aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/base
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/base
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/base')
-rw-r--r--straper/db/public/apparmor/apparmor.d/abstractions/base185
1 files changed, 185 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/base b/straper/db/public/apparmor/apparmor.d/abstractions/base
new file mode 100644
index 0000000..20700db
--- /dev/null
+++ b/straper/db/public/apparmor/apparmor.d/abstractions/base
@@ -0,0 +1,185 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/4.0>,
+
+ include <abstractions/crypto>
+
+ # (Note that the ldd profile has inlined this file; if you make
+ # modifications here, please consider including them in the ldd
+ # profile as well.)
+
+ # The __canary_death_handler function writes a time-stamped log
+ # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+ # and localisations of date should be available EVERYWHERE, so
+ # StackGuard, FormatGuard, etc., alerts can be properly logged.
+ /dev/log w,
+ /dev/random r,
+ /dev/urandom r,
+ # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+ # time and getrandom()/{,u}random and, when available, runs under an
+ # unprivilged, dedicated user).
+ @{run}/uuidd/request r,
+ @{etc_ro}/locale/** r,
+ @{etc_ro}/locale.alias r,
+ @{etc_ro}/localtime r,
+ @{etc_rw}/localtime r,
+ /etc/writable/localtime r,
+ /usr/share/locale-bundle/** r,
+ /usr/share/locale-langpack/** r,
+ /usr/share/locale/ r,
+ /usr/share/locale/** r,
+ /usr/share/**/locale/** r,
+ /usr/share/zoneinfo{,-icu}/ r,
+ /usr/share/zoneinfo{,-icu}/** r,
+ /usr/share/X11/locale/** r,
+ @{run}/systemd/journal/dev-log w,
+ # systemd native journal API (see sd_journal_print(4))
+ @{run}/systemd/journal/socket w,
+ # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+ # be required but applications fail without it. journald doesn't leak
+ # anything when reading so this is ok.
+ @{run}/systemd/journal/stdout rw,
+
+ /usr/lib{,32,64}/locale/** mr,
+ /usr/lib{,32,64}/gconv/*.so mr,
+ /usr/lib{,32,64}/gconv/gconv-modules* mr,
+ /usr/lib/@{multiarch}/gconv/*.so mr,
+ /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
+
+ # used by glibc when binding to ephemeral ports
+ @{etc_ro}/bindresvport.blacklist r,
+
+ # ld.so.cache and ld are used to load shared libraries; they are best
+ # available everywhere
+ @{etc_ro}/ld.so.cache mr,
+ @{etc_ro}/ld.so.conf r,
+ @{etc_ro}/ld.so.conf.d/{,*.conf} r,
+ @{etc_ro}/ld.so.preload r,
+ @{etc_ro}/ld-musl-*.path r,
+ /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
+ /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
+
+ # we might as well allow everything to use common libraries
+ /{usr/,}lib{,32,64}/** r,
+ /{usr/,}lib{,32,64}/**.so* mr,
+ /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib/@{multiarch}/**.so* mr,
+ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
+ /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
+
+ # FIPS-140-2 versions of some crypto libraries need to access their
+ # associated integrity verification file, or they will abort.
+ /{usr/,}lib{,32,64}/.lib*.so*.hmac r,
+ /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
+
+ # /dev/null is pretty harmless and frequently used
+ /dev/null rw,
+ # as is /dev/zero
+ /dev/zero rw,
+ # recent glibc uses /dev/full in preference to /dev/null for programs
+ # that don't have open fds at exec()
+ /dev/full rw,
+
+ # Sometimes used to determine kernel/user interfaces to use
+ @{PROC}/sys/kernel/version r,
+ # Depending on which glibc routine uses this file, base may not be the
+ # best place -- but many profiles require it, and it is quite harmless.
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ # Used to determine if Linux is running in FIPS mode
+ @{PROC}/sys/crypto/fips_enabled r,
+
+ # glibc's sysconf(3) routine to determine free memory, etc
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+ @{PROC}/cpuinfo r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
+ @{sys}/devices/system/cpu/possible r,
+
+ # transparent hugepage support
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ # glibc's *printf protections read the maps file
+ @{PROC}/@{pid}/{maps,auxv,status} r,
+
+ # some applications will display license information
+ /usr/share/common-licenses/** r,
+
+ # glibc statvfs
+ @{PROC}/filesystems r,
+
+ # glibc malloc (man 5 proc)
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace (readby) ...
+ ptrace (readby),
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). Administrators can override with:
+ # deny ptrace (tracedby) ...
+ ptrace (tracedby),
+
+ # Allow us to ptrace read ourselves
+ ptrace (read) peer=@{profile_name},
+
+ # Allow unconfined processes to send us signals by default
+ signal (receive) peer=unconfined,
+
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Checking for PID existence is quite common so add it by default for now
+ signal (receive, send) set=("exists"),
+
+ # Allow us to create and use abstract and anonymous sockets
+ unix peer=(label=@{profile_name}),
+
+ # Allow unconfined processes to us via unix sockets
+ unix (receive) peer=(label=unconfined),
+
+ # Allow us to create abstract and anonymous sockets
+ unix (create),
+
+ # Allow us to getattr, getopt, setop and shutdown on unix sockets
+ unix (getattr, getopt, setopt, shutdown),
+
+ # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
+ # filesystems generally. This does not appreciably decrease security with
+ # Ubuntu profiles because the user is expected to have access to files owned
+ # by him/her. Exceptions to this are explicit in the profiles. While this rule
+ # grants access to those exceptions, the intended privacy is maintained due to
+ # the encrypted contents of the files in this directory. Files in this
+ # directory will also use filename encryption by default, so the files are
+ # further protected. Also, with the use of 'owner', this rule properly
+ # prevents access to the files from processes running under a different uid.
+
+ # encrypted ~/.Private and old-style encrypted $HOME
+ owner @{HOME}/.Private/ r,
+ owner @{HOME}/.Private/** mrixwlk,
+ # new-style encrypted $HOME
+ owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
+ owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+
+
+ # Include additions to the abstraction
+ include if exists <abstractions/base.d>