Would anyone post the default Jaunty CUPS apparmor profile here? I deleted mine (long story). Reinstalling apparmor does not reinstall the cups profile, nor does installing the extra profiles.
Thanks.
rookcifer, I don't have Jaunty installed, or I would pastebin it for you. However, you should be able to regenerate it by reinstalling the cups package:
```
% dpkg -S /etc/apparmor.d/usr.sbin.cupsd
cups: /etc/apparmor.d/usr.sbin.cupsd
```
SVN server, usr.bin.svnserve:
Update the repository directory as required for your system. I'm not sure why it apparently wants IPv6 UDP services but not IPv4?

```
#include <tunables/global>

/usr/bin/svnserve {
  #include <abstractions/base>

  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  /etc/gai.conf r,
  /tmp/** rwk,
  /var/tmp/** rwk,
  /usr/bin/svnserve r,
  /var/run/svnserve/* rwk,

  # Repository
  /var/lib/SVN/** rwk,
}
```
Racoon ISAKMP service, usr.sbin.racoon:
```
#include <tunables/global>

/usr/sbin/racoon {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_admin,
  network key raw,

  /etc/racoon/** r,
  /proc/*/net/ r,
  /proc/*/net/unix r,
  /usr/sbin/racoon r,
  /var/run/racoon.pid rwk,
  /var/run/racoon/* rwk,
}
```
Zabbix:
usr.sbin.zabbix_agentd:
I'm sure you can provoke the agent into accessing more files on the system to monitor other stats, but so far I haven't seen it try to do so.

```
/usr/sbin/zabbix_agentd {
  #include <abstractions/base>

  capability setgid,
  capability setuid,
  network inet stream,

  /bin/cat rix,
  /bin/dash rix,
  /bin/grep rix,
  /bin/hostname rix,
  /bin/uname rix,
  /etc/group r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/zabbix/zabbix_agentd.conf r,
  /etc/inetd.conf r,
  /etc/services r,
  /etc/gai.conf r,
  /bin/* r,
  /sbin/* r,
  /usr/bin/* r,
  /usr/sbin/* r,
  /boot/* r,
  /var/log/zabbix-agent/* ra,
  /var/run/zabbix-agent/* rwk,
  /proc/ r,
  /proc/*/cmdline r,
  /proc/*/mounts r,
  /proc/*/net/dev r,
  /proc/*/status r,
  /proc/cmdline r,
  /proc/loadavg r,
  /proc/sys/** r,
  /tmp/zabbix/* r,
  /usr/bin/gawk rix,
  /usr/bin/wc rix,
  /usr/bin/who rix,
  /usr/sbin/zabbix_agentd r,
  /var/run/utmp rk,
}
```
Note that I use /tmp/zabbix to dump the output of some cron jobs which the agent later scans to update various stats; you may not need it.
usr.sbin.zabbix_server:
```
#include <tunables/global>

/usr/sbin/zabbix_server {
  #include <abstractions/base>

  capability setgid,
  capability setuid,
  network inet stream,
  network inet6 dgram,

  /etc/gai.conf r,
  /etc/group r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/services r,
  /etc/zabbix/zabbix_server.conf r,
  /usr/sbin/zabbix_server r,
  /var/log/zabbix-server/* ra,
  /var/run/zabbix-server/* rwk,
  /usr/share/mysql/charsets/* r,
  /usr/share/snmp/mibs/* r,
}
```
Thank you for posting those, movieman.
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
#ubuntuforums web interface
Here's my current Firefox 3.5.2 profile:
This profile allows for just about every typical browser usage scenario: mplayer plugins, Flash, PDF viewing, Java plugins, spell check, and opening torrent trackers in Transmission. Also, please note this profile is for Firefox on Kubuntu.

```
# Last Modified: Thu Sep 24 05:34:56 2009
#include <tunables/global>

/usr/lib/firefox-3.5.2/firefox.sh {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/dbus>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/perl>

  deny capability sys_ptrace,
  deny / r,
  deny owner /home/*/.ICEauthority r,
  deny owner /home/*/.Xauthority r,
  deny owner /home/*/.bash** rw,
  deny owner /home/*/.dmrc rw,
  deny owner /home/*/.dvdcss/ rw,
  deny owner /home/*/.gnupg/ rw,
  deny owner /home/*/.pki/ rw,
  deny owner /home/*/.recently-used.xbel r,
  deny owner /home/*/.ssh/ rw,
  deny owner /home/*/ r,
  deny owner /home/*/.VirtualBox/ rw,

  /bin/dash mrix,
  /bin/grep rix,
  /bin/ps rix,
  /bin/sed rix,
  /bin/uname rix,
  /bin/which rix,
  /dev/shm/ r,
  owner /dev/shm/* a,
  /dev/zero mrw,
  /etc/ r,
  /etc/X11/cursors/* r,
  /etc/default/apport r,
  /etc/firefox-3.5/** r,
  /etc/fstab r,
  /etc/gre.d/ r,
  /etc/gre.d/1.9.1.4pre.system.conf r,
  /etc/kde4/kdeglobals r,
  /etc/kde4rc r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mplayer/input.conf r,
  /etc/mplayer/mplayer.conf r,
  /etc/pulse/client.conf r,
  /etc/sound/events/* r,
  /etc/xulrunner-1.9.1/* r,
  owner /home/*/.adobe/ r,
  owner /home/*/.adobe/Flash_Player/*/ r,
  owner /home/*/.cache/ r,
  owner /home/*/.cache/* rwk,
  owner /home/*/.cache/gnome-mplayer/*/ rw,
  owner /home/*/.cache/gnome-mplayer/plugin/* rw,
  owner /home/*/.cache/gnome-mplayer/plugin/*/ w,
  owner /home/*/.config/ r,
  owner /home/*/.config/* r,
  owner /home/*/.config/Trolltech.conf rwk,
  owner /home/*/.config/gtk-2.0/* rw,
  owner /home/*/.config/qtcurve.gtk-icons rw,
  owner /home/*/.dbus/ r,
  owner /home/*/.directory r,
  owner /home/*/.esd_auth r,
  owner /home/*/.fontconfig/* r,
  owner /home/*/.gconf/ r,
  owner /home/*/.gconfd/ r,
  owner /home/*/.gtkrc-2.0-kde4 r,
  owner /home/*/.gvfs/ r,
  owner /home/*/.icedteaplugin/ r,
  owner /home/*/.kde/ r,
  owner /home/*/.kde/share/apps/kpdf/ w,
  owner /home/*/.kde/share/apps/okular/* rw,
  owner /home/*/.kde/share/apps/okular/*/ w,
  owner /home/*/.kde/share/apps/okular/docdata/* w,
  owner /home/*/.kde/share/config/ w,
  owner /home/*/.kde/share/config/gtkrc-2.0 r,
  owner /home/*/.kde/share/config/kdeglobals rk,
  owner /home/*/.kde/share/config/okular* rw,
  owner /home/*/.kde/share/icons/** rw,
  owner /home/*/.local/ r,
  owner /home/*/.local/share/mime/mime.cache r,
  owner /home/*/.macromedia/ r,
  owner /home/*/.macromedia/*/ r,
  owner /home/*/.macromedia/Flash_Player/** rw,
  owner /home/*/.marble/ r,
  owner /home/*/.mozilla/ r,
  owner /home/*/.mozilla/extensions/*/ r,
  owner /home/*/.mozilla/firefox-3.5/** mrwk,
  owner /home/*/.mozilla/firefox/** r,
  owner /home/*/.mplayer/ r,
  owner /home/*/.mplayer/* rw,
  owner /home/*/.nvidia-settings-rc r,
  owner /home/*/.profile r,
  owner /home/*/.pulse-cookie r,
  owner /home/*/.pulse/ rw,
  owner /home/*/.qt/ r,
  owner /home/*/.sudo_as_admin_successful r,
  owner /home/*/.thumbnails/ r,
  owner /home/*/.thumbnails/normal/* r,
  owner /home/*/.update-manager-core/ r,
  owner /home/*/.xine/ r,
  owner /home/*/.xsession-errors r,
  owner /home/*/{Desktop,download}/ rw,
  owner /home/*/{Desktop,download}/** rw,
  owner /home/*/{Documents,Pictures}/ r,
  owner /home/*/{Documents,Pictures}/** ra,
  /proc/ r,
  /proc/*/cmdline r,
  owner /proc/*/fd/ r,
  owner /proc/*/maps r,
  owner /proc/*/mounts r,
  /proc/*/stat r,
  /proc/*/status r,
  owner /proc/*/task/ r,
  /proc/cpuinfo r,
  /proc/meminfo r,
  /proc/stat r,
  /proc/sys/kernel/pid_max r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,
  /sys/devices/system/cpu/ r,
  /usr/bin/basename rix,
  /usr/bin/dcop rix,
  /usr/bin/gnome-mplayer rix,
  /usr/bin/kde4-config rix,
  /usr/bin/mencoder rix,
  /usr/bin/mplayer rix,
  /usr/bin/okular rix,
  /usr/bin/perl rix,
  /usr/bin/ps2pdf rix,
  /usr/bin/setarch rix,
  /usr/bin/transmission px,
  /usr/lib/firefox-3.5.2/firefox-3.5 rix,
  /usr/lib/firefox-3.5.2/firefox.sh rix,
  /usr/lib/kde4/libexec/drkonqi rix,
  /usr/lib/nspluginwrapper/i386/linux/npviewer rix,
  /usr/lib/nspluginwrapper/i386/linux/npviewer.bin rix,
  /usr/lib{,32,64}* mr,
  /usr/lib{,32,64}/** mr,
  /usr/share/kde4/apps/okular/* r,
  /usr/share/kde4/apps/okular/**/ r,
  /usr/share/kde4/config/kdebug.areas r,
  /usr/share/kde4/config/kdebugrc r,
  /usr/share/kde4/config/ui/ui_standards.rc r,
  /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/kdeglobals r,
  /usr/share/kubuntu-default-settings/kde4-profile/default/share/config/oxygenrc r,
  /usr/share/libthai/* r,
  /usr/share/myspell/dicts/ r,
  /usr/share/myspell/dicts/* r,
  /var/lib/flashplugin-installer/npwrapper.libflashplayer.so mr,
}
```
I would like feedback on my deny policies. Firefox tries to read just about the whole /home directory and, as you can see, I have denied quite a few of these directories and it still seems to function just fine. I would also like feedback on /proc. Does FF really need access to all of these /proc directories?
Yes, I realize I did not use the macros @{HOME}, etc. For some reason if I use them, AppArmor does not recognize them in my profile. Perhaps I need to adjust the tunables and/or globals file, but I haven't gotten around to it (though I figured these variables should already be defined).
Firefox is a difficult profile. Many people expect different things from Firefox, from browsing to media, to reading documents, to web page development, to email.
Your profile looks fine. The main thing I do is allow full access to home, then limit what FF does not need, such as ~/.ssh (it is easier to allow all and deny a few than to allow specific access to all the .config files in $HOME).
Also, FYI, there is now a profile for Firefox in 9.10. So I am looking at modifying the default profile more than maintaining my own. Again, Firefox is difficult to maintain as the various directories keep changing.
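The "allow all of home, then deny a few things" layout described in the reply above, written with the @{HOME} variable that the Firefox profile earlier in the thread could not get working, as an added illustration (not a profile from this thread or from Ubuntu). @{HOME} is defined in tunables/home, which tunables/global pulls in, so the profile must start with that include. The executable path is taken from the Firefox profile posted above; the deny list and the remaining rules are illustrative, not a complete browser policy. It assumes the audit, deny and owner qualifiers documented in apparmor.d(5). Two details worth checking in any profile of this shape: a rule ending in a slash (such as /home/*/.ssh/) matches only the directory entry itself, so the .ssh/** form is what keeps the key files out of reach; and explicit deny rules are silent by default, so the audit qualifier is what gets each blocked access into the kernel log where you can see what the browser actually tried.

```apparmor
# Added example profile (not from this thread). Demonstrates the
# "allow home, then deny the sensitive parts" pattern using the
# @{HOME} variable from tunables/home, which tunables/global includes.
# The binary path is taken from the Firefox 3.5.2 profile in the thread;
# the deny list and the remaining rules are illustrative only.
#include <tunables/global>

/usr/lib/firefox-3.5.2/firefox.sh {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Broad grant: the browser may read anything the user owns under home
  # and write only to its own profile and to the download directories.
  owner @{HOME}/ r,
  owner @{HOME}/** r,
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/** mrwk,
  owner @{HOME}/{Desktop,download}/ rw,
  owner @{HOME}/{Desktop,download}/** rw,

  # Explicit deny rules override the grant above. A trailing slash
  # matches only the directory entry, so the ** form is needed to
  # cover the files inside. "audit" makes each blocked attempt show
  # up in the kernel log instead of being dropped quietly.
  audit deny owner @{HOME}/.ssh/ rw,
  audit deny owner @{HOME}/.ssh/** rw,
  audit deny owner @{HOME}/.gnupg/ rw,
  audit deny owner @{HOME}/.gnupg/** rw,
  audit deny owner @{HOME}/.pki/** rw,
  audit deny owner @{HOME}/.bash_history rw,
  # Shell start-up files: readable is fine, writable is not, since a
  # write there would run on the user's next login.
  audit deny owner @{HOME}/.bashrc w,
  audit deny owner @{HOME}/.profile w,

  # The browser's own files (illustrative; a real profile needs the
  # plugin and library rules shown earlier in the thread).
  /usr/lib/firefox-3.5.2/** mr,
  /usr/lib/firefox-3.5.2/firefox.sh rix,
}
```

Load it with apparmor_parser -r on the profile file, start the browser, and read the kernel log: every line produced by an audit deny rule names the path the browser tried to open, which is the evidence to decide whether a deny is too broad or whether a grant can be narrowed further.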
I attach the /etc/apparmor.d content as it was when I installed a new Ubuntu 9.10; there are profiles that worked with Ubuntu 9.04 and Ubuntu 8.10.
2009-12-25 9:58 UTC+3:
The most useful profiles there, I think, are these:
usr.bin.icecast2
usr.bin.ices2
usr.bin.konqueror
usr.bin.pidgin
usr.bin.psi
usr.bin.totem-gstreamer
usr.bin.transmission
usr.bin.wine
usr.bin.xchat
usr.lib.firefox-3.0.15.firefox.sh
usr.sbin.dancer-ircd
usr.sbin.ejabberd
usr.share.virtualbox.VBox.sh
Besides them there are usr.bin.gajim and usr.bin.gossip, but I have not used them enough, just tried them. There is also home.dinar-q.doc.phpcmdl.test2.php for testing a command line PHP script, and there are backup files of Firefox since usr.lib.firefox-3.0.6.firefox.sh~.
10:12 UTC+3: To #60: I also had thought about that but was lazy and thought maybe I would write that later.
2009-12-25 16:38 UTC+3: md5sum: e0f10e74e04a50f58f815e53200c9759
Last edited by q.dinar; December 25th, 2009 at 02:39 PM.
Joel Goguen