First version of my ArchLinux Laptop AppArmor profiles
authorroot <root@insomnia.(none)>
Wed, 18 Jan 2012 14:03:11 +0000 (15:03 +0100)
committerroot <root@insomnia.(none)>
Wed, 18 Jan 2012 14:03:11 +0000 (15:03 +0100)
45 files changed:
bin.netstat [new file with mode: 0644]
home.harvie.private.dotfiles..purple.answerscripts [new file with mode: 0644]
sbin.dhclient [new file with mode: 0644]
sbin.dhclient-script [new file with mode: 0644]
sbin.dhcpcd [new file with mode: 0644]
sbin.portmap [new file with mode: 0644]
sbin.resmgrd [new file with mode: 0644]
sbin.rpc.lockd [new file with mode: 0644]
sbin.rpc.statd [new file with mode: 0644]
usr.bin.acroread [new file with mode: 0644]
usr.bin.apropos [new file with mode: 0644]
usr.bin.epiphany [new file with mode: 0644]
usr.bin.evolution-2.10 [new file with mode: 0644]
usr.bin.fam [new file with mode: 0644]
usr.bin.freshclam [new file with mode: 0644]
usr.bin.gaim [new file with mode: 0644]
usr.bin.man [new file with mode: 0644]
usr.bin.netsurf [new file with mode: 0644]
usr.bin.opera [new file with mode: 0644]
usr.bin.passwd [new file with mode: 0644]
usr.bin.perl [new file with mode: 0644]
usr.bin.php-cgi [new file with mode: 0644]
usr.bin.pidgin [new file with mode: 0644]
usr.bin.skype [new file with mode: 0644]
usr.bin.wireshark [new file with mode: 0644]
usr.lib.GConf.2.gconfd-2 [new file with mode: 0644]
usr.lib.bonobo.bonobo-activation-server [new file with mode: 0644]
usr.lib.chromium.chromium [new file with mode: 0644]
usr.lib.evolution-data-server.evolution-data-server-1.10 [new file with mode: 0644]
usr.lib.firefox.firefox [new file with mode: 0644]
usr.lib.firefox.firefox.sh [new file with mode: 0644]
usr.lib.firefox.mozilla-xremote-client [new file with mode: 0644]
usr.lib.man-db.man [new file with mode: 0644]
usr.sbin.cupsd [new file with mode: 0644]
usr.sbin.dhcpd [new file with mode: 0644]
usr.sbin.in.fingerd [new file with mode: 0644]
usr.sbin.lighttpd [new file with mode: 0644]
usr.sbin.minidlna [new file with mode: 0644]
usr.sbin.mysqld [new file with mode: 0644]
usr.sbin.squid [new file with mode: 0644]
usr.sbin.sshd [new file with mode: 0644]
usr.sbin.useradd [new file with mode: 0644]
usr.sbin.userdel [new file with mode: 0644]
usr.sbin.vsftpd [new file with mode: 0644]
usr.sbin.xinetd [new file with mode: 0644]

diff --git a/bin.netstat b/bin.netstat
new file mode 100644 (file)
index 0000000..e9198a0
--- /dev/null
@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# evolution, amongst other things, calls this program. I didn't want to
+# give evolution access to significant chunks of /proc
+#
+
+#include <tunables/global>
+
+/bin/netstat {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  capability dac_override,
+  capability dac_read_search,
+  deny capability sys_ptrace,
+
+  /bin/netstat rmix,
+  /etc/networks r,
+  @{PROC} r,
+  @{PROC}/[0-9]*/cmdline r,
+  @{PROC}/[0-9]*/fd r,
+  @{PROC}/net r,
+  @{PROC}/net/* r,
+  @{PROC}/*/fd/ r,
+  owner @{PROC}/*/net/raw r,
+  owner @{PROC}/*/net/raw6 r,
+  owner @{PROC}/*/net/tcp r,
+  owner @{PROC}/*/net/tcp6 r,
+  owner @{PROC}/*/net/udp r,
+  owner @{PROC}/*/net/udp6 r,
+  owner @{PROC}/*/net/unix r,
+}
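Review bot: `capability dac_override` and `capability dac_read_search` at the top of this profile let netstat bypass file-permission checks entirely, and because the dhclient profile in this commit reaches it with `/bin/netstat Px` while running as root, those capabilities are live rather than theoretical. Presumably they exist so `netstat -p` can walk other users' `/proc/<pid>/fd`; if so, record it — `# dac_override/dac_read_search: only needed for -p to inspect other users' /proc/<pid>/fd` — and drop both rules if `-p` is not used on this laptop. Note also that `@{PROC}/[0-9]*/cmdline r` exposes every process's full command line, which can carry credentials passed as arguments, so the helper should stay as small as it is here.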
diff --git a/home.harvie.private.dotfiles..purple.answerscripts b/home.harvie.private.dotfiles..purple.answerscripts
new file mode 100644 (file)
index 0000000..9c72ec7
--- /dev/null
@@ -0,0 +1,17 @@
+# Last Modified: Wed Jan 18 12:35:39 2012
+#include <tunables/global>
+
+/home/harvie/private/dotfiles/.purple/answerscripts flags=(complain) {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+
+
+
+  /** rix,
+  /home/*/private/dotfiles/.purple/* rwix,
+  /home/*/private/dotfiles/.purple/answerscripts.d/ r,
+  /home/*/{,private/dotfiles/.purple/}answerscripts.d/* rix,
+
+}
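Review bot: `/** rix` grants read plus inherited execute on every path on the system, so this profile cannot stop the answerscripts from reading or running anything, and with `flags=(complain)` nothing is enforced anyway. Narrow it to what the scripts actually use — the companion perl profile in this commit suggests `/usr/bin/perl ix,`, `/bin/bash ix,` and `/usr/bin/head ix,` — and let `aa-logprof` fill in the rest. `/home/*/private/dotfiles/.purple/* rwix` also allows write-then-execute in one directory with no `owner` qualifier, so a compromised script can drop and run a new payload; split it into `owner /home/*/private/dotfiles/.purple/* rw,` for data and keep `ix` only on the named scripts under `answerscripts.d/`.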
diff --git a/sbin.dhclient b/sbin.dhclient
new file mode 100644 (file)
index 0000000..df17e88
--- /dev/null
@@ -0,0 +1,73 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# Note that this profile doesn't include any NetDomain rules; dhclient uses
+# raw sockets, and thus cannot be confined with NetDomain
+#
+# Should these programs have their own domains?
+# /bin/ps                     mrix,
+# /sbin/arp                   mrix,
+# /usr/bin/dig                mrix,
+# /usr/bin/uptime             mrix,
+# /usr/bin/vmstat             mrix,
+# /usr/bin/w                  mrix,
+
+#include <tunables/global>
+
+/sbin/dhclient {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/nameservice>
+
+  network packet packet,
+  network packet raw,
+
+  /sbin/dhclient              mrix,
+
+  /bin/bash                   mrix,
+  /bin/df                     mrix,
+  /bin/netstat                Px,
+  /bin/ps                     mrix,
+  /dev/random                 r,
+  /etc/dhclient.conf          r,
+  @{PROC}/                    r,
+  @{PROC}/interrupts          r,
+  @{PROC}/*/net/dev           r,
+  @{PROC}/rtc                 r,
+  # following rule shouldn't work, self is a symlink
+  @{PROC}/self/status         r,
+  /sbin/arp                   mrix,
+  /usr/bin/dig                mrix,
+  /usr/bin/uptime             mrix,
+  /usr/bin/vmstat             mrix,
+  /usr/bin/w                  mrix,
+  /var/lib/dhcp/dhclient.leases     rw,
+  /var/lib/dhcp/dhclient-*.leases   rw,
+  /var/log/lastlog            r,
+  /var/log/messages           r,
+  /var/log/wtmp               r,
+  /{,var/}run/dhclient.pid       rw,
+  /{,var/}run/dhclient-*.pid     rw,
+  /var/spool                  r,
+  /var/spool/mail             r,
+
+  # This one will need to be fleshed out depending on what the user is doing
+  /sbin/dhclient-script mrpix,
+
+  /bin/grep mrix,
+  /bin/sleep mrix,
+  /etc/sysconfig/network/dhcp r,
+  /etc/sysconfig/network/scripts/functions.common r,
+  /etc/sysconfig/network/scripts/functions r,
+  /sbin/ip mrix,
+  /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+  /var/lib/dhcp/* rw,
+  /{,var/}run/nm-dhclient-*.conf r,
+
+}
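Review bot: `/sbin/dhclient-script mrpix` uses the `pix` fallback, which silently runs dhclient-script under dhclient's own profile whenever the dhclient-script profile is not loaded — and this commit adds that profile, so the fallback only serves to hide a load failure by widening the script to everything dhclient may touch (`/var/lib/dhcp/* rw`, lease and pid files, `ps`/`w`/`netstat`). Use `/sbin/dhclient-script Px,` so a missing child profile surfaces as a denial instead. Separately, the profile has no `capability` rules at all; dhclient normally needs at least `net_raw` for its packet socket and `net_bind_service` for UDP/68, so if this has only been exercised in complain mode expect denials once it is enforced — confirm against the audit log.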
diff --git a/sbin.dhclient-script b/sbin.dhclient-script
new file mode 100644 (file)
index 0000000..a86c5ab
--- /dev/null
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include <tunables/global>
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+
+  /bin/bash rix,
+  /bin/grep rix,
+  /bin/sleep rix,
+  /bin/touch rix,
+  /dev/.sysconfig/network/** r,
+  /etc/netconfig.d/* mrix,
+  /etc/sysconfig/network/** r,
+  /sbin/dhclient-script r,
+  /sbin/ip rix,
+}
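Review bot: the profile grants no write access anywhere and no capabilities, yet `/bin/touch rix` and `/sbin/ip rix` run inherited, so under enforcement `ip` cannot exercise `CAP_NET_ADMIN` to set addresses or routes and the script cannot rewrite `/etc/resolv.conf` or any state file — DHCP configuration will break the first time this is enforced. Add what the script does on this host, likely `capability net_admin,` and `/etc/resolv.conf{,.tmp} rw,`, after confirming with `aa-logprof`. Be aware that `/etc/netconfig.d/* mrix` inherits this profile into arbitrary per-site hook scripts, so every rule added here is automatically granted to them as well.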
diff --git a/sbin.dhcpcd b/sbin.dhcpcd
new file mode 100644 (file)
index 0000000..de62b13
--- /dev/null
@@ -0,0 +1,50 @@
+# Last Modified: Wed Jan 18 14:06:39 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#
+# If you wish to use /etc/sysconfig/network/scripts/dhcpcd-hook, be sure
+# to configure a subdomain profile for it.
+#
+# Note that dhcpcd (at least as distributed by SuSE) offers to rewrite
+# ntp.conf and yp.conf in addition to resolv.conf.
+#
+
+#include <tunables/global>
+
+/sbin/dhcpcd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability dac_override,
+  capability net_admin,
+  capability net_raw,
+  capability sys_admin,
+
+
+
+  /bin/bash mrix,
+  /bin/touch mrix,
+  /dev/tty rw,
+  /etc/* r,
+  /etc/dhcpc/* rwl,
+  /etc/init.d/syslog Ux,
+  /etc/ntp.conf{,.sv} rwl,
+  /etc/resolv.conf{,.sv} rwl,
+  /etc/sysconfig/network/scripts/dhcpcd-hook mrix,
+  /etc/yp.conf{,.sv} rwl,
+  /proc/sys/** w,
+  /sbin/dhcpcd mrix,
+  /sbin/ifup Ux,
+  /sbin/modify_resolvconf mrix,
+  /usr/lib/networkmanager/nm-dhcp-client.action rix,
+  /var/lib/dhcpcd/* rw,
+  /{,var/}run/dhcpcd-*.pid rwlk,
+
+}
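Review bot: `/sbin/ifup Ux` and `/etc/init.d/syslog Ux` launch their targets completely unconfined from a root daemon whose input is untrusted DHCP traffic, so code execution in dhcpcd becomes unconfined root as soon as it spawns either of them. Give each a profile and use `Px`, or at minimum `PUx` so confinement applies whenever a profile exists. `/proc/sys/** w` is likewise far broader than a DHCP client plausibly needs — `/proc/sys/net/** w` would keep non-networking kernel tunables off-limits — and `capability sys_admin` deserves a comment naming the call that requires it.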
diff --git a/sbin.portmap b/sbin.portmap
new file mode 100644 (file)
index 0000000..e90e8ef
--- /dev/null
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/portmap {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_bind_service,
+  capability setuid,
+  capability setgid,
+
+  /etc/bindresvport.blacklist r,
+  /etc/hosts.allow     r,
+  /etc/hosts.deny      r,
+  /sbin/portmap         rmix,
+}
diff --git a/sbin.resmgrd b/sbin.resmgrd
new file mode 100644 (file)
index 0000000..a069711
--- /dev/null
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Mon Mar 13 15:55:30 2006
+
+#include <tunables/global>
+
+/sbin/resmgrd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability fowner,
+  capability chown,
+
+  /dev/** rw,
+  /etc/resmgr.conf r,
+  /etc/resmgr.conf.d/ r,
+  /etc/resmgr.conf.d/*.conf r,
+  /sbin/resmgrd r,
+  /{,var/}run/.resmgr_socket lrw,
+  /{,var/}run/resmgr.pid lrw,
+  /{,var/}run/fence* lrw,
+  /{,var/}run/resmgr/classes/** wl,
+  /{run,var}/lock/LCK* lrw,
+}
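Review bot: `/dev/** rw` gives this root daemon read-write on every device node, including `/dev/mem`, `/dev/kmem`, `/dev/port` and the raw disks, so the profile does not bound what a resmgrd compromise could do. The daemon appears to manage only the device classes configured in `/etc/resmgr.conf`, so either enumerate those paths, or at least add `deny /dev/{mem,kmem,port} rw,` and `deny /dev/sd* rw,` — `deny` rules override the broad allow regardless of order. `/{,var/}run/resmgr/classes/** wl` also lacks `r`, unlike the neighbouring run-time state rules; confirm whether the daemon ever reads those entries back.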
diff --git a/sbin.rpc.lockd b/sbin.rpc.lockd
new file mode 100644 (file)
index 0000000..410c3d4
--- /dev/null
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/rpc.lockd {
+  #include <abstractions/base>
+  /sbin/rpc.lockd      rmix,
+}
diff --git a/sbin.rpc.statd b/sbin.rpc.statd
new file mode 100644 (file)
index 0000000..a54689e
--- /dev/null
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/sbin/rpc.statd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  /etc/rpc                         r,
+  /sbin/rpc.statd                  rmix,
+  /sm                              rw,
+  /sm.bak                          rw,
+  /state                           rw,
+  /var/lib/nfs/sm/*                rw,
+  /var/lib/nfs/statd               rw,
+  /var/lib/nfs/statd/sm            r,
+  /var/lib/nfs/statd/sm/*          rwl,
+  /var/lib/nfs/statd/state         rw,
+  /var/lib/nfs/statd/sm.bak        r,
+  /var/lib/nfs/statd/sm.bak/*      rwl,
+  /{,var/}run/rpc.statd.pid           w,
+}
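Review bot: `/sm rw`, `/sm.bak rw` and `/state rw` match paths directly under the filesystem root, which is almost certainly not where rpc.statd keeps its state — the same names appear correctly under `/var/lib/nfs/statd/` a few lines later, so these look like leftovers or chroot-relative artifacts from a generated profile. Remove them, or if statd really does operate relative to its state directory on this host, confirm in the audit log before keeping write access at `/`. The profile also carries no `capability` rules; statd typically binds a privileged port and drops privileges, so expect `net_bind_service`/`setuid`/`setgid` denials under enforcement.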
diff --git a/usr.bin.acroread b/usr.bin.acroread
new file mode 100644 (file)
index 0000000..e89754a
--- /dev/null
@@ -0,0 +1,60 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Wed Aug 24 16:21:32 2005
+
+#include <tunables/global>
+
+/usr/X11R6/bin/acroread {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/fonts>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/gnome>
+  #include <abstractions/X>
+
+  capability dac_override,
+
+  /bin/basename mixr,
+  /bin/bash mix,
+  /bin/cat mixr,
+  /bin/grep mixr,
+  /bin/uname mixr,
+  /etc/** r,
+
+  @{HOME}/.adobe/** rw,
+  @{HOME}/Desktop/** rw,
+  @{HOME}/Documents/* rw,
+  @{HOME}/.fonts.cache-* r,
+  @{HOME}/.gconfd/saved_state lrw,
+  @{HOME}/.gconfd/saved_state.orig lw,
+  @{HOME}/.gconfd/saved_state.tmp lrw,
+  @{HOME}/.gconf r,
+  @{HOME}/.gconf/.testing.writeability lw,
+  @{HOME}/* rw,
+
+  /usr/bin/acroread Pxr,
+  /usr/bin/gconftool-2 mixr,
+  /usr/lib/firefox/firefox.sh Pxr,
+  /usr/lib/GConf/** r,
+  /usr/lib/GConf/2/gconfd-2 Pxr,
+  /usr/share/icons r,
+  /usr/share/icons/hicolor/icon-theme.cache r,
+  /usr/share/pixmaps r,
+  /usr/lib/Acrobat7/Reader/intellinux/lib/**so* mixr,
+  /usr/bin/cut mixr,
+  /usr/bin/dirname mixr,
+  /usr/bin/which mixr,
+  /usr/lib/jvm/java-*/jre/lib/fonts/** r,
+  /usr/lib/ooo-*/share/fonts/** r,
+  /usr/share/icons r,
+}
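Review bot: `@{HOME}/* rw` lets the PDF reader create or overwrite every top-level file in the user's home, including `.bashrc`, `.profile` and `.xinitrc`, so a malicious PDF that exploits acroread gains persistence at the next shell or X login — exactly what a viewer profile should prevent. Replace it with the specific paths already listed (`@{HOME}/.adobe/**`, `Desktop/**`, `Documents/*`) and, if general access is wanted, `owner @{HOME}/** r` plus `abstractions/user-download` for writes. Note also that the profile attaches to `/usr/X11R6/bin/acroread`, a SUSE path, while the file name and the `/usr/bin/acroread Pxr` rule refer to `/usr/bin/acroread`; on Arch the former likely does not exist, so this profile never applies and the `Pxr` target has no profile to transition into.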
diff --git a/usr.bin.apropos b/usr.bin.apropos
new file mode 100644 (file)
index 0000000..0a26cdc
--- /dev/null
@@ -0,0 +1,26 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/apropos {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  /bin/basename         mixr,
+  /bin/bash             mixr,
+  /bin/grep             mixr,
+  /etc/manpath.config   r,
+  /usr/bin/apropos      rmix,
+  /usr/bin/man          Px,
+  /usr/bin/tr           mixr,
+  /var/cache/man/whatis r,
+  /var/cache/man/**     r,
+}
diff --git a/usr.bin.epiphany b/usr.bin.epiphany
new file mode 100644 (file)
index 0000000..3805910
--- /dev/null
@@ -0,0 +1,31 @@
+# Last Modified: Wed Jan 18 09:14:15 2012
+#include <tunables/global>
+
+/usr/bin/epiphany {
+  #include <abstractions/base>
+  #include <abstractions/enchant>
+  #include <abstractions/gnome>
+  #include <abstractions/nameservice>
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+
+
+
+  / r,
+  /dev/ r,
+  /dev/**/ r,
+  /etc/** r,
+  /home/*/ r,
+  /home/*/** rw,
+  /home/*/.gnome2/epiphany/** rwk,
+  /home/*/.local/share/** rwk,
+  /opt/java/** mr,
+  /opt/kde/share/** r,
+  /proc/**/ r,
+  /sys/devices/system/cpu/online r,
+  owner /tmp/** rwlk,
+  /tmp/** m,
+  /usr/include/** r,
+  /usr/share/** r,
+
+}
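Review bot: `/home/*/** rw` gives the browser full read-write over every user's home directory with no `owner` qualifier, so an exploited renderer can read `~/.ssh`, `~/.gnupg` and saved credentials and write shell start-up files; that one rule removes most of the value of confining the browser. Restrict it to `owner @{HOME}/.gnome2/epiphany/** rwk,` and `owner @{HOME}/.local/share/** rwk,` (both already present but shadowed by the blanket rule), with downloads through `abstractions/user-download`. `/tmp/** m` next to `owner /tmp/** rwlk` also lets the process write a file to `/tmp` and map it executable, defeating `m` mediation — drop the `m` unless a specific plugin path needs it.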
diff --git a/usr.bin.evolution-2.10 b/usr.bin.evolution-2.10
new file mode 100644 (file)
index 0000000..f5e9d5e
--- /dev/null
@@ -0,0 +1,156 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Sep  7 21:32:52 2005
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ----------------------------------------------------------------------
+#
+#
+# Profile for Evolution 2.4:
+#
+#   Covered scenarios:
+#
+#    Receive Mail: 
+#            IMAP/POP/Local
+#            Mark mail as junk mail
+#            Print mail message with lpr local
+#            Print mail message with cups remote
+#            View pdf attachements
+#            Decrypt using gpg
+#
+#    Send Mail: 
+#            SMTP/Sendmail
+#            Encrypt/Sign using gpg
+# 
+#    Contacts: 
+#            Add/Edit/Delete local contacts
+# 
+#    Calendaring:
+#            Add Local calendar
+#            Add|Edit|Delete event to|in|from local calendar
+#            Publish free/busy information to webdav server
+#            Subscribe to webcal:// calendar
+# 
+#
+
+#include <tunables/global>
+
+/usr/bin/evolution-2.10 {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/fonts>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/gnome>
+  #include <abstractions/user-mail>
+  #include <abstractions/user-write>
+
+  capability ipc_lock,
+  capability setuid,
+
+  /bin/basename mixr,
+  /bin/bash mix,
+  /bin/grep mixr,
+  /bin/netstat mixr,
+  /dev/random r,
+  /etc/cups/client.conf r,
+  /etc/cups/lpoptions r,
+  /etc/cups/printcap r,
+  /etc/mail/spamassassin r,
+  /etc/mail/spamassassin/* r,
+  /etc/mtab r,
+  /etc/gnome-vfs-*/modules r,
+  /etc/gnome-vfs-*/modules/*.conf r,
+  /etc/pango/*.modules r,
+  /etc/opt/kde3/share/applications r,
+  /etc/opt/kde3/share/applications/kde r,
+  /etc/opt/kde3/share/applications/kde/*.desktop r,
+  /etc/opt/kde3/share/applications/mimeinfo.cache r,
+  /etc/rpc r,
+  /etc/xdg/menus/*.menu r,
+  /etc/xdg/menus/applications-merged r,
+  /etc/xdg/menus/applications-merged/*.menu r,
+  /etc/xml/*.xml r,
+  /etc/xml/catalog r,
+
+  @{HOMEDIRS} r,
+  @{HOMEDIRS}/* r,
+  @{HOME}* r,
+  @{HOME}/.AbiSuite/* r,
+  @{HOME}/.AbiSuite/AbiWord.Profile rw,
+  @{HOME}/.camel_certs/* rw,
+  @{HOME}/.evolution-composer.autosave-* lrw,
+  @{HOME}/.evolution/*.db rw,
+  @{HOME}/.evolution/cache/tmp r,
+  @{HOME}/.evolution/cache/tmp/** lrw,
+  @{HOME}/.evolution/calendar/config/** lrw,
+  @{HOME}/.evolution/calendar/local/** lrw,
+  @{HOME}/.evolution/camel-cert.db~ lrw,
+  @{HOME}/.evolution/mail/** lrw,
+  @{HOME}/.evolution/tasks/local/system/*.ics rw,
+  @{HOME}/.evolution/tasks/local/system/*.ics~ lrw,
+  @{HOME}/.gaim/blist.xml r,
+  @{HOME}/.gnome2/evolution-* lw,
+  @{HOME}/.gnome2/gnome-pilot.d/gpilotd rw,
+  @{HOME}/.gnome2/yelp rw,
+  @{HOME}/.gnome2/yelp.d/mozilla/** lrw,
+  @{HOME}/.gnome2_private w,
+  @{HOME}/.gnome2_private/Evolution rw,
+  @{HOME}/.kde/share/config/gtkrc-2.0 r,
+  @{HOME}/.mozilla/pluginreg.dat r,
+  @{HOME}/.qt/** lrw,
+  @{HOME}/.recently-used rw,
+
+  /usr/bin/evolution-2.10 mixr,
+  /usr/bin/firefox Pxr,
+  /usr/lib/** r,
+  /usr/lib/GConf/2/gconfd-2 Px,
+  /usr/lib64/GConf/2/gconfd-2 Px,
+  /usr/lib/evolution-data-server*/* r,
+  /usr/lib/evolution-data-server*/evolution-data-server-* Pxr,
+  /usr/lib/evolution/** r,
+  /usr/lib/evolution/*/evolution-alarm-notify mixr,
+  /usr/lib/gnome-** r,
+  /usr/lib/gnome-spell/libgnome-spell-component-*.so mr,
+  /usr/lib/gtk-** r,
+  /usr/lib/gtkhtml/libgnome-gtkhtml-editor-*.so mr,
+  /usr/lib/libgnomeui/gnome_segv2 mixr,
+  /usr/lib/pango/** r,
+  /usr/share/** r,
+  /opt/kde3/share/** r,
+  /opt/mozilla/bin/mozilla.sh Pxr,
+  @{PROC}/*/cmdline r,
+  @{PROC}/net r,
+  @{PROC}/net/* r,
+  /tmp r,
+  /tmp/* lrw,
+  /tmp/.ICE-unix/* w,
+  /tmp/gconfd-** r,
+  /tmp/orbit** lrw,
+  /usr/lib/aspell-** r,
+  /usr/lib/enchant r,
+  /usr/lib/enchant/*.* mr,
+  /usr/lib/jvm/java-*/jre/lib/fonts r,
+  /usr/lib/jvm/java-*/jre/lib/fonts/* r,
+  /usr/lib/ooo-2.0/share/fonts r,
+  /usr/lib/ooo-2.0/share/fonts/** r,
+  /usr/share/applications r,
+  /usr/share/applications/*.desktop r,
+  /usr/share/applications/mimeinfo.cache r,
+  /usr/share/icons r,
+  /usr/share/mime/** r,
+  /usr/share/spamassassin r,
+  /usr/share/spamassassin/*.cf r,
+  /usr/share/spamassassin/triplets.txt r,
+  /usr/share/xml/docbook/schema/** r,
+  /usr/X11R6/lib/Acrobat7/Resource/Font r,
+  /usr/X11R6/lib/Acrobat7/Resource/Font/** r,
+  /var/tmp r,
+}
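Review bot: `/bin/netstat mixr` runs netstat inheriting evolution's profile, but this same commit ships a dedicated `/bin/netstat` profile whose header says it exists precisely so evolution does not need access to large parts of `/proc`; as written the transition never happens and the `@{PROC}/*/cmdline r` / `@{PROC}/net/*` rules must live in the mail client instead. Change it to `/bin/netstat Px,` and drop the then-unneeded `@{PROC}` rules here. `capability setuid` in a user-run mail client also deserves a comment: it is inert unless evolution is started as root, and in that case it grants arbitrary uid switching.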
diff --git a/usr.bin.fam b/usr.bin.fam
new file mode 100644 (file)
index 0000000..1c435b1
--- /dev/null
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/fam {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  /tmp/.fam*           wl,
+  /etc/mtab            rw,
+  /usr/bin/fam          rmix,
+  # it makes some level of sense for FAM to read all files on the
+  # filesystem, even if this is a little unfortunate.
+  /**                  r,
+}
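Review bot: `/** r` gives fam, a root daemon, read access to every file on the system, including `/etc/shadow`, `/etc/gshadow` and private keys — the comment concedes this but stops short of mitigating it. Since `deny` rules win over allow rules regardless of ordering, add `deny /etc/{,g}shadow{,-} r,`, `deny /root/.ssh/** r,` and `deny @{HOME}/.ssh/** r,` above the broad rule; a file-alteration monitor should only need to stat and watch paths, not read secret contents. `/etc/mtab rw` also looks suspicious for a monitor; if fam only reads mount tables, drop the `w`.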
diff --git a/usr.bin.freshclam b/usr.bin.freshclam
new file mode 100644 (file)
index 0000000..5eec8bd
--- /dev/null
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/freshclam {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/clamd.conf r,
+  /etc/freshclam.conf r,
+  /usr/bin/freshclam mr,
+  /var/lib/clamav/clamav-* rw,
+  /var/lib/clamav/daily.cvd rw,
+  /var/lib/clamav/main.cvd rw,
+}
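Review bot: the database rules name only `clamav-*`, `daily.cvd` and `main.cvd`, but freshclam releases of this era also write `bytecode.cvd`, the incremental `*.cld` forms and `mirrors.dat` under `/var/lib/clamav/`, so under enforcement signature updates are likely to fail — an AV whose signatures silently stop updating is a security regression, not a hardening. Confirm against the audit log and widen to `/var/lib/clamav/{*.cvd,*.cld,mirrors.dat} rw,`, and add the log file (`/var/log/clamav/freshclam.log w,`) if file logging is configured in `freshclam.conf`.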
diff --git a/usr.bin.gaim b/usr.bin.gaim
new file mode 100644 (file)
index 0000000..fd59397
--- /dev/null
@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Fri Sep  2 19:07:43 2005
+
+#include <tunables/global>
+
+/usr/bin/gaim {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/gnome>
+  #include <abstractions/user-tmp>
+
+  /bin/bash mixr,
+  /dev/random r,
+  /etc/esd.conf r,
+  /etc/pango/pango.modules r,
+  /etc/pango/pango64.modules r,
+
+  @{HOME}/.fonts r,
+  @{HOME}/.gaim r,
+  @{HOME}/.gaim/** lrw,
+  @{HOME}/.gnome2/nautilus-sendto/* rw,
+  @{HOME}/.gtk_qt_engine_rc r,
+  @{HOME}/.icons/** r,
+  @{HOME}/.mcop/random-seed rw,
+  @{HOME}/.mcoprc r,
+  @{HOME}/.kde/share/config/gtkrc-* r,
+  @{HOME}/.themes/** r,
+
+  /opt/MozillaFirefox/bin/firefox.sh Px,
+  /usr/bin/gaim mixr,
+  /usr/lib/GConf/2/gconfd-2 Px,
+  /usr/share/icons r,
+  /usr/share/icons/** r,
+  /usr/share/pixmaps r,
+  /usr/share/pixmaps/gaim/** r,
+  /usr/share/sounds/gaim/* r,
+  /usr/share/themes/** r,
+  /opt/kde3/bin/kde-config mixr,
+  @{PROC}/*/cmdline r,
+  /usr/X11R6/lib/Acrobat*/Resource/Font/* r,
+  /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
+  /usr/lib/ao/plugins-* r,
+  /usr/lib/aspell-** mr,
+  /usr/lib/jvm/java-*/jre/lib/fonts/** r,
+  /usr/lib/ooo-*/share/fonts/** r,
+  /usr/lib/tcl*/encoding/* r,
+  /usr/lib64/ao/plugins-* r,
+  /usr/lib64/aspell-* r,
+  /usr/share/alsa/alsa.conf r,
+  /usr/share/icons r,
+  /usr/share/tcl/tcl*/encoding/* r,
+  /{,var/}run/.resmgr_socket w,
+}
diff --git a/usr.bin.man b/usr.bin.man
new file mode 100644 (file)
index 0000000..f3333e7
--- /dev/null
@@ -0,0 +1,43 @@
+# Last Modified: Wed Jan 18 10:55:22 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#
+
+#include <tunables/global>
+
+/usr/bin/man flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-manpages>
+
+  capability setgid,
+  capability setuid,
+
+
+
+  /etc/man_db.conf r,
+  /opt/java/jre/man/ r,
+  /opt/java/jre/man/* rk,
+  /opt/java/man/ r,
+  /opt/java/man/* rk,
+  /opt/java/man/*/ r,
+  /opt/kde/man/ r,
+  /opt/kde/man/*/ r,
+  /opt/qt/man/ r,
+  /opt/qt/man/* r,
+  /opt/qt/man/*/ r,
+  /root/.lesshst w,
+  /usr/lib/man-db/man Px,
+  /usr/local/man/ r,
+  /usr/man/ r,
+  /usr/share/man/ r,
+  /var/cache/man/** rk,
+
+}
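Review bot: `/root/.lesshst w` hardcodes root's home, so `less` started from `man` by an ordinary user is denied writing its history file while root is the one user that is allowed; `owner @{HOME}/.lesshst w,` expresses the intent for everyone. The profile also stays in `flags=(complain)`, so until that flag is removed it enforces nothing and the `capability setuid`/`setgid` rules have never been tested. When switching to enforce, verify the pager and the `/usr/lib/man-db/man Px` transition in the audit log first.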
diff --git a/usr.bin.netsurf b/usr.bin.netsurf
new file mode 100644 (file)
index 0000000..8af7c54
--- /dev/null
@@ -0,0 +1,21 @@
+# Last Modified: Wed Jan 18 10:06:57 2012
+#include <tunables/global>
+
+/usr/bin/netsurf {
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/gnome>
+
+
+
+  /etc/* r,
+  /home/*/.Xauthority r,
+  /home/*/.gtkrc-2.0 r,
+  /home/*/.icons/** r,
+  /home/*/.netsurf/* rw,
+  /home/*/.themes/** r,
+  /opt/kde/share/** r,
+  /sys/** r,
+  /usr/share/** r,
+
+}
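Review bot: `/home/*/.Xauthority r`, `/home/*/.netsurf/* rw` and the other `/home/*/` rules lack `owner`, so the browser may read any other user's X authority cookie and configuration that DAC happens to permit; make them `owner @{HOME}/...`. The profile also has no `network` rule and does not include `abstractions/nameservice`, so if network mediation is active on this kernel netsurf cannot resolve names or connect — if it browses fine today, check whether the profile is actually loaded and enforced. `/sys/** r` and `/etc/* r` are broader than a browser needs; `/sys/devices/system/cpu/online r`, as used in the epiphany and opera profiles, is probably what was meant.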
diff --git a/usr.bin.opera b/usr.bin.opera
new file mode 100644 (file)
index 0000000..5bb664a
--- /dev/null
@@ -0,0 +1,76 @@
+# Last Modified: Wed Jan 18 09:29:55 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/opera {
+  #include <abstractions/X>
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/gnome>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+  #include <abstractions/user-download>
+  #include <abstractions/user-write>
+
+  capability dac_override,
+
+
+
+  /bin/true mrix,
+  /bin/uname rix,
+  /etc/SuSE-release r,
+  /etc/X11/.qt_plugins_3.3rc.lock rw,
+  /etc/X11/.qtrc.lock rw,
+  /etc/cups/client.conf r,
+  /etc/mailcap r,
+  /etc/opera6rc rw,
+  /etc/opera6rc.fixed rw,
+  /etc/pkcs11/modules/ r,
+  /home/*/** mrk,
+  /opt/ r,
+  /opt/java/** r,
+  /opt/kde/share/** r,
+  /opt/kde3/lib/kde3/plugins/integration/*.so mr,
+  /proc/*/cmdline r,
+  /proc/*/fd/ r,
+  /sys/devices/system/cpu/online r,
+  owner /tmp/** rwlk,
+  /tmp/** m,
+  /usr/ r,
+  /usr/bin/acroread rPx,
+  /usr/bin/opera mr,
+  /usr/lib r,
+  /usr/lib/RealPlayer10/realplay rPx,
+  /usr/lib/RealPlayer10/realplay.bin rPx,
+  /usr/lib/opera/** mrix,
+  /usr/lib/opera/*/opera ix,
+  /usr/lib/opera/*/works rix,
+  /usr/local r,
+  /usr/share/** rk,
+  /var/spool/cups/tmp/* rwl,
+  /{,var/}run/.resmgr_socket w,
+  @{HOME} r,
+  @{HOME}/.fonts r,
+  @{HOME}/.kde/share/** r,
+  @{HOME}/.opera r,
+  @{HOME}/.opera/** rwl,
+  @{HOME}/OperaDownloads/* rw,
+  @{HOME}/tux/.fonts/ r,
+  @{HOME}/tux/.opera/ w,
+  @{HOME}/tux/.qt/.qtrx.lock k,
+  @{PROC}/[0-9]*/stat r,
+  @{PROC}/net/if_inet6 r,
+  @{PROC}/sys/vm/heap-stack-gap r,
+
+}
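Review bot: `/home/*/** mrk` lets opera read and mmap every file in every home directory with no `owner` qualifier, so a renderer compromise can exfiltrate `~/.ssh`, `~/.gnupg`, saved passwords and any other user's data DAC permits; `@{HOME}/.opera/** rwl` and the user-download/user-write abstractions already cover what the browser needs, so drop the blanket rule or reduce it to `owner @{HOME}/** r`. `/etc/opera6rc rw` and `/etc/opera6rc.fixed rw` also let a user-run browser rewrite system-wide configuration and should be `r`. The `@{HOME}/tux/...` rules are leftovers for a SUSE test user and never match here — remove them — and `/usr/bin/acroread rPx` has no matching profile in this commit, since the acroread profile attaches to `/usr/X11R6/bin/acroread`.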
diff --git a/usr.bin.passwd b/usr.bin.passwd
new file mode 100644 (file)
index 0000000..e17f636
--- /dev/null
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# Last Modified: Sat Jan  6 09:35:33 2007
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2006 Volker Kuhlmann
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/passwd {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  capability chown,
+  capability sys_resource,
+
+  /etc/.pwd.lock w,
+  /etc/pwdutils/logging r,
+  /etc/shadow rwl,
+  /etc/shadow.old rwl,
+  /etc/shadow.tmp?????? rwl,
+  /usr/bin/passwd mr,
+  /usr/lib/pwdutils/lib*.so* mr,
+  /usr/lib64/pwdutils/lib*.so* mr,
+  /usr/share/cracklib/pw_dict.hwm r,
+  /usr/share/cracklib/pw_dict.pwd r,
+  /usr/share/cracklib/pw_dict.pwi r,
+}
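Review bot: the write rules are specific to SUSE's pwdutils — `/etc/shadow.old`, `/etc/shadow.tmp??????`, `/etc/pwdutils/logging`, `/usr/lib/pwdutils/lib*.so*` — whereas Arch ships shadow-utils, which uses different temporary, backup and lock names (commonly `/etc/shadow+`, `/etc/shadow-` and `/etc/shadow.lock`), so in enforce mode password changes may be denied part-way through. Run a password change with the profile in complain mode and take the exact paths from the audit log rather than porting the SUSE list. Because `passwd` is setuid root, a profile attached to it applies to every user's invocation, so a wrong path here stops everyone from changing passwords — test before enforcing.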
diff --git a/usr.bin.perl b/usr.bin.perl
new file mode 100644 (file)
index 0000000..f7a72c9
--- /dev/null
@@ -0,0 +1,17 @@
+# Last Modified: Wed Jan 18 14:45:09 2012
+#include <tunables/global>
+
+/usr/bin/perl flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/freedesktop.org>
+
+
+
+  /** mr,
+  /bin/bash rix,
+  /home/*/private/dotfiles/.purple/* rw,
+  /usr/bin/head rix,
+
+}
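Review bot: attaching a profile to `/usr/bin/perl` confines every Perl script on the system started from an unconfined context, not just the purple answerscripts, and with `/** mr`, only `bash` and `head` executable, and writes limited to `/home/*/private/dotfiles/.purple/*`, it would break most system Perl tools the moment `flags=(complain)` is removed. Attach profiles to the scripts instead (as the `answerscripts` profile in this commit already does), run the interpreter from them with `/usr/bin/perl ix,`, and delete this file. If a perl profile is kept anyway, the `.purple` write rule at least needs `owner` so one user's scripts cannot edit another's.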
diff --git a/usr.bin.php-cgi b/usr.bin.php-cgi
new file mode 100644 (file)
index 0000000..f8a8ac0
--- /dev/null
@@ -0,0 +1,7 @@
+# Last Modified: Wed Jan 18 10:23:46 2012
+#include <tunables/global>
+
+/usr/bin/php-cgi flags=(complain) {
+  #include <abstractions/base>
+
+}
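Review bot: this profile is an empty shell in `flags=(complain)` with only `abstractions/base`, so php-cgi — the component most directly exposed to untrusted web input, presumably reached from the lighttpd profile in this commit — runs effectively unconfined while appearing to be profiled. Make the intent explicit with `# TODO: placeholder; populate via aa-logprof before switching to enforce`, and avoid referencing it with `Px` from lighttpd until it has real rules, since a missing profile fails closed while a complain-mode one fails open.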
diff --git a/usr.bin.pidgin b/usr.bin.pidgin
new file mode 100644 (file)
index 0000000..feef7bf
--- /dev/null
@@ -0,0 +1,80 @@
+# Last Modified: Wed Jan 18 12:29:15 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/pidgin {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/gnome>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/user-tmp>
+
+  deny capability sys_ptrace,
+
+
+  deny /usr/share/enchant/enchant.ordering r,
+
+  /bin/bash rix,
+  /dev/random r,
+  /etc/esd.conf r,
+  /etc/pango/pango.modules r,
+  /etc/pango/pango64.modules r,
+  /home/** mrwk,
+  /home/harvie/private/dotfiles/.purple/answerscripts px,
+  /opt/MozillaFirefox/bin/firefox.sh Px,
+  /opt/kde/share/** r,
+  /opt/kde3/bin/kde-config mrix,
+  owner /tmp/** rwlk,
+  /tmp/** m,
+  /usr/X11R6/lib/Acrobat*/Resource/Font/* r,
+  /usr/X11R6/lib/Acrobat*/Resource/Font/PFM/* r,
+  /usr/bin/pidgin mrix,
+  /usr/bin/purple-remote r,
+  /usr/lib/GConf/2/gconfd-2 Px,
+  /usr/lib/ao/plugins-* r,
+  /usr/lib/aspell-** mr,
+  /usr/lib/jvm/java-*/jre/lib/fonts/** r,
+  /usr/lib/ooo-*/share/fonts/** r,
+  /usr/lib/tcl*/encoding/* r,
+  /usr/lib64/ao/plugins-* r,
+  /usr/lib64/aspell-* r,
+  /usr/lib{,32,64}/** mr,
+  /usr/share/*/ r,
+  /usr/share/alsa/alsa.conf r,
+  /usr/share/icons r,
+  /usr/share/icons/** r,
+  /usr/share/pixmaps r,
+  /usr/share/pixmaps/pidgin/** r,
+  /usr/share/sounds/pidgin/* r,
+  /usr/share/tcl/tcl*/encoding/* r,
+  /usr/share/themes/** r,
+  /var/db/nscd/* r,
+  /{,var/}run/.resmgr_socket w,
+  @{HOME}/.fonts r,
+  @{HOME}/.gnome2/nautilus-sendto/* rw,
+  @{HOME}/.gtk_qt_engine_rc r,
+  @{HOME}/.icons/** r,
+  @{HOME}/.kde/share/config/gtkrc-* r,
+  @{HOME}/.mcop/random-seed rw,
+  @{HOME}/.mcoprc r,
+  @{HOME}/.purple r,
+  @{HOME}/.purple/** rwl,
+  @{HOME}/.themes/** r,
+  @{HOME}/private/dotfiles/.purple r,
+  @{HOME}/private/dotfiles/.purple/** rwl,
+  @{PROC}/*/cmdline r,
+
+}
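Review bot: `/home/** mrwk,` lets the chat client read, write, lock and mmap every file under every user's home, which makes the narrower `@{HOME}/.purple/**` rules below it redundant and leaves a compromised pidgin free to alter any of the user's files within DAC limits. Drop that line, or reduce it to `owner @{HOME}/** r,` if broad read is really needed for file transfers, and prefix the `@{HOME}/` rules with `owner`; the same missing qualifier affects the `@{HOME}` rules in the skype, gconfd-2 and evolution-data-server hunks. `/tmp/** m,` here and `/tmp/** w,` in the firefox hunk likewise lack the `owner` that their neighbouring `owner /tmp/**` rules carry; merge each pair into `owner /tmp/** rwlk,` (firefox) / `owner /tmp/** mrwlk,` (pidgin) unless the audit log shows a non-owned file being accessed.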
diff --git a/usr.bin.skype b/usr.bin.skype
new file mode 100644 (file)
index 0000000..dc6e696
--- /dev/null
@@ -0,0 +1,40 @@
+# Last Modified: Mon Oct 26 13:29:13 2009
+# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
+# Additional profiling based on work by Андрей Калинин, LP: #226624
+#include <tunables/global>
+/usr/bin/skype {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/freedesktop.org>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/nvidia>
+  #include <abstractions/user-tmp>
+  #include <abstractions/X>
+
+  # are these needed?
+  /proc/*/cmdline r,
+  /dev/video* mrw,
+  /var/cache/libx11/compose/* r,
+
+  # should this be in a separate KDE abstraction?
+  @{HOME}/.kde/share/config/kioslaverc r,
+
+  /usr/bin/skype mr,
+  /usr/share/skype/** kr,
+  /usr/share/skype/sounds/*.wav kr,
+
+  @{HOME}/.Skype/   rw,
+  @{HOME}/.Skype/** krw,
+  @{HOME}/.config/* kr,
+
+  @{HOME}/.mozilla/ r,
+  @{HOME}/.mozilla/*/ r,
+  @{HOME}/.mozilla/*/*/ r,
+  @{HOME}/.mozilla/*/*/bookmarkbackups/ r,
+  @{HOME}/.mozilla/*/*/chrome/ r,
+  @{HOME}/.mozilla/*/*/extensions/ r,
+  @{HOME}/.mozilla/*/*/prefs.js r,
+}
+
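Review bot: `/proc/*/cmdline r,` — flagged by the author's own `# are these needed?` — lets the binary read the command line of every process on the system, which can include secrets other users passed as arguments. If it is needed at all, `owner @{PROC}/[0-9]*/cmdline r,` limits it to the user's own processes and matches the `@{PROC}` form the sshd and squid hunks use. The `@{HOME}/.mozilla/**` reads are also unqualified and, for a closed binary with no evident need for Firefox's `prefs.js`, are a candidate for `deny` rules; re-check the audit log after changing them.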
diff --git a/usr.bin.wireshark b/usr.bin.wireshark
new file mode 100644 (file)
index 0000000..85f342f
--- /dev/null
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Aug 25 13:37:56 2005
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/bin/wireshark {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/gnome>
+  #include <abstractions/user-write>
+  #include <abstractions/X>
+
+  capability net_raw,
+
+  /etc/ethers r,
+
+  @{HOME}/.wireshark/* rw,
+  @{HOME}/.fonts.cache-* r,
+
+  /etc/pango/pango.modules r,
+  /usr/lib/gtk-*/*/loaders/* mr,
+  /usr/share/* r,
+  /usr/share/icons/** r,
+  /usr/share/mime/* r,
+  /usr/lib/firefox/firefox.sh rPx,
+  /usr/bin/wireshark mixr,
+  /usr/share/icons r,
+  /usr/share/mime/* r,
+  /usr/share/snmp/mibs r,
+  /usr/share/snmp/mibs/* r,
+  /usr/share/snmp/mibs/.index rw,
+}
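Review bot: `capability net_raw,` is granted to the whole GUI, whose dissectors parse untrusted packets; Wireshark 1.x performs captures through the separate `dumpcap` helper, and no rule for it appears in this profile, so either capture is denied here or the entire parser runs with raw-socket privilege. If the installed build uses dumpcap, move `net_raw` into a profile of its own and exec it with `Px`, as `/usr/lib/firefox/firefox.sh rPx,` already does for the browser. `/usr/share/mime/* r,` is listed twice.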
diff --git a/usr.lib.GConf.2.gconfd-2 b/usr.lib.GConf.2.gconfd-2
new file mode 100644 (file)
index 0000000..54ca37b
--- /dev/null
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Sep  1 16:16:34 2005
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/GConf/2/gconfd-2 {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /etc/gconf/2/path r,
+  /etc/gconf/gconf.xml.defaults r,
+  /etc/gconf/gconf.xml.defaults/** r,
+  /etc/gconf/gconf.xml.defaults/schemas/** r,
+  /etc/gconf/gconf.xml.mandatory r,
+
+  @{HOME}/.gconf r,
+  @{HOME}/.gconf/** lrw,
+  @{HOME}/.gconfd/** lrw,
+
+  /usr/lib/GConf/2/gconfd-2 rmix,
+  /usr/lib/GConf/2/libgconfbackend-xml.so mr,
+  /usr/lib64/GConf/2/libgconfbackend-xml.so mr,
+  /usr/share/locale/** r,
+}
diff --git a/usr.lib.bonobo.bonobo-activation-server b/usr.lib.bonobo.bonobo-activation-server
new file mode 100644 (file)
index 0000000..5cec99e
--- /dev/null
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Mon Aug 29 10:49:30 2005
+
+#include <tunables/global>
+
+/usr/lib/bonobo/bonobo-activation-server {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /etc/bonobo-activation/bonobo-activation-config.xml r,
+  /usr/lib/bonobo/bonobo-activation-server rmix,
+  /usr/lib/bonobo/servers r,
+  /usr/lib/bonobo/servers/*.server r,
+  /usr/lib/evolution-data-server-*/evolution-data-server-* Px,
+}
diff --git a/usr.lib.chromium.chromium b/usr.lib.chromium.chromium
new file mode 100644 (file)
index 0000000..77f55a4
--- /dev/null
@@ -0,0 +1,52 @@
+# Last Modified: Wed Jan 18 09:53:41 2012
+# Author: Thomas Mudrunka
+
+#include <tunables/global>
+
+/usr/lib/chromium/chromium {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/freedesktop.org>
+  #include <abstractions/gnome>
+  #include <abstractions/nameservice>
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+  #include <abstractions/ubuntu-konsole>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability setgid,
+  capability setuid,
+  capability sys_admin,
+  capability sys_chroot,
+  capability sys_ptrace,
+
+
+
+  /bin/ps r,
+  /dev/shm/* rw,
+  /etc/** r,
+  /home/*/* r,
+  /home/*/.adobe/**/ rw,
+  /home/*/.cache/chromium/** rw,
+  /home/*/.cups/* r,
+  /home/*/.icons/** r,
+  /home/*/.macromedia/** rw,
+  /home/*/.mozilla/** r,
+  /home/*/.pki/** rwk,
+  /home/*/.themes/** r,
+  /home/*/Work/GIT/plugins/chrome-extensions/** r,
+  /home/*/private/dotfiles/.config/chromium/** rwk,
+  /opt/java/** r,
+  /opt/kde/share/** r,
+  /proc/ r,
+  /proc/** rw,
+  /sys/** r,
+  /tmp/* r,
+  /usr/lib/chromium/chromium rix,
+  /usr/lib/chromium/chromium-sandbox rix,
+  /usr/lib/lib*so* mr,
+  /var/tmp/* rw,
+
+}
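Review bot: The seven capabilities, including `sys_admin`, `sys_chroot` and `sys_ptrace`, apply to the whole browser because `/usr/lib/chromium/chromium-sandbox rix,` inherits this profile; they exist only so the setuid sandbox helper can chroot and isolate renderers, and `/proc/** rw,` on top of that permits writes to every `/proc` entry, `/proc/sys` included. Give the helper its own child profile using the `Cx` transition and `profile … { }` block that the lighttpd hunk already uses for php-cgi, leave the browser profile without capabilities unless the audit log shows the main process needs one, and narrow `/proc/** rw` to the `@{PROC}/[0-9]*/…` entries actually accessed (adding specific `w` entries such as `oom_score_adj` only as the log shows them). That the helper re-executes the browser binary as the renderer is my assumption about how chromium-sandbox works — confirm it from the log before enforcing.
```apparmor
/usr/lib/chromium/chromium {
  # … unchanged: abstractions …

  # no capability rules in the browser profile; re-add one only when an
  # audit-log entry shows the main process itself needs it

  # … unchanged: file rules …
  /proc/ r,
  owner @{PROC}/[0-9]*/** r,
  /usr/lib/chromium/chromium rix,
  /usr/lib/chromium/chromium-sandbox Cx,

  # the setuid helper is the only component that chroots and drops
  # privileges, so the capabilities live here and nowhere else
  profile /usr/lib/chromium/chromium-sandbox {
    #include <abstractions/base>

    capability dac_override,
    capability dac_read_search,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    /usr/lib/chromium/chromium-sandbox r,
    # assumed: the helper re-executes the browser binary as the renderer — confirm
    /usr/lib/chromium/chromium Px,
  }
}
```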
diff --git a/usr.lib.evolution-data-server.evolution-data-server-1.10 b/usr.lib.evolution-data-server.evolution-data-server-1.10
new file mode 100644 (file)
index 0000000..477fc0c
--- /dev/null
@@ -0,0 +1,40 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Sep  7 07:44:21 2005
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/evolution-data-server/evolution-data-server-1.10 {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /etc/mtab r,
+  /etc/** r,
+
+  @{HOME}/.evolution/addressbook/local/** lrw,
+  @{HOME}/.evolution/cache/calendar/** lrw,
+  @{HOME}/.evolution/calendar/local/** lrw,
+  @{HOME}/.evolution/tasks/local/** lrw,
+  @{HOME}/.gconf r,
+  @{HOME}/.gconf/** lrw,
+  @{HOME}/.gnome2_private w,
+
+  /usr/lib/GConf/**.so mr,
+  /usr/lib/GConf/2/gconfd-2 Pxr,
+  /usr/lib64/GConf/2/gconfd-2 Pxr,
+  /usr/lib/evolution-data-server/evolution-data-server-* rmix,
+  /usr/lib/evolution-data-server*/extensions r,
+  /usr/lib/evolution-data-server*/extensions/lib*.so r,
+  /usr/lib/gnome-vfs** mr,
+  /usr/share/evolution-data-server*/** mr,
+
+}
diff --git a/usr.lib.firefox.firefox b/usr.lib.firefox.firefox
new file mode 100644 (file)
index 0000000..ee10a31
--- /dev/null
@@ -0,0 +1,36 @@
+# Last Modified: Wed Jan 18 14:47:08 2012
+#include <tunables/global>
+
+/usr/lib/firefox/firefox {
+  #include <abstractions/audio>
+  #include <abstractions/gnome>
+  #include <abstractions/nameservice>
+  #include <abstractions/ubuntu-browsers.d/plugins-common>
+
+
+  deny /dev/tty rw,
+
+  /bin/ps r,
+  /etc/** r,
+  /home/*/.Xauthority r,
+  /home/*/.adobe/**/ rw,
+  /home/*/.asoundrc.asoundconf r,
+  /home/*/.icons/** r,
+  /home/*/.local/share/ r,
+  /home/*/.local/share/**/ r,
+  /home/*/.macromedia/** rw,
+  /home/*/.mozilla/**/ r,
+  /home/*/.mozilla/firefox/** mrwk,
+  /opt/java/** r,
+  /opt/kde/share/** r,
+  /proc/** r,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/* r,
+  owner /tmp/** rlk,
+  /tmp/** w,
+  /usr/lib/firefox/plugin-container rix,
+  /usr/share/ r,
+  /usr/share/** r,
+  /var/db/nscd/* r,
+
+}
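Review bot: `/home/*/.mozilla/firefox/** mrwk,` combines `w` and `m` on a user-writable tree, so anything the browser (or a plugin running `rix` as `plugin-container`) writes into the profile directory can also be mapped executable; unless the audit log shows a genuine mmap-exec need there, drop the `m` and add `owner`. `/proc/** r,` and the other `/home/*/` rules are also unqualified — `owner @{PROC}/[0-9]*/** r,` and `owner @{HOME}/…` keep a browser bug from reading other users' process state and profiles. This is the only profile on the page that does not include `<abstractions/base>` directly; it presumably arrives through `<abstractions/gnome>`, which is fragile if that include is ever removed.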
diff --git a/usr.lib.firefox.firefox.sh b/usr.lib.firefox.firefox.sh
new file mode 100644 (file)
index 0000000..65344b7
--- /dev/null
@@ -0,0 +1,19 @@
+# Last Modified: Wed Nov  5 03:32:59 2008
+#include <tunables/global>
+
+/usr/lib/firefox/firefox.sh {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+
+  deny capability sys_ptrace,
+
+  /bin/basename rix,
+  /bin/bash rix,
+  /bin/grep rix,
+  /etc/magic r,
+  /usr/bin/file rix,
+  /usr/lib/firefox/firefox px,
+  /usr/share/misc/magic.mgc r,
+
+}
diff --git a/usr.lib.firefox.mozilla-xremote-client b/usr.lib.firefox.mozilla-xremote-client
new file mode 100644 (file)
index 0000000..516adbd
--- /dev/null
@@ -0,0 +1,21 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Sep  1 23:02:44 2005
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/firefox/mozilla-xremote-client {
+  #include <abstractions/base>
+  #include <abstractions/X>
+
+  /usr/lib/mozilla/lib*so* mr,
+  /usr/lib/firefox/mozilla-xremote-client rmix,
+}
diff --git a/usr.lib.man-db.man b/usr.lib.man-db.man
new file mode 100644 (file)
index 0000000..21402c2
--- /dev/null
@@ -0,0 +1,68 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/lib/man-db/man flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/user-manpages>
+
+  /bin/bash rmix,
+  /bin/cat rmix,
+  /bin/gunzip rmix,
+  /bin/mktemp rmix,
+  /bin/more rmix,
+  /bin/rm rmix,
+
+  /etc/groff/man.local r,
+  /etc/lesskey.bin r,
+  /etc/manpath.config r,
+  /etc/man.config r,
+  /etc/papersize r,
+  /etc/termcap r,
+
+  /tmp/nroff.** rw,
+
+  /usr/man/** r,
+  /usr/bin/apropos Px,
+  /usr/bin/cmp rmix,
+  /usr/bin/getopt rmix,
+  /usr/bin/groff rmix,
+  /usr/bin/grops rmix,
+  /usr/bin/grotty rmix,
+  /usr/bin/iconv rmix,
+  /{usr/,}bin/less rmix,
+  /usr/bin/locale rmix,
+  /usr/bin/man rmix,
+  /usr/bin/nroff rmix,
+  /usr/bin/preconv rmix,
+  /usr/bin/tbl rmix,
+  /usr/bin/troff rmix,
+  /usr/bin/zsoelim rmix,
+  /usr/lib/man-db/man rmix,
+  /usr/lib/man-db/manconv rmix,
+  /usr/local/man/ r,
+  /usr/local/man/** r,
+  /usr/local/share/man/ r,
+  /usr/local/share/man/** r,
+  /usr/share/groff/** r,
+  /usr/share/locale-bundle/** r,
+  /usr/share/man/ r,
+  /usr/share/man/** r,
+  /usr/share/terminfo/** r,
+  /usr/share/texmf/teTeX/man/** r,
+
+  /var/cache/man/** rk,
+
+  owner @{HOME}/.lesshst rw,
+}
diff --git a/usr.sbin.cupsd b/usr.sbin.cupsd
new file mode 100644 (file)
index 0000000..91260d4
--- /dev/null
@@ -0,0 +1,61 @@
+# Last Modified: Wed Jan 18 14:45:09 2012
+#include <tunables/global>
+
+/usr/sbin/cupsd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/dbus>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+
+  capability chown,
+  capability dac_override,
+  capability fowner,
+  capability fsetid,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+
+
+  /bin/bash rix,
+  /bin/cat ix,
+  /dev/lp0 rw,
+  /dev/tty rw,
+  /dev/ttyS? w,
+  /etc/** r,
+  /etc/cups rw,
+  /etc/cups/*.conf* rw,
+  /etc/cups/certs w,
+  /etc/cups/certs/* w,
+  /etc/cups/ppd rw,
+  /etc/cups/printcap rw,
+  /etc/cups/ssl rw,
+  /etc/cups/yes/* rw,
+  /etc/printcap rw,
+  /proc/meminfo r,
+  /proc/sys/dev/parport/** r,
+  /sys/class/usb r,
+  /usr/bin/foomatic-rip rix,
+  /usr/bin/gs ix,
+  /usr/bin/perl ix,
+  /usr/bin/smbspool rix,
+  /usr/lib/cups/backend/* rix,
+  /usr/lib/cups/filter/* rix,
+  /usr/lib/ghostscript/** m,
+  /usr/lib64/ghostscript/** m,
+  /usr/lib{,32,64}/** mr,
+  /usr/sbin/cupsd mrix,
+  /usr/share/cups/** r,
+  /usr/share/ghostscript/** r,
+  /var/cache/cups/ rw,
+  /var/cache/cups/** rw,
+  /var/log/cups/* rw,
+  /var/spool/cups rw,
+  /var/spool/cups/** rw,
+  /var/spool/cups/tmp w,
+  /var/spool/cups/tmp/ r,
+  /{,var/}run/cups/ rw,
+  /{,var/}run/cups/** rw,
+
+}
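Review bot: `/usr/bin/gs ix,`, `/usr/bin/perl ix,` and the `/usr/lib/cups/filter/* rix,` / `backend/* rix,` rules run the print filters inside the cupsd profile, so Ghostscript parsing an untrusted print job is covered by the daemon's `chown`, `dac_override`, `fowner`, `fsetid`, `setuid` and `setgid` grants plus `/etc/** r` and `/var/spool/cups/** rw`. A child profile reached via `Cx` for the filter and backend directories — the form the lighttpd hunk uses for php-cgi — holding only the ghostscript, font and spool rules keeps those capabilities out of the renderer. `/usr/lib{,32,64}/** mr,` is also broader than the library rules `<abstractions/base>` already supplies.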
diff --git a/usr.sbin.dhcpd b/usr.sbin.dhcpd
new file mode 100644 (file)
index 0000000..d54da0f
--- /dev/null
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/dhcpd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability dac_override,
+  capability net_bind_service,
+  capability net_raw,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  network inet raw,
+  network packet raw,
+
+  /db/dhcpd.leases*     lrw,
+  /etc/dhcpd.conf      r,
+  /etc/named.d/*       r,
+  /etc/hosts.allow     r,
+  /etc/hosts.deny      r,
+  @{PROC}/net/dev      r,
+  /usr/sbin/dhcpd      rmix,
+  /var/lib/dhcp/{db/,}dhcpd.leases*    rwl,
+  /var/lib/dhcp/etc/dhcpd.conf  r,
+  /{,var/}run/dhcpd.pid        wl,
+}
diff --git a/usr.sbin.in.fingerd b/usr.sbin.in.fingerd
new file mode 100644 (file)
index 0000000..5f18bd0
--- /dev/null
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2006 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/in.fingerd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  @{HOME}/.plan          r,
+  @{HOME}/.project       r,
+
+  /usr/bin/finger        mix,
+  /var/log/lastlog       r,
+  /{,var/}run/utmp          r,
+}
diff --git a/usr.sbin.lighttpd b/usr.sbin.lighttpd
new file mode 100644 (file)
index 0000000..8c783b1
--- /dev/null
@@ -0,0 +1,77 @@
+# Last Modified: Wed Jan 18 10:48:17 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/lighttpd {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/php5>
+  #include <abstractions/web-data>
+
+  capability dac_override,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+
+
+  deny /usr/bin/pacman r,
+
+  /bin/bash mix,
+  /bin/cat mix,
+  /bin/egrep r,
+  /bin/zsh mix,
+  /etc/lighttpd r,
+  /etc/lighttpd/*.conf r,
+  /etc/lighttpd/auth.d/* r,
+  /etc/lighttpd/conf.d/*.conf r,
+  /etc/lighttpd/vhosts.d r,
+  /etc/lighttpd/vhosts.d/* r,
+  /etc/php/conf.d/ r,
+  /etc/php/php.ini r,
+  /etc/ssl/private/*.pem r,
+  /run/lighttpd/* w,
+  /srv/http/ r,
+  /srv/http/** r,
+  /tmp/* rw,
+  /usr/bin/php-cgi Cx,
+  /usr/lib/lighttpd/*.so mr,
+  /usr/lib64/lighttpd/*.so mr,
+  /usr/sbin/lighttpd mix,
+  /var/cache/lighttpd/ r,
+  /var/cache/lighttpd/** rwl,
+  /var/lib/lighttpd/ r,
+  /var/lib/lighttpd/** rwl,
+  /var/log/lighttpd/*.log rw,
+  /{,var/}run/lighttpd.pid rwl,
+
+
+  profile /usr/bin/php-cgi {
+    #include <abstractions/base>
+
+
+
+    /etc/* r,
+    /etc/php/** r,
+    /lib/lib*so* mr,
+    /srv/http/ r,
+    /srv/http/** r,
+    /tmp/* rwk,
+    /usr/bin/php-cgi r,
+    /usr/lib/lib*so* mr,
+    /usr/lib{,32,64}/** mr,
+
+  }
+}
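Review bot: `/bin/bash mix,`, `/bin/zsh mix,` and `/bin/cat mix,` run shells inside the lighttpd profile, which can read `/etc/ssl/private/*.pem`; any CGI shell script the server spawns therefore inherits read access to the TLS private key along with `setuid`, `setgid`, `sys_chroot` and `dac_override`. Since the hunk already isolates php-cgi in a child profile, the shells belong in a second one of the same shape without the `/etc/ssl/private` rule. Inside the php-cgi child, `/tmp/* rwk,` lacks `owner`, and `/etc/* r,` is wider than the `/etc/php/**` it sits next to; presumably both came from the log and can be tightened.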
diff --git a/usr.sbin.minidlna b/usr.sbin.minidlna
new file mode 100644 (file)
index 0000000..6130ac4
--- /dev/null
@@ -0,0 +1,18 @@
+# Last Modified: Wed Jan 18 14:01:31 2012
+#include <tunables/global>
+
+/usr/sbin/minidlna {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+
+
+
+  /bin/bash rix,
+  /etc/minidlna.conf r,
+  /home/*/** r,
+  /proc/sys/** r,
+  /run/minidlna.pid rw,
+  /sys/devices/system/** r,
+  /tmp/** rwk,
+
+}
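Review bot: `/home/*/** r,` gives an unauthenticated LAN media server read access to every file in every user's home rather than the directories it is configured to serve; `/proc/sys/** r,` and `/sys/devices/system/** r,` are similarly far wider than a DLNA daemon needs. Restrict the home rule to the `media_dir` paths set in `/etc/minidlna.conf` (placeholder: `/home/*/<MEDIA_DIR>/** r,`) and `/tmp/** rwk,` to `owner /tmp/** rwk,`. No rule covers the database directory (`db_dir` in the same config), so expect denials there before enforce mode; take the path from the audit log.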
diff --git a/usr.sbin.mysqld b/usr.sbin.mysqld
new file mode 100644 (file)
index 0000000..1fde992
--- /dev/null
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+# Last Modified: Wed Aug 17 14:28:07 2005
+
+#include <tunables/global>
+
+/usr/sbin/mysqld {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability dac_override,
+  capability setgid,
+  capability setuid,
+
+  /etc/my.cnf r,
+  /usr/sbin/mysqld r,
+  /usr/share/mysql/** r,
+  /var/lib/mysql/** lrw,
+}
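Review bot: No rule covers a pid file or unix socket under `/{,var/}run` (the squid, xinetd and sshd hunks each have one) nor any log path, so this 2005 SUSE profile will presumably generate denials as soon as mysqld starts — and it has no `flags=(complain)`, so they will be real denials. Take the socket, pid and log locations from `/etc/my.cnf` and the audit log before loading it in enforce mode.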
diff --git a/usr.sbin.squid b/usr.sbin.squid
new file mode 100644 (file)
index 0000000..4f46f29
--- /dev/null
@@ -0,0 +1,63 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2006 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/sbin/squid {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/kerberosclient>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  /usr/lib/squid/* rmix,
+  /usr/sbin/squid rmix,
+  /usr/sbin/unlinkd mixr,
+
+  /var/cache/squid/** lrw,
+
+  /dev/tty rw,
+  /etc/mtab r,
+  /etc/squid/* r,
+  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/mounts r,
+  /usr/share/squid/** r,
+  /var/log/squid/access.log w,
+  /var/log/squid/cache.log rw,
+  /var/log/squid/store.log w,
+  /{,var/}run/squid.pid lrw,
+
+  /usr/sbin/digest_pw_auth   rmix,
+  /usr/sbin/diskd   rmix,
+  /usr/sbin/getpwname_auth   rmix,
+  /usr/sbin/ip_user_check   rmix,
+  /usr/sbin/msnt_auth   rmix,
+  /usr/sbin/ncsa_auth   rmix,
+  /usr/sbin/no_check.pl   rmix,
+  /usr/sbin/ntlm_auth   rmix,
+  /usr/sbin/pam_auth   rmix,
+  /usr/sbin/rcsquid   rmix,
+  /usr/sbin/smb_auth   rmix,
+  /usr/sbin/smb_auth.pl   rmix,
+  /usr/sbin/smb_auth.sh   rmix,
+  /usr/sbin/squid   rmix,
+  /usr/sbin/squid_ldap_auth   rmix,
+  /usr/sbin/squid_ldap_group   rmix,
+  /usr/sbin/squid_ldapauth   rmix,
+  /usr/sbin/squid_unix_group   rmix,
+  /usr/sbin/squidclient   rmix,
+  /usr/sbin/unlinkd   rmix,
+  /usr/sbin/wbinfo_group.pl   rmix,
+  /usr/sbin/yp_auth   rmix,
+
+}
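Review bot: `/usr/sbin/squid rmix,` and `/usr/sbin/unlinkd` are each listed twice. More important, every authentication helper is `rmix`, so `pam_auth`, `ntlm_auth`, `squid_ldap_auth` and the rest run inside the squid profile with its `/var/cache/squid/** lrw` instead of a small profile of their own; helpers that handle credentials are better given `Px`. The `.pl` helpers (`no_check.pl`, `smb_auth.pl`, `wbinfo_group.pl`) have no interpreter rule, so they will presumably be denied in enforce mode unless a `/usr/bin/perl` rule or `<abstractions/perl>` is added — confirm from the audit log which helpers this host actually uses before trimming the list.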
diff --git a/usr.sbin.sshd b/usr.sbin.sshd
new file mode 100644 (file)
index 0000000..69599a9
--- /dev/null
@@ -0,0 +1,139 @@
+# Last Modified: Wed Jan 18 10:55:22 2012
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# will need to revalidate this profile once we finish re-architecting
+# the change_hat patch.
+#
+
+#include <tunables/global>
+
+/usr/sbin/sshd {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+
+
+  capability audit_control,
+  capability chown,
+  capability dac_override,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+  capability sys_tty_config,
+
+
+  /bin/ash rUx,
+  /bin/bash rUx,
+  /bin/bash2 rUx,
+  /bin/bsh rUx,
+  /bin/csh rUx,
+  /bin/ksh rUx,
+  /bin/sh rUx,
+  /bin/tcsh rUx,
+  /bin/zsh rUx,
+  /dev/ptmx rw,
+  /dev/pts/[0-9]* rw,
+  /dev/urandom r,
+  /etc/** r,
+  /proc/*/oom_adj rw,
+  /proc/*/oom_score_adj rw,
+  /sbin/nologin rUx,
+  /tmp/ssh-*/agent.[0-9]* rwl,
+  /tmp/ssh-*[0-9]*/ w,
+  /usr/sbin/sshd mrix,
+  /var/log/* rw,
+  /{,var/}run w,
+  /{,var/}run/sshd{,.init}.pid wl,
+  @{HOME}/.ssh/authorized_keys{,2} r,
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/[0-9]*/loginuid w,
+  @{PROC}/[0-9]*/mounts r,
+
+
+  ^AUTHENTICATED {
+    #include <abstractions/authentication>
+    #include <abstractions/consoles>
+    #include <abstractions/nameservice>
+    #include <abstractions/wutmp>
+
+    capability setgid,
+    capability setuid,
+    capability sys_tty_config,
+
+
+    /dev/log w,
+    /dev/ptmx rw,
+    /etc/default/passwd r,
+    /etc/localtime r,
+    /etc/login.defs r,
+    /etc/motd r,
+    /tmp/ssh-*/agent.[0-9]* rwl,
+    /tmp/ssh-*[0-9]*/ w,
+
+  }
+
+  ^EXEC {
+    #include <abstractions/base>
+
+
+    /bin/ash Ux,
+    /bin/bash Ux,
+    /bin/bash2 Ux,
+    /bin/bsh Ux,
+    /bin/csh Ux,
+    /bin/ksh Ux,
+    /bin/sh Ux,
+    /bin/tcsh Ux,
+    /bin/zsh Ux,
+    /sbin/nologin Ux,
+
+  }
+
+  ^PRIVSEP {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability setgid,
+    capability setuid,
+    capability sys_chroot,
+
+
+
+  }
+
+  ^PRIVSEP_MONITOR {
+    #include <abstractions/authentication>
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+    #include <abstractions/wutmp>
+
+    capability chown,
+    capability setgid,
+    capability setuid,
+
+
+    /dev/ptmx rw,
+    /dev/pts/[0-9]* rw,
+    /dev/urandom r,
+    /etc/hosts.allow r,
+    /etc/hosts.deny r,
+    /etc/ssh/moduli r,
+    @{HOME}/.ssh/authorized_keys{,2} r,
+    @{PROC}/[0-9]*/mounts r,
+
+  }
+}
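Review bot: `/var/log/* rw,` gives sshd read/write access to every top-level log file, although the login records it maintains are already covered by `<abstractions/wutmp>`; for a network-facing daemon that is a log-tampering exposure and should be cut to the specific files the audit log shows. `/etc/** r,` is likewise broader than the `/etc/ssh/moduli` and `/etc/hosts.{allow,deny}` entries the `^PRIVSEP_MONITOR` hat spells out. The hats only take effect if this sshd carries the change_hat patch the header comment refers to, which an Arch openssh presumably does not; in that case the top-level rule set alone confines the daemon, so it — not the hats — is where the tightening matters.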
diff --git a/usr.sbin.useradd b/usr.sbin.useradd
new file mode 100644 (file)
index 0000000..4c9eb8b
--- /dev/null
@@ -0,0 +1,50 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/useradd {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/perl>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+
+  capability chown,
+  capability dac_override,
+  capability fowner,
+  capability fsetid,
+  capability sys_resource,
+
+  /bin/bash mixr,
+  /etc/.pwd.lock rwk,
+  /etc/default/useradd r,
+  /etc/group* rwl,
+  /etc/gshadow* rwl,
+  /etc/login.defs r,
+  /etc/passwd* rwl,
+  /etc/shadow* rwl,
+  /etc/pwdutils/logging r,
+  /etc/skel r,
+  /etc/skel/** r,
+  @{HOMEDIRS}**  rw,
+  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/filesystems r,
+  /usr/lib*/pwdutils/*so* mr,
+  /usr/sbin/adduser rmix,
+  /usr/sbin/useradd rmix,
+  /usr/sbin/useradd.local rmix,
+  /var/log/faillog rw,
+  /{,var/}run/nscd.pid rw,
+  /var/spool/mail/* rw,
+}
diff --git a/usr.sbin.userdel b/usr.sbin.userdel
new file mode 100644 (file)
index 0000000..6103388
--- /dev/null
@@ -0,0 +1,51 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/userdel {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/perl>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability sys_resource,
+
+  /bin/cat rmix,
+  /bin/bash rmix,
+  /dev/log w,
+  /etc/.pwd.lock rw,
+  /etc/cron.deny r,
+  /etc/default/useradd r,
+  /etc/group* rwl,
+  /etc/gshadow* rwl,
+  /etc/login.defs r,
+  /etc/passwd* rwl,
+  /etc/shadow* rwl,
+  /etc/pwdutils/logging r,
+  @{HOMEDIRS}**  rwl,
+  @{PROC}/[0-9]*/mounts r,
+  /usr/bin/crontab rmix,
+  /usr/lib*/pwdutils/*.so.* mr,
+  /usr/sbin/userdel rmix,
+  /usr/sbin/userdel-post.local rmix,
+  /usr/sbin/userdel-pre.local rmix,
+  /usr/sbin/userdel rmix,
+  # XXX
+  /{,var/}run/nscd.pid r,
+  /var/spool/mail/* wl,
+}
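Review bot: `/usr/sbin/userdel rmix,` appears twice, and the bare `# XXX` above `/{,var/}run/nscd.pid r,` gives a maintainer nothing to act on — state what is unresolved, e.g. `# XXX: useradd grants rw on nscd.pid, userdel only r; confirm which is right`. The useradd hunk does grant `/{,var/}run/nscd.pid rw,` for what is presumably the same signal-nscd step, so one of the two profiles is likely wrong.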
diff --git a/usr.sbin.vsftpd b/usr.sbin.vsftpd
new file mode 100644 (file)
index 0000000..0a8a9c7
--- /dev/null
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/vsftpd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/authentication>
+
+  /dev/urandom               r,
+  /etc/fstab                 r,
+  /etc/hosts.allow           r,
+  /etc/hosts.deny            r,
+  /etc/mtab                  r,
+  /etc/shells               r,
+  /etc/vsftpd.*              r,
+  /etc/vsftpd/*              r,
+  /usr/sbin/vsftpd          rmix,
+  /var/log/vsftpd.log        w,
+  /var/log/xferlog           w,
+  # anon chroots
+  /                          r,
+  /pub                       r,
+  /pub/**                    r,
+  @{HOMEDIRS}                r,
+  @{HOME}/**                 rwl,
+}
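Review bot: This profile has no `capability` rules at all, whereas the xinetd and dhcpd hunks grant `setuid`/`setgid` and friends to their daemons; vsftpd drops to an unprivileged user, chroots anonymous sessions (the `# anon chroots` block) and, when run standalone, binds port 21, each of which needs a capability the profile as written denies. If vsftpd is started from xinetd on this host `net_bind_service` is unnecessary, but `setuid`, `setgid`, `sys_chroot` and probably `chown` for uploads still are; take the exact list from the audit log before enforcing. `@{HOME}/** rwl,` is unqualified — for a daemon that switches uid per session `owner` may be acceptable or too strict, so confirm against the log rather than assume.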
diff --git a/usr.sbin.xinetd b/usr.sbin.xinetd
new file mode 100644 (file)
index 0000000..bbec8ab
--- /dev/null
@@ -0,0 +1,71 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/xinetd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+  /etc/hosts.allow                 r,
+  /etc/hosts.deny                  r,
+  /etc/xinetd.conf                 r,
+  /etc/xinetd.d                    r,
+  /etc/xinetd.d/*                  r,
+  /usr/sbin/xinetd                 rmix,
+  /var/log/xinetd.log              w,
+  /{,var/}run/xinetd.pid              rwl,
+
+  /bin/netstat                     Px,
+  /bin/ps                          mix,
+  /sbin/linuxconf                  Px,
+  /usr/bin/cvs                     Px,
+  /usr/bin/fam                     Px,
+  /usr/bin/kotalkd                 Px,
+  /usr/bin/ktalkd                  Px,
+  /usr/bin/nrpe                    Px,
+  /usr/bin/rsync                   Px,
+  /usr/kerberos/sbin/ftpd          Px,
+  /usr/kerberos/sbin/klogind       Px,
+  /usr/kerberos/sbin/kshd          Px,
+  /usr/kerberos/sbin/telnetd       Px,
+  /usr/lib/amanda/amandad          Px,
+  /usr/lib/amanda/amidxtaped       Px,
+  /usr/lib/amanda/amindexd         Px,
+
+  /usr/lib64/cups/daemon/cups-lpd  Px,
+  /usr/lib/cups/daemon/cups-lpd    Px,
+
+  /usr/sbin/dbskkd-cdb             Px,
+  /usr/sbin/imapd                  Px,
+  /usr/sbin/in.comsat              Px,
+  /usr/sbin/in.fingerd             Px,
+  /usr/sbin/in.ftpd                Px,
+  /usr/sbin/in.httpd-redir         Px,
+  /usr/sbin/in.ntalkd              Px,
+  /usr/sbin/in.rexecd              Px,
+  /usr/sbin/in.rlogind             Px,
+  /usr/sbin/in.rshd                Px,
+  /usr/sbin/in.telnetd             Px,
+  /usr/sbin/in.tftpd               Px,
+  /usr/sbin/ipop2d                 Px,
+  /usr/sbin/ipop3d                 Px,
+  /usr/sbin/popper                 Px,
+  /usr/sbin/rsyncd                 Px,
+  /usr/sbin/swat                   Px,
+  /usr/sbin/tcpd                   Px,
+  /usr/sbin/vsftpd                 Px,
+  /usr/X11R6/bin/vnc_inetd_httpd   Px,
+  /usr/X11R6/bin/Xvnc              Px,
+}
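Review bot: The long list of `Px` transitions at the end of the profile names service paths from other distributions (`/usr/kerberos/sbin/...`, `/usr/X11R6/bin/...`) that will not exist on an Arch host, and for the ones that do exist `Px` requires a matching child profile to be loaded or the exec is denied. Of those targets, only `bin.netstat`, `usr.bin.fam`, `usr.sbin.in.fingerd` and `usr.sbin.vsftpd` are shipped in this commit, so enabling any other service in `/etc/xinetd.d` will fail closed without an obvious cause. Trimming the list to services actually installed, and adding a comment such as `# Px targets need their own loaded profile; exec is denied otherwise (fail-closed)` before the transition rules, would make that behaviour clear to whoever next edits the profile. Note also that `/bin/ps mix` keeps ps inside xinetd's own confinement, which is fine but differs from every other child here.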