Cool thanks, I'll check it out.
Just as an FYI, I host some aa profiles on my server. As I see there is renewed interest, please feel free to look at the profiles as well.
If anyone would like, I am accepting profiles from the community as well; send me a PM if you are interested in contributing.
http://bodhizazen.net/aa-profiles/
There are two mistakes one can make along the road to truth...not going all the way, and not starting.
--Prince Gautama Siddharta
Bodhi, I have quite a few of yours installed. Thanks for sharing them.
Code:
#include <tunables/global>
/usr/bin/xchat-gnome {
  #include <abstractions/base>
  /proc/filesystems r,
  #include <abstractions/nameservice>
  /var/run/gdm/auth-for-*-*/database r,
  /usr/share/themes/** r,
  /etc/gnome-vfs-2.0/modules/ r,
  @{HOME}/.ICEauthority r,
  /tmp/orbit-*/linc-*-*-* wr,
  /etc/sound/** r,
  @{HOME}/.xchat2/ wr,
  /usr/share/xchat-gnome/** r,
  /etc/gnome-vfs-2.0/modules/** r,
  @{HOME}/.xchat2/** wr,
  /etc/fonts/** r,
  /var/cache/fontconfig/*-x86.cache-2 r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/lib/pango/** mr,
  /var/lib/defoma/fontconfig.d/** r,
  /usr/share/icons/** r,
  /usr/local/share/icons/ r,
  /usr/share/icons/ r,
  @{HOME}/.config/enchant/ r,
  /usr/share/enchant/** r,
  /usr/share/pixmaps/ r,
  /usr/share/myspell/dicts/ r,
  /var/lib/aspell/** r,
  /usr/share/myspell/dicts/** r,
  /usr/lib/gtk-2.0/** mr,
  @{HOME}/.esd_auth r,
  /var/lib/dbus/machine-id r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/** r,
  /usr/share/mime/** r,
  @{HOME}/.gnome2/accels/xchat-gnome wr,
  @{HOME}/.recently-used.xbel rw,
  @{HOME}/.gtk-bookmarks r,
  @{HOME}/.config/user-dirs.dirs r,
  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r,
  /dev/tty rw,
  /usr/share/xml/iso-codes/** r,
  /usr/lib/xchat-gnome/** mr,
  @{HOME}/.recently-used.xbel.* wr,
  /home/ r,
  /usr/share/libthai/** r,
  /proc/*/fd/ r,
  /usr/bin/xprop ix,
  /usr/lib/firefox-3.5.*/firefox.sh PUx,
}
OpenOffice:
Warning: OpenOffice tries to connect to the internet and read the .mozilla directory.
Code:
# written by qdb
#include <tunables/global>
/usr/lib/openoffice/program/soffice {
  #include <abstractions/base>
  /etc/openoffice/soffice.sh r,
  /usr/bin/stat ix,
  /bin/uname ix,
  /usr/bin/dirname ix,
  /usr/bin/basename ix,
  /proc/filesystems r,
  /usr/lib/ure/bin/javaldx ix,
  #/usr/lib/openoffice/basis3.1/program/pagein ix,
  /usr/lib/openoffice/basis*/program/* ix,
  /sys/devices/system/cpu/ r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  @{HOME}/.openoffice.org/ rw,
  @{HOME}/.openoffice.org/** rw,
  #/var/lib/openoffice/basis3.1/program/services.rdb r,
  /var/lib/openoffice/** rk,
  /usr/lib/openoffice/program/*.bin ix,
  /bin/dash ix,
  /usr/lib/ure/lib/*.so m,
  /etc/openoffice/ r,
  /etc/openoffice/** r,
  /var/run/gdm/auth-for-*-*/database r,
  /usr/share/themes/** r,
  /usr/bin/gconftool-2 ix,
  /var/spool/openoffice/** rkw,
  /usr/lib/ure/share/misc/types.rdb kr,
  /tmp/*.tmp rwk,
  @{HOME}/.execooo* wrm,
  /etc/fonts/** r,
  /tmp/orbit-*/linc-*-*-* wr,
  /usr/lib/openoffice/** k,
  /var/cache/fontconfig/** r,
  /usr/share/fonts/ r,
  /usr/local/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/local/share/fonts/** r,
  /usr/lib/ure/share/misc/services.rdb k,
  /tmp/.execooo* wrm,
  /var/lib/defoma/fontconfig.d/** r,
  /usr/lib/pango/**/*.so m,
  /tmp/OSL_PIPE_1000_SingleOfficeIPC_* wr,
  /tmp/ r,
  /tmp/*.tmp/ wrk,
  /usr/share/icons/** r,
  /usr/lib/gtk-2.0/**/*.so m,
  @{HOME}/.ICEauthority r,
  /usr/bin/paperconf ix,
  /etc/services ix,
  #network inet stream,
  #network inet6 stream,
  /tmp/virtual-*.*/ r,
  /tmp/*.tmp/*.tmp wrk,
  /etc/papersize r,
  /etc/services r,
  #@{HOME}/.mozilla/ r,
  @{HOME}/Загрузки/ r,
  @{HOME}/Загрузки/** r,
  /home/MYSISTER/Загрузки/** w,
  @{HOME}/Документы/ r,
  @{HOME}/Документы/** r,
  /home/MYSISTER/Документы/** w,
  "@{HOME}/Рабочий стол/" r,
  "@{HOME}/Рабочий стол/**" r,
  "/home/MYSISTER/Рабочий стол/**" w,
  / r,
  /{mnt,media}/ r,
  /{mnt,media}/*/ r,
  /{mnt,media}/*/**/ r,
  /{mnt,media}/*/**/*.{doc,DOC,rtf,RTF,txt,TXT,odt,ODT,docx,DOCX,html,HTML,htm,HTM,xml,XML} rw,
  @{HOME}/.recently-used wrk,
  # save
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/** r,
  @{HOME}/.recently-used.xbel* rw,
  /etc/fstab r,
  /proc/*/mounts r,
  @{HOME}/.gtk-bookmarks r,
  /usr/local/share/icons/ r,
  /usr/share/icons/ r,
  /usr/share/pixmaps/ r,
  /usr/local/share/icons/** r,
  /usr/share/icons/** r,
  /usr/share/pixmaps/** r,
  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
  /usr/share/mime/* r,
  @{HOME}/.config/user-dirs.dirs r,
  @{HOME}/ r,
  @{HOME}/* r,
}
In this profile I have not yet made any directory writable in the home directory, but all files are writable for my sister in some directories of her home directory.
And this may complain about additional files if you run OpenOffice for the first time.
Code:
# written by qdb
#include <tunables/global>
/usr/bin/gimp-2.* {
  #include <abstractions/base>
  /proc/filesystems r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  @{HOME}/.gimp-2.*/ wr,
  @{HOME}/.gimp-2.*/** wr,
  @{HOME}/.gegl-0.0/** r,
  /usr/lib/babl-0.0/*.so m,
  /usr/lib/gegl-0.0/*.so m,
  /var/run/gdm/auth-for-*-*/database r,
  /usr/share/themes/** r,
  /etc/gimp/** r,
  /usr/share/gimp/** r,
  /etc/fonts/** r,
  /var/cache/fontconfig/** r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/lib/pango/** m,
  /var/lib/defoma/fontconfig.d/** r,
  @{HOME}/.fontconfig/** rw,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/** r,
  @{HOME}/.recently-used.xbel r,
  /usr/lib/gimp/2.0/plug-ins/script-fu ix,
  /usr/share/icons/** r,
  /usr/share/icons/ r,
  /usr/lib/gtk-2.0/** m,
  /usr/local/share/icons/ r,
  /usr/local/share/icons/** r,
  /usr/share/pixmaps/ r,
  /usr/share/pixmaps/** r,
  /usr/share/mime/* r,
  @{HOME}/ r,
  @{HOME}/Картинки/ r,
  @{HOME}/Картинки/** r,
  @{HOME}/Картинки/gimpocon/ rw,
  @{HOME}/Картинки/gimpocon/** rw,
  /home/MYSISTER/Картинки/** rw,
  @{HOME}/Документы/ r,
  @{HOME}/Документы/** r,
  /home/MYSISTER/Документы/** rw,
  @{HOME}/Загрузки/ r,
  @{HOME}/Загрузки/** r,
  /home/MYSISTER/Загрузки/** rw,
  "@{HOME}/Рабочий стол/" r,
  "@{HOME}/Рабочий стол/**" r,
  "/home/MYSISTER/Рабочий стол/**" rw,
  @{HOME}/Музыка/ r,
  @{HOME}/Музыка/** r,
  /home/MYSISTER/Музыка/** rw,
  @{HOME}/.gtk-bookmarks r,
  @{HOME}/.config/user-dirs.dirs r,
  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
  @{HOME}/.xsession-errors r,
  @{HOME}/* r,
  @{HOME}/.thumbnails/** rw,
  /usr/lib/gimp/2.0/plug-ins/* ix,
  @{HOME}/.recently-used.xbel* rw,
}
File and directory comparer "meld":
Warning: this profile does not allow saving modified files.
Code:
# author: qdb
#include <tunables/global>
/usr/bin/meld {
  #include <abstractions/base>
  #include <abstractions/python>
  /usr/bin/python2.6 ix,
  /usr/bin/meld r,
  /proc/filesystems r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /var/run/gdm/auth-for-*-*/database r,
  /usr/share/themes/** r,
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gnome-vfs-2.0/modules/** r,
  /usr/share/meld/** r,
  /etc/apt/apt.conf.d/ r,
  /tmp/orbit-*/linc-*-*-* wr,
  /etc/fonts/** r,
  /var/cache/fontconfig/*-x86.cache-* r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** r,
  /usr/lib/pango/**/*.so mr,
  /var/lib/defoma/fontconfig.d/** r,
  /usr/share/icons/** r,
  /usr/local/share/icons/** r,
  /usr/share/pixmaps/** r,
  /usr/local/share/icons/ r,
  /usr/share/icons/ r,
  /usr/share/pixmaps/ r,
  /usr/share/gvfs/remote-volume-monitors/ r,
  /usr/share/gvfs/remote-volume-monitors/** r,
  /usr/share/mime/** r,
  /usr/lib/gtk-2.0/**/*.so mr,
  / r,
  /**/ r,
  @{HOME}/.recently-used.xbel rw,
  @{HOME}/.gtk-bookmarks r,
  @{HOME}/.config/user-dirs.dirs r,
  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini rw,
  @{HOME}/.xsession-errors r,
  @{HOME}/.gpilotd.pid r,
  #@{HOME}/erl_crash.dump r,
  @{HOME}/.recently-used.xbel.* wr,
  @{HOME}/.esd_auth r,
  @{HOME}/.pulse-cookie r,
  @{HOME}/.ICEauthority r,
  #@{HOME}/.sudo_as_admin_successful r,
  #@{HOME}/.gksu.lock r,
  #@{HOME}/.bash_history r,
  #@{HOME}/.erlang.cookie r,
  #@{HOME}/.mysql_history r,
  @{HOME}/.dmrc r,
  @{HOME}/* r,
  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini.* rw,
  @{HOME}/Документы/ r,
  @{HOME}/Документы/** r,
  @{HOME}/Загрузки/ r,
  @{HOME}/Загрузки/** r,
  /usr/share/gtksourceview-2.0/** r,
}
Addition to usr.bin.passwd from the apparmor profiles package ...doc.. extra directory:
Code:
# for ubuntu 9.10, added by qdb
/etc/.pwd.lock kr,
/proc/filesystems r,
/var/run/utmp rkw,
/etc/nshadow rw,
capability fsetid,
capability setuid,
/usr/bin/gnome-keyring-daemon PUx,
All my current AppArmor profiles: http://qdb.tmf.org.ru/9.10_ubuntu_apparmor_profillaro/ (for Ubuntu 9.10). These are real, loaded profiles.
New profiles among them:
usr.bin.skype
usr.bin.zekr
usr.sbin.PootleServer
etc.init.d.pootle
usr.bin.rhythmbox
usr.bin.ghex2
usr.bin.liveice
usr.bin.icecast
usr.bin.darkice
usr.bin.emacs23-x
Profiles that I had not mentioned here:
usr.lib.apache2.mpm-worker.apache2
usr.bin.omegat
usr.bin.cronolog
usr.bin.awffull
Added at 15:59 UTC+4:
This site now works only from 6:55 till 23:55 UTC+4.
Last edited by q.dinar; May 24th, 2010 at 12:59 PM.
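A small review helper, added here as an example and not part of any profile posted in this thread, for the profiles above (xchat-gnome, OpenOffice, gimp, meld and the passwd addition). It parses AppArmor file and capability rules, including the quoted paths with spaces used in the OpenOffice and gimp profiles, and lists the entries worth a second look before loading: capability grants, exec transitions that let the child run unconfined (the `PUx` lines for firefox.sh and gnome-keyring-daemon are of that kind) and write access under a whole-home or whole-filesystem glob. The sample profile is constructed for the example; only the standard library is used.

```python
import shlex

# Constructed sample modelled on the xchat-gnome and passwd rules in the thread;
# the "@{HOME}/** rw" line is added here so that a broad-write finding is exercised.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/xchat-gnome {
  #include <abstractions/base>
  @{HOME}/.xchat2/** wr,
  "@{HOME}/Рабочий стол/**" r,
  @{HOME}/** rw,
  /home/MYSISTER/Документы/** w,
  /usr/bin/xprop ix,
  /usr/lib/firefox-3.5.*/firefox.sh PUx,
  capability setuid,
}
"""

# Glob prefixes that cover a whole home directory or the whole filesystem.
BROAD_PREFIXES = ("/", "@{HOME}/")


def parse_rules(text):
    """Return (kind, target, mode) tuples for file and capability rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, '#' comments and '#include' directives, and the
        # 'profile {' / '}' lines, which do not end with a rule comma.
        if not line or line.startswith("#") or not line.endswith(","):
            continue
        body = line[:-1]
        if body.startswith("capability "):
            rules.append(("capability", body.split(None, 1)[1], ""))
            continue
        parts = shlex.split(body)   # unquotes "paths with spaces" as in the thread
        if len(parts) == 2:         # anything else (network, dbus, ...) is not modelled
            rules.append(("file", parts[0], parts[1]))
    return rules


def audit(text):
    """Return (rule, reason) pairs a reviewer should check before loading."""
    findings = []
    for kind, target, mode in parse_rules(text):
        if kind == "capability":
            findings.append((f"capability {target}", "grants a kernel capability"))
        elif "u" in mode.lower():   # Ux, ux, PUx, pux, Cux, cux: child may run unconfined
            findings.append((f"{target} {mode}", "exec target may run unconfined"))
        elif "w" in mode and "*" in target and target.split("*", 1)[0] in BROAD_PREFIXES:
            findings.append((f"{target} {mode}", "write access under a broad glob"))
    return findings
```

Running `audit(open("/etc/apparmor.d/usr.bin.xchat-gnome").read())` on a profile file prints nothing by itself; iterate over the returned list to report the findings.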