golden hour
/etc/apparmor.d/abstractions
File/Folder
Size
Actions
X
1.72 KB
apache2-common
849 B
apparmor_api
-
aspell
308 B
audio
1.82 KB
authentication
1.55 KB
base
6.39 KB
bash
1.48 KB
consoles
798 B
cups-client
714 B
dbus
593 B
dbus-accessibility
630 B
dbus-accessibility-strict
637 B
dbus-session
638 B
dbus-session-strict
919 B
dbus-strict
677 B
dconf
246 B
dovecot-common
562 B
dri-common
434 B
dri-enumerate
281 B
enchant
1.96 KB
fcitx
456 B
fcitx-strict
712 B
fonts
2.04 KB
freedesktop.org
1.26 KB
gnome
3.54 KB
gnupg
356 B
ibus
1 KB
kde
2.71 KB
kde-globals-write
298 B
kde-icon-cache-write
138 B
kde-language-write
458 B
kerberosclient
1.14 KB
ldapclient
754 B
libpam-systemd
659 B
likewise
489 B
mdns
457 B
mesa
577 B
mir
593 B
mozc
471 B
mysql
641 B
nameservice
4.96 KB
nis
524 B
nvidia
649 B
opencl
269 B
opencl-common
404 B
opencl-intel
564 B
opencl-mesa
527 B
opencl-nvidia
785 B
opencl-pocl
2.75 KB
openssl
470 B
orbit2
93 B
p11-kit
899 B
perl
872 B
php
1.02 KB
php5
105 B
postfix-common
1.17 KB
private-files
1.51 KB
private-files-strict
1.02 KB
python
1.5 KB
qt5
762 B
qt5-compose-cache-write
278 B
qt5-settings-write
398 B
recent-documents-write
346 B
ruby
906 B
samba
830 B
smbpass
476 B
ssl_certs
1.26 KB
ssl_keys
790 B
svn-repositories
1.61 KB
ubuntu-bittorrent-clients
698 B
ubuntu-browsers
1.63 KB
ubuntu-browsers.d
-
ubuntu-console-browsers
611 B
ubuntu-console-email
601 B
ubuntu-email
977 B
ubuntu-feed-readers
339 B
ubuntu-gnome-terminal
182 B
ubuntu-helpers
3.32 KB
ubuntu-konsole
343 B
ubuntu-media-players
2.18 KB
ubuntu-unity7-base
2.39 KB
ubuntu-unity7-launcher
191 B
ubuntu-unity7-messaging
192 B
ubuntu-xterm
237 B
user-download
876 B
user-mail
837 B
user-manpages
889 B
user-tmp
654 B
user-write
864 B
video
127 B
vulkan
503 B
wayland
580 B
web-data
705 B
winbind
739 B
wutmp
585 B
xad
883 B
xdg-desktop
673 B
Edit: ubuntu-helpers
# Lenient profile that is intended to be used when 'Ux' is desired but
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned by the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be #included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
#    owner matching in the sanitized helper. We could do a better job with
#    this to support root, but it would make the policy harder to understand
#    and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
#    environment must open symlinks directly in order for AppArmor to mediate
#    it. This is confirmed to work with:
#    - compiled code which can load shared libraries
#    - python imports
#    It is known not to work with:
#    - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.
#
# Reading aid for the rules below (AppArmor file-permission letters):
#   r = read, w = write, k = lock, l = link, m = mmap with PROT_EXEC,
#   Pix = exec, transitioning to a matching profile if one is loaded,
#         otherwise inheriting this profile,
#   PUx = exec, transitioning to a matching profile if one is loaded,
#         otherwise running unconfined.
# Lines beginning with '#include' are include directives, not comments.
profile sanitized_helper {
  #include <abstractions/base>
  #include <abstractions/X>

  # Allow all networking
  # Only the inet and inet6 families are named in this body; anything else
  # would have to come from the included abstractions.
  network inet,
  network inet6,

  # Allow all DBus communications
  # The bare 'dbus,' rule carries no bus, name or interface qualifier, so it
  # is not narrowed by the two -strict abstractions included above it.
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dbus-strict>
  dbus,

  # Needed for Google Chrome
  # Grants only the 'trace' permission, and only toward peers whose label
  # matches **//sanitized_helper.
  ptrace (trace) peer=**//sanitized_helper,

  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /{usr/,usr/local/,}{bin,sbin}/* Pixr,

  # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
  /usr/{,local/}lib*/{,**/}* Pixr,

  # Allow exec of software-center scripts. We may need to allow wider
  # permissions for /usr/share, but for now just do this. (LP: #972367)
  /usr/share/software-center/* Pixr,

  # Allow exec of texlive font build scripts (LP: #1010909)
  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,

  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the sanitized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  # NOTE(review): the three *-sandbox paths are the only PUx rules here, i.e.
  # the only execs that may leave AppArmor confinement when no dedicated
  # profile is loaded; audit any addition to this list with that in mind.
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
  /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
  /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
  /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
  /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,

  # Full access
  # Read/write/lock/link on the whole filesystem. Neither 'x' nor 'm' is
  # granted by '/** rwkl'; exec comes only from the Pixr/PUxr rules above and
  # executable mappings only from the explicit *.so rules.
  / r,
  /** rwkl,
  /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,

  # Dangerous files
  # 'deny' overrides the allow rules above; 'owner' restricts each deny to
  # files owned by the confined task's user, and 'audit' logs every hit.
  # The '*.py*' glob also covers suffixes such as .pyc and .pyo.
  audit deny owner /**/* m,              # compiled libraries
  audit deny owner /**/*.py* r,          # python imports
}