hilfe mein git ist komisch

etc/apparmor.d/tunables/alias

@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Alias rules can be used to rewrite paths and are done after variable
+# resolution. For example, if '/usr' is on removable media:
+# alias /usr/ -> /mnt/usr/,
+#
+# Or if mysql databases are stored in /home:
+# alias /var/lib/mysql/ -> /home/mysql/,
+
+# Also, include files in tunables/alias.d for site-specific adjustments
+include if exists <tunables/alias.d>

etc/apparmor.d/tunables/apparmorfs

@@ -0,0 +1,14 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/securityfs>
+
+@{apparmorfs}=@{securityfs}/apparmor/
+
+# Also, include files in tunables/apparmorfs.d for site-specific adjustments
+include if exists <tunables/apparmorfs.d>

etc/apparmor.d/tunables/dovecot

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:ft=apparmor
+
+# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
+# where dovecot is allowed to store and read mails
+# 
+# The default value is quite broad to avoid breaking existing setups.
+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
+# you use, and remove everything else.
+
+@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
+
+# Also, include files in tunables/dovecot.d for site-specific adjustments
+include if exists <tunables/dovecot.d>

etc/apparmor.d/tunables/etc

@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{etc_ro} contains a space-separated list of the system configuration directories.
+# Traditionally this means /etc/, but when using a read-only / filesystem and/or
+# with the goal of having only user-modified config files in /etc/, directories
+# like /usr/etc/ get introduced for storing the default config.
+
+# @{etc_ro} contains directories with configuration files, including read-only directories.
+# Do not use @{etc_ro} in rules that allow write access.
+@{etc_ro}=/etc/ /usr/etc/
+
+# @{etc_rw} contains directories where writing to configuration files is allowed.
+# @{etc_rw} should always be a subset of @{etc_ro}.
+#
+# Only use @{etc_rw} if the profile allows writing to a configuration file.
+# For rules that only allows read access, use @{etc_ro}.
+@{etc_rw}=/etc/
+
+# Also, include files in tunables/etc.d for site-specific adjustments
+include if exists <tunables/etc.d>

etc/apparmor.d/tunables/global

@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2006-2009 Novell/SUSE
+#    Copyright (C) 2010-2014 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# All the tunables definitions that should be available to every profile
+# should be included here
+
+include <tunables/home>
+include <tunables/multiarch>
+include <tunables/proc>
+include <tunables/alias>
+include <tunables/kernelvars>
+include <tunables/system>
+include <tunables/xdg-user-dirs>
+include <tunables/share>
+include <tunables/etc>
+include <tunables/run>
+
+# Also, include files in tunables/global.d for site-specific adjustments
+include if exists <tunables/global.d>

etc/apparmor.d/tunables/home

@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2006-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{HOMEDIRS} is a space-separated list of where user home directories
+# are stored, for programs that must enumerate all home directories on a
+# system.
+@{HOMEDIRS}=/home/
+
+# @{HOME} is a space-separated list of all user home directories. While
+# it doesn't refer to a specific home directory (AppArmor doesn't
+# enforce discretionary access controls) it can be used as if it did
+# refer to a specific home directory
+@{HOME}=@{HOMEDIRS}/*/ /root/
+
+# Also, include files in tunables/home.d for site-specific adjustments
+include if exists <tunables/home.d>

etc/apparmor.d/tunables/home.d/site.local

@@ -0,0 +1,13 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional user home
+# directories are stored, each must have a trailing '/'. Directories added
+# here are appended to @{HOMEDIRS}.  See tunables/home for details. Eg:
+#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/

etc/apparmor.d/tunables/home.d/ubuntu

@@ -0,0 +1,7 @@
+# This file is auto-generated. It is recommended you update it using:
+# $ sudo dpkg-reconfigure apparmor
+#
+# The following is a space-separated list of where additional user home
+# directories are stored, each must have a trailing '/'. Directories added
+# here are appended to @{HOMEDIRS}.  See tunables/home for details.
+#@{HOMEDIRS}+=

etc/apparmor.d/tunables/kernelvars

@@ -0,0 +1,36 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# This file should contain declarations to kernel vars or variables
+# that will become kernel vars at some point
+
+# until kernel vars are implemented
+# and until the parser supports nested groupings like
+#   @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
+# use
+@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{pid} for now
+@{tid}=@{pid}
+
+#A pattern for pids that can appear
+@{pids}=@{pid}
+
+# Placeholder for user id until kernel var is implemented to match
+# current user of the confined application.
+# Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).
+@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+#same pattern as @{uid} for now
+@{uids}=@{uid}
+
+# until kernel var is implemented
+@{sys}=/sys/
+
+# Also, include files in tunables/kernelvars.d for site-specific adjustments
+include if exists <tunables/kernelvars.d>

etc/apparmor.d/tunables/multiarch

@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{multiarch} is the set of patterns matching multi-arch library
+# install prefixes.
+@{multiarch}=*-linux-gnu*
+
+# Also, include files in tunables/multiarch.d for site-specific adjustments
+include if exists <tunables/multiarch.d>

etc/apparmor.d/tunables/multiarch.d/site.local

@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional multipath
+# prefixes are stored, each should not have a trailing '/'. Directories
+# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
+#@{multiarch}+=*-freebsd* s390-hurd-zomg

etc/apparmor.d/tunables/proc

@@ -0,0 +1,15 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2006 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{PROC} is the location where procfs is mounted.
+@{PROC}=/proc/
+
+# Also, include files in tunables/proc.d for site-specific adjustments
+include if exists <tunables/proc.d>

etc/apparmor.d/tunables/run

@@ -0,0 +1,4 @@
+@{run}=/run/ /var/run/
+
+# Also, include files in tunables/run.d for site-specific adjustments
+include if exists <tunables/run.d>

etc/apparmor.d/tunables/securityfs

@@ -0,0 +1,13 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{securityfs} is the location where securityfs is mounted.
+@{securityfs}=@{sys}/kernel/security/
+
+# Also, include files in tunables/securityfs.d for site-specific adjustments
+include if exists <tunables/securityfs.d>

etc/apparmor.d/tunables/share

@@ -0,0 +1,18 @@
+@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}
+
+# System-wide directories with behaviour analogous to /usr/share
+# in patterns like the freedesktop.org basedir spec. These are
+# owned by root or a system user, appear in XDG_DATA_DIRS, and
+# are the parent directory for `applications`, `themes`,
+# `dbus-1/services`, etc.
+@{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share
+
+# Per-user/personal directories with behaviour analogous to
+# ~/.local/share in patterns like the freedesktop.org basedir spec.
+# These are owned by the user running an application, appear in
+# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
+# for the same subdirectories as @{system_share_dirs}
+@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
+
+# Also, include files in tunables/share.d for site-specific adjustments
+include if exists <tunables/share.d>

etc/apparmor.d/tunables/sys

@@ -0,0 +1,9 @@
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now.

etc/apparmor.d/tunables/system

@@ -0,0 +1,102 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Any digit
+@{d}=[0-9]
+
+# Any letter
+@{l}=[a-zA-Z]
+
+# Single alphanumeric character
+@{c}=[0-9a-zA-Z]
+
+# Word character: matches any letter, digit or underscore.
+@{w}=[a-zA-Z0-9_]
+
+# Single hexadecimal character
+@{h}=[0-9a-fA-F]
+
+# Integer up to 10 digits (0-9999999999)
+@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}
+
+# hexadecimal, alphanumeric and word up to 64 characters
+@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
+@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
+@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
+
+# Unsigned integer over 8 bits (0...255)
+@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]
+
+# Unsigned integer over 16 bits (0...65,535 5 digits)
+@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 32 bits (0...4,294,967,295 10 digits)
+@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits).
+@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Any x digits characters
+@{int2}=@{d}@{d}
+@{int4}=@{int2}@{int2}
+@{int6}=@{int4}@{int2}
+@{int8}=@{int4}@{int4}
+@{int9}=@{int8}@{d}
+@{int10}=@{int8}@{int2}
+@{int12}=@{int8}@{int4}
+@{int15}=@{int8}@{int4}@{int2}@{d}
+@{int16}=@{int8}@{int8}
+@{int32}=@{int16}@{int16}
+@{int64}=@{int32}@{int32}
+
+# Any x hexadecimal characters
+@{hex2}=@{h}@{h}
+@{hex4}=@{hex2}@{hex2}
+@{hex6}=@{hex4}@{hex2}
+@{hex8}=@{hex4}@{hex4}
+@{hex9}=@{hex8}@{h}
+@{hex10}=@{hex8}@{hex2}
+@{hex12}=@{hex8}@{hex4}
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
+@{hex16}=@{hex8}@{hex8}
+@{hex32}=@{hex16}@{hex16}
+@{hex38}=@{hex32}@{hex6}
+@{hex64}=@{hex32}@{hex32}
+
+# Any x alphanumeric characters
+@{rand2}=@{c}@{c}
+@{rand4}=@{rand2}@{rand2}
+@{rand6}=@{rand4}@{rand2}
+@{rand8}=@{rand4}@{rand4}
+@{rand9}=@{rand8}@{c}
+@{rand10}=@{rand8}@{rand2}
+@{rand12}=@{rand8}@{rand4}
+@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
+@{rand16}=@{rand8}@{rand8}
+@{rand32}=@{rand16}@{rand16}
+@{rand64}=@{rand32}@{rand32}
+
+# Any x word characters
+@{word2}=@{w}@{w}
+@{word4}=@{word2}@{word2}
+@{word6}=@{word4}@{word2}
+@{word8}=@{word4}@{word4}
+@{word9}=@{word8}@{w}
+@{word10}=@{word8}@{word2}
+@{word12}=@{word8}@{word4}
+@{word15}=@{word8}@{word4}@{word2}@{w}
+@{word16}=@{word8}@{word8}
+@{word32}=@{word16}@{word16}
+@{word64}=@{word32}@{word32}
+
+# Shortcut for PCI bus (e.g., /sys/devices/@{pci_bus}/**)
+@{pci_bus}=pci@{hex4}:@{hex2}
+
+include if exists <tunables/system.d>

etc/apparmor.d/tunables/xdg-user-dirs

@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2014 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Define the common set of XDG user directories (usually defined in
+# /etc/xdg/user-dirs.defaults)
+@{XDG_DESKTOP_DIR}="Desktop"
+@{XDG_DOWNLOAD_DIR}="Downloads"
+@{XDG_TEMPLATES_DIR}="Templates"
+@{XDG_PUBLICSHARE_DIR}="Public"
+@{XDG_DOCUMENTS_DIR}="Documents"
+@{XDG_MUSIC_DIR}="Music"
+@{XDG_PICTURES_DIR}="Pictures"
+@{XDG_VIDEOS_DIR}="Videos"
+
+# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
+include if exists <tunables/xdg-user-dirs.d>

etc/apparmor.d/tunables/xdg-user-dirs.d/site.local

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2014 Canonical Ltd.
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following may be used to add additional entries such as for
+# translations. See tunables/xdg-user-dirs for details. Eg:
+#@{XDG_MUSIC_DIR}+="Musique"
+
+#@{XDG_DESKTOP_DIR}+=""
+#@{XDG_DOWNLOAD_DIR}+=""
+#@{XDG_TEMPLATES_DIR}+=""
+#@{XDG_PUBLICSHARE_DIR}+=""
+#@{XDG_DOCUMENTS_DIR}+=""
+#@{XDG_MUSIC_DIR}+=""
+#@{XDG_PICTURES_DIR}+=""
+#@{XDG_VIDEOS_DIR}+=""