maybe chmod 0644 'apparmor.d/abstractions/ubuntu-bittorrent-clients'
maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers'
maybe chmod 0755 'apparmor.d/abstractions/ubuntu-browsers.d'
+maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser'
maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/firefox'
maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/java'
maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/kde'
maybe chmod 0644 'apparmor.d/abstractions/wutmp'
maybe chmod 0644 'apparmor.d/abstractions/xad'
maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop'
+maybe chmod 0755 'apparmor.d/apache2.d'
+maybe chmod 0644 'apparmor.d/apache2.d/phpsysinfo'
+maybe chmod 0644 'apparmor.d/bin.ping'
maybe chmod 0755 'apparmor.d/cache'
maybe chmod 0755 'apparmor.d/disable'
maybe chmod 0755 'apparmor.d/force-complain'
maybe chmod 0644 'apparmor.d/lightdm-guest-session'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/README'
+maybe chmod 0644 'apparmor.d/local/bin.ping'
maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
+maybe chmod 0644 'apparmor.d/local/sbin.klogd'
+maybe chmod 0644 'apparmor.d/local/sbin.syslog-ng'
+maybe chmod 0644 'apparmor.d/local/sbin.syslogd'
+maybe chmod 0644 'apparmor.d/local/usr.bin.chromium-browser'
maybe chmod 0644 'apparmor.d/local/usr.bin.evince'
maybe chmod 0644 'apparmor.d/local/usr.bin.firefox'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.anvil'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.auth'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.config'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.deliver'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dict'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dovecot-auth'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dovecot-lda'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.imap'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.imap-login'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.lmtp'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.log'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.managesieve'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.managesieve-login'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.pop3'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.pop3-login'
+maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.ssl-params'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.oosplash'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport'
maybe chmod 0644 'apparmor.d/local/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine.real'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.avahi-daemon'
maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.dnsmasq'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.dovecot'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.identd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.mdnsd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.nmbd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.nscd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.smbd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.smbldap-useradd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.traceroute'
maybe chmod 0644 'apparmor.d/sbin.dhclient'
+maybe chmod 0644 'apparmor.d/sbin.klogd'
+maybe chmod 0644 'apparmor.d/sbin.syslog-ng'
+maybe chmod 0644 'apparmor.d/sbin.syslogd'
maybe chmod 0755 'apparmor.d/tunables'
maybe chmod 0644 'apparmor.d/tunables/alias'
maybe chmod 0644 'apparmor.d/tunables/apparmorfs'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs'
maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local'
+maybe chmod 0644 'apparmor.d/usr.bin.chromium-browser'
maybe chmod 0644 'apparmor.d/usr.bin.evince'
maybe chmod 0644 'apparmor.d/usr.bin.firefox'
maybe chmod 0644 'apparmor.d/usr.bin.man'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.anvil'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.auth'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.config'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.deliver'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dict'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dovecot-auth'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dovecot-lda'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.imap'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.imap-login'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.lmtp'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.log'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.managesieve'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.managesieve-login'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.pop3'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.pop3-login'
+maybe chmod 0644 'apparmor.d/usr.lib.dovecot.ssl-params'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.oosplash'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport'
maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/usr.lib.snapd.snap-confine.real'
+maybe chmod 0644 'apparmor.d/usr.sbin.avahi-daemon'
maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
+maybe chmod 0644 'apparmor.d/usr.sbin.dnsmasq'
+maybe chmod 0644 'apparmor.d/usr.sbin.dovecot'
+maybe chmod 0644 'apparmor.d/usr.sbin.identd'
maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd'
maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd'
+maybe chmod 0644 'apparmor.d/usr.sbin.mdnsd'
maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
+maybe chmod 0644 'apparmor.d/usr.sbin.nmbd'
+maybe chmod 0644 'apparmor.d/usr.sbin.nscd'
maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd'
+maybe chmod 0644 'apparmor.d/usr.sbin.smbd'
+maybe chmod 0644 'apparmor.d/usr.sbin.smbldap-useradd'
maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
+maybe chmod 0644 'apparmor.d/usr.sbin.traceroute'
maybe chmod 0755 'apparmor/init'
maybe chmod 0755 'apparmor/init/network-interface-security'
+maybe chmod 0644 'apparmor/logprof.conf'
maybe chmod 0644 'apparmor/parser.conf'
+maybe chmod 0644 'apparmor/severity.db'
maybe chmod 0644 'apparmor/subdomain.conf'
maybe chmod 0755 'apport'
maybe chmod 0755 'apport/blacklist.d'
--- /dev/null
+# This file is updated currently not managed by the package but in the future
+# will be overwritten on upgrades.
+#
+# For site-specific adjustments, please see:
+# /etc/apparmor.d/local/usr.bin.chromium-browser
+
+#include <abstractions/ubuntu-browsers.d/plugins-common>
+#include <abstractions/ubuntu-browsers.d/mailto>
+#include <abstractions/ubuntu-browsers.d/multimedia>
+#include <abstractions/ubuntu-browsers.d/productivity>
+#include <abstractions/ubuntu-browsers.d/java>
+#include <abstractions/ubuntu-browsers.d/kde>
+#include <abstractions/ubuntu-browsers.d/text-editors>
+#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
+#include <abstractions/ubuntu-browsers.d/user-files>
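Review bot: Every optional ubuntu-browsers.d abstraction is switched on at once in this include list — `user-files`, `productivity`, `text-editors`, `java` and `kde` alongside the media ones — so the confined browser gets broad reach into the user's files and into launching other desktop applications, which is what a browser profile normally exists to limit. The header comment points to `/etc/apparmor.d/local/usr.bin.chromium-browser` for site adjustment, but a local file can only add rules (including `deny` rules), it cannot un-include an abstraction, so a site wanting a tighter default must edit this file, which the same comment says will be overwritten on upgrade. Whether the package intends this permissive default is not visible from the hunk; if it does, a comment above the broad includes such as `# user-files/productivity/java/kde widen access to $HOME and to other applications; comment out to tighten` would make the trade-off explicit to whoever reviews the profile later.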
--- /dev/null
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+ ^phpsysinfo {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+ #include <abstractions/python>
+
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/df ixr,
+ /{,usr/}bin/mount ixr,
+ /{,usr/}bin/uname ixr,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+ /etc/debian_version r,
+ /etc/lsb-release r,
+ /etc/mtab r,
+ /etc/phpsysinfo/config.php r,
+ /etc/udev/udev.conf r,
+ @{PROC}/** r,
+ /sys/bus/ r,
+ /sys/bus/pci/devices/ r,
+ /sys/bus/pci/slots/ r,
+ /sys/bus/pci/slots/** r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
+ /sys/devices/** r,
+ /usr/bin/ r,
+ /usr/bin/apt-cache ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/lsb_release ixr,
+ /usr/bin/lspci ixr,
+ /usr/bin/who ixr,
+ /usr/{,s}bin/lsusb ixr,
+ /usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/arch r,
+ /var/lib/dpkg/available r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/* r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/{misc,usbutils}/usb.ids r,
+ /var/log/apache2/access.log w,
+ /var/log/apache2/error.log w,
+ /{,var/}run/utmp rk,
+ /usr/share/misc/pci.ids r,
+ }
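Review bot: `@{PROC}/** r` lets this web-facing hat read every process's /proc tree — other processes' `cmdline`, `environ`, `maps` and the like — which is far more than a system-information page needs and turns any phpsysinfo bug into a local information-disclosure channel for the web server's user; `/sys/devices/** r` is broad in the same way, if less sensitive. The page presumably reads a handful of files such as `@{PROC}/cpuinfo`, `@{PROC}/meminfo`, `@{PROC}/loadavg`, `@{PROC}/uptime` and `@{PROC}/net/dev`, but the exact set is not visible here, so confirm it with the audit log while the hat runs in complain mode and then replace the wildcard with those entries, e.g. `@{PROC}/{cpuinfo,meminfo,loadavg,uptime,version} r,`. The same pass should check whether `/{,usr/}bin/mount ixr` is needed at all, since it runs a setuid binary inside the hat for what is presumably only the listing form.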
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+profile ping /{usr/,}bin/ping flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{,usr/}bin/ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/bin.ping>
+}
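Review bot: `flags=(complain)` on the profile header means every rule here is audited rather than enforced, so this ping profile provides no confinement until the flag is removed or `aa-enforce` is run. Every profile in this diff carries the same flag, which is probably deliberate for a first drop of extra profiles, but nothing in the file says so; a line such as `# Shipped in complain mode: validate with aa-logprof, then aa-enforce` above the header would tell an administrator what they are getting. Also, `/etc/modules.conf r` looks like a legacy path carried over from the SUSE-era profile; if the audit log shows no access to it, drop the rule.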
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile klogd /{usr/,}sbin/klogd flags=(complain) {
+ #include <abstractions/base>
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /{usr/,}sbin/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.klogd>
+}
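Review bot: `capability sys_admin` is retained, per its own comment, only for kernels up to 2.6.37, yet it is by far the most powerful grant in the profile — it covers mount, many ioctls and other root-equivalent operations, not just reading the kernel log — while `capability syslog` on the next line is what current kernels check. If the package targets kernels newer than that, drop the `sys_admin` line or move it into `local/sbin.klogd` for the sites that still need it, so the default no longer carries the broad capability. Separately, `network inet stream` has no comment; klogd reads the ring buffer through `@{PROC}/kmsg` and writes to `/dev/tty` and the files listed, so why it needs an inet socket isn't visible here — confirm from the audit log and either document it (`network inet stream, # <reason>`) or remove it.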
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2006 Christian Boltz
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+#define this to be where syslog-ng is chrooted
+@{CHROOT_BASE}=""
+
+profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/mysql>
+ #include <abstractions/openssl>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability fowner,
+ capability sys_tty_config,
+ capability sys_resource,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log w,
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
+ /dev/kmsg r,
+ /etc/machine-id r,
+ /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+ /{usr/,}sbin/syslog-ng mr,
+ /sys/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
+ /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.syslog-ng>
+}
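Review bot: None of the eight `capability` lines says why it is needed, and several are broad: `dac_override`, `fowner` and `fsetid` together let the daemon open, re-own and change mode on files regardless of their permissions, and `sys_resource` lifts resource limits. The klogd profile in this same series annotates its broad `sys_admin` grant; doing the same here, e.g. `capability chown, # owner()/group() options on file destinations` and `capability dac_override, # open log files in root-owned directories after dropping privileges`, would let a reviewer judge each grant and make it easier to drop the ones a given configuration does not use. The reasons I sketched are guesses from typical syslog-ng usage, not something the hunk shows — confirm against the audit log before writing them down.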
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile syslogd /{usr/,}sbin/syslogd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/consoles>
+
+ capability sys_tty_config,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability setgid,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log wl,
+ /var/lib/*/dev/log wl,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+ /etc/syslog.conf r,
+ /{usr/,}sbin/syslogd rmix,
+ /var/log/** rw,
+ /{,var/}run/syslogd.pid krwl,
+ /{,var/}run/utmp rw,
+ /var/spool/compaq/nic/messages_fifo rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/sbin.syslogd>
+}
--- /dev/null
+# Author: Jamie Strandboge <jamie@canonical.com>
+#include <tunables/global>
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium-browser/chromium-browser flags=(complain,attach_disconnected) {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+ # you want access to productivity applications, adjust the following file
+ # accordingly.
+ #include <abstractions/ubuntu-browsers.d/chromium-browser>
+
+ # Networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # Should maybe be in abstractions
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/mtab r,
+ /etc/xdg/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ @{PROC}/ r,
+ @{PROC}/vmstat r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ @{PROC}/[0-9]*/task/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/cmdline r,
+ owner @{PROC}/[0-9]*/io r,
+ @{PROC}/[0-9]*/smaps r,
+ owner @{PROC}/[0-9]*/setgroups w,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/statm r,
+ @{PROC}/[0-9]*/status r,
+ deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Newer chromium needs these now
+ /etc/udev/udev.conf r,
+ /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/devices/pci[0-9a-f]*/**/class r,
+ /sys/devices/pci[0-9a-f]*/**/device r,
+ /sys/devices/pci[0-9a-f]*/**/irq r,
+ /sys/devices/pci[0-9a-f]*/**/resource r,
+ /sys/devices/pci[0-9a-f]*/**/vendor r,
+ /sys/devices/pci[0-9a-f]*/**/removable r,
+ /sys/devices/pci[0-9a-f]*/**/block/**/size r,
+ /sys/devices/virtual/block/**/removable r,
+ /sys/devices/virtual/block/**/size r,
+ /sys/devices/**/uevent r,
+ /sys/devices/virtual/tty/tty0/active r,
+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/auxv r,
+
+ # chromium mmaps all kinds of things for speed.
+ /etc/passwd m,
+ /usr/share/fonts/truetype/**/*.tt[cf] m,
+ /usr/share/fonts/**/*.pfb m,
+ /usr/share/mime/mime.cache m,
+ /usr/share/icons/**/*.cache m,
+ owner /{dev,run}/shm/pulse-shm* m,
+ owner @{HOME}/.local/share/mime/mime.cache m,
+ owner /tmp/** m,
+
+ @{PROC}/sys/kernel/shmmax r,
+ owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+ owner /{,var/}run/shm/shmfd-* mrw,
+
+ /usr/lib/chromium-browser/*.pak mr,
+ /usr/lib/chromium-browser/locales/* mr,
+
+ # Noisy
+ deny /usr/lib/chromium-browser/** w,
+
+ # Allow ptracing ourselves
+ ptrace (trace) peer=@{profile_name},
+
+ # Make browsing directories work
+ / r,
+ /**/ r,
+
+ # Allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}** r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # For migration
+ owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+ # Helpers
+ /usr/bin/xdg-open ixr,
+ /usr/bin/gnome-open ixr,
+ /usr/bin/gvfs-open ixr,
+ /usr/bin/kdialog ixr,
+ # TODO: xfce
+
+ # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+ # which is provided by abstractions/ubuntu-browsers.d/user-files).
+ /etc/firefox/profile/bookmarks.html r,
+ owner @{HOME}/.mozilla/** k,
+
+ # Chromium Policies
+ /etc/chromium-browser/policies/** r,
+
+ # Chromium configuration
+ owner @{HOME}/.pki/nssdb/* rwk,
+ owner @{HOME}/.cache/chromium/ rw,
+ owner @{HOME}/.cache/chromium/** rw,
+ owner @{HOME}/.cache/chromium/Cache/* mr,
+ owner @{HOME}/.config/chromium/ rw,
+ owner @{HOME}/.config/chromium/** rwk,
+ owner @{HOME}/.config/chromium/**/Cache/* mr,
+ owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+ owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+ # Allow transitions to ourself and our sandbox
+ /usr/lib/chromium-browser/chromium-browser ix,
+ /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+ /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
+
+ # Allow communicating with sandbox
+ unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
+
+ /bin/ps Uxr,
+ /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/xdg-settings Cxr -> xdgsettings,
+ ptrace (trace) peer=@{profile_name}//xdgsettings,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ ptrace (trace) peer=@{profile_name}//lsb_release,
+
+ # GSettings
+ owner /{,var/}run/user/*/dconf/ rw,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ profile xdgsettings flags=(complain,attach_disconnected) {
+ #include <abstractions/bash>
+ #include <abstractions/gnome>
+
+ /bin/dash ixr,
+
+ /etc/ld.so.cache r,
+ /usr/bin/xdg-settings r,
+ /usr/lib/chromium-browser/xdg-settings r,
+ /usr/share/applications/*.desktop r,
+ /usr/share/ubuntu/applications/ r,
+
+ # Checking default browser
+ /bin/grep ixr,
+ /bin/readlink ixr,
+ /bin/sed ixr,
+ /bin/which ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/cut ixr,
+
+ # Setting the default browser
+ /bin/mkdir ixr,
+ /bin/mv ixr,
+ /bin/touch ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/gconftool-2 ix,
+ /usr/bin/[gm]awk ixr,
+ /usr/bin/head ixr,
+ /usr/bin/tr ixr,
+ /usr/bin/xdg-mime ixr,
+ owner @{HOME}/.local/share/applications/ w,
+ owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+ }
+
+ profile lsb_release flags=(complain,attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/python>
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-6] mr,
+
+ /etc/default/apport r,
+ /etc/apt/apt.conf.d/ r,
+ /usr/share/dpkg/cputable r,
+ /usr/share/distro-info/* r,
+ }
+
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.chromium-browser>
+
+profile chromium_browser_sandbox flags=(complain,attach_disconnected) {
+ # Be fanatical since it is setuid root and don't use an abstraction
+ /lib/libgcc_s.so* mr,
+ /lib/@{multiarch}/libgcc_s.so* mr,
+ /lib{,32,64}/libm-*.so* mr,
+ /lib/@{multiarch}/libm-*.so* mr,
+ /lib{,32,64}/libpthread-*.so* mr,
+ /lib/@{multiarch}/libpthread-*.so* mr,
+ /lib{,32,64}/libc-*.so* mr,
+ /lib/@{multiarch}/libc-*.so* mr,
+ /lib{,32,64}/libld-*.so* mr,
+ /lib/@{multiarch}/libld-*.so* mr,
+ /lib{,32,64}/ld-*.so* mr,
+ /lib/@{multiarch}/ld-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+ /usr/lib/libstdc++.so* mr,
+ /usr/lib/@{multiarch}/libstdc++.so* mr,
+ /etc/ld.so.cache r,
+
+ # Required for dropping into PID namespace. Keep in mind that until the
+ # process drops this capability it can escape confinement, but once it
+ # drops CAP_SYS_ADMIN we are ok.
+ capability sys_admin,
+
+ # All of these are for sanely dropping from root and chrooting
+ capability chown,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_chroot,
+
+ capability sys_ptrace,
+ ptrace (read, readby),
+
+ signal (receive) peer=unconfined,
+ signal peer=@{profile_name},
+ signal (receive, send) set=("exists"),
+ signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
+
+ unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
+ unix (create),
+ unix peer=(label=@{profile_name}),
+ unix (getattr, getopt, setopt, shutdown) addr=none,
+
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ deny @{PROC}/[0-9]*/oom_adj w,
+ deny @{PROC}/[0-9]*/oom_score_adj w,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /usr/bin/chromium-browser r,
+ /usr/lib/chromium-browser/chromium-browser Px,
+ /usr/lib/chromium-browser/chromium-browser-sandbox mr,
+ /usr/lib/chromium-browser/chrome-sandbox mr,
+
+ /dev/null rw,
+
+ owner /tmp/** rw,
+ }
+}
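Review bot: `/bin/ps Uxr` runs ps unconfined, the one place in this profile where a child process leaves AppArmor entirely; every other helper (`xdg-settings`, `lsb_release`, the sandbox) gets a child profile and there is no comment saying why ps cannot. A small child profile as sketched below would keep it confined; the file list is a guess and must be confirmed from the audit log (ps may also need `ptrace (read)` to read other processes' entries). Also, `owner /tmp/** m` lets any user-writable file under /tmp be mapped executable, which sits oddly next to `deny /usr/lib/chromium-browser/** w`: the profile keeps the installed code immutable but lets the browser load arbitrary code from /tmp — if a specific feature needs this, say so in a comment and narrow the glob, otherwise drop it. Finally, `/usr/{include,share,src}** r` lacks a slash before `**`, so it also matches siblings such as `/usr/share-foo`; `/usr/{include,share,src}/** r,` is what the comment above it describes.
```apparmor
  # … unchanged: helpers and the xdgsettings/lsb_release transitions …
  /bin/ps Cxr -> ps,
  ptrace (trace) peer=@{profile_name}//ps,

  profile ps flags=(complain,attach_disconnected) {
    #include <abstractions/base>
    /bin/ps mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/{stat,status,cmdline} r,
    # confirm the remaining reads (tty, sys/kernel/*, ...) from the audit log
  }
```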
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/anvil flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /run/dovecot/anvil rw,
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.anvil>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/auth flags=(complain) {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/wutmp>
+ #include <abstractions/dovecot-common>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+
+ /etc/dovecot/* r,
+ /usr/lib/dovecot/auth mr,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ /run/dovecot/auth-master rw,
+ /run/dovecot/auth-worker rw,
+ /run/dovecot/login/login rw,
+ /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+ /{var/,}run/dovecot/stats-user rw,
+ /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+ /var/spool/postfix/private/auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.auth>
+}
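Review bot: `capability dac_override` and `capability dac_read_search` are both granted, but `dac_override` already bypasses read checks and additionally bypasses write and execute checks, so either the weaker one is redundant or the stronger one is over-broad. If the auth process only needs to read root-owned files such as the shadow database pulled in through `abstractions/authentication`, `dac_read_search` alone suffices and `dac_override` should go — confirm against the audit log. Separately, the Kerberos replay-cache rules `/var/tmp/imap_* rw` and the three sibling patterns carry no `owner` qualifier, so the process can open any matching file another local user pre-creates in world-writable `/var/tmp`; `owner /var/tmp/imap_* rw,` (and likewise for pop/sieve/smtp) limits that, provided the cache files are created by the dovecot user itself, which isn't visible here.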
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/config flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/ssl_keys>
+
+ capability dac_override,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.config>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2014 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/deliver flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ # http://www.postfix.org/SASL_README.html#server_dovecot
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/{auth,conf}.d/*.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/deliver mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.deliver>
+}
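Review bot: Two rules carry `# ???` markers — `/etc/dovecot/dovecot-postfix.conf r, # ???` and `@{HOME} r, # ???` — meaning whoever added them could not say why deliver needs them, and that uncertainty is now shipped as a rule. `@{HOME} r` in particular grants read on the user's home directory itself to a process that handles untrusted incoming mail; if deliver only needs the mail store under `@{DOVECOT_MAILSTORE}`, the rule may be unnecessary. Either replace each marker with the observed reason (e.g. `# seen in audit log: deliver stats the home dir when home_dir is set in userdb`) or remove the rule and let complain mode show whether it is missed.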
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dict flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dict>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/dovecot-auth flags=(complain) {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ #include <abstractions/dovecot-common>
+
+ capability chown,
+ capability dac_override,
+
+ @{PROC}/@{pid}/mounts r,
+ /usr/lib/dovecot/dovecot-auth mr,
+ /{,var/}run/dovecot/** rw,
+ # required for postfix+dovecot integration
+ /var/spool/postfix/private/dovecot-auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-auth>
+}
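Review bot: `/{,var/}run/dovecot/** rw` grants read/write on every socket and file under the dovecot runtime directory, whereas the sibling `usr.lib.dovecot.auth` profile in this same series enumerates its endpoints (`auth-master`, `auth-worker`, `login/login`, `auth-token-secret.dat`, ...). Enumerating here too would stop a compromised auth helper from reaching unrelated sockets such as those of `anvil` or `stats`; the exact list for the legacy `dovecot-auth` binary isn't visible, so take it from the audit log in complain mode. Also, this file uses `@{PROC}/@{pid}/mounts r` while `usr.lib.dovecot.dovecot-lda` uses `/proc/*/mounts r` — the tunable form here is the one to keep for consistency.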
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2016 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ owner /tmp/dovecot.lda.* rw,
+ /{var/,}run/dovecot/mounts r,
+ /run/dovecot/auth-userdb rw,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+ /usr/sbin/sendmail Cx,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.dovecot-lda>
+
+
+ profile /usr/sbin/sendmail flags=(complain,attach_disconnected) {
+ # this profile is based on the usr.sbin.sendmail profile in extras
+ # and should support both postfix' and sendmail's sendmail binary
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/postfix-common>
+
+ capability sys_ptrace,
+
+ /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
+ /etc/aliases.db rw, # actually the same binary
+ /etc/fstab r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/mail/* r,
+ /etc/mail/statistics rw,
+ /etc/mtab r,
+ /etc/postfix/aliases r,
+ /etc/postfix/aliases.db rw, # newaliases again
+ /etc/sendmail.cf r,
+ /etc/sendmail.cw r,
+ /etc/shells r,
+ /proc/loadavg r,
+ /proc/net/if_inet6 r,
+ /root/.forward r,
+ /root/dead.letter w,
+ /usr/bin/procmail Px,
+ /usr/lib/postfix/master Px,
+ /usr/lib/postfix/showq Px,
+ /usr/lib/postfix/smtpd Px,
+ /usr/sbin/postalias Px,
+ /usr/sbin/postdrop Px,
+ /usr/sbin/postfix Px,
+ /usr/sbin/postqueue Px,
+ /usr/sbin/sendmail mrix,
+ /usr/sbin/sendmail.postfix mrix,
+ /usr/sbin/sendmail.sendmail mrix,
+ /{var/,}run/sendmail.pid rwl,
+ /{var/,}run/sm-client.pid rwl,
+ /{var/,}run/utmp rw,
+ /var/spool/clientmqueue/* rwl,
+ /var/spool/mail/* rwl,
+ /var/spool/mqueue/* rwl,
+ /var/spool/postfix/maildrop/* rwl,
+ /var/spool/postfix/public/pickup w,
+ /var/spool/postfix/public/qmgr w,
+ /var/spool/postfix/public/showq w,
+ }
+}
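Review bot: The `sendmail` child profile, reached only from a local-delivery agent that processes untrusted incoming mail, is granted `/etc/aliases rw`, `/etc/aliases.db rw`, `/etc/postfix/aliases.db rw` and `/etc/mail/statistics rw`; the inline comments justify this by `newaliases` sharing the binary, but dovecot-lda never runs newaliases, it only submits mail. A compromised LDA could therefore rewrite the alias map and redirect or pipe mail, which is the kind of escalation the profile is meant to block. Since this child is a copy of the extras `usr.sbin.sendmail` profile rather than that profile itself, drop the write bits here — `/etc/aliases r,`, `/etc/aliases.db r,`, `/etc/postfix/aliases.db r,` — and reconsider `capability sys_ptrace` and the `/etc/mail/statistics` write, which a submission-only path should not need; confirm each against the audit log. `/proc/loadavg r` and `/proc/net/if_inet6 r` should use `@{PROC}` as the rest of the series does.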
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/imap flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ deny capability block_suspend,
+
+ network unix stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ owner /tmp/dovecot.imap.* rw,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
+ /run/dovecot/login/imap rw,
+ /{,var/}run/dovecot/auth-master rw,
+ /{,var/}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.imap>
+}
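Review bot: `@{HOME} r, # ???` grants a read on every user's home directory with a comment that admits nobody knows why; either write the real reason there or drop the rule and re-add it from the complain-mode logs if anything ever asks for it. The profile is `flags=(complain)`, so none of these rules are enforced yet — every line only produces an audit entry until the flag is removed, and a `# TODO: switch to enforce once logs are clean` at the header would make that explicit. `/run/dovecot/login/imap rw` also hard-codes `/run/` while the two lines under it use the `/{,var/}run/` alternation; `/{,var/}run/dovecot/login/imap rw,` keeps them consistent.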
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+/usr/lib/dovecot/imap-login flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/imap-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.imap-login>
+}
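Review bot: imap-login is the only one of the three login profiles in this change that grants `network unix stream` and the only one that does not include `abstractions/nameservice` (pop3-login includes it, managesieve-login includes neither); if the asymmetry is deliberate it needs a comment, otherwise the login profiles should carry the same socket rules. `/{,var/}run/dovecot/login/* rw,` covers every login socket rather than only imap's — presumably harmless because the login directory is what `capability sys_chroot` is for, but a comment such as `# login dir is shared by all *-login processes` would save the next reader a lookup. The profile is in complain mode, so none of this is enforced yet.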
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/lmtp flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/openssl>
+ #include <abstractions/ssl_keys>
+
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME}/.dovecot.svbin r,
+
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.lmtp>
+}
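Review bot: `/tmp/dovecot.lmtp.* rw,` lacks the `owner` qualifier that the sibling imap profile puts on its temp files (`owner /tmp/dovecot.imap.* rw,`); /tmp is world-writable, so without `owner` the rule also matches a file another local user pre-created under that name. Change it to `owner /tmp/dovecot.lmtp.* rw,`. The `capability dac_override,` and `capability dac_read_search,` grants are uncommented; if they exist so lmtp can deliver into other users' mailboxes under `@{DOVECOT_MAILSTORE}`, say so next to them, since they are the broadest grants in this profile.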
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/log flags=(complain,attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.log>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/managesieve flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve>
+}
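Review bot: managesieve gets `network inet stream` and `network inet6 stream`, while the sibling post-login imap profile only gets `network unix stream` and pop3 gets no socket rule at all; all three are post-login service processes, so either the TCP rule here serves something specific that a comment should name, or it is wider than needed and should go. `/etc/dovecot/** r,` is likewise broader than imap's explicit `dovecot.conf` plus `conf.d/` rules; `/etc/dovecot/dovecot.conf r,` and `/etc/dovecot/conf.d/** r,` would keep anything else dropped under /etc/dovecot out of reach. Nothing is enforced while `flags=(complain)` is set.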
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/managesieve-login flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/lib/dovecot/managesieve-login mr,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.managesieve-login>
+}
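Review bot: this login profile omits the `/{,var/}run/dovecot/anvil rw,` rule that both imap-login and pop3-login carry; if the managesieve login process also reports connections to anvil, the miss only shows up as a complain-mode log line now and becomes a denial once enforced. Add `/{,var/}run/dovecot/anvil rw,` next to the `login-master-notify*` rule, or comment why managesieve-login does not need it. It also has no `network unix stream` rule while imap-login does — the same question, and worth the same comment.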
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+#include <tunables/dovecot>
+
+/usr/lib/dovecot/pop3 flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/pop3 mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.pop3>
+}
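Review bot: `@{HOME} r, # ???` is copied verbatim from the imap profile together with its unresolved question mark; a rule that grants reads on every user's home directory needs a stated reason, or should be removed and only re-added if complain-mode logs show a real need. The profile also has no `network` rule at all while imap has `network unix stream` and managesieve has TCP rules; the three post-login service profiles would be much easier to audit if each stated its socket needs the same way, e.g. a `# no socket rules: pop3 only uses fds inherited from the login process` comment if that is in fact the reason.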
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/pop3-login flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/pop3-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.pop3-login>
+}
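Review bot: pop3-login has no `network` rules, whereas imap-login grants `network inet stream`, `network inet6 stream` and `network unix stream` and managesieve-login grants the two inet rules; `abstractions/nameservice` supplies inet stream/dgram on most AppArmor releases, so this may work only by side effect of that include. State the socket rules explicitly as in imap-login (`network inet stream,` / `network inet6 stream,`) or comment that the nameservice abstraction is what provides them. The `/{,var/}run/dovecot/login-master-notify* rw,` rule present in the other two login profiles is also missing here, which deserves either the rule or a comment.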
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/ssl-params flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ /run/dovecot/login/ssl-params rw,
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.ssl-params>
+}
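Review bot: `/run/dovecot/login/ssl-params rw,` hard-codes `/run/` while every other runtime-directory rule in these dovecot profiles uses the `/{,var/}run/` alternation, so on a system where Dovecot still lives under /var/run this rule silently does not match. Use `/{,var/}run/dovecot/login/ssl-params rw,`. The `ssl-parameters.dat.tmp rwk` / `ssl-parameters.dat rw` pair looks like a write-to-temp-then-rename; if so, a comment `# regenerated via .tmp + rename; lock is taken on the .tmp` explains why only the temp file needs `k`.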
--- /dev/null
+#include <tunables/global>
+/usr/sbin/avahi-daemon flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/dbus>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability dac_override,
+ capability kill,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ network netlink dgram,
+
+ /etc/avahi/ r,
+ /etc/avahi/avahi-daemon.conf r,
+ /etc/avahi/hosts r,
+ /etc/avahi/services/ r,
+ /etc/avahi/services/*.service r,
+ @{PROC}/@{pid}/fd/ r,
+ /usr/sbin/avahi-daemon mr,
+ /usr/share/avahi/introspection/*.introspect r,
+ /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
+ /{,var/}run/avahi-daemon/ w,
+ /{,var/}run/avahi-daemon/pid krw,
+ /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.avahi-daemon>
+}
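Review bot: the capability list (`chown`, `dac_override`, `kill`, `setuid`, `setgid`, `sys_chroot`) carries no justification, unlike the dnsmasq profile in this same change which annotates `net_admin` and `net_raw`; `dac_override` and `kill` in particular deserve a one-line reason each, e.g. `capability dac_override, # presumably for the chroot'd runtime dir — confirm` if that is what the logs showed. The file also lacks the license/copyright header every other profile in the series carries. As with the rest, `flags=(complain)` means nothing here is enforced yet.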
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+
+#include <tunables/global>
+/usr/sbin/dnsmasq flags=(complain,attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=/usr/sbin/libvirtd,
+
+ owner /dev/tty rw,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+
+ /usr/sbin/dnsmasq mr,
+
+ /{,var/}run/*dnsmasq*.pid w,
+ /{,var/}run/dnsmasq-forwarders.conf r,
+ /{,var/}run/dnsmasq/ r,
+ /{,var/}run/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ /{,var/}run/libvirt/network/ r,
+ /{,var/}run/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ /{,var/}run/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ /{,var/}run/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /{,var/}run/nm-dns-dnsmasq.conf r,
+ /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+ /{,var/}run/NetworkManager/dnsmasq.conf r,
+ /{,var/}run/NetworkManager/dnsmasq.pid w,
+
+ profile libvirt_leaseshelper flags=(complain) {
+ #include <abstractions/base>
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ /{,var/}run/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.dnsmasq>
+}
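Review bot: `/{,usr/}bin/{ba,da,}sh ix,` runs the `--dhcp-script` shell inside the dnsmasq profile itself, so whatever script the DHCP server hands a lease to inherits `capability net_admin`, `net_raw`, `chown`, `setuid`, `setgid`, `dac_override`, raw inet sockets and every file rule in this profile; the libvirt lease helper two stanzas lower is confined in its own child profile (`Cx -> libvirt_leaseshelper`) and the shell deserves the same treatment, e.g. `/{,usr/}bin/{ba,da,}sh Cx -> dhcp_script,` with a child profile built from complain-mode logs rather than guessed. If the script is intentionally trusted with the full rule set, the `# Required to execute --dhcp-script argument` comment should say that and why. Separately, `/{,var/}run/*dnsmasq*.pid w,` matches any file with "dnsmasq" in its name directly under /run, while the NetworkManager, lxc and lxd variants are already enumerated below — the glob may be wider than needed.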
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/sbin/dovecot flags=(complain,attach_disconnected) {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/ssl_keys>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
+ @{PROC}/@{pid}/mounts r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
+ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/pop3 mrPx,
+ /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params mrPx,
+ /usr/sbin/dovecot mrix,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+ /var/lib/dovecot/ w,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
+ /{,var/}run/dovecot/ rw,
+ /{,var/}run/dovecot/** rw,
+ link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.dovecot>
+}
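Review bot: the exec-mode spelling alternates between `mrPx` and `Pxmr` for identical rules (`anvil mrPx` but `dovecot-auth Pxmr`, `lmtp mrPx` but `imap Pxmr`); the parser treats them the same, but the mix reads like two merged generations and hides whether anything actually differs — normalise to one form, e.g. `/usr/lib/dovecot/imap mrPx,`. The master profile also holds the widest capability set in this series (`dac_override`, `dac_read_search`, `fsetid`, `kill`, `sys_chroot`, `sys_resource`, …) with no per-capability comment, while the `signal send set=(int,quit) peer=/usr/lib/dovecot/*` rule shows the level of specificity those grants could be documented at. `/etc/dovecot/** r,` is the same breadth question as in managesieve; note the file is in complain mode so none of it is enforced yet.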
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/identd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ /etc/identd.conf r,
+ /etc/identd.key r,
+ /etc/identd.pid w,
+ /usr/sbin/identd rmix,
+ @{PROC}/net/tcp r,
+ @{PROC}/net/tcp6 r,
+ /{,var/}run/identd.pid w,
+ /{,var/}run/identd/ w,
+ /{,var/}run/identd/identd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.identd>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/mdnsd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network netlink dgram,
+
+ /usr/sbin/mdnsd rmix,
+
+ @{PROC}/net/ r,
+ @{PROC}/net/unix r,
+ /{,var/}run/mdnsd lw,
+ /{,var/}run/mdnsd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mdnsd>
+}
--- /dev/null
+#include <tunables/global>
+
+/usr/sbin/nmbd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/samba>
+
+ capability net_bind_service,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/sbin/nmbd mr,
+
+ /var/cache/samba/gencache.tdb rwk,
+ /var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
+ /var/{cache,lib}/samba/wins.dat* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/cache/samba/msg/ rw,
+ /var/cache/samba/msg/* w,
+
+ /{,var/}run/samba/** rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.nmbd>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+/usr/sbin/nscd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+
+ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ /etc/netgroup r,
+ /etc/nscd.conf r,
+ /usr/sbin/nscd rmix,
+ /{,var/}run/.nscd_socket wl,
+ /{,var/}run/nscd/ rw,
+ /{,var/}run/nscd/db* rwl,
+ /{,var/}run/nscd/socket wl,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{,var/}run/{nscd/,}nscd.pid rwl,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.status r,
+ /var/log/nscd.log rw,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fd/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.nscd>
+}
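Review bot: `/var/lib/libvirt/dnsmasq/ r,` and `/var/lib/libvirt/dnsmasq/*.status r,` let the name-service cache read another service's lease status files with no comment saying why; presumably an NSS module resolving libvirt guest names is behind it (confirm), and a comment such as `# libvirt NSS module resolves guest names from dnsmasq status files — TODO confirm` on those lines would keep the cross-service read from being mistaken for a stray log-driven addition. `#include <abstractions/ssl_certs>` is likewise unexplained for a daemon that normally only talks to local NSS backends — if it is there for LDAP-over-TLS lookups, say so.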
--- /dev/null
+#include <tunables/global>
+
+/usr/sbin/smbd flags=(complain) {
+ #include <abstractions/authentication>
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/cups-client>
+ #include <abstractions/nameservice>
+ #include <abstractions/samba>
+ #include <abstractions/user-tmp>
+ #include <abstractions/wutmp>
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/netgroup r,
+ /etc/printcap r,
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/auth/script.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+ /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+ /usr/lib/@{multiarch}/samba/**/ r,
+ /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/sbin/smbd mr,
+ /usr/sbin/smbldap-useradd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
+ /{,var/}run/dbus/system_bus_socket rw,
+ /{,var/}run/samba/** rk,
+ /{,var/}run/samba/ncalrpc/ rw,
+ /{,var/}run/samba/ncalrpc/** rw,
+ /{,var/}run/samba/smbd.pid rw,
+ /{,var/}run/samba/msg.lock/ rw,
+ /{,var/}run/samba/msg.lock/[0-9]* rwk,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.smbd>
+}
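Review bot: `capability sys_admin,` is granted without a comment; the severity database added in this same change rates it 10 ("allow this process to 0wn the machine"), so it is the most consequential line in the profile and the reason for it (I cannot tell from here which smbd operation needs it) should be written beside it. `/etc/samba/* rwk` gives the confined daemon write and lock access to its own configuration directory; if only the tdb-style state files there need `rwk`, narrow it to those and leave the config read-only, e.g. `/etc/samba/smb.conf r,` plus `/etc/samba/*.tdb rwk,` (exact names to be confirmed from logs). All of it is under `flags=(complain)`, so none of these grants are enforced yet.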
--- /dev/null
+# Last Modified: Tue Jan 3 00:17:40 2012
+#include <tunables/global>
+
+/usr/sbin/smbldap-useradd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+ /dev/tty rw,
+ /{,usr/}bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/sbin/smbldap-useradd r,
+ /usr/sbin/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.smbldap-useradd>
+
+ profile /etc/init.d/nscd flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability sys_ptrace,
+
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
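Review bot: `/etc/shadow r,` gives a tool reached via `Px` from smbd read access to the system password hashes with no comment; smbldap-useradd is an LDAP tool, so this may be a leftover from log-driven generation (confirm) — either write the reason beside the line or drop it. The `# Last Modified: Tue Jan 3 00:17:40 2012` first line is aa-logprof output that is stale the moment the file is hand-edited; the other profiles in the series carry the license header instead. The `/etc/init.d/nscd` child profile grants `capability sys_ptrace` and `systemctl rix` with no explanation of what in the init script needs ptrace, which deserves a one-line comment.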
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+/usr/{sbin/traceroute,bin/traceroute.db} flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ deny capability net_admin, # noisy setsockopt() calls
+ capability net_raw,
+
+ network inet raw,
+ network inet6 raw,
+
+ /usr/sbin/traceroute mrix,
+ /usr/bin/traceroute.db mrix,
+ @{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.traceroute>
+}
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2004-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+[settings]
+ profiledir = /etc/apparmor.d /etc/subdomain.d
+ inactive_profiledir = /usr/share/apparmor/extra-profiles
+ logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+
+ parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ ldd = /usr/bin/ldd
+ logger = /bin/logger /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+ # 1 - default of what ever mode the log reported
+ # 2 - force the new permissions to be user
+ # 3 - force all perms on the rule to be user
+ default_owner_prompt = 1
+
+ # custom directory locations to look for #includes
+ #
+ # each name should be a valid directory containing possible #include
+ # candidate files under the profile dir which by default is /etc/apparmor.d.
+ #
+ # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
+ # be used by the yast UI and profiling tools as a source of #include
+ # files.
+ custom_includes =
+
+
+[repository]
+ distro = ubuntu-intrepid
+ url = http://apparmor.test.opensuse.org/backend/api
+ preferred_user = ubuntu
+
+[qualifiers]
+ # things will be painfully broken if bash has a profile
+ /bin/bash = icnu
+ /usr/bin/bash = icnu
+ /bin/ksh = icnu
+ /usr/bin/ksh = icnu
+ /bin/dash = icnu
+ /usr/bin/dash = icnu
+
+ # these programs can't function if they're confined
+ /bin/mount = u
+ /usr/bin/mount = u
+ /etc/init.d/subdomain = u
+ /sbin/cardmgr = u
+ /usr/sbin/cardmgr = u
+ /sbin/subdomain_parser = u
+ /usr/sbin/subdomain_parser = u
+ /usr/sbin/genprof = u
+ /usr/sbin/logprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+ /usr/bin/awk = icn
+ /bin/cat = icn
+ /usr/bin/cat = icn
+ /bin/chmod = icn
+ /usr/bin/chmod = icn
+ /bin/chown = icn
+ /usr/bin/chown = icn
+ /bin/cp = icn
+ /usr/bin/cp = icn
+ /bin/gawk = icn
+ /usr/bin/gawk = icn
+ /bin/grep = icn
+ /usr/bin/grep = icn
+ /bin/gunzip = icn
+ /usr/bin/gunzip = icn
+ /bin/gzip = icn
+ /usr/bin/gzip = icn
+ /bin/kill = icn
+ /usr/bin/kill = icn
+ /bin/ln = icn
+ /usr/bin/ln = icn
+ /bin/ls = icn
+ /usr/bin/ls = icn
+ /bin/mkdir = icn
+ /usr/bin/mkdir = icn
+ /bin/mv = icn
+ /usr/bin/mv = icn
+ /bin/readlink = icn
+ /usr/bin/readlink = icn
+ /bin/rm = icn
+ /usr/bin/rm = icn
+ /bin/sed = icn
+ /usr/bin/sed = icn
+ /bin/touch = icn
+ /usr/bin/touch = icn
+ /sbin/killall5 = icn
+ /usr/sbin/killall5 = icn
+ /usr/bin/find = icn
+ /usr/bin/killall = icn
+ /usr/bin/nice = icn
+ /usr/bin/perl = icn
+ /usr/bin/python = icn
+ /usr/bin/python2 = icn
+ /usr/bin/python2.7 = icn
+ /usr/bin/python3 = icn
+ /usr/bin/python3.3 = icn
+ /usr/bin/python3.4 = icn
+ /usr/bin/python3.5 = icn
+ /usr/bin/python3.6 = icn
+ /usr/bin/tr = icn
+
+[required_hats]
+ ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
+ ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
+
+[defaulthat]
+ ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
+ ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI
+
+[globs]
+ # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
+ /lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
+
+ # strip kernel version numbers from kernel module accesses
+ ^/lib/modules/[^\/]+\/ = /lib/modules/*/
+
+ # strip pid numbers from /proc accesses
+ ^/proc/\d+/ = /proc/*/
+
+ # if it looks like a home directory, glob out the username
+ ^/home/[^\/]+ = /home/*
+
+ # if they use any perl modules, grant access to all
+ ^/usr/lib/x86_64-linux-gnu/perl5/5.26/.+$ = /usr/lib/x86_64-linux-gnu/perl5/5.26/**
+ ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
+
+ # locale foo
+ ^/usr/lib/locale/.+$ = /usr/lib/locale/**
+ ^/usr/share/locale/.+$ = /usr/share/locale/**
+
+ # timezone fun
+ ^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
+
+ # /foobar/fonts/baz -> /foobar/fonts/**
+ /fonts/.+$ = /fonts/**
+
+ # turn /foo/bar/baz.8907234 into /foo/bar/baz.*
+ # BUGBUG - this one looked weird because it would suggest a glob for
+ # BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
+ # \.\d+$ = .*
+
+ # some various /etc/security poo -- dunno about these ones...
+ ^/etc/security/_[^\/]+$ = /etc/security/*
+ ^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
+ ^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
+
+ ^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
+ ^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh
+
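Review bot: `url = http://apparmor.test.opensuse.org/backend/api` points the `[repository]` feature at a test host over cleartext HTTP, and `distro = ubuntu-intrepid` dates it; if any tool on the system consults this section it would fetch profiles — the policy that confines everything else — from an unauthenticated channel. I cannot tell from this file whether the tools still use `[repository]`; either remove the section or point it at an https URL and document that the feature is off by default. In `[globs]`, `^/usr/lib/x86_64-linux-gnu/perl5/5.26/.+$` hard-codes one arch and perl version while the generic `^/usr/lib/[^\/]+/perl5?/.+$` line right below already covers that path, so the specific line can go.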
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Allow this process to 0wn the machine:
+ CAP_SYS_ADMIN 10
+ CAP_SYS_CHROOT 10
+ CAP_SYS_MODULE 10
+ CAP_SYS_PTRACE 10
+ CAP_SYS_RAWIO 10
+ CAP_MAC_ADMIN 10
+ CAP_MAC_OVERRIDE 10
+# Allow other processes to 0wn the machine:
+ CAP_SETPCAP 9
+ CAP_SETFCAP 9
+ CAP_CHOWN 9
+ CAP_FSETID 9
+ CAP_MKNOD 9
+ CAP_LINUX_IMMUTABLE 9
+ CAP_DAC_OVERRIDE 9
+ CAP_SETGID 9
+ CAP_SETUID 9
+ CAP_FOWNER 9
+# Denial of service, bypass audit controls, information leak
+ CAP_SYS_TIME 8
+ CAP_NET_ADMIN 8
+ CAP_SYS_RESOURCE 8
+ CAP_KILL 8
+ CAP_IPC_OWNER 8
+ CAP_SYS_PACCT 8
+ CAP_SYS_BOOT 8
+ CAP_NET_BIND_SERVICE 8
+ CAP_NET_RAW 8
+ CAP_SYS_NICE 8
+ CAP_LEASE 8
+ CAP_IPC_LOCK 8
+ CAP_SYS_TTY_CONFIG 8
+ CAP_AUDIT_CONTROL 8
+ CAP_AUDIT_WRITE 8
+ CAP_SYSLOG 8
+ CAP_WAKE_ALARM 8
+ CAP_BLOCK_SUSPEND 8
+ CAP_DAC_READ_SEARCH 7
+ CAP_AUDIT_READ 7
+# unused
+ CAP_NET_BROADCAST 0
+
+# filename r w x
+# 'hard drives' are generally 4 10 0
+/**/lost+found/** 5 5 0
+/boot/** 7 10 0
+/etc/passwd* 4 8 0
+/etc/group* 4 8 0
+/etc/shadow* 7 9 0
+/etc/shadow* 7 9 0
+/home/*/.ssh/** 7 9 0
+/home/*/.gnupg/** 5 7 0
+/home/** 4 6 0
+/srv/** 4 6 0
+/proc/** 6 9 0
+/proc/sys/kernel/hotplug 2 10 0
+/proc/sys/kernel/modprobe 2 10 0
+/proc/kallsyms 7 0 0
+/sys/** 4 8 0
+/sys/power/state 2 8 0
+/sys/firmware/** 2 10 0
+/dev/pts/* 8 9 0
+/dev/ptmx 8 9 0
+/dev/pty* 8 9 0
+/dev/null 0 0 0
+/dev/adbmouse 3 8 0
+/dev/ataraid 9 10 0
+/dev/zero 0 0 0
+/dev/agpgart* 8 10 0
+/dev/aio 3 3 0
+/dev/cbd/* 5 5 0
+/dev/cciss/* 4 10 0
+/dev/capi* 4 6 0
+/dev/cfs0 4 10 0
+/dev/compaq/* 4 10 0
+/dev/cdouble* 4 8 0
+/dev/cpu** 5 5 0
+/dev/cpu**microcode 1 10 0
+/dev/double* 4 8 0
+/dev/hd* 4 10 0
+/dev/sd* 4 10 0
+/dev/ida/* 4 10 0
+/dev/input/* 4 8 0
+/dev/mapper/control 4 10 0
+/dev/*mem 8 10 0
+/dev/loop* 4 10 0
+/dev/lp* 0 4 0
+/dev/md* 4 10 0
+/dev/msr 4 10 0
+/dev/nb* 4 10 0
+/dev/ram* 8 10 0
+/dev/rd/* 4 10 0
+/dev/*random 3 1 0
+/dev/sbpcd* 4 0 0
+/dev/rtc 6 0 0
+/dev/sd* 4 10 0
+/dev/sc* 4 10 0
+/dev/sg* 4 10 0
+/dev/st* 4 10 0
+/dev/snd/* 3 8 0
+/dev/usb/mouse* 4 6 0
+/dev/usb/hid* 4 6 0
+/dev/usb/tty* 4 6 0
+/dev/tty* 8 9 0
+/dev/stderr 0 0 0
+/dev/stdin 0 0 0
+/dev/stdout 0 0 0
+/dev/ubd* 4 10 0
+/dev/usbmouse* 4 6 0
+/dev/userdma 8 10 0
+/dev/vcs* 8 9 0
+/dev/xta* 4 10 0
+/dev/zero 0 0 0
+/dev/inittcl 8 10 0
+/dev/log 5 7 0
+/etc/fstab 3 8 0
+/etc/mtab 3 5 0
+/etc/SuSEconfig/* 1 8 0
+/etc/X11/* 2 7 0
+/etc/X11/xinit/* 2 8 0
+/etc/SuSE-release 1 5 0
+/etc/issue* 1 3 0
+/etc/motd 1 3 0
+/etc/aliases.d/* 1 7 0
+/etc/cron* 1 9 0
+/etc/cups/* 2 7 0
+/etc/default/* 3 8 0
+/etc/init.d/* 1 10 0
+/etc/permissions.d/* 1 8 0
+/etc/ppp/* 2 6 0
+/etc/ppp/*secrets 8 6 0
+/etc/profile.d/* 1 8 0
+/etc/skel/* 0 7 0
+/etc/sysconfig/* 4 10 0
+/etc/xinetd.d/* 1 9 0
+/etc/termcap/* 1 4 0
+/etc/ld.so.* 1 9 0
+/etc/pam.d/* 3 9 0
+/etc/udev/* 3 9 0
+/etc/insserv.conf 3 6 0
+/etc/security/* 1 9 0
+/etc/securetty 0 7 0
+/etc/sudoers 4 9 0
+/etc/hotplug/* 2 10 0
+/etc/xinitd.conf 1 9 0
+/etc/gpm/* 2 10 0
+/etc/ssl/** 2 7 0
+/etc/shadow* 5 9 0
+/etc/bash.bashrc 1 9 0
+/etc/csh.cshrc 1 9 0
+/etc/csh.login 1 9 0
+/etc/inittab 1 10 0
+/etc/profile* 1 9 0
+/etc/shells 1 5 0
+/etc/alternatives 1 6 0
+/etc/sysctl.conf 3 7 0
+/etc/dev.d/* 1 8 0
+/etc/manpath.config 1 6 0
+/etc/permissions* 1 8 0
+/etc/evms.conf 3 8 0
+/etc/exports 3 8 0
+/etc/samba/* 5 8 0
+/etc/ssh/* 3 8 0
+/etc/ssh/ssh_host_*key 8 8 0
+/etc/krb5.conf 4 8 0
+/etc/ntp.conf 3 8 0
+/etc/auto.* 3 8 0
+/etc/postfix/* 3 7 0
+/etc/postfix/*passwd* 6 7 0
+/etc/postfix/*cert* 6 7 0
+/etc/foomatic/* 3 5 0
+/etc/printcap 3 5 0
+/etc/youservers 4 9 0
+/etc/grub.conf 7 10 0
+/etc/modules.conf 4 10 0
+/etc/resolv.conf 2 7 0
+/etc/apache2/** 3 7 0
+/etc/apache2/**ssl** 7 7 0
+/etc/subdomain.d/** 6 10 0
+/etc/apparmor.d/** 6 10 0
+/etc/apparmor/** 6 10 0
+/var/log/** 3 8 0
+/var/adm/SuSEconfig/** 3 8 0
+/var/adm/** 3 7 0
+/var/lib/rpm/** 4 8 0
+/var/run/nscd/* 3 3 0
+/var/run/.nscd_socket 3 3 0
+/usr/share/doc/** 1 1 0
+/usr/share/man/** 3 5 0
+/usr/X11/man/** 3 5 0
+/usr/share/info/** 2 4 0
+/usr/share/java/** 2 5 0
+/usr/share/locale/** 2 4 0
+/usr/share/sgml/** 2 4 0
+/usr/share/YaST2/** 3 9 0
+/usr/share/ghostscript/** 3 5 0
+/usr/share/terminfo/** 1 8 0
+/usr/share/latex2html/** 2 4 0
+/usr/share/cups/** 5 6 0
+/usr/share/susehelp/** 2 6 0
+/usr/share/susehelp/cgi-bin/** 3 7 7
+/usr/share/zoneinfo/** 2 7 0
+/usr/share/zsh/** 3 6 0
+/usr/share/vim/** 3 8 0
+/usr/share/groff/** 3 7 0
+/usr/share/vnc/** 3 8 0
+/usr/share/wallpapers/** 2 4 0
+/usr/X11** 3 8 5
+/usr/X11*/bin/XFree86 3 8 8
+/usr/X11*/bin/Xorg 3 8 8
+/usr/X11*/bin/sux 3 8 8
+/usr/X11*/bin/xconsole 3 7 7
+/usr/X11*/bin/xhost 3 7 7
+/usr/X11*/bin/xauth 3 7 7
+/usr/X11*/bin/ethereal 3 6 8
+/usr/lib/ooo-** 3 6 5
+/usr/lib/lsb/** 2 8 8
+/usr/lib/pt_chwon 2 8 5
+/usr/lib/tcl** 2 5 3
+/usr/lib/lib*so* 3 8 4
+/usr/lib/iptables/* 2 8 2
+/usr/lib/x86_64-linux-gnu/perl5/5.26/** 4 10 6
+/usr/lib/*/perl/** 4 10 6
+/usr/lib/*/perl5/** 4 10 6
+/usr/lib/gconv/* 4 7 4
+/usr/lib/locale/** 4 8 0
+/usr/lib/jvm/** 5 7 5
+/usr/lib/sasl*/** 5 8 4
+/usr/lib/jvm-exports/** 5 7 5
+/usr/lib/jvm-private/** 5 7 5
+/usr/lib/python*/** 5 7 5
+/usr/lib/libkrb5* 4 8 4
+/usr/lib/postfix/* 4 7 4
+/usr/lib/rpm/** 4 8 6
+/usr/lib/rpm/gnupg/** 4 9 0
+/usr/lib/apache2** 4 7 4
+/usr/lib/mailman/** 4 6 4
+/usr/bin/ldd 1 7 4
+/usr/bin/netcat 5 7 8
+/usr/bin/clear 2 6 3
+/usr/bin/reset 2 6 3
+/usr/bin/tput 2 6 3
+/usr/bin/tset 2 6 3
+/usr/bin/file 2 6 3
+/usr/bin/ftp 3 7 5
+/usr/bin/busybox 4 8 6
+/usr/bin/rbash 4 8 5
+/usr/bin/screen 3 6 5
+/usr/bin/getfacl 3 7 4
+/usr/bin/setfacl 3 7 9
+/usr/bin/*awk* 3 7 7
+/usr/bin/sudo 2 9 10
+/usr/bin/lsattr 2 6 5
+/usr/bin/chattr 2 7 8
+/usr/bin/sed 3 7 6
+/usr/bin/grep 2 7 2
+/usr/bin/chroot 2 6 10
+/usr/bin/dircolors 2 9 3
+/usr/bin/cut 2 7 2
+/usr/bin/du 2 7 3
+/usr/bin/env 2 7 2
+/usr/bin/head 2 7 2
+/usr/bin/tail 2 7 2
+/usr/bin/install 2 8 4
+/usr/bin/link 2 6 4
+/usr/bin/logname 2 6 2
+/usr/bin/md5sum 2 8 3
+/usr/bin/mkfifo 2 6 10
+/usr/bin/nice 2 7 7
+/usr/bin/nohup 2 7 7
+/usr/bin/printf 2 7 1
+/usr/bin/readlink 2 7 3
+/usr/bin/seq 2 7 1
+/usr/bin/sha1sum 2 8 3
+/usr/bin/shred 2 7 3
+/usr/bin/sort 2 7 3
+/usr/bin/split 2 7 3
+/usr/bin/stat 2 7 4
+/usr/bin/sum 2 8 3
+/usr/bin/tac 2 7 3
+/usr/bin/tail 3 8 4
+/usr/bin/tee 2 7 3
+/usr/bin/test 2 8 4
+/usr/bin/touch 2 7 3
+/usr/bin/tr 2 8 3
+/usr/bin/tsort 2 7 3
+/usr/bin/tty 2 7 3
+/usr/bin/unexpand 2 7 3
+/usr/bin/uniq 2 7 3
+/usr/bin/unlink 2 8 4
+/usr/bin/uptime 2 7 3
+/usr/bin/users 2 8 4
+/usr/bin/vdir 2 8 4
+/usr/bin/wc 2 7 3
+/usr/bin/who 2 8 4
+/usr/bin/whoami 2 8 4
+/usr/bin/yes 1 6 1
+/usr/bin/ed 2 7 5
+/usr/bin/red 2 7 4
+/usr/bin/find 2 8 5
+/usr/bin/xargs 2 7 5
+/usr/bin/ispell 2 7 4
+/usr/bin/a2p 2 7 5
+/usr/bin/perlcc 2 7 5
+/usr/bin/perldoc 2 7 5
+/usr/bin/pod2* 2 7 5
+/usr/bin/prove 2 7 5
+/usr/bin/perl 2 10 7
+/usr/bin/perl* 2 10 7
+/usr/bin/suidperl 2 8 8
+/usr/bin/csh 2 8 8
+/usr/bin/tcsh 2 8 8
+/usr/bin/tree 2 6 5
+/usr/bin/last 2 7 5
+/usr/bin/lastb 2 7 5
+/usr/bin/utmpdump 2 6 5
+/usr/bin/alsamixer 2 6 8
+/usr/bin/amixer 2 6 8
+/usr/bin/amidi 2 6 8
+/usr/bin/aoss 2 6 8
+/usr/bin/aplay 2 6 8
+/usr/bin/aplaymidi 2 6 8
+/usr/bin/arecord 2 6 8
+/usr/bin/arecordmidi 2 6 8
+/usr/bin/aseqnet 2 6 8
+/usr/bin/aserver 2 6 8
+/usr/bin/iecset 2 6 8
+/usr/bin/rview 2 6 5
+/usr/bin/ex 2 7 5
+/usr/bin/enscript 2 6 5
+/usr/bin/genscript 2 6 5
+/usr/bin/xdelta 2 6 5
+/usr/bin/edit 2 6 5
+/usr/bin/vimtutor 2 6 5
+/usr/bin/rvim 2 6 5
+/usr/bin/vim 2 8 7
+/usr/bin/vimdiff 2 8 7
+/usr/bin/aspell 2 6 5
+/usr/bin/xxd 2 6 5
+/usr/bin/spell 2 6 5
+/usr/bin/eqn 2 6 5
+/usr/bin/eqn2graph 2 6 5
+/usr/bin/word-list-compress 2 6 4
+/usr/bin/afmtodit 2 6 4
+/usr/bin/hpf2dit 2 6 4
+/usr/bin/geqn 2 6 4
+/usr/bin/grn 2 6 4
+/usr/bin/grodvi 2 6 4
+/usr/bin/groff 2 6 5
+/usr/bin/groffer 2 6 4
+/usr/bin/grolj4 2 6 4
+/usr/bin/grotty 2 6 4
+/usr/bin/gtbl 2 6 4
+/usr/bin/pic2graph 2 6 4
+/usr/bin/indxbib 2 6 4
+/usr/bin/lkbib 2 6 4
+/usr/bin/lookbib 2 6 4
+/usr/bin/mmroff 2 6 4
+/usr/bin/neqn 2 6 4
+/usr/bin/pfbtops 2 6 4
+/usr/bin/pic 2 6 4
+/usr/bin/tfmtodit 2 6 4
+/usr/bin/tbl 2 6 4
+/usr/bin/post-grohtml 2 6 4
+/usr/bin/pre-grohtml 2 6 4
+/usr/bin/refer 2 6 4
+/usr/bin/soelim 2 6 4
+/usr/bin/disable-paste 2 6 6
+/usr/bin/troff 2 6 4
+/usr/bin/strace-graph 2 6 4
+/usr/bin/gpm-root 2 6 7
+/usr/bin/hltest 2 6 7
+/usr/bin/mev 2 6 6
+/usr/bin/mouse-test 2 6 6
+/usr/bin/strace 2 8 9
+/usr/bin/scsiformat 2 7 10
+/usr/bin/lsscsi 2 7 7
+/usr/bin/scsiinfo 2 7 7
+/usr/bin/sg_* 2 7 7
+/usr/bin/build-classpath 2 6 6
+/usr/bin/build-classpath-directory 2 6 6
+/usr/bin/build-jar-repository 2 6 6
+/usr/bin/diff-jars 2 6 6
+/usr/bin/jvmjar 2 6 6
+/usr/bin/rebuild-jar-repository 2 6 6
+/usr/bin/scriptreplay 2 6 5
+/usr/bin/cal 2 6 3
+/usr/bin/chkdupexe 2 6 5
+/usr/bin/col 2 6 4
+/usr/bin/colcrt 2 6 4
+/usr/bin/colrm 2 6 3
+/usr/bin/column 2 6 4
+/usr/bin/cytune 2 6 6
+/usr/bin/ddate 2 6 3
+/usr/bin/fdformat 2 6 6
+/usr/bin/getopt 2 8 6
+/usr/bin/hexdump 2 6 4
+/usr/bin/hostid 2 6 4
+/usr/bin/ipcrm 2 7 7
+/usr/bin/ipcs 2 7 6
+/usr/bin/isosize 2 6 4
+/usr/bin/line 2 6 4
+/usr/bin/look 2 6 5
+/usr/bin/mcookie 2 7 5
+/usr/bin/mesg 2 6 4
+/usr/bin/namei 2 6 5
+/usr/bin/rename 2 6 5
+/usr/bin/renice 2 6 7
+/usr/bin/rev 2 6 5
+/usr/bin/script 2 6 6
+/usr/bin/ChangeSymlinks 2 8 8
+/usr/bin/setfdprm 2 6 7
+/usr/bin/setsid 2 6 3
+/usr/bin/setterm 2 6 5
+/usr/bin/tailf 2 6 4
+/usr/bin/time 2 6 4
+/usr/bin/ul 2 6 4
+/usr/bin/wall 2 6 5
+/usr/bin/whereis 2 6 4
+/usr/bin/which 2 6 3
+/usr/bin/c_rehash 2 7 6
+/usr/bin/openssl 2 8 6
+/usr/bin/lsdev 2 6 5
+/usr/bin/procinfo 2 6 5
+/usr/bin/socklist 2 6 5
+/usr/bin/filesize 2 6 3
+/usr/bin/linkto 2 6 3
+/usr/bin/mkinfodir 2 6 5
+/usr/bin/old 2 6 4
+/usr/bin/rpmlocate 2 6 5
+/usr/bin/safe-rm 2 8 6
+/usr/bin/safe-rmdir 2 8 6
+/usr/bin/setJava 2 6 1
+/usr/bin/vmstat 2 6 4
+/usr/bin/top 2 6 6
+/usr/bin/pinentry* 2 7 6
+/usr/bin/free 2 8 4
+/usr/bin/pmap 2 6 5
+/usr/bin/slabtop 2 6 4
+/usr/bin/tload 2 6 4
+/usr/bin/watch 2 6 3
+/usr/bin/w 2 6 4
+/usr/bin/pstree.x11 2 6 4
+/usr/bin/pstree 2 6 4
+/usr/bin/snice 2 6 6
+/usr/bin/skill 2 6 7
+/usr/bin/pgrep 2 6 4
+/usr/bin/killall 2 6 7
+/usr/bin/curl 2 7 7
+/usr/bin/slptool 2 7 8
+/usr/bin/ldap* 2 7 7
+/usr/bin/whatis 2 7 5