From: Frank Brehm Date: Mon, 4 May 2020 08:40:44 +0000 (+0200) Subject: committing changes in /etc after apt run X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=75b5ada6a4ea38c003fc6d46eb12fbd11516df5f;p=config%2Fbruni%2Fetc-mint-new1.git committing changes in /etc after apt run Package changes: +apparmor-profiles 2.12-4ubuntu5.1 all +apparmor-utils 2.12-4ubuntu5.1 amd64 +python3-apparmor 2.12-4ubuntu5.1 amd64 +python3-libapparmor 2.12-4ubuntu5.1 amd64 --- diff --git a/.etckeeper b/.etckeeper index 29592f7..63074ab 100755 --- a/.etckeeper +++ b/.etckeeper @@ -303,6 +303,7 @@ maybe chmod 0644 'apparmor.d/abstractions/svn-repositories' maybe chmod 0644 'apparmor.d/abstractions/ubuntu-bittorrent-clients' maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers' maybe chmod 0755 'apparmor.d/abstractions/ubuntu-browsers.d' +maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser' maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/firefox' maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/java' maybe chmod 0644 'apparmor.d/abstractions/ubuntu-browsers.d/kde' @@ -338,6 +339,9 @@ maybe chmod 0644 'apparmor.d/abstractions/winbind' maybe chmod 0644 'apparmor.d/abstractions/wutmp' maybe chmod 0644 'apparmor.d/abstractions/xad' maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop' +maybe chmod 0755 'apparmor.d/apache2.d' +maybe chmod 0644 'apparmor.d/apache2.d/phpsysinfo' +maybe chmod 0644 'apparmor.d/bin.ping' maybe chmod 0755 'apparmor.d/cache' maybe chmod 0755 'apparmor.d/disable' maybe chmod 0755 'apparmor.d/force-complain' 
@@ -347,25 +351,59 @@ maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.qemu' maybe chmod 0644 'apparmor.d/lightdm-guest-session' maybe chmod 0755 'apparmor.d/local' maybe chmod 0644 'apparmor.d/local/README' +maybe chmod 0644 'apparmor.d/local/bin.ping' maybe chmod 0644 'apparmor.d/local/sbin.dhclient' +maybe chmod 0644 'apparmor.d/local/sbin.klogd' +maybe chmod 0644 'apparmor.d/local/sbin.syslog-ng' +maybe chmod 0644 'apparmor.d/local/sbin.syslogd' +maybe chmod 0644 'apparmor.d/local/usr.bin.chromium-browser' maybe chmod 0644 'apparmor.d/local/usr.bin.evince' maybe chmod 0644 'apparmor.d/local/usr.bin.firefox' maybe chmod 0644 'apparmor.d/local/usr.bin.man' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.anvil' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.auth' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.config' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.deliver' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dict' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dovecot-auth' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.dovecot-lda' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.imap' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.imap-login' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.lmtp' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.log' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.managesieve' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.managesieve-login' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.pop3' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.pop3-login' +maybe chmod 0644 'apparmor.d/local/usr.lib.dovecot.ssl-params' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.oosplash' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport' maybe chmod 0644 
'apparmor.d/local/usr.lib.libvirt.virt-aa-helper' maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine.real' +maybe chmod 0644 'apparmor.d/local/usr.sbin.avahi-daemon' maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.dnsmasq' +maybe chmod 0644 'apparmor.d/local/usr.sbin.dovecot' +maybe chmod 0644 'apparmor.d/local/usr.sbin.identd' maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd' maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.mdnsd' maybe chmod 0644 'apparmor.d/local/usr.sbin.named' +maybe chmod 0644 'apparmor.d/local/usr.sbin.nmbd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.nscd' maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.smbd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.smbldap-useradd' maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump' +maybe chmod 0644 'apparmor.d/local/usr.sbin.traceroute' maybe chmod 0644 'apparmor.d/sbin.dhclient' +maybe chmod 0644 'apparmor.d/sbin.klogd' +maybe chmod 0644 'apparmor.d/sbin.syslog-ng' +maybe chmod 0644 'apparmor.d/sbin.syslogd' maybe chmod 0755 'apparmor.d/tunables' maybe chmod 0644 'apparmor.d/tunables/alias' maybe chmod 0644 'apparmor.d/tunables/apparmorfs' 
@@ -385,27 +423,56 @@ maybe chmod 0644 'apparmor.d/tunables/sys' maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs' maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d' maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local' +maybe chmod 0644 'apparmor.d/usr.bin.chromium-browser' maybe chmod 0644 'apparmor.d/usr.bin.evince' maybe chmod 0644 'apparmor.d/usr.bin.firefox' maybe chmod 0644 'apparmor.d/usr.bin.man' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.anvil' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.auth' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.config' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.deliver' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dict' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dovecot-auth' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.dovecot-lda' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.imap' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.imap-login' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.lmtp' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.log' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.managesieve' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.managesieve-login' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.pop3' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.pop3-login' +maybe chmod 0644 'apparmor.d/usr.lib.dovecot.ssl-params' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.oosplash' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport' maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper' maybe chmod 0644 'apparmor.d/usr.lib.snapd.snap-confine.real' +maybe chmod 0644 'apparmor.d/usr.sbin.avahi-daemon' maybe chmod 0644 'apparmor.d/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/usr.sbin.cupsd' +maybe chmod 0644 'apparmor.d/usr.sbin.dnsmasq' +maybe chmod 0644 
'apparmor.d/usr.sbin.dovecot' +maybe chmod 0644 'apparmor.d/usr.sbin.identd' maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd' maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd' +maybe chmod 0644 'apparmor.d/usr.sbin.mdnsd' maybe chmod 0644 'apparmor.d/usr.sbin.mysqld' maybe chmod 0644 'apparmor.d/usr.sbin.named' +maybe chmod 0644 'apparmor.d/usr.sbin.nmbd' +maybe chmod 0644 'apparmor.d/usr.sbin.nscd' maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd' +maybe chmod 0644 'apparmor.d/usr.sbin.smbd' +maybe chmod 0644 'apparmor.d/usr.sbin.smbldap-useradd' maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump' +maybe chmod 0644 'apparmor.d/usr.sbin.traceroute' maybe chmod 0755 'apparmor/init' maybe chmod 0755 'apparmor/init/network-interface-security' +maybe chmod 0644 'apparmor/logprof.conf' maybe chmod 0644 'apparmor/parser.conf' +maybe chmod 0644 'apparmor/severity.db' maybe chmod 0644 'apparmor/subdomain.conf' maybe chmod 0755 'apport' maybe chmod 0755 'apport/blacklist.d'
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
new file mode 100644
index 0000000..5c67b36
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
@@ -0,0 +1,15 @@
+# This file is updated currently not managed by the package but in the future
+# will be overwritten on upgrades.
+#
+# For site-specific adjustments, please see:
+# /etc/apparmor.d/local/usr.bin.chromium-browser
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
diff --git a/apparmor.d/apache2.d/phpsysinfo b/apparmor.d/apache2.d/phpsysinfo
new file mode 100644
index 0000000..669f7a4
--- /dev/null
+++ b/apparmor.d/apache2.d/phpsysinfo
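Review bot: The nine `#include` directives in this abstraction arrive on this page without their `<…>` targets, so the set of ubuntu-browsers.d abstractions the main chromium profile pulls in cannot be checked from the rendered hunk; anyone reviewing from the page rather than the file should open `/etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser` directly, since every abstraction listed there widens what the browser profile allows. The header comment is also hard to parse as written, `# This file is updated currently not managed by the package but in the future`, and would read better as `# This file is currently not managed by the package, but in the future` followed by `# it will be overwritten on upgrades.`. The pointer to `local/usr.bin.chromium-browser` for site adjustments is the right one to keep, because that file survives package upgrades and this one, per its own comment, eventually will not.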
@@ -0,0 +1,48 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers
+
+ ^phpsysinfo {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ /{,usr/}bin/dash ixr,
+ /{,usr/}bin/df ixr,
+ /{,usr/}bin/mount ixr,
+ /{,usr/}bin/uname ixr,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+ /etc/debian_version r,
+ /etc/lsb-release r,
+ /etc/mtab r,
+ /etc/phpsysinfo/config.php r,
+ /etc/udev/udev.conf r,
+ @{PROC}/** r,
+ /sys/bus/ r,
+ /sys/bus/pci/devices/ r,
+ /sys/bus/pci/slots/ r,
+ /sys/bus/pci/slots/** r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
+ /sys/devices/** r,
+ /usr/bin/ r,
+ /usr/bin/apt-cache ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/lsb_release ixr,
+ /usr/bin/lspci ixr,
+ /usr/bin/who ixr,
+ /usr/{,s}bin/lsusb ixr,
+ /usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/arch r,
+ /var/lib/dpkg/available r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/* r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/{misc,usbutils}/usb.ids r,
+ /var/log/apache2/access.log w,
+ /var/log/apache2/error.log w,
+ /{,var/}run/utmp rk,
+ /usr/share/misc/pci.ids r,
+ }
diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping
new file mode 100644
index 0000000..6c3faa6
--- /dev/null
+++ b/apparmor.d/bin.ping
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+profile ping /{usr/,}bin/ping flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{,usr/}bin/ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
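Review bot: `@{PROC}/** r` in the `^phpsysinfo` hat is the broadest rule in this file: it reads every entry under /proc, including other processes' `cmdline`, `environ` and `maps`, which is far more than a system-information page needs, and `/sys/devices/** r` is similarly wide. The minimal narrowing that keeps the page working is to pair the wildcard with `deny @{PROC}/[0-9]*/environ r,` and `deny @{PROC}/[0-9]*/mem r,`, since deny rules take precedence over the allow; the file is package-shipped (header says last modified 2009), so any local edit should be expected to reappear at the next conffile prompt. As far as this diff shows, the hat is inert anyway: it is only loaded by an apache2 profile that includes `apache2.d`, and no such profile is part of this commit.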
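Review bot: `profile ping /{usr/,}bin/ping flags=(complain)` puts this profile in complain mode, so the `capability net_raw`, `capability setuid` and raw-socket rules are audited but never enforced; the same `flags=(complain)` is on sbin.klogd, sbin.syslog-ng, sbin.syslogd, usr.bin.chromium-browser and every usr.lib.dovecot.* profile added in this commit. That is how the apparmor-profiles package ships its extra profiles, so nothing is wrong with the files themselves, but "committing changes in /etc after apt run" should not be read as these binaries now being confined. If enforcement is wanted, `aa-enforce /etc/apparmor.d/bin.ping` (apparmor-utils is installed by this same apt run) should rewrite the flag in place and the next etckeeper commit will show the change; the empty `local/bin.ping` this commit also adds is the durable place for site rules, since it is not overwritten on package upgrades.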
diff --git a/apparmor.d/local/bin.ping b/apparmor.d/local/bin.ping
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/sbin.klogd b/apparmor.d/local/sbin.klogd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/sbin.syslog-ng b/apparmor.d/local/sbin.syslog-ng
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/sbin.syslogd b/apparmor.d/local/sbin.syslogd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.bin.chromium-browser b/apparmor.d/local/usr.bin.chromium-browser
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.anvil b/apparmor.d/local/usr.lib.dovecot.anvil
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.auth b/apparmor.d/local/usr.lib.dovecot.auth
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.config b/apparmor.d/local/usr.lib.dovecot.config
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.deliver b/apparmor.d/local/usr.lib.dovecot.deliver
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.dict b/apparmor.d/local/usr.lib.dovecot.dict
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.dovecot-auth b/apparmor.d/local/usr.lib.dovecot.dovecot-auth
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.dovecot-lda b/apparmor.d/local/usr.lib.dovecot.dovecot-lda
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.imap b/apparmor.d/local/usr.lib.dovecot.imap
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.imap-login b/apparmor.d/local/usr.lib.dovecot.imap-login
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.lmtp b/apparmor.d/local/usr.lib.dovecot.lmtp
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.log b/apparmor.d/local/usr.lib.dovecot.log
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.managesieve b/apparmor.d/local/usr.lib.dovecot.managesieve
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.managesieve-login b/apparmor.d/local/usr.lib.dovecot.managesieve-login
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.pop3 b/apparmor.d/local/usr.lib.dovecot.pop3
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.pop3-login b/apparmor.d/local/usr.lib.dovecot.pop3-login
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.dovecot.ssl-params b/apparmor.d/local/usr.lib.dovecot.ssl-params
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.avahi-daemon b/apparmor.d/local/usr.sbin.avahi-daemon
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.dnsmasq b/apparmor.d/local/usr.sbin.dnsmasq
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.dovecot b/apparmor.d/local/usr.sbin.dovecot
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.identd b/apparmor.d/local/usr.sbin.identd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.mdnsd b/apparmor.d/local/usr.sbin.mdnsd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.nmbd b/apparmor.d/local/usr.sbin.nmbd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.nscd b/apparmor.d/local/usr.sbin.nscd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.smbd b/apparmor.d/local/usr.sbin.smbd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.smbldap-useradd b/apparmor.d/local/usr.sbin.smbldap-useradd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.traceroute b/apparmor.d/local/usr.sbin.traceroute
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/sbin.klogd b/apparmor.d/sbin.klogd
new file mode 100644
index 0000000..aa94552
--- /dev/null
+++ b/apparmor.d/sbin.klogd
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile klogd /{usr/,}sbin/klogd flags=(complain) {
+ #include
+
+ capability sys_admin, # for backward compatibility with kernel <= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /{usr/,}sbin/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/sbin.syslog-ng b/apparmor.d/sbin.syslog-ng
new file mode 100644
index 0000000..ef8da9b
--- /dev/null
+++ b/apparmor.d/sbin.syslog-ng
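Review bot: `capability sys_admin, # for backward compatibility with kernel <= 2.6.37` grants the widest capability AppArmor knows to klogd on the strength of a kernel generation no 2020 host runs; `capability syslog,` on the following line is the one that reading the kernel ring buffer needs on current kernels. Removing the line in this package-shipped file would be undone at the next upgrade, so the durable place is the empty `local/sbin.klogd` this commit also creates, where `deny capability sys_admin,` takes precedence over the allow in the parent profile. This only has effect once the profile leaves complain mode, and only if `/sbin/klogd` is actually installed on the host, which this diff does not show.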
@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2006-2009 Novell/SUSE
+# Copyright (C) 2006 Christian Boltz
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+#define this to be where syslog-ng is chrooted
+@{CHROOT_BASE}=""
+
+profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability fowner,
+ capability sys_tty_config,
+ capability sys_resource,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log w,
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
+ /dev/kmsg r,
+ /etc/machine-id r,
+ /etc/syslog-ng/* r,
+ /etc/syslog-ng/conf.d/ r,
+ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+ /{usr/,}sbin/syslog-ng mr,
+ /sys/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+ /{var,var/run,run}/log/journal/ r,
+ /{var,var/run,run}/log/journal/*/ r,
+ /{var,var/run,run}/log/journal/*/*.journal r,
+ /{var/,}run/syslog-ng.ctl a,
+ /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/sbin.syslogd b/apparmor.d/sbin.syslogd
new file mode 100644
index 0000000..1466db5
--- /dev/null
+++ b/apparmor.d/sbin.syslogd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile syslogd /{usr/,}sbin/syslogd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability sys_tty_config,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability setgid,
+ capability syslog,
+
+ unix (receive) type=dgram,
+ unix (receive) type=stream,
+
+ /dev/log wl,
+ /var/lib/*/dev/log wl,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+ /etc/syslog.conf r,
+ /{usr/,}sbin/syslogd rmix,
+ /var/log/** rw,
+ /{,var/}run/syslogd.pid krwl,
+ /{,var/}run/utmp rw,
+ /var/spool/compaq/nic/messages_fifo rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.bin.chromium-browser b/apparmor.d/usr.bin.chromium-browser
new file mode 100644
index 0000000..34838ea
--- /dev/null
+++ b/apparmor.d/usr.bin.chromium-browser
@@ -0,0 +1,280 @@
+# Author: Jamie Strandboge
+#include
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium-browser/chromium-browser flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+ # you want access to productivity applications, adjust the following file
+ # accordingly.
+ #include
+
+ # Networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # Should maybe be in abstractions
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/mtab r,
+ /etc/xdg/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ @{PROC}/ r,
+ @{PROC}/vmstat r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ @{PROC}/[0-9]*/task/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/cmdline r,
+ owner @{PROC}/[0-9]*/io r,
+ @{PROC}/[0-9]*/smaps r,
+ owner @{PROC}/[0-9]*/setgroups w,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/statm r,
+ @{PROC}/[0-9]*/status r,
+ deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Newer chromium needs these now
+ /etc/udev/udev.conf r,
+ /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/devices/pci[0-9a-f]*/**/class r,
+ /sys/devices/pci[0-9a-f]*/**/device r,
+ /sys/devices/pci[0-9a-f]*/**/irq r,
+ /sys/devices/pci[0-9a-f]*/**/resource r,
+ /sys/devices/pci[0-9a-f]*/**/vendor r,
+ /sys/devices/pci[0-9a-f]*/**/removable r,
+ /sys/devices/pci[0-9a-f]*/**/block/**/size r,
+ /sys/devices/virtual/block/**/removable r,
+ /sys/devices/virtual/block/**/size r,
+ /sys/devices/**/uevent r,
+ /sys/devices/virtual/tty/tty0/active r,
+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/auxv r,
+
+ # chromium mmaps all kinds of things for speed.
+ /etc/passwd m,
+ /usr/share/fonts/truetype/**/*.tt[cf] m,
+ /usr/share/fonts/**/*.pfb m,
+ /usr/share/mime/mime.cache m,
+ /usr/share/icons/**/*.cache m,
+ owner /{dev,run}/shm/pulse-shm* m,
+ owner @{HOME}/.local/share/mime/mime.cache m,
+ owner /tmp/** m,
+
+ @{PROC}/sys/kernel/shmmax r,
+ owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+ owner /{,var/}run/shm/shmfd-* mrw,
+
+ /usr/lib/chromium-browser/*.pak mr,
+ /usr/lib/chromium-browser/locales/* mr,
+
+ # Noisy
+ deny /usr/lib/chromium-browser/** w,
+
+ # Allow ptracing ourselves
+ ptrace (trace) peer=@{profile_name},
+
+ # Make browsing directories work
+ / r,
+ /**/ r,
+
+ # Allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}** r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # For migration
+ owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+ # Helpers
+ /usr/bin/xdg-open ixr,
+ /usr/bin/gnome-open ixr,
+ /usr/bin/gvfs-open ixr,
+ /usr/bin/kdialog ixr,
+ # TODO: xfce
+
+ # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+ # which is provided by abstractions/ubuntu-browsers.d/user-files).
+ /etc/firefox/profile/bookmarks.html r,
+ owner @{HOME}/.mozilla/** k,
+
+ # Chromium Policies
+ /etc/chromium-browser/policies/** r,
+
+ # Chromium configuration
+ owner @{HOME}/.pki/nssdb/* rwk,
+ owner @{HOME}/.cache/chromium/ rw,
+ owner @{HOME}/.cache/chromium/** rw,
+ owner @{HOME}/.cache/chromium/Cache/* mr,
+ owner @{HOME}/.config/chromium/ rw,
+ owner @{HOME}/.config/chromium/** rwk,
+ owner @{HOME}/.config/chromium/**/Cache/* mr,
+ owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+ owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+ # Allow transitions to ourself and our sandbox
+ /usr/lib/chromium-browser/chromium-browser ix,
+ /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+ /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
+
+ # Allow communicating with sandbox
+ unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
+
+ /bin/ps Uxr,
+ /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/xdg-settings Cxr -> xdgsettings,
+ ptrace (trace) peer=@{profile_name}//xdgsettings,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ ptrace (trace) peer=@{profile_name}//lsb_release,
+
+ # GSettings
+ owner /{,var/}run/user/*/dconf/ rw,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ profile xdgsettings flags=(complain,attach_disconnected) {
+ #include
+ #include
+
+ /bin/dash ixr,
+
+ /etc/ld.so.cache r,
+ /usr/bin/xdg-settings r,
+ /usr/lib/chromium-browser/xdg-settings r,
+ /usr/share/applications/*.desktop r,
+ /usr/share/ubuntu/applications/ r,
+
+ # Checking default browser
+ /bin/grep ixr,
+ /bin/readlink ixr,
+ /bin/sed ixr,
+ /bin/which ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/cut ixr,
+
+ # Setting the default browser
+ /bin/mkdir ixr,
+ /bin/mv ixr,
+ /bin/touch ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/gconftool-2 ix,
+ /usr/bin/[gm]awk ixr,
+ /usr/bin/head ixr,
+ /usr/bin/tr ixr,
+ /usr/bin/xdg-mime ixr,
+ owner @{HOME}/.local/share/applications/ w,
+ owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+ }
+
+ profile lsb_release flags=(complain,attach_disconnected) {
+ #include
+ #include
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-6] mr,
+
+ /etc/default/apport r,
+ /etc/apt/apt.conf.d/ r,
+ /usr/share/dpkg/cputable r,
+ /usr/share/distro-info/* r,
+ }
+
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+profile chromium_browser_sandbox flags=(complain,attach_disconnected) {
+ # Be fanatical since it is setuid root and don't use an abstraction
+ /lib/libgcc_s.so* mr,
+ /lib/@{multiarch}/libgcc_s.so* mr,
+ /lib{,32,64}/libm-*.so* mr,
+ /lib/@{multiarch}/libm-*.so* mr,
+ /lib{,32,64}/libpthread-*.so* mr,
+ /lib/@{multiarch}/libpthread-*.so* mr,
+ /lib{,32,64}/libc-*.so* mr,
+ /lib/@{multiarch}/libc-*.so* mr,
+ /lib{,32,64}/libld-*.so* mr,
+ /lib/@{multiarch}/libld-*.so* mr,
+ /lib{,32,64}/ld-*.so* mr,
+ /lib/@{multiarch}/ld-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+ /usr/lib/libstdc++.so* mr,
+ /usr/lib/@{multiarch}/libstdc++.so* mr,
+ /etc/ld.so.cache r,
+
+ # Required for dropping into PID namespace. Keep in mind that until the
+ # process drops this capability it can escape confinement, but once it
+ # drops CAP_SYS_ADMIN we are ok.
+ capability sys_admin,
+
+ # All of these are for sanely dropping from root and chrooting
+ capability chown,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_chroot,
+
+ capability sys_ptrace,
+ ptrace (read, readby),
+
+ signal (receive) peer=unconfined,
+ signal peer=@{profile_name},
+ signal (receive, send) set=("exists"),
+ signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
+
+ unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
+ unix (create),
+ unix peer=(label=@{profile_name}),
+ unix (getattr, getopt, setopt, shutdown) addr=none,
+
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ deny @{PROC}/[0-9]*/oom_adj w,
+ deny @{PROC}/[0-9]*/oom_score_adj w,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /usr/bin/chromium-browser r,
+ /usr/lib/chromium-browser/chromium-browser Px,
+ /usr/lib/chromium-browser/chromium-browser-sandbox mr,
+ /usr/lib/chromium-browser/chrome-sandbox mr,
+
+ /dev/null rw,
+
+ owner /tmp/** rw,
+ }
+}
diff --git a/apparmor.d/usr.lib.dovecot.anvil b/apparmor.d/usr.lib.dovecot.anvil
new file mode 100644
index 0000000..3d54bc4
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.anvil
@@ -0,0 +1,26 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/anvil flags=(complain) {
+ #include
+ #include
+
+ capability setuid,
+ capability sys_chroot,
+
+ /run/dovecot/anvil rw,
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
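Review bot: The `lsb_release` child profile pins interpreter paths with version globs that are already narrow for a 2020 system — `/usr/include/python2.[4567]/pyconfig.h r,`, `/usr/local/lib/python3.[0-4]/dist-packages/ r,` and `/usr/bin/python3.[0-6] mr,` — so any python3 newer than 3.6 could not be mapped and the `Cxr -> lsb_release` transition would break once the profile is enforced; in complain mode this only surfaces as audit noise. A glob such as `/usr/bin/python3.[0-9]* mr,` keeps the intent without the version ceiling. Separately, `owner /tmp/** m` in the main profile allows executable mappings of any user-owned file under /tmp, which deserves a comment stating why chromium needs it, since it is exactly the kind of grant a later reviewer would otherwise flag. This hunk is complete, but every `#include` target in it is lost in this rendering, so the abstractions it relies on cannot be checked here.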
diff --git a/apparmor.d/usr.lib.dovecot.auth b/apparmor.d/usr.lib.dovecot.auth
new file mode 100644
index 0000000..a6641b0
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.auth
@@ -0,0 +1,53 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/auth flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+
+ /etc/dovecot/* r,
+ /usr/lib/dovecot/auth mr,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ /run/dovecot/auth-master rw,
+ /run/dovecot/auth-worker rw,
+ /run/dovecot/login/login rw,
+ /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+ /{var/,}run/dovecot/stats-user rw,
+ /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+ /var/spool/postfix/private/auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.config b/apparmor.d/usr.lib.dovecot.config
new file mode 100644
index 0000000..4dc4d8f
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.config
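Review bot: `capability dac_override` and `capability dac_read_search` together let the auth process bypass file-permission checks, so the path rules below are the only thing limiting what it reads, and the paths it is given are correspondingly sensitive: `/etc/dovecot/* r` presumably covers the passdb/userdb files, `/etc/my.cnf*` may hold database credentials, and `/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw` is a secret the process itself writes. None of that is out of line for an auth worker, and in complain mode nothing is enforced yet, but a one-line comment above the capability block saying why DAC bypass is needed (reading root-owned credential files while running unprivileged, if that is the reason) would make the grant reviewable later. Note that `/etc/dovecot/* r` does not cross directory boundaries, so `conf.d/` is not covered by it; presumably that is intentional because configuration is served by the config process, but worth confirming.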
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/config flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability dac_override,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.deliver b/apparmor.d/usr.lib.dovecot.deliver
new file mode 100644
index 0000000..e00bf05
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.deliver
@@ -0,0 +1,37 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar
+# Copyright (C) 2009-2014 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/deliver flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ # http://www.postfix.org/SASL_README.html#server_dovecot
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/{auth,conf}.d/*.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/deliver mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
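Review bot: Two rules in the `/usr/lib/dovecot/deliver` profile carry a `# ???` marker instead of a justification — `/etc/dovecot/dovecot-postfix.conf r, # ???` and `@{HOME} r, # ???` — which tells a later maintainer neither why the grant exists nor whether it can be dropped. The first is a config read in the same family as the two lines above it; the second appears to allow reading the home directory of the user being delivered to, which lies outside `@{DOVECOT_MAILSTORE}` and therefore deserves either a stated reason or removal. Replace each `# ???` with the actual reason, or with `# TODO: unexplained grant, remove once confirmed unused`, so the open question lives in the file rather than only in this review.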
diff --git a/apparmor.d/usr.lib.dovecot.dict b/apparmor.d/usr.lib.dovecot.dict
new file mode 100644
index 0000000..4144604
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.dict
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/dict flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.dovecot-auth b/apparmor.d/usr.lib.dovecot.dovecot-auth
new file mode 100644
index 0000000..103e47a
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/dovecot-auth flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+
+ @{PROC}/@{pid}/mounts r,
+ /usr/lib/dovecot/dovecot-auth mr,
+ /{,var/}run/dovecot/** rw,
+ # required for postfix+dovecot integration
+ /var/spool/postfix/private/dovecot-auth w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.dovecot-lda b/apparmor.d/usr.lib.dovecot.dovecot-lda
new file mode 100644
index 0000000..56e62f0
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1,91 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013-2016 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/dovecot-lda flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ owner /tmp/dovecot.lda.* rw,
+ /{var/,}run/dovecot/mounts r,
+ /run/dovecot/auth-userdb rw,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+ /usr/sbin/sendmail Cx,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+
+ profile /usr/sbin/sendmail flags=(complain,attach_disconnected) {
+ # this profile is based on the usr.sbin.sendmail profile in extras
+ # and should support both postfix' and sendmail's sendmail binary
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
+ /etc/aliases.db rw, # actually the same binary
+ /etc/fstab r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/mail/* r,
+ /etc/mail/statistics rw,
+ /etc/mtab r,
+ /etc/postfix/aliases r,
+ /etc/postfix/aliases.db rw, # newaliases again
+ /etc/sendmail.cf r,
+ /etc/sendmail.cw r,
+ /etc/shells r,
+ /proc/loadavg r,
+ /proc/net/if_inet6 r,
+ /root/.forward r,
+ /root/dead.letter w,
+ /usr/bin/procmail Px,
+ /usr/lib/postfix/master Px,
+ /usr/lib/postfix/showq Px,
+ /usr/lib/postfix/smtpd Px,
+ /usr/sbin/postalias Px,
+ /usr/sbin/postdrop Px,
+ /usr/sbin/postfix Px,
+ /usr/sbin/postqueue Px,
+ /usr/sbin/sendmail mrix,
+ /usr/sbin/sendmail.postfix mrix,
+ /usr/sbin/sendmail.sendmail mrix,
+ /{var/,}run/sendmail.pid rwl,
+ /{var/,}run/sm-client.pid rwl,
+ /{var/,}run/utmp rw,
+ /var/spool/clientmqueue/* rwl,
+ /var/spool/mail/* rwl,
+ /var/spool/mqueue/* rwl,
+ /var/spool/postfix/maildrop/* rwl,
+ /var/spool/postfix/public/pickup w,
+ /var/spool/postfix/public/qmgr w,
+ /var/spool/postfix/public/showq w,
+ }
+}
diff --git a/apparmor.d/usr.lib.dovecot.imap b/apparmor.d/usr.lib.dovecot.imap
new file mode 100644
index 0000000..21b346e
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.imap
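Review bot: `/proc/*/mounts r,` in the dovecot-lda profile grants read access to every process's mount table, whereas the dovecot-auth profile and usr.sbin.dovecot in this same commit use `@{PROC}/@{pid}/mounts r,`; if dovecot-lda only needs its own, narrowing it to `@{PROC}/@{pid}/mounts r,` keeps the profiles consistent and smaller. The same wildcard form appears in the lmtp profile hunk. The nested `profile /usr/sbin/sendmail` child carries `capability sys_ptrace,` without a comment saying why a submission binary needs it; a short why-comment, or a check of the audit log before enforcing, would help the next maintainer judge whether it can be dropped. This profile starts in the previous chunk of the page.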
@@ -0,0 +1,46 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/imap flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability setuid,
+ deny capability block_suspend,
+
+ network unix stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ owner /tmp/dovecot.imap.* rw,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
+ /run/dovecot/login/imap rw,
+ /{,var/}run/dovecot/auth-master rw,
+ /{,var/}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.imap-login b/apparmor.d/usr.lib.dovecot.imap-login
new file mode 100644
index 0000000..57e2f8e
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.imap-login
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+/usr/lib/dovecot/imap-login flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+ network unix stream,
+
+ /usr/lib/dovecot/imap-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.lmtp b/apparmor.d/usr.lib.dovecot.lmtp
new file mode 100644
index 0000000..e15b97a
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.lmtp
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/lmtp flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME}/.dovecot.svbin r,
+
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+ /{var/,}run/dovecot/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.log b/apparmor.d/usr.lib.dovecot.log
new file mode 100644
index 0000000..6d1b77d
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.log
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/log flags=(complain,attach_disconnected) {
+ #include
+ #include
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.managesieve b/apparmor.d/usr.lib.dovecot.managesieve
new file mode 100644
index 0000000..cc30985
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.managesieve
@@ -0,0 +1,34 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/managesieve flags=(complain) {
+ #include
+ #include
+
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.managesieve-login b/apparmor.d/usr.lib.dovecot.managesieve-login
new file mode 100644
index 0000000..fcdf5d8
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.managesieve-login
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/managesieve-login flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+ network inet6 stream,
+
+ /usr/lib/dovecot/managesieve-login mr,
+ /{,var/}run/dovecot/login-master-notify* rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.pop3 b/apparmor.d/usr.lib.dovecot.pop3
new file mode 100644
index 0000000..17a0282
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.pop3
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/pop3 flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+ /usr/lib/dovecot/pop3 mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.pop3-login b/apparmor.d/usr.lib.dovecot.pop3-login
new file mode 100644
index 0000000..71d54f6
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.pop3-login
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/pop3-login flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/pop3-login mr,
+ /{,var/}run/dovecot/anvil rw,
+ /{,var/}run/dovecot/login/ r,
+ /{,var/}run/dovecot/login/* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.dovecot.ssl-params b/apparmor.d/usr.lib.dovecot.ssl-params
new file mode 100644
index 0000000..1333813
--- /dev/null
+++ b/apparmor.d/usr.lib.dovecot.ssl-params
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/ssl-params flags=(complain) {
+ #include
+ #include
+
+ /run/dovecot/login/ssl-params rw,
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.avahi-daemon b/apparmor.d/usr.sbin.avahi-daemon
new file mode 100644
index 0000000..6ef625d
--- /dev/null
+++ b/apparmor.d/usr.sbin.avahi-daemon
@@ -0,0 +1,33 @@
+#include
+/usr/sbin/avahi-daemon flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability kill,
+ capability setuid,
+ capability setgid,
+ capability sys_chroot,
+
+ network netlink dgram,
+
+ /etc/avahi/ r,
+ /etc/avahi/avahi-daemon.conf r,
+ /etc/avahi/hosts r,
+ /etc/avahi/services/ r,
+ /etc/avahi/services/*.service r,
+ @{PROC}/@{pid}/fd/ r,
+ /usr/sbin/avahi-daemon mr,
+ /usr/share/avahi/introspection/*.introspect r,
+ /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
+ /{,var/}run/avahi-daemon/ w,
+ /{,var/}run/avahi-daemon/pid krw,
+ /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq
new file mode 100644
index 0000000..da0a760
--- /dev/null
+++ b/apparmor.d/usr.sbin.dnsmasq
@@ -0,0 +1,114 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
+
+#include
+/usr/sbin/dnsmasq flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=/usr/sbin/libvirtd,
+
+ owner /dev/tty rw,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+
+ /usr/sbin/dnsmasq mr,
+
+ /{,var/}run/*dnsmasq*.pid w,
+ /{,var/}run/dnsmasq-forwarders.conf r,
+ /{,var/}run/dnsmasq/ r,
+ /{,var/}run/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ /{,var/}run/libvirt/network/ r,
+ /{,var/}run/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx ->
libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ /{,var/}run/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ /{,var/}run/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /{,var/}run/nm-dns-dnsmasq.conf r,
+ /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+ /{,var/}run/NetworkManager/dnsmasq.conf r,
+ /{,var/}run/NetworkManager/dnsmasq.pid w,
+
+ profile libvirt_leaseshelper flags=(complain) {
+ #include
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ /{,var/}run/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.dovecot b/apparmor.d/usr.sbin.dovecot
new file mode 100644
index 0000000..467e9e5
--- /dev/null
+++ b/apparmor.d/usr.sbin.dovecot
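Review bot: `/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument` runs any configured DHCP script under the dnsmasq profile itself, so the script inherits `capability net_admin`, `capability net_raw` and the `network inet raw` rules granted above it; the same hunk already shows the tighter pattern for the libvirt helper (`Cx -> libvirt_leaseshelper` into a dedicated child profile), which would be the natural model for the script hook on a host that uses one. On a host that configures no `--dhcp-script`, the shell rule could be dropped in the `local/` override so the profile carries no shell transition at all. The rule `/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,` is shown split across two lines on this page; that looks like a rendering artifact rather than the file content, since the profile starts in the previous chunk of the page.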
@@ -0,0 +1,70 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/sbin/dovecot flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
+ @{PROC}/@{pid}/mounts r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
+ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/pop3 mrPx,
+ /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params mrPx,
+ /usr/sbin/dovecot mrix,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,
+ /var/lib/dovecot/ w,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
+ /{,var/}run/dovecot/ rw,
+ /{,var/}run/dovecot/** rw,
+ link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
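Review bot: The exec permission strings in the usr.sbin.dovecot profile mix two spellings of the same rule, `/usr/lib/dovecot/anvil mrPx,` next to `/usr/lib/dovecot/dovecot-auth Pxmr,`; they mean the same thing to the parser, but writing the whole transition list as `mrPx` makes it scannable and makes a stray `ix` or `ux` stand out. Each `Px` target here transitions into one of the per-service profiles added earlier in this commit, and those are all complain-mode, so the master profile's separation of its children is log-only until they are enforced as well.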
diff --git a/apparmor.d/usr.sbin.identd b/apparmor.d/usr.sbin.identd
new file mode 100644
index 0000000..e0e8d7d
--- /dev/null
+++ b/apparmor.d/usr.sbin.identd
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/sbin/identd flags=(complain) {
+ #include
+ #include
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ /etc/identd.conf r,
+ /etc/identd.key r,
+ /etc/identd.pid w,
+ /usr/sbin/identd rmix,
+ @{PROC}/net/tcp r,
+ @{PROC}/net/tcp6 r,
+ /{,var/}run/identd.pid w,
+ /{,var/}run/identd/ w,
+ /{,var/}run/identd/identd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.mdnsd b/apparmor.d/usr.sbin.mdnsd
new file mode 100644
index 0000000..44d2146
--- /dev/null
+++ b/apparmor.d/usr.sbin.mdnsd
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/sbin/mdnsd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ network netlink dgram,
+
+ /usr/sbin/mdnsd rmix,
+
+ @{PROC}/net/ r,
+ @{PROC}/net/unix r,
+ /{,var/}run/mdnsd lw,
+ /{,var/}run/mdnsd.pid w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.nmbd b/apparmor.d/usr.sbin.nmbd
new file mode 100644
index 0000000..a54c1f7
--- /dev/null
+++ b/apparmor.d/usr.sbin.nmbd
@@ -0,0 +1,30 @@
+#include
+
+/usr/sbin/nmbd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /usr/sbin/nmbd mr,
+
+ /var/cache/samba/gencache.tdb rwk,
+ /var/{cache,lib}/samba/browse.dat* rw,
+ /var/{cache,lib}/samba/gencache.dat rw,
+ /var/{cache,lib}/samba/wins.dat* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/cache/samba/msg/ rw,
+ /var/cache/samba/msg/* w,
+
+ /{,var/}run/samba/** rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.nscd b/apparmor.d/usr.sbin.nscd
new file mode 100644
index 0000000..2eeee50
--- /dev/null
+++ b/apparmor.d/usr.sbin.nscd
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+/usr/sbin/nscd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ /etc/netgroup r,
+ /etc/nscd.conf r,
+ /usr/sbin/nscd rmix,
+ /{,var/}run/.nscd_socket wl,
+ /{,var/}run/nscd/ rw,
+ /{,var/}run/nscd/db* rwl,
+ /{,var/}run/nscd/socket wl,
+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{,var/}run/{nscd/,}nscd.pid rwl,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.status r,
+ /var/log/nscd.log rw,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fd/* r,
+ @{PROC}/@{pid}/mounts r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.smbd b/apparmor.d/usr.sbin.smbd
new file mode 100644
index 0000000..33662d3
--- /dev/null
+++ b/apparmor.d/usr.sbin.smbd
@@ -0,0 +1,58 @@
+#include
+
+/usr/sbin/smbd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability audit_write,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/netgroup r,
+ /etc/printcap r,
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/auth/script.so mr,
+ /usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+ /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+ /usr/lib/@{multiarch}/samba/**/ r,
+ /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/sbin/smbd mr,
+ /usr/sbin/smbldap-useradd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
+ /{,var/}run/dbus/system_bus_socket rw,
+ /{,var/}run/samba/** rk,
+ /{,var/}run/samba/ncalrpc/ rw,
+ /{,var/}run/samba/ncalrpc/** rw,
+ /{,var/}run/samba/smbd.pid rw,
+ /{,var/}run/samba/msg.lock/ rw,
+ /{,var/}run/samba/msg.lock/[0-9]* rwk,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.smbldap-useradd b/apparmor.d/usr.sbin.smbldap-useradd
new file mode 100644
index 0000000..497f8ad
--- /dev/null
+++ b/apparmor.d/usr.sbin.smbldap-useradd
@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan 3 00:17:40 2012
+#include
+
+/usr/sbin/smbldap-useradd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ /dev/tty rw,
+ /{,usr/}bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/sbin/smbldap-useradd r,
+ /usr/sbin/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+ profile /etc/init.d/nscd flags=(complain) {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ /{,usr/}bin/bash r,
+ /{,usr/}bin/mountpoint rix,
+ /{,usr/}bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
diff --git a/apparmor.d/usr.sbin.traceroute b/apparmor.d/usr.sbin.traceroute
new file mode 100644
index 0000000..251c72b
--- /dev/null
+++ b/apparmor.d/usr.sbin.traceroute
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+/usr/{sbin/traceroute,bin/traceroute.db} flags=(complain) {
+ #include
+ #include
+ #include
+
+ deny capability net_admin, # noisy setsockopt() calls
+ capability net_raw,
+
+ network inet raw,
+ network inet6 raw,
+
+ /usr/sbin/traceroute mrix,
+ /usr/bin/traceroute.db mrix,
+ @{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor/logprof.conf b/apparmor/logprof.conf
new file mode 100644
index 0000000..18481e6
--- /dev/null
+++ b/apparmor/logprof.conf
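Review bot: In the smbldap-useradd profile, `/{,usr/}bin/bash ix,` lets the shell inherit the profile's own grants, including `/etc/shadow r,` and `/etc/smbldap-tools/smbldap_bind.conf r,`, while the same hunk already confines `/etc/init.d/nscd` through `Cx` into a child profile; if the bash invocation is a fixed helper, giving it the same `Cx` treatment would keep the credential reads out of the shell's reach. The `# Last Modified: Tue Jan 3 00:17:40 2012` header looks like a tool-generated profile from an older host, so it is worth confirming the rule set against this machine's audit log before moving it to enforce.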
@@ -0,0 +1,166 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2004-2006 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+[settings]
+ profiledir = /etc/apparmor.d /etc/subdomain.d
+ inactive_profiledir = /usr/share/apparmor/extra-profiles
+ logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+
+ parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ ldd = /usr/bin/ldd
+ logger = /bin/logger /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+ # 1 - default of what ever mode the log reported
+ # 2 - force the new permissions to be user
+ # 3 - force all perms on the rule to be user
+ default_owner_prompt = 1
+
+ # custom directory locations to look for #includes
+ #
+ # each name should be a valid directory containing possible #include
+ # candidate files under the profile dir which by default is /etc/apparmor.d.
+ #
+ # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
+ # be used by the yast UI and profiling tools as a source of #include
+ # files.
+ custom_includes =
+
+
+[repository]
+ distro = ubuntu-intrepid
+ url = http://apparmor.test.opensuse.org/backend/api
+ preferred_user = ubuntu
+
+[qualifiers]
+ # things will be painfully broken if bash has a profile
+ /bin/bash = icnu
+ /usr/bin/bash = icnu
+ /bin/ksh = icnu
+ /usr/bin/ksh = icnu
+ /bin/dash = icnu
+ /usr/bin/dash = icnu
+
+ # these programs can't function if they're confined
+ /bin/mount = u
+ /usr/bin/mount = u
+ /etc/init.d/subdomain = u
+ /sbin/cardmgr = u
+ /usr/sbin/cardmgr = u
+ /sbin/subdomain_parser = u
+ /usr/sbin/subdomain_parser = u
+ /usr/sbin/genprof = u
+ /usr/sbin/logprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+ /usr/bin/awk = icn
+ /bin/cat = icn
+ /usr/bin/cat = icn
+ /bin/chmod = icn
+ /usr/bin/chmod = icn
+ /bin/chown = icn
+ /usr/bin/chown = icn
+ /bin/cp = icn
+ /usr/bin/cp = icn
+ /bin/gawk = icn
+ /usr/bin/gawk = icn
+ /bin/grep = icn
+ /usr/bin/grep = icn
+ /bin/gunzip = icn
+ /usr/bin/gunzip = icn
+ /bin/gzip = icn
+ /usr/bin/gzip = icn
+ /bin/kill = icn
+ /usr/bin/kill = icn
+ /bin/ln = icn
+ /usr/bin/ln = icn
+ /bin/ls = icn
+ /usr/bin/ls = icn
+ /bin/mkdir = icn
+ /usr/bin/mkdir = icn
+ /bin/mv = icn
+ /usr/bin/mv = icn
+ /bin/readlink = icn
+ /usr/bin/readlink = icn
+ /bin/rm = icn
+ /usr/bin/rm = icn
+ /bin/sed = icn
+ /usr/bin/sed = icn
+ /bin/touch = icn
+ /usr/bin/touch = icn
+ /sbin/killall5 = icn
+ /usr/sbin/killall5 = icn
+ /usr/bin/find = icn
+ /usr/bin/killall = icn
+ /usr/bin/nice = icn
+ /usr/bin/perl = icn
+ /usr/bin/python = icn
+ /usr/bin/python2 = icn
+ /usr/bin/python2.7 = icn
+ /usr/bin/python3 = icn
+ /usr/bin/python3.3 = icn
+ /usr/bin/python3.4 = icn
+ /usr/bin/python3.5 = icn
+ /usr/bin/python3.6 = icn
+ /usr/bin/tr = icn
+
+[required_hats]
+ ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
+ ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
+
+[defaulthat]
+ ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
+ ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI
+
+[globs]
+ # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
+ /lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
+
+ # strip kernel version numbers from kernel module accesses
+ ^/lib/modules/[^\/]+\/ = /lib/modules/*/
+
+ # strip pid numbers from /proc accesses
+ ^/proc/\d+/ = /proc/*/
+
+ # if it looks like a home directory, glob out the username
+ ^/home/[^\/]+ = /home/*
+
+ # if they use any perl modules, grant access to all
+ ^/usr/lib/x86_64-linux-gnu/perl5/5.26/.+$ = /usr/lib/x86_64-linux-gnu/perl5/5.26/**
+ ^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
+
+ # locale foo
+ ^/usr/lib/locale/.+$ = /usr/lib/locale/**
+ ^/usr/share/locale/.+$ = /usr/share/locale/**
+
+ # timezone fun
+ ^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
+
+ # /foobar/fonts/baz -> /foobar/fonts/**
+ /fonts/.+$ = /fonts/**
+
+ # turn /foo/bar/baz.8907234 into /foo/bar/baz.*
+ # BUGBUG - this one looked weird because it would suggest a glob for
+ # BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
+ # \.\d+$ = .*
+
+ # some various /etc/security poo -- dunno about these ones...
+ ^/etc/security/_[^\/]+$ = /etc/security/*
+ ^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
+ ^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
+
+ ^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
+ ^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh
+
diff --git a/apparmor/severity.db b/apparmor/severity.db
new file mode 100644
index 0000000..ed411b5
--- /dev/null
+++ b/apparmor/severity.db
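Review bot: `url = http://apparmor.test.opensuse.org/backend/api` under `[repository]` points the profiling tools at a plain-HTTP, test-named endpoint, and `distro = ubuntu-intrepid` beside it is far out of date; if the repository feature is still consulted by the utilities in this package version, anything fetched from it cannot be integrity-checked in transit, so either confirm the section is ignored or leave it empty in the site copy. `profiledir = /etc/apparmor.d /etc/subdomain.d` and the `subdomain_parser` entries under `[settings]` and `[qualifiers]` are SubDomain-era legacy paths that do nothing here; harmless, but they make the file harder to read and could be pruned locally. The `[globs]` rule `^/home/[^\/]+ = /home/*` also deserves a comment that it widens any per-user home-directory access seen in the log to all users when aa-logprof suggests it. This hunk starts in the previous chunk of the page.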
@@ -0,0 +1,464 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Allow this process to 0wn the machine:
+ CAP_SYS_ADMIN 10
+ CAP_SYS_CHROOT 10
+ CAP_SYS_MODULE 10
+ CAP_SYS_PTRACE 10
+ CAP_SYS_RAWIO 10
+ CAP_MAC_ADMIN 10
+ CAP_MAC_OVERRIDE 10
+# Allow other processes to 0wn the machine:
+ CAP_SETPCAP 9
+ CAP_SETFCAP 9
+ CAP_CHOWN 9
+ CAP_FSETID 9
+ CAP_MKNOD 9
+ CAP_LINUX_IMMUTABLE 9
+ CAP_DAC_OVERRIDE 9
+ CAP_SETGID 9
+ CAP_SETUID 9
+ CAP_FOWNER 9
+# Denial of service, bypass audit controls, information leak
+ CAP_SYS_TIME 8
+ CAP_NET_ADMIN 8
+ CAP_SYS_RESOURCE 8
+ CAP_KILL 8
+ CAP_IPC_OWNER 8
+ CAP_SYS_PACCT 8
+ CAP_SYS_BOOT 8
+ CAP_NET_BIND_SERVICE 8
+ CAP_NET_RAW 8
+ CAP_SYS_NICE 8
+ CAP_LEASE 8
+ CAP_IPC_LOCK 8
+ CAP_SYS_TTY_CONFIG 8
+ CAP_AUDIT_CONTROL 8
+ CAP_AUDIT_WRITE 8
+ CAP_SYSLOG 8
+ CAP_WAKE_ALARM 8
+ CAP_BLOCK_SUSPEND 8
+ CAP_DAC_READ_SEARCH 7
+ CAP_AUDIT_READ 7
+# unused
+ CAP_NET_BROADCAST 0
+
+# filename r w x
+# 'hard drives' are generally 4 10 0
+/**/lost+found/** 5 5 0
+/boot/** 7 10 0
+/etc/passwd* 4 8 0
+/etc/group* 4 8 0
+/etc/shadow* 7 9 0
+/etc/shadow* 7 9 0
+/home/*/.ssh/** 7 9 0
+/home/*/.gnupg/** 5 7 0
+/home/** 4 6 0
+/srv/** 4 6 0
+/proc/** 6 9 0
+/proc/sys/kernel/hotplug 2 10 0
+/proc/sys/kernel/modprobe 2 10 0
+/proc/kallsyms 7 0 0
+/sys/** 4 8 0
+/sys/power/state 2 8 0
+/sys/firmware/** 2 10 0
+/dev/pts/* 8 9 0
+/dev/ptmx 8 9 0
+/dev/pty* 8 9 0
+/dev/null 0 0 0
+/dev/adbmouse 3 8 0
+/dev/ataraid 9 10 0
+/dev/zero 0 0 0
+/dev/agpgart* 8 10 0
+/dev/aio 3 3 0
+/dev/cbd/* 5 5 0
+/dev/cciss/* 4 10 0
+/dev/capi* 4 6 0
+/dev/cfs0 4 10 0
+/dev/compaq/* 4 10 0
+/dev/cdouble* 4 8 0
+/dev/cpu** 5 5 0
+/dev/cpu**microcode 1 10 0
+/dev/double* 4 8 0
+/dev/hd* 4 10 0
+/dev/sd* 4 10 0
+/dev/ida/* 4 10 0
+/dev/input/* 4 8 0
+/dev/mapper/control 4 10 0
+/dev/*mem 8 10 0
+/dev/loop* 4 10 0
+/dev/lp* 0 4 0
+/dev/md* 4 10 0
+/dev/msr 4 10 0
+/dev/nb* 4 10 0
+/dev/ram* 8 10 0
+/dev/rd/* 4 10 0
+/dev/*random 3 1 0
+/dev/sbpcd* 4 0 0
+/dev/rtc 6 0 0
+/dev/sd* 4 10 0
+/dev/sc* 4 10 0
+/dev/sg* 4 10 0
+/dev/st* 4 10 0
+/dev/snd/* 3 8 0
+/dev/usb/mouse* 4 6 0
+/dev/usb/hid* 4 6 0
+/dev/usb/tty* 4 6 0
+/dev/tty* 8 9 0
+/dev/stderr 0 0 0
+/dev/stdin 0 0 0
+/dev/stdout 0 0 0
+/dev/ubd* 4 10 0
+/dev/usbmouse* 4 6 0
+/dev/userdma 8 10 0
+/dev/vcs* 8 9 0
+/dev/xta* 4 10 0
+/dev/zero 0 0 0
+/dev/inittcl 8 10 0
+/dev/log 5 7 0
+/etc/fstab 3 8 0
+/etc/mtab 3 5 0
+/etc/SuSEconfig/* 1 8 0
+/etc/X11/* 2 7 0
+/etc/X11/xinit/* 2 8 0
+/etc/SuSE-release 1 5 0
+/etc/issue* 1 3 0
+/etc/motd 1 3 0
+/etc/aliases.d/* 1 7 0
+/etc/cron* 1 9 0
+/etc/cups/* 2 7 0
+/etc/default/* 3 8 0
+/etc/init.d/* 1 10 0
+/etc/permissions.d/* 1 8 0
+/etc/ppp/* 2 6 0
+/etc/ppp/*secrets 8 6 0
+/etc/profile.d/* 1 8 0
+/etc/skel/* 0 7 0
+/etc/sysconfig/* 4 10 0
+/etc/xinetd.d/* 1 9 0
+/etc/termcap/* 1 4 0
+/etc/ld.so.* 1 9 0
+/etc/pam.d/* 3 9 0
+/etc/udev/* 3 9 0
+/etc/insserv.conf 3 6 0
+/etc/security/* 1 9 0
+/etc/securetty 0 7 0
+/etc/sudoers 4 9 0
+/etc/hotplug/* 2 10 0
+/etc/xinitd.conf 1 9 0
+/etc/gpm/* 2 10 0
+/etc/ssl/** 2 7 0
+/etc/shadow* 5 9 0
+/etc/bash.bashrc 1 9 0
+/etc/csh.cshrc 1 9 0
+/etc/csh.login 1 9 0
+/etc/inittab 1 10 0
+/etc/profile* 1 9 0
+/etc/shells 1 5 0
+/etc/alternatives 1 6 0
+/etc/sysctl.conf 3 7 0
+/etc/dev.d/* 1 8 0
+/etc/manpath.config 1 6 0
+/etc/permissions* 1 8 0
+/etc/evms.conf 3 8 0
+/etc/exports 3 8 0
+/etc/samba/* 5 8 0
+/etc/ssh/* 3 8 0
+/etc/ssh/ssh_host_*key 8 8 0
+/etc/krb5.conf 4 8 0
+/etc/ntp.conf 3 8 0
+/etc/auto.* 3 8 0
+/etc/postfix/* 3 7 0
+/etc/postfix/*passwd* 6 7 0
+/etc/postfix/*cert* 6 7 0
+/etc/foomatic/* 3 5 0
+/etc/printcap 3 5 0
+/etc/youservers 4 9 0
+/etc/grub.conf 7 10 0
+/etc/modules.conf 4 10 0
+/etc/resolv.conf 2 7 0
+/etc/apache2/** 3 7 0
+/etc/apache2/**ssl** 7 7 0
+/etc/subdomain.d/** 6 10 0
+/etc/apparmor.d/** 6 10 0
+/etc/apparmor/** 6 10 0
+/var/log/** 3 8 0
+/var/adm/SuSEconfig/** 3 8 0
+/var/adm/** 3 7 0
+/var/lib/rpm/** 4 8 0
+/var/run/nscd/* 3 3 0
+/var/run/.nscd_socket 3 3 0
+/usr/share/doc/** 1 1 0
+/usr/share/man/** 3 5 0
+/usr/X11/man/** 3 5 0
+/usr/share/info/** 2 4 0
+/usr/share/java/** 2 5 0
+/usr/share/locale/** 2 4 0
+/usr/share/sgml/** 2 4 0
+/usr/share/YaST2/** 3 9 0
+/usr/share/ghostscript/** 3 5 0
+/usr/share/terminfo/** 1 8 0
+/usr/share/latex2html/** 2 4 0
+/usr/share/cups/** 5 6 0
+/usr/share/susehelp/** 2 6 0
+/usr/share/susehelp/cgi-bin/** 3 7 7
+/usr/share/zoneinfo/** 2 7 0
+/usr/share/zsh/** 3 6 0
+/usr/share/vim/** 3 8 0
+/usr/share/groff/** 3 7 0
+/usr/share/vnc/** 3 8 0
+/usr/share/wallpapers/** 2 4 0
+/usr/X11** 3 8 5
+/usr/X11*/bin/XFree86 3 8 8
+/usr/X11*/bin/Xorg 3 8 8
+/usr/X11*/bin/sux 3 8 8
+/usr/X11*/bin/xconsole 3 7 7
+/usr/X11*/bin/xhost 3 7 7
+/usr/X11*/bin/xauth 3 7 7
+/usr/X11*/bin/ethereal 3 6 8
+/usr/lib/ooo-** 3 6 5
+/usr/lib/lsb/** 2 8 8
+/usr/lib/pt_chwon 2 8 5
+/usr/lib/tcl** 2 5 3
+/usr/lib/lib*so* 3 8 4
+/usr/lib/iptables/* 2 8 2
+/usr/lib/x86_64-linux-gnu/perl5/5.26/** 4 10 6
+/usr/lib/*/perl/** 4 10 6
+/usr/lib/*/perl5/** 4 10 6
+/usr/lib/gconv/* 4 7 4
+/usr/lib/locale/** 4 8 0
+/usr/lib/jvm/** 5 7 5
+/usr/lib/sasl*/** 5 8 4
+/usr/lib/jvm-exports/** 5 7 5
+/usr/lib/jvm-private/** 5 7 5
+/usr/lib/python*/** 5 7 5
+/usr/lib/libkrb5* 4 8 4
+/usr/lib/postfix/* 4 7 4
+/usr/lib/rpm/** 4 8 6
+/usr/lib/rpm/gnupg/** 4 9 0
+/usr/lib/apache2** 4 7 4
+/usr/lib/mailman/** 4 6 4
+/usr/bin/ldd 1 7 4
+/usr/bin/netcat 5 7 8
+/usr/bin/clear 2 6 3
+/usr/bin/reset 2 6 3
+/usr/bin/tput 2 6 3
+/usr/bin/tset 2 6 3
+/usr/bin/file 2 6 3
+/usr/bin/ftp 3 7 5
+/usr/bin/busybox 4 8 6
+/usr/bin/rbash 4 8 5
+/usr/bin/screen 3 6 5
+/usr/bin/getfacl 3 7 4
+/usr/bin/setfacl 3 7 9
+/usr/bin/*awk* 3 7 7
+/usr/bin/sudo 2 9 10
+/usr/bin/lsattr 2 6 5
+/usr/bin/chattr 2 7 8
+/usr/bin/sed 3 7 6
+/usr/bin/grep 2 7 2
+/usr/bin/chroot 2 6 10
+/usr/bin/dircolors 2 9 3
+/usr/bin/cut 2 7 2
+/usr/bin/du 2 7 3
+/usr/bin/env 2 7 2
+/usr/bin/head 2 7 2
+/usr/bin/tail 2 7 2
+/usr/bin/install 2 8 4
+/usr/bin/link 2 6 4
+/usr/bin/logname 2 6 2
+/usr/bin/md5sum 2 8 3
+/usr/bin/mkfifo 2 6 10
+/usr/bin/nice 2 7 7
+/usr/bin/nohup 2 7 7
+/usr/bin/printf 2 7 1
+/usr/bin/readlink 2 7 3
+/usr/bin/seq 2 7 1
+/usr/bin/sha1sum 2 8 3
+/usr/bin/shred 2 7 3
+/usr/bin/sort 2 7 3
+/usr/bin/split 2 7 3
+/usr/bin/stat 2 7 4
+/usr/bin/sum 2 8 3
+/usr/bin/tac 2 7 3
+/usr/bin/tail 3 8 4
+/usr/bin/tee 2 7 3
+/usr/bin/test 2 8 4
+/usr/bin/touch 2 7 3
+/usr/bin/tr 2 8 3
+/usr/bin/tsort 2 7 3
+/usr/bin/tty 2 7 3
+/usr/bin/unexpand 2 7 3
+/usr/bin/uniq 2 7 3
+/usr/bin/unlink 2 8 4
+/usr/bin/uptime 2 7 3
+/usr/bin/users 2 8 4
+/usr/bin/vdir 2 8 4
+/usr/bin/wc 2 7 3
+/usr/bin/who 2 8 4
+/usr/bin/whoami 2 8 4
+/usr/bin/yes 1 6 1
+/usr/bin/ed 2 7 5
+/usr/bin/red 2 7 4
+/usr/bin/find 2 8 5
+/usr/bin/xargs 2 7 5
+/usr/bin/ispell 2 7 4
+/usr/bin/a2p 2 7 5
+/usr/bin/perlcc 2 7 5
+/usr/bin/perldoc 2 7 5
+/usr/bin/pod2* 2 7 5
+/usr/bin/prove 2 7 5
+/usr/bin/perl 2 10 7
+/usr/bin/perl* 2 10 7
+/usr/bin/suidperl 2 8 8
+/usr/bin/csh 2 8 8
+/usr/bin/tcsh 2 8 8
+/usr/bin/tree 2 6 5
+/usr/bin/last 2 7 5
+/usr/bin/lastb 2 7 5
+/usr/bin/utmpdump 2 6 5
+/usr/bin/alsamixer 2 6 8
+/usr/bin/amixer 2 6 8
+/usr/bin/amidi 2 6 8
+/usr/bin/aoss 2 6 8
+/usr/bin/aplay 2 6 8
+/usr/bin/aplaymidi 2 6 8
+/usr/bin/arecord 2 6 8
+/usr/bin/arecordmidi 2 6 8
+/usr/bin/aseqnet 2 6 8
+/usr/bin/aserver 2 6 8
+/usr/bin/iecset 2 6 8
+/usr/bin/rview 2 6 5
+/usr/bin/ex 2 7 5
+/usr/bin/enscript 2 6 5
+/usr/bin/genscript 2 6 5
+/usr/bin/xdelta 2 6 5
+/usr/bin/edit 2 6 5
+/usr/bin/vimtutor 2 6 5
+/usr/bin/rvim 2 6 5
+/usr/bin/vim 2 8 7
+/usr/bin/vimdiff 2 8 7
+/usr/bin/aspell 2 6 5
+/usr/bin/xxd 2 6 5
+/usr/bin/spell 2 6 5
+/usr/bin/eqn 2 6 5
+/usr/bin/eqn2graph 2 6 5
+/usr/bin/word-list-compress 2 6 4
+/usr/bin/afmtodit 2 6 4
+/usr/bin/hpf2dit 2 6 4
+/usr/bin/geqn 2 6 4
+/usr/bin/grn 2 6 4
+/usr/bin/grodvi 2 6 4
+/usr/bin/groff 2 6 5
+/usr/bin/groffer 2 6 4
+/usr/bin/grolj4 2 6 4
+/usr/bin/grotty 2 6 4
+/usr/bin/gtbl 2 6 4
+/usr/bin/pic2graph 2 6 4
+/usr/bin/indxbib 2 6 4
+/usr/bin/lkbib 2 6 4
+/usr/bin/lookbib 2 6 4
+/usr/bin/mmroff 2 6 4
+/usr/bin/neqn 2 6 4
+/usr/bin/pfbtops 2 6 4
+/usr/bin/pic 2 6 4
+/usr/bin/tfmtodit 2 6 4
+/usr/bin/tbl 2 6 4
+/usr/bin/post-grohtml 2 6 4
+/usr/bin/pre-grohtml 2 6 4
+/usr/bin/refer 2 6 4
+/usr/bin/soelim 2 6 4
+/usr/bin/disable-paste 2 6 6
+/usr/bin/troff 2 6 4
+/usr/bin/strace-graph 2 6 4
+/usr/bin/gpm-root 2 6 7
+/usr/bin/hltest 2 6 7
+/usr/bin/mev 2 6 6
+/usr/bin/mouse-test 2 6 6
+/usr/bin/strace 2 8 9
+/usr/bin/scsiformat 2 7 10
+/usr/bin/lsscsi 2 7 7
+/usr/bin/scsiinfo 2 7 7
+/usr/bin/sg_* 2 7 7
+/usr/bin/build-classpath 2 6 6
+/usr/bin/build-classpath-directory 2 6 6
+/usr/bin/build-jar-repository 2 6 6
+/usr/bin/diff-jars 2 6 6
+/usr/bin/jvmjar 2 6 6
+/usr/bin/rebuild-jar-repository 2 6 6
+/usr/bin/scriptreplay 2 6 5
+/usr/bin/cal 2 6 3
+/usr/bin/chkdupexe 2 6 5
+/usr/bin/col 2 6 4
+/usr/bin/colcrt 2 6 4
+/usr/bin/colrm 2 6 3
+/usr/bin/column 2 6 4
+/usr/bin/cytune 2 6 6
+/usr/bin/ddate 2 6 3
+/usr/bin/fdformat 2 6 6
+/usr/bin/getopt 2 8 6
+/usr/bin/hexdump 2 6 4
+/usr/bin/hostid 2 6 4
+/usr/bin/ipcrm 2 7 7
+/usr/bin/ipcs 2 7 6
+/usr/bin/isosize 2 6 4
+/usr/bin/line 2 6 4
+/usr/bin/look 2 6 5
+/usr/bin/mcookie 2 7 5
+/usr/bin/mesg 2 6 4
+/usr/bin/namei 2 6 5
+/usr/bin/rename 2 6 5
+/usr/bin/renice 2 6 7
+/usr/bin/rev 2 6 5
+/usr/bin/script 2 6 6
+/usr/bin/ChangeSymlinks 2 8 8
+/usr/bin/setfdprm 2 6 7
+/usr/bin/setsid 2 6 3
+/usr/bin/setterm 2 6 5
+/usr/bin/tailf 2 6 4
+/usr/bin/time 2 6 4
+/usr/bin/ul 2 6 4
+/usr/bin/wall 2 6 5
+/usr/bin/whereis 2 6 4
+/usr/bin/which 2 6 3
+/usr/bin/c_rehash 2 7 6
+/usr/bin/openssl 2 8 6
+/usr/bin/lsdev 2 6 5
+/usr/bin/procinfo 2 6 5
+/usr/bin/socklist 2 6 5
+/usr/bin/filesize 2 6 3
+/usr/bin/linkto 2 6 3
+/usr/bin/mkinfodir 2 6 5
+/usr/bin/old 2 6 4
+/usr/bin/rpmlocate 2 6 5
+/usr/bin/safe-rm 2 8 6
+/usr/bin/safe-rmdir 2 8 6
+/usr/bin/setJava 2 6 1
+/usr/bin/vmstat 2 6 4
+/usr/bin/top 2 6 6
+/usr/bin/pinentry* 2 7 6
+/usr/bin/free 2 8 4
+/usr/bin/pmap 2 6 5
+/usr/bin/slabtop 2 6 4
+/usr/bin/tload 2 6 4
+/usr/bin/watch 2 6 3
+/usr/bin/w 2 6 4
+/usr/bin/pstree.x11 2 6 4
+/usr/bin/pstree 2 6 4
+/usr/bin/snice 2 6 6
+/usr/bin/skill 2 6 7
+/usr/bin/pgrep 2 6 4
+/usr/bin/killall 2 6 7
+/usr/bin/curl 2 7 7
+/usr/bin/slptool 2 7 8
+/usr/bin/ldap* 2 7 7
+/usr/bin/whatis 2 7 5