AppArmor tcpdump
Dec 15 22:20:55 nilesh kernel: [60252.781731] type=1400 audit(1418710855.725:1890): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.781832] type=1400 audit(1418710855.725:1891): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.781893] type=1400 audit(1418710855.725:1892): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.781926] type=1400 audit(1418710855.725:1893): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.781968] type=1400 audit(1418710855.725:1894): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782000] type=1400 audit(1418710855.725:1895): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782040] type=1400 audit(1418710855.725:1896): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782071] type=1400 audit(1418710855.725:1897): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782111] type=1400 audit(1418710855.725:1898): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782141] type=1400 audit(1418710855.725:1899): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782180] type=1400 audit(1418710855.725:1900): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782211] type=1400 audit(1418710855.725:1901): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782249] type=1400 audit(1418710855.725:1902): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782279] type=1400 audit(1418710855.725:1903): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782318] type=1400 audit(1418710855.725:1904): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782348] type=1400 audit(1418710855.725:1905): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782386] type=1400 audit(1418710855.725:1906): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782416] type=1400 audit(1418710855.725:1907): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782455] type=1400 audit(1418710855.725:1908): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782484] type=1400 audit(1418710855.725:1909): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782523] type=1400 audit(1418710855.725:1910): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782553] type=1400 audit(1418710855.725:1911): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782591] type=1400 audit(1418710855.725:1912): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782621] type=1400 audit(1418710855.725:1913): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782659] type=1400 audit(1418710855.725:1914): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782689] type=1400 audit(1418710855.725:1915): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782727] type=1400 audit(1418710855.725:1916): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782757] type=1400 audit(1418710855.725:1917): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782795] type=1400 audit(1418710855.725:1918): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782825] type=1400 audit(1418710855.725:1919): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768 | |
Dec 15 22:20:55 nilesh kernel: [60252.782926] type=1400 audit(1418710855.725:1920): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="inet" sock_type="dgram" protocol=0 |
# NOTE(review): this text looks like preprocessor output (e.g. apparmor_parser -p):
# each '##included <...>' line appears to mark where an '#include <...>' directive
# was expanded inline, so the repeated copyright banners below are the headers of
# the included tunables/abstractions files, not duplicated policy. Edits belong in
# the real files (or local/usr.sbin.tcpdump), not in this expanded copy.
# vim:syntax=apparmor | |
# Last Modified: Wed Feb 3 07:58:30 2009 | |
# Author: Jamie Strandboge <jamie@canonical.com> | |
##included <tunables/global> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2006-2009 Novell/SUSE | |
# Copyright (C) 2010-2011 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# All the tunables definitions that should be available to every profile | |
# should be included here | |
##included <tunables/home> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2006-2009 Novell/SUSE | |
# Copyright (C) 2010 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# @{HOME} is a space-separated list of all user home directories. While | |
# it doesn't refer to a specific home directory (AppArmor doesn't | |
# enforce discretionary access controls) it can be used as if it did | |
# refer to a specific home directory | |
# Expands to every directory directly under @{HOMEDIRS} plus /root/; the
# 'owner' qualifier on the rules that use it (in the profile below) is what
# restricts a match to files owned by the calling uid.
@{HOME}=@{HOMEDIRS}/*/ /root/ | |
# @{HOMEDIRS} is a space-separated list of where user home directories | |
# are stored, for programs that must enumerate all home directories on a | |
# system. | |
@{HOMEDIRS}=/home/ | |
# Also, include files in tunables/home.d for site-specific adjustments to | |
# @{HOMEDIRS}. | |
##included <tunables/home.d> | |
# This file is auto-generated. It is recommended you update it using: | |
# $ sudo dpkg-reconfigure apparmor | |
# | |
# The following is a space-separated list of where additional user home | |
# directories are stored, each must have a trailing '/'. Directories added | |
# here are appended to @{HOMEDIRS}. See tunables/home for details. | |
#@{HOMEDIRS}+= | |
##included <tunables/multiarch> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2010 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# @{multiarch} is the set of patterns matching multi-arch library | |
# install prefixes. | |
@{multiarch}=*-linux-gnu* | |
# Also, include files in tunables/multiarch.d for site and packaging | |
# specific adjustments to @{multiarch}. | |
##included <tunables/multiarch.d> | |
##included <tunables/proc> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2006 Novell/SUSE | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# @{PROC} is the location where procfs is mounted. | |
@{PROC}=/proc/ | |
##included <tunables/alias> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2010 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# Alias rules can be used to rewrite paths and are done after variable | |
# resolution. For example, if '/usr' is on removable media: | |
# alias /usr/ -> /mnt/usr/, | |
# | |
# Or if mysql databases are stored in /home: | |
# alias /var/lib/mysql/ -> /home/mysql/, | |
# NOTE(review): flags=(complain) means a violation is logged as apparmor="ALLOWED"
# and is NOT blocked. The audit lines on this page report apparmor="DENIED" for
# profile="/usr/sbin/tcpdump", so the profile that was loaded in the kernel when
# they were logged was enforcing and/or did not contain the rules below -- the
# packet-family sockets are covered by 'network raw,' / 'network packet,' and the
# inet/dgram socket by 'network inet dgram,' in the kerberosclient include. This
# most likely means the file was edited but not reloaded (apparmor_parser -r) or
# the mode was switched after the log was taken; check `aa-status` before reading
# that log against this text.
/usr/sbin/tcpdump flags=(complain) { | |
##included <abstractions/base> | |
# vim:syntax=apparmor | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2009 Novell/SUSE | |
# Copyright (C) 2009-2011 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# (Note that the ldd profile has inlined this file; if you make | |
# modifications here, please consider including them in the ldd | |
# profile as well.) | |
# The __canary_death_handler function writes a time-stamped log | |
# message to /dev/log for logging by syslogd. So, /dev/log, timezones, | |
# and localisations of date should be available EVERYWHERE, so | |
# StackGuard, FormatGuard, etc., alerts can be properly logged. | |
/dev/log w, | |
/dev/random r, | |
/dev/urandom r, | |
/etc/locale/** r, | |
/etc/locale.alias r, | |
/etc/localtime r, | |
/usr/share/locale-langpack/** r, | |
/usr/share/locale/** r, | |
/usr/share/**/locale/** r, | |
/usr/share/zoneinfo/ r, | |
/usr/share/zoneinfo/** r, | |
/usr/share/X11/locale/** r, | |
/usr/lib{,32,64}/locale/** mr, | |
/usr/lib{,32,64}/gconv/*.so mr, | |
/usr/lib{,32,64}/gconv/gconv-modules* mr, | |
/usr/lib/@{multiarch}/gconv/*.so mr, | |
/usr/lib/@{multiarch}/gconv/gconv-modules mr, | |
# used by glibc when binding to ephemeral ports | |
/etc/bindresvport.blacklist r, | |
# ld.so.cache and ld are used to load shared libraries; they are best | |
# available everywhere | |
/etc/ld.so.cache mr, | |
/lib{,32,64}/ld{,32,64}-*.so mrix, | |
/lib{,32,64}/**/ld{,32,64}-*.so mrix, | |
/lib/@{multiarch}/ld{,32,64}-*.so mrix, | |
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix, | |
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix, | |
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix, | |
# we might as well allow everything to use common libraries | |
/lib{,32,64}/** r, | |
/lib{,32,64}/lib*.so* mr, | |
/lib{,32,64}/**/lib*.so* mr, | |
/lib/@{multiarch}/** r, | |
/lib/@{multiarch}/lib*.so* mr, | |
/lib/@{multiarch}/**/lib*.so* mr, | |
/usr/lib{,32,64}/** r, | |
/usr/lib{,32,64}/*.so* mr, | |
/usr/lib{,32,64}/**/lib*.so* mr, | |
/usr/lib/@{multiarch}/** r, | |
/usr/lib/@{multiarch}/lib*.so* mr, | |
/usr/lib/@{multiarch}/**/lib*.so* mr, | |
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr, | |
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr, | |
# /dev/null is pretty harmless and frequently used | |
/dev/null rw, | |
# as is /dev/zero | |
/dev/zero rw, | |
# recent glibc uses /dev/full in preference to /dev/null for programs | |
# that don't have open fds at exec() | |
/dev/full rw, | |
# Sometimes used to determine kernel/user interfaces to use | |
@{PROC}/sys/kernel/version r, | |
# Depending on which glibc routine uses this file, base may not be the | |
# best place -- but many profiles require it, and it is quite harmless. | |
@{PROC}/sys/kernel/ngroups_max r, | |
# glibc's sysconf(3) routine to determine free memory, etc | |
@{PROC}/meminfo r, | |
@{PROC}/stat r, | |
@{PROC}/cpuinfo r, | |
# glibc's *printf protections read the maps file | |
@{PROC}/*/maps r, | |
# libgcrypt reads some flags from /proc | |
@{PROC}/sys/crypto/* r, | |
# some applications will display license information | |
/usr/share/common-licenses/** r, | |
# glibc statvfs | |
@{PROC}/filesystems r, | |
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked | |
# filesystems generally. This does not appreciably decrease security with | |
# Ubuntu profiles because the user is expected to have access to files owned | |
# by him/her. Exceptions to this are explicit in the profiles. While this rule | |
# grants access to those exceptions, the intended privacy is maintained due to | |
# the encrypted contents of the files in this directory. Files in this | |
# directory will also use filename encryption by default, so the files are | |
# further protected. Also, with the use of 'owner', this rule properly | |
# prevents access to the files from processes running under a different uid. | |
# encrypted ~/.Private and old-style encrypted $HOME | |
owner @{HOME}/.Private/** mrixwlk, | |
# new-style encrypted $HOME | |
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, | |
##included <abstractions/nameservice> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2009 Novell/SUSE | |
# Copyright (C) 2009-2011 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# Many programs wish to perform nameservice-like operations, such as | |
# looking up users by name or id, groups by name or id, hosts by name | |
# or IP, etc. These operations may be performed through files, dns, | |
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. | |
/etc/group r, | |
/etc/host.conf r, | |
/etc/hosts r, | |
/etc/ldap.conf r, | |
# NOTE(review): ldap.secret holds the LDAP bind credential; it is readable here
# only because the nameservice abstraction is pulled in wholesale. tcpdump does
# not need it -- a candidate for an override in local/usr.sbin.tcpdump.
/etc/ldap.secret r, | |
/etc/nsswitch.conf r, | |
/etc/gai.conf r, | |
/etc/passwd r, | |
/etc/protocols r, | |
/etc/resolv.conf r, | |
# on systems using resolvconf, /etc/resolv.conf is a symlink to | |
# /var/run/resolvconf/resolv.conf and a file sometimes referenced in | |
# /etc/resolvconf/run/resolv.conf | |
/var/run/resolvconf/resolv.conf r, | |
/etc/resolvconf/run/resolv.conf r, | |
/etc/samba/lmhosts r, | |
/etc/services r, | |
# all openldap config | |
/etc/openldap/* r, | |
/etc/ldap/** r, | |
# db backend | |
/var/lib/misc/*.db r, | |
# The Name Service Cache Daemon can cache lookups, sometimes leading | |
# to vast speed increases when working with network-based lookups. | |
/var/run/.nscd_socket rw, | |
/var/run/nscd/socket rw, | |
/var/{db,cache,run}/nscd/{passwd,group,services,host} r, | |
# nscd renames and unlinks files in it's operation that clients will | |
# have open | |
/var/run/nscd/db* rmix, | |
# The nss libraries are sometimes used in addition to PAM; make sure | |
# they are available | |
/lib{,32,64}/libnss_*.so* mr, | |
/usr/lib{,32,64}/libnss_*.so* mr, | |
/lib/@{multiarch}/libnss_*.so* mr, | |
/usr/lib/@{multiarch}/libnss_*.so* mr, | |
/etc/default/nss r, | |
# avahi-daemon is used for mdns4 resolution | |
/var/run/avahi-daemon/socket w, | |
# nis | |
##included <abstractions/nis> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2006 Novell/SUSE | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# NIS rules | |
/var/yp/binding/* r, | |
# portmapper may ask root processes to do nis/ldap at low ports | |
capability net_bind_service, | |
# winbind | |
##included <abstractions/winbind> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2009 Novell/SUSE | |
# Copyright (C) 2009 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# pam_winbindd | |
/tmp/.winbindd/pipe rw, | |
/var/{lib,run}/samba/winbindd_privileged/pipe rw, | |
/etc/samba/smb.conf r, | |
/usr/lib/samba/valid.dat r, | |
/usr/lib/samba/upcase.dat r, | |
/usr/lib/samba/lowcase.dat r, | |
# likewise | |
##included <abstractions/likewise> | |
# vim:syntax=apparmor | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2009 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
/tmp/.lwidentity/pipe rw, | |
/var/lib/likewise-open/lwidentity_privileged/pipe rw, | |
# mdnsd | |
##included <abstractions/mdns> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2006 Novell/SUSE | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# mdnsd | |
/etc/nss_mdns.conf r, | |
/var/run/mdnsd w, | |
# kerberos | |
##included <abstractions/kerberosclient> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2009 Novell/SUSE | |
# Copyright (C) 2009-2011 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# files required by kerberos client programs | |
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r, | |
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, | |
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r, | |
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr, | |
/usr/lib{,32,64}/krb5/plugins/preauth/ r, | |
/usr/lib{,32,64}/krb5/plugins/preauth/* mr, | |
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r, | |
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr, | |
# NOTE(review): the host keytab is a long-lived credential; like ldap.secret above
# it is readable only because the abstraction is inlined as a whole.
/etc/krb5.keytab r, | |
/etc/krb5.conf r, | |
# config files found via strings on libs | |
/etc/krb.conf r, | |
/etc/krb.realms r, | |
/etc/srvtab r, | |
# credential caches | |
/tmp/krb5cc* r, | |
# TCP/UDP network access | |
# 'network inet dgram,' here is what covers the family="inet" sock_type="dgram"
# denial at the end of the log on this page (a UDP socket, e.g. for DNS lookups
# when -n is not given -- presumably; verify against the capture command used).
network inet stream, | |
network inet6 stream, | |
network inet dgram, | |
network inet6 dgram, | |
# interface details | |
@{PROC}/*/net/route r, | |
##included <abstractions/user-tmp> | |
# ------------------------------------------------------------------ | |
# | |
# Copyright (C) 2002-2009 Novell/SUSE | |
# Copyright (C) 2009-2010 Canonical Ltd. | |
# | |
# This program is free software; you can redistribute it and/or | |
# modify it under the terms of version 2 of the GNU General Public | |
# License published by the Free Software Foundation. | |
# | |
# ------------------------------------------------------------------ | |
# per-user tmp directories | |
owner @{HOME}/tmp/** rwkl, | |
owner @{HOME}/tmp/ rw, | |
# global tmp directories | |
owner /var/tmp/** rwkl, | |
/var/tmp/ rw, | |
owner /tmp/** rwkl, | |
/tmp/ rw, | |
# --- tcpdump-specific rules start here (everything above is inlined abstractions) ---
# Opening an AF_PACKET capture socket needs CAP_NET_RAW in addition to the
# 'network' rules below; setuid/setgid are for tcpdump dropping privileges
# after the socket is open (-Z), dac_override for reading/writing files as
# that dropped user -- the last three are inferred from tcpdump's usual
# behaviour, not from anything on this page.
capability net_raw, | |
capability setuid, | |
capability setgid, | |
capability dac_override, | |
# These two rules are what permit the sockets the log on this page shows as
# DENIED: family="packet" with sock_type="raw" and sock_type="packet",
# protocol=768 (0x0300, i.e. ETH_P_ALL = 3 in network byte order, the protocol
# libpcap uses for its capture socket). If they are still denied after
# reloading, the loaded profile is not this one.
network raw, | |
network packet, | |
# for -D | |
# NOTE(review): sys_module is a broad grant (it permits loading kernel modules);
# it is here only so '-D' can enumerate interfaces. Worth confirming the
# installed libpcap still needs it before keeping it in an enforcing profile.
capability sys_module, | |
@{PROC}/bus/usb/ r, | |
@{PROC}/bus/usb/** r, | |
# for finding an interface | |
@{PROC}/[0-9]*/net/dev r, | |
/sys/bus/usb/devices/ r, | |
/sys/class/net/ r, | |
/sys/devices/**/net/* r, | |
# for tracing USB bus, which libpcap supports | |
/dev/usbmon* r, | |
/dev/bus/usb/ r, | |
/dev/bus/usb/** r, | |
# for init_etherarray(), with -e | |
/etc/ethers r, | |
# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices()) | |
/dev/bus/usb/**/[0-9]* w, | |
# for -F and -w | |
# 'deny' rules win over every 'allow' rule regardless of order, so the
# 'owner @{HOME}/** rw' grant below cannot be used to read or write dotfiles
# (shell rc files, ssh keys, ...) or ~/bin; 'audit' makes any attempt show up
# in the log even in complain mode.
audit deny @{HOME}/.* mrwkl, | |
audit deny @{HOME}/.*/ rw, | |
audit deny @{HOME}/.*/** mrwkl, | |
audit deny @{HOME}/bin/ rw, | |
audit deny @{HOME}/bin/** mrwkl, | |
owner @{HOME}/ r, | |
owner @{HOME}/** rw, | |
# NOTE(review): broad -- read/write to everything under /usr/local/, including
# /usr/local/bin and /usr/local/lib, with no 'owner' qualifier. A capture file
# written with -w can land anywhere in that tree; if that is not wanted on this
# host, narrow it in local/usr.sbin.tcpdump rather than here.
/usr/local/** rw, | |
/usr/sbin/tcpdump r, | |
# Site-specific additions and overrides. See local/README for details. | |
##included <local/usr.sbin.tcpdump> | |
# Site-specific additions and overrides for usr.sbin.tcpdump. | |
# For more details, please see /etc/apparmor.d/local/README. | |
} |