base 6.65 KB
Newer Older
1
# vim:syntax=apparmor
2
3
# ------------------------------------------------------------------
#
4
#    Copyright (C) 2002-2009 Novell/SUSE
5
#    Copyright (C) 2009-2011 Canonical Ltd.
6
7
8
9
10
11
12
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

13
  abi <abi/3.0>,
14

15
  include <abstractions/crypto>
16
17
18
19
20
21
22
23
24
25

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log                       w,
26
  /dev/random                    r,
27
  /dev/urandom                   r,
28
29
30
  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  # time and getrandom()/{,u}random and, when available, runs under an
  # unprivilged, dedicated user).
nl6720's avatar
nl6720 committed
31
  @{run}/uuidd/request           r,
32
33
34
  @{etc_ro}/locale/**          r,
  @{etc_ro}/locale.alias       r,
  @{etc_ro}/localtime          r,
35
  /usr/share/locale-bundle/**    r,
36
  /usr/share/locale-langpack/**  r,
37
  /usr/share/locale/**           r,
38
  /usr/share/**/locale/**        r,
39
  /usr/share/zoneinfo/           r,
40
  /usr/share/zoneinfo/**         r,
41
  /usr/share/X11/locale/**       r,
nl6720's avatar
nl6720 committed
42
  @{run}/systemd/journal/dev-log w,
43
  # systemd native journal API (see sd_journal_print(4))
nl6720's avatar
nl6720 committed
44
  @{run}/systemd/journal/socket  w,
45
46
47
  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
  # be required but applications fail without it. journald doesn't leak
  # anything when reading so this is ok.
nl6720's avatar
nl6720 committed
48
  @{run}/systemd/journal/stdout  rw,
49

50
51
52
  /usr/lib{,32,64}/locale/**             mr,
  /usr/lib{,32,64}/gconv/*.so            mr,
  /usr/lib{,32,64}/gconv/gconv-modules*  mr,
Jamie Strandboge's avatar
Jamie Strandboge committed
53
54
  /usr/lib/@{multiarch}/gconv/*.so           mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
55
56

  # used by glibc when binding to ephemeral ports
57
  @{etc_ro}/bindresvport.blacklist    r,
58
59
60

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
61
62
63
64
  @{etc_ro}/ld.so.cache               mr,
  @{etc_ro}/ld.so.conf                r,
  @{etc_ro}/ld.so.conf.d/{,*.conf}    r,
  @{etc_ro}/ld.so.preload             r,
65
66
67
68
69
  /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
  /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
  /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
70
71

  # we might as well allow everything to use common libraries
72
  /{usr/,}lib{,32,64}/**                r,
73
  /{usr/,}lib{,32,64}/**.so*       mr,
74
  /{usr/,}lib/@{multiarch}/**            r,
75
76
77
  /{usr/,}lib/@{multiarch}/**.so*   mr,
  /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so*    mr,
  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so*    mr,
78

79
80
81
82
83
  # FIPS-140-2 versions of some crypto libraries need to access their
  # associated integrity verification file, or they will abort.
  /{usr/,}lib{,32,64}/.lib*.so*.hmac      r,
  /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,

84
85
86
  # /dev/null is pretty harmless and frequently used
  /dev/null                      rw,
  # as is /dev/zero
87
  /dev/zero                      rw,
88
89
90
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full                      rw,
91
92

  # Sometimes used to determine kernel/user interfaces to use
93
  @{PROC}/sys/kernel/version     r,
94
95
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
96
  @{PROC}/sys/kernel/ngroups_max r,
97
98

  # glibc's sysconf(3) routine to determine free memory, etc
99
100
101
  @{PROC}/meminfo                r,
  @{PROC}/stat                   r,
  @{PROC}/cpuinfo                r,
102
103
  @{sys}/devices/system/cpu/       r,
  @{sys}/devices/system/cpu/online r,
104

105
  # glibc's *printf protections read the maps file
106
  @{PROC}/@{pid}/{maps,auxv,status} r,
107

108
109
  # some applications will display license information
  /usr/share/common-licenses/**  r,
110

Kees Cook's avatar
Kees Cook committed
111
112
113
  # glibc statvfs
  @{PROC}/filesystems            r,

114
115
116
  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

117
118
119
  # Allow determining the highest valid capability of the running kernel
  @{PROC}/sys/kernel/cap_last_cap r,

120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
  # Allow other processes to read our /proc entries, futexes, perf tracing and
  # kcmp for now (they will need 'read' in the first place). Administrators can
  # override with:
  #   deny ptrace (readby) ...
  ptrace (readby),

  # Allow other processes to trace us by default (they will need 'trace' in
  # the first place). Administrators can override with:
  #   deny ptrace (tracedby) ...
  ptrace (tracedby),

  # Allow us to ptrace read ourselves
  ptrace (read) peer=@{profile_name},

  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,

  # Allow us to signal ourselves
  signal peer=@{profile_name},

  # Checking for PID existence is quite common so add it by default for now
  signal (receive, send) set=("exists"),

143
144
145
146
147
148
149
150
151
  # Allow us to create and use abstract and anonymous sockets
  unix peer=(label=@{profile_name}),

  # Allow unconfined processes to us via unix sockets
  unix (receive) peer=(label=unconfined),

  # Allow us to create abstract and anonymous sockets
  unix (create),

152
153
  # Allow us to getattr, getopt, setop and shutdown on unix sockets
  unix (getattr, getopt, setopt, shutdown),
154

155
156
157
158
159
160
161
162
163
164
165
  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.

  # encrypted ~/.Private and old-style encrypted $HOME
166
  owner @{HOME}/.Private/ r,
167
  owner @{HOME}/.Private/** mrixwlk,
168
  # new-style encrypted $HOME
169
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
170
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
171

172
173

  # Include additions to the abstraction
174
  include if exists <abstractions/base.d>