diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/base | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/base')
| -rw-r--r-- | straper/db/public/apparmor/apparmor.d/abstractions/base | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/base b/straper/db/public/apparmor/apparmor.d/abstractions/base new file mode 100644 index 0000000..20700db --- /dev/null +++ b/straper/db/public/apparmor/apparmor.d/abstractions/base @@ -0,0 +1,185 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/4.0>, + + include <abstractions/crypto> + + # (Note that the ldd profile has inlined this file; if you make + # modifications here, please consider including them in the ldd + # profile as well.) + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + /dev/random r, + /dev/urandom r, + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + @{etc_ro}/locale/** r, + @{etc_ro}/locale.alias r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + /etc/writable/localtime r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/**/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + /usr/share/X11/locale/** r, + @{run}/systemd/journal/dev-log w, + # systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + @{run}/systemd/journal/stdout rw, + + /usr/lib{,32,64}/locale/** mr, + /usr/lib{,32,64}/gconv/*.so mr, + /usr/lib{,32,64}/gconv/gconv-modules* mr, + /usr/lib/@{multiarch}/gconv/*.so mr, + /usr/lib/@{multiarch}/gconv/gconv-modules* mr, + + # used by glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # ld.so.cache and ld are used to load shared libraries; they are best + # available everywhere + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/{,*.conf} r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, + /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, + /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, + /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr, + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + # we might as well allow everything to use common libraries + /{usr/,}lib{,32,64}/** r, + /{usr/,}lib{,32,64}/**.so* mr, + /{usr/,}lib/@{multiarch}/** r, + /{usr/,}lib/@{multiarch}/**.so* mr, + /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, + /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, + + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + /{usr/,}lib{,32,64}/.lib*.so*.hmac r, + /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r, + + # /dev/null is pretty harmless and frequently used + /dev/null rw, + # as is /dev/zero + /dev/zero rw, + # recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + # Depending on which glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + + # glibc's sysconf(3) routine to determine free memory, etc + @{PROC}/meminfo r, + @{PROC}/stat r, + @{PROC}/cpuinfo r, + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + + # transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # glibc's *printf protections read the maps file + @{PROC}/@{pid}/{maps,auxv,status} r, + + # some applications will display license information + /usr/share/common-licenses/** r, + + # glibc statvfs + @{PROC}/filesystems r, + + # glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace (readby) ... + ptrace (readby), + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). Administrators can override with: + # deny ptrace (tracedby) ... + ptrace (tracedby), + + # Allow us to ptrace read ourselves + ptrace (read) peer=@{profile_name}, + + # Allow unconfined processes to send us signals by default + signal (receive) peer=unconfined, + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=("exists"), + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix (receive) peer=(label=unconfined), + + # Allow us to create abstract and anonymous sockets + unix (create), + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked + # filesystems generally. This does not appreciably decrease security with + # Ubuntu profiles because the user is expected to have access to files owned + # by him/her. Exceptions to this are explicit in the profiles. While this rule + # grants access to those exceptions, the intended privacy is maintained due to + # the encrypted contents of the files in this directory. Files in this + # directory will also use filename encryption by default, so the files are + # further protected. Also, with the use of 'owner', this rule properly + # prevents access to the files from processes running under a different uid. + + # encrypted ~/.Private and old-style encrypted $HOME + owner @{HOME}/.Private/ r, + owner @{HOME}/.Private/** mrixwlk, + # new-style encrypted $HOME + owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, + owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + + + # Include additions to the abstraction + include if exists <abstractions/base.d> |
