1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
[settings]
profiledir = ../../profiles/apparmor.d
inactive_profiledir = ../../profiles/apparmor/profiles/extras
logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
parser = ../../parser/apparmor_parser ../parser/apparmor_parser
logger = /bin/logger /usr/bin/logger
# customize how file ownership permissions are presented
# 0 - off
# 1 - default of what ever mode the log reported
# 2 - force the new permissions to be user
# 3 - force all perms on the rule to be user
default_owner_prompt = 1
# custom directory locations to look for #includes
#
# each name should be a valid directory containing possible #include
# candidate files under the profile dir which by default is /etc/apparmor.d.
#
# So an entry of my-includes will allow /etc/apparmor.d/my-includes to
# be used by the yast UI and profiling tools as a source of #include
# files.
custom_includes =
[qualifiers]
# things will be painfully broken if bash has a profile
/bin/bash = icnu
/bin/ksh = icnu
/bin/dash = icnu
# these programs can't function if they're confined
/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u
# these ones shouldn't have their own profiles
/bin/awk = icn
/bin/cat = icn
/bin/chmod = icn
/bin/chown = icn
/bin/cp = icn
/bin/gawk = icn
/bin/grep = icn
/bin/gunzip = icn
/bin/gzip = icn
/bin/kill = icn
/bin/ln = icn
/bin/ls = icn
/bin/mkdir = icn
/bin/mv = icn
/bin/readlink = icn
/bin/rm = icn
/bin/sed = icn
/bin/touch = icn
/sbin/killall5 = icn
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
/usr/bin/perl = icn
/usr/bin/tr = icn
[required_hats]
^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
[defaulthat]
^.+/apache(|2|2-prefork)$ = DEFAULT_URI
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI
[globs]
# /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
/lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
# strip kernel version numbers from kernel module accesses
^/lib/modules/[^\/]+\/ = /lib/modules/*/
# strip pid numbers from /proc accesses
^/proc/\d+/ = /proc/*/
# if it looks like a home directory, glob out the username
^/home/[^\/]+ = /home/*
# if they use any perl modules, grant access to all
^/usr/lib/perl5/.+$ = /usr/lib/perl5/**
^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
^/usr/share/locale/.+$ = /usr/share/locale/**
# timezone fun
^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
# /foobar/fonts/baz -> /foobar/fonts/**
/fonts/.+$ = /fonts/**
# turn /foo/bar/baz.8907234 into /foo/bar/baz.*
# BUGBUG - this one looked weird because it would suggest a glob for
# BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
# \.\d+$ = .*
# some various /etc/security poo -- dunno about these ones...
^/etc/security/_[^\/]+$ = /etc/security/*
^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh
|
