64}/pkcs11/*.so mr,
/usr/lib/@{multiarch}/pkcs11/*.so mr,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
# gnome-keyring pkcs11 module
owner @{run}/user/[0-9]*/keyring*/pkcs11 rw,
# p11-kit also supports reading user configuration from ~/.pkcs11 depending
# on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
# included in this abstraction.
# Include additions to the abstraction
include if exists <abstractions/p11-kit.d>

28
etc/apparmor.d/abstractions/perl Normal file
View File

@@ -0,0 +1,28 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# a few files typically required for perl scripts
/usr/bin/perl rmix,
/usr/bin/perl[0-9].[0-9].[0-9] rmix,
/usr/lib{,32,64}/perl5/** r,
/usr/lib{,32,64}/perl{,5}/**.so* mr,
/usr/lib/@{multiarch}/perl{,5,-base}/** r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
/usr/share/perl/** r,
/usr/share/perl5/** r,
/etc/perl/** r,
# Include additions to the abstraction
include if exists <abstractions/perl.d>

43
etc/apparmor.d/abstractions/php Normal file
View File

@@ -0,0 +1,43 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# shared snippets for config files
/etc/php{,5,7,8}/** r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
# php extensions
/usr/lib{64,}/php{,5,7,8}/*/*.so mr,
# ICU (unicode support) data tables
/usr/share/icu/*/*.dat r,
# php session mmap socket
/var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
/var/lib/php{,5,7,8}/sess_* rwlk,
/var/lib/php{,5,7,8}/sessions/* rwlk,
# php libraries
/usr/share/php{,5,7,8}/ r,
/usr/share/php{,5,7,8}/** mr,
# MySQL extension
/usr/share/mysql/** r,
# Zend opcache
/tmp/.ZendSem.* rwlk,
# Include additions to the abstraction
include if exists <abstractions/php.d>

22
etc/apparmor.d/abstractions/php-worker Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
# This file contains basic permissions for php-fpm workers
abi <abi/4.0>,
# load common libraries and their support files
include <abstractions/base>
# common php files and support files that php needs
include <abstractions/php>
signal (receive) peer=php-fpm,
# This is some php opcaching file
/tmp/.ZendSem.* rwk,
# I think this is adaptive memory management
/sys/devices/system/node/* r,
/sys/devices/system/node/*/meminfo r,
/sys/devices/system/node/ r,
include if exists <abstractions/php-worker.d>

8
etc/apparmor.d/abstractions/php5 Normal file
View File

@@ -0,0 +1,8 @@
#backwards compatibility include, actual abstraction moved from php5 to php
abi <abi/4.0>,
include <abstractions/php>
# Include additions to the abstraction
include if exists <abstractions/php5.d>

45
etc/apparmor.d/abstractions/postfix-common Normal file
View File

@@ -0,0 +1,45 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015-2018 Canonical, Ltd.
# Copyright (C) 2020-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# used with postfix/*
abi <abi/4.0>,
capability setuid,
capability setgid,
capability sys_chroot,
# postfix's master can send us signals
signal receive peer=postfix-master,
unix (send, receive) peer=(label=postfix-master),
/etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db rk,
/etc/postfix/*.lmdb rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,
/usr/lib{,32,64}/sasl2/ r,
/usr/lib/@{multiarch}/sasl2/* mr,
/usr/lib/@{multiarch}/sasl2/ r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/var/spool/postfix/etc/* r,
/var/spool/postfix/lib/lib*.so* mr,
/var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
/etc/postfix/dynamicmaps.cf.d/ r,
# Include additions to the abstraction
include if exists <abstractions/postfix-common.d>

52
etc/apparmor.d/abstractions/private-files Normal file
View File

@@ -0,0 +1,52 @@
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access
abi <abi/4.0>,
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*.bak mrwkl,
# special attention to (potentially) executable files
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/autostart/{,**} wl,
audit deny @{HOME}/.config/upstart/{,**} wl,
audit deny @{HOME}/.init/{,**} wl,
audit deny @{HOME}/.kde{,4}/ w,
audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
audit deny @{HOME}/.kde{,4}/env/{,**} wl,
audit deny @{HOME}/.local/{,share/} w,
audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
audit deny @{HOME}/.pki/ w,
audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
audit deny @{HOME}/.*rc wl,
# bash
deny @{HOME}/.bash* mrk,
audit deny @{HOME}/.bash* wl,
deny @{HOME}/.inputrc mrk,
audit deny @{HOME}/.inputrc wl,
# sh/dash/csh/tcsh/pdksh/zsh
deny @{HOME}/.{,z}profile* mrk,
audit deny @{HOME}/.{,z}profile* wl,
deny @{HOME}/.{,z}log{in,out} mrk,
audit deny @{HOME}/.{,z}log{in,out} wl,
deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl,
# Include additions to the abstraction
include if exists <abstractions/private-files.d>

30
etc/apparmor.d/abstractions/private-files-strict Normal file
View File

@@ -0,0 +1,30 @@
# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access
abi <abi/4.0>,
include <abstractions/private-files>
# potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl,
audit deny @{HOME}/.gnupg/{,**} mrwkl,
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny @{run}/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
audit deny @{HOME}/.evolution/{,**} mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>

49
etc/apparmor.d/abstractions/python Normal file
View File

@@ -0,0 +1,49 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/{usr/,}bin/ r,
/{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
/usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
# Include additions to the abstraction
include if exists <abstractions/python.d>

27
etc/apparmor.d/abstractions/qt5 Normal file
View File

@@ -0,0 +1,27 @@
# vim:syntax=apparmor
# Common rules for Qt5-based applications
abi <abi/4.0>,
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
# User files
owner @{HOME}/.config/QtProject/qtlogging.ini r,
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# Include additions to the abstraction
include if exists <abstractions/qt5.d>

13
etc/apparmor.d/abstractions/qt5-compose-cache-write Normal file
View File

@@ -0,0 +1,13 @@
# vim:syntax=apparmor
# Allow writing cache for Qt5 "platforminputcontexts" plugins
abi <abi/4.0>,
# User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Include additions to the abstraction
include if exists <abstractions/qt5-compose-cache-write.d>

16
etc/apparmor.d/abstractions/qt5-settings-write Normal file
View File

@@ -0,0 +1,16 @@
# vim:syntax=apparmor
# Allow writing shared settings for Qt-based applications
abi <abi/4.0>,
# User files
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/qt5-settings-write.d>

15
etc/apparmor.d/abstractions/recent-documents-write Normal file
View File

@@ -0,0 +1,15 @@
# vim:syntax=apparmor
# Allow updating recent documents
abi <abi/4.0>,
# User files
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# Include additions to the abstraction
include if exists <abstractions/recent-documents-write.d>

26
etc/apparmor.d/abstractions/ruby Normal file
View File

@@ -0,0 +1,26 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,
/usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/ r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/**.rb r,
/usr/{,local/}lib{,32,64}/ruby/{site,vendor}_ruby/1.[89]{.[0-9],}/*-linux/**.so mr,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r,
/usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r,
# Include additions to the abstraction
include if exists <abstractions/ruby.d>

42
etc/apparmor.d/abstractions/samba Normal file
View File

@@ -0,0 +1,42 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/samba/* r,
/etc/gnutls/config r,
/usr/lib*/ldb/*.so mr,
/usr/lib*/ldb2/*.so mr,
/usr/lib*/ldb2/modules/ldb/*.so mr,
/usr/lib*/samba/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
/var/cache/samba/lck/* rwk,
/var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/* rw,
@{run}/{,lock/}samba/ w,
@{run}/{,lock/}samba/*.tdb rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
/var/cache/samba/*.tdb rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
# required for clustering
/var/lib/ctdb/** rwk,
deny capability net_admin, # noisy setsockopt() calls from systemd
# Include additions to the abstraction
include if exists <abstractions/samba.d>

30
etc/apparmor.d/abstractions/samba-rpcd Normal file
View File

@@ -0,0 +1,30 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2022 SUSE LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# This file contains basic permissions for samba rpcd_xyz services
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/samba>
capability setgid,
capability setuid,
signal receive set=term peer=smbd,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/samba-rpcd.d>

18
etc/apparmor.d/abstractions/smbpass Normal file
View File

@@ -0,0 +1,18 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# libpam-smbpass/pam_smbpass.so permissions
/var/lib/samba/*.[lt]db rwk,
# Include additions to the abstraction
include if exists <abstractions/smbpass.d>

39
etc/apparmor.d/abstractions/snap_browsers Normal file
View File

@@ -0,0 +1,39 @@
profile snap_browsers {
include if exists <abstractions/snap_browsers.d>
include <abstractions/base>
include <abstractions/dbus-session-strict>
/etc/passwd r,
/etc/nsswitch.conf r,
/etc/fstab r,
# noisy
deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
/var/lib/snapd/system-key r,
/run/snapd.socket rw,
@{PROC}/version r,
@{PROC}/cmdline r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{HOME}/.snap/auth.json r, # if exists, required
dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
/sys/kernel/security/apparmor/features/ r,
# allow launching official browser snaps.
/snap/{brave,chromium,firefox,opera}/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{brave,chromium,firefox,opera}.json r,
/var/lib/snapd/inhibit/{brave,chromium,firefox,opera}.lock rk,
}

46
etc/apparmor.d/abstractions/ssl_certs Normal file
View File

@@ -0,0 +1,46 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/ca-certificates/{,**} r,
/etc/{,libre}ssl/ r,
/etc/{,libre}ssl/cert.pem r,
/etc/{,libre}ssl/certs/{,**} r,
/{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
/{etc,usr/share}/pki/trust/{,*} r,
/{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
/usr/share/ca-certificates/{,**} r,
/usr/share/ssl/certs/ca-bundle.crt r,
/usr/local/share/ca-certificates/{,**} r,
/var/lib/ca-certificates/{,**} r,
# acmetool
/var/lib/acme/certs/*/chain r,
/var/lib/acme/certs/*/cert r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
/{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
# certbot
/etc/letsencrypt/archive/*/cert*.pem r,
/etc/letsencrypt/archive/*/chain*.pem r,
/etc/letsencrypt/archive/*/fullchain*.pem r,
/etc/certbot/archive/*/cert*.pem r,
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>

35
etc/apparmor.d/abstractions/ssl_keys Normal file
View File

@@ -0,0 +1,35 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# private ssl permissions
# Just include the whole /etc/ssl directory if we should have access to
# private keys too
/etc/ssl/ r,
/etc/ssl/** r,
# acmetool
/var/lib/acme/live/* r,
/var/lib/acme/certs/** r,
/var/lib/acme/keys/** r,
# dehydrated
/{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
# certbot / letsencrypt
/etc/letsencrypt/archive/*/privkey*.pem r,
/etc/certbot/archive/*/privkey*.pem r,
# Include additions to the abstraction
include if exists <abstractions/ssl_keys.d>

57
etc/apparmor.d/abstractions/svn-repositories Normal file
View File

@@ -0,0 +1,57 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# This little snippet should abstract the read/write access to a repository.
# it is intended to be included in profiles for svnserve/apache2 and maybe
# some repository viewers like trac/viewvc
# no hooks exec by default; please define whatever you need explicitly.
/srv/svn/**/conf/* r,
/srv/svn/**/format r,
/srv/svn/**/db/fs-type r,
/srv/svn/**/db/format r,
# FSFS
/srv/svn/**/db/ r,
/srv/svn/**/db/uuid r,
/srv/svn/**/db/write-lock rwl,
/srv/svn/**/db/current rwl,
/srv/svn/**/db/current*.tmp rwl,
/srv/svn/**/db/revs/ r,
/srv/svn/**/db/revs/* rw,
/srv/svn/**/db/revprops/ r,
/srv/svn/**/db/revprops/* rw,
/srv/svn/**/db/transactions/** rw,
# BDB
/srv/svn/**/db/DB_CONFIG r,
/srv/svn/**/db/__db.[0-9]* rwl,
/srv/svn/**/db/log.[0-9]* rwl,
/srv/svn/**/db/nodes rwl,
/srv/svn/**/db/revisions rwl,
/srv/svn/**/db/transactions rwl,
/srv/svn/**/db/copies rwl,
/srv/svn/**/db/changes rwl,
/srv/svn/**/db/representations rwl,
/srv/svn/**/db/strings rwl,
/srv/svn/**/db/uuids rwl,
/srv/svn/**/db/locks rwl,
/srv/svn/**/db/lock-tokens rwl,
# temp files
/tmp/apr* rwl,
/var/tmp/apr* rwl,
/tmp/report*.tmp rwl,
# Include additions to the abstraction
include if exists <abstractions/svn-repositories.d>

153
etc/apparmor.d/abstractions/transmission-common Normal file
View File

@@ -0,0 +1,153 @@
# vim:syntax=apparmor
# LOGPROF-SUGGEST: no
# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network netlink dgram,
network inet stream,
network inet6 stream,
dbus (bind)
bus=session
name=com.transmissionbt.Transmission,
dbus (bind)
bus=session
name=com.transmissionbt.transmission_*,
dbus (receive)
bus=session
path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Notify,
dbus (send)
bus=session
path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member=Change
peer=(name=ca.desrt.dconf),
dbus (receive)
bus=accessibility
path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set,
dbus (send)
bus=accessibility
path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus=accessibility
path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry
member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus=accessibility
path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController
member={GetDeviceEventListeners,GetKeystrokeListeners}
peer=(name=org.a11y.atspi.Registry),
dbus (send)
bus={accessibility,session}
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Introspectable
path=/StatusNotifierWatcher
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/StatusNotifierWatcher
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send)
bus=session
interface=org.freedesktop.DBus.Properties
path=/org/a11y/bus
member=Get
peer=(name=org.a11y.Bus),
dbus (send)
bus=system
interface=org.freedesktop.DBus.Properties
path=/org/freedesktop/hostname1
member=GetAll,
dbus (send)
bus=session
interface=org.freedesktop.Notifications
path=/org/freedesktop/Notifications
member={GetCapabilities,Notify},
dbus (send)
bus=session
path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List},
dbus (send)
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member={GetConnection,ListMonitorImplementations},
dbus (send)
bus=session
path=/org/gtk/vfs/mount/[1-9]*
interface=org.gtk.vfs.Mount
member={CreateFileMonitor,Enumerate,QueryInfo},
dbus (receive)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted,
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member={ListMountableInfo,ListMounts2,LookupMount},
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
@{etc_ro}/fstab r,
@{system_share_dirs}/hwdata/** r,
@{system_share_dirs}/lxqt/** r,
owner /tmp/tr_session_id_* rwk,
# allow a top-level directory listing
@{HOME}/ r,
owner @{HOME}/.cache/transmission/ w,
owner @{HOME}/.cache/transmission/** rw,
owner @{HOME}/.config/transmission/ w,
owner @{HOME}/.config/transmission/** rw,
owner @{HOME}/.config/lxqt/lxqt.conf r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rw,
# exclude these for now
deny /usr/share/thumbnailers/ r,
deny @{HOME}/.local/share/gvfs-metadata/** r,
deny @{HOME}/.config/lxqt/** rw,
include if exists <abstractions/transmission-common.d>

75
etc/apparmor.d/abstractions/trash Normal file
View File

@@ -0,0 +1,75 @@
abi <abi/4.0>,
# requires <tunables/home>
owner @{HOME}/.config/trashrc rw,
owner @{HOME}/.config/trashrc.lock rwk,
owner @{HOME}/.config/#[0-9]*[0-9] rwk,
owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
# Home trash location
owner @{HOME}/.local/share/Trash/ rw,
owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
owner @{HOME}/.local/share/Trash/files/{,**} rw,
owner @{HOME}/.local/share/Trash/info/ rw,
owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
owner @{HOME}/.local/share/Trash/expunged/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]*/ rw,
owner @{HOME}/.local/share/Trash/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/.Trash/ rw,
owner /media/*/.Trash/@{uid}/ rw,
owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9],
owner /media/*/.Trash/@{uid}/files/{,**} rw,
owner /media/*/.Trash/@{uid}/info/ rw,
owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash/@{uid}/expunged/ rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
# Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/.Trash-@{uid}/ rw,
owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9],
owner /media/*/.Trash-@{uid}/files/{,**} rw,
owner /media/*/.Trash-@{uid}/info/ rw,
owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/.Trash-@{uid}/expunged/ rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
owner /media/*/*/.Trash/ rw,
owner /media/*/*/.Trash/@{uid}/ rw,
owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9],
owner /media/*/*/.Trash/@{uid}/files/{,**} rw,
owner /media/*/*/.Trash/@{uid}/info/ rw,
owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/*/.Trash/@{uid}/expunged/ rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
# Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
owner /media/*/*/.Trash-@{uid}/ rw,
owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9],
owner /media/*/*/.Trash-@{uid}/files/{,**} rw,
owner /media/*/*/.Trash-@{uid}/info/ rw,
owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
owner /media/*/*/.Trash-@{uid}/expunged/ rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
include if exists <abstractions/trash.d>

22
etc/apparmor.d/abstractions/ubuntu-bittorrent-clients Normal file
View File

@@ -0,0 +1,22 @@
# vim:syntax=apparmor
#
# abstraction for allowing graphical bittorrent clients in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
/usr/bin/azureus Cxr -> sanitized_helper,
/usr/bin/bitstormlite Cxr -> sanitized_helper,
/usr/bin/btmaketorrentgui Cxr -> sanitized_helper,
/usr/bin/deluge{,-gtk,-console} Cxr -> sanitized_helper,
/usr/bin/gnome-btdownload Cxr -> sanitized_helper,
/usr/bin/kget Cxr -> sanitized_helper,
/usr/bin/ktorrent Cxr -> sanitized_helper,
/usr/bin/qbittorrent Cxr -> sanitized_helper,
/usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
# Include additions to the abstraction
include if exists <abstractions/ubuntu-bittorrent-clients.d>

41
etc/apparmor.d/abstractions/ubuntu-browsers Normal file
View File

@@ -0,0 +1,41 @@
# vim:syntax=apparmor
#
# abstraction for allowing access to graphical browsers in Ubuntu
#
# Users of this abstraction need to include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# include <abstractions/ubuntu-helpers>
abi <abi/4.0>,
/usr/bin/arora Cx -> sanitized_helper,
/usr/bin/dillo Cx -> sanitized_helper,
/usr/bin/Dooble Cx -> sanitized_helper,
/usr/bin/epiphany Cx -> sanitized_helper,
/usr/bin/epiphany-browser Cx -> sanitized_helper,
/usr/bin/epiphany-webkit Cx -> sanitized_helper,
/usr/lib/fennec-*/fennec Cx -> sanitized_helper,
/usr/bin/kazehakase Cx -> sanitized_helper,
/usr/bin/konqueror Cx -> sanitized_helper,
/usr/bin/midori Cx -> sanitized_helper,
/usr/bin/netsurf Cx -> sanitized_helper,
/usr/bin/seamonkey Cx -> sanitized_helper,
/usr/bin/sensible-browser Pixr,
/usr/bin/chromium{,-browser} Cx -> sanitized_helper,
/usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Cx -> sanitized_helper,
# this should cover all firefox browsers and versions (including shiretoko
# and abrowser)
/usr/bin/firefox Cxr -> sanitized_helper,
/usr/lib{,64}/firefox*/firefox* Cx -> sanitized_helper,
# Iceweasel
/usr/bin/iceweasel Cxr -> sanitized_helper,
/usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
# some unpackaged, but popular browsers
/usr/lib/icecat-*/icecat Cx -> sanitized_helper,
/usr/bin/opera Cx -> sanitized_helper,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
/opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,

26
etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser Normal file
View File

@@ -0,0 +1,26 @@
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Author: Jamie Strandboge <jamie@canonical.com>
# For site-specific adjustments, please see:
# /etc/apparmor.d/local/chromium-browser
abi <abi/4.0>,
include <abstractions/ubuntu-browsers.d/plugins-common>
include <abstractions/ubuntu-browsers.d/mailto>
include <abstractions/ubuntu-browsers.d/multimedia>
include <abstractions/ubuntu-browsers.d/productivity>
include <abstractions/ubuntu-browsers.d/java>
include <abstractions/ubuntu-browsers.d/kde>
include <abstractions/ubuntu-browsers.d/text-editors>
include <abstractions/ubuntu-browsers.d/ubuntu-integration>
include <abstractions/ubuntu-browsers.d/user-files>

Some files were not shown because too many files have changed in this diff Show More