# vim:syntax=apparmor
# Last Modified: Fri Jul 17 11:46:19 2009
# Author: Jamie Strandboge
#
# NOTE(review): this appears to be a pre-processed profile; each '##included'
# marker below is followed by the text of an inlined tunable or abstraction
# (base, nameservice, dbus, ...) rather than an '#include' line — confirm
# against the unexpanded source before editing the inlined sections here.
##included
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# All the tunables definitions that should be available to every profile
# should be included here

##included
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/

# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
##included
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details.
#@{HOMEDIRS}+=

##included
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
@{multiarch}=*-linux-gnu*

# Also, include files in tunables/multiarch.d for site and packaging
# specific adjustments to @{multiarch}.
##included

##included
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/

##included
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Alias rules can be used to rewrite paths and are done after variable
# resolution. For example, if '/usr' is on removable media:
# alias /usr/ -> /mnt/usr/,
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,

# Profile for the ISC DHCP client daemon. It pulls in the base and
# nameservice abstractions, then grants the raw-socket, capability and
# lease/pid-file access dhclient needs, and hands the configured hook
# scripts off to separate execution domains (see the x-transition rules
# near the end of the profile).
/sbin/dhclient {
  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log w,
  /dev/random r,
  /dev/urandom r,
  /etc/locale/** r,
  /etc/locale.alias r,
  /etc/localtime r,
  /usr/share/locale-langpack/** r,
  /usr/share/locale/** r,
  /usr/share/**/locale/** r,
  /usr/share/zoneinfo/ r,
  /usr/share/zoneinfo/** r,
  /usr/share/X11/locale/** r,
  /usr/lib{,32,64}/locale/** mr,
  /usr/lib{,32,64}/gconv/*.so mr,
  /usr/lib{,32,64}/gconv/gconv-modules* mr,
  /usr/lib/@{multiarch}/gconv/*.so mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

  # used by glibc when binding to ephemeral ports
  /etc/bindresvport.blacklist r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  /etc/ld.so.cache mr,
  /lib{,32,64}/ld{,32,64}-*.so mrix,
  /lib{,32,64}/**/ld{,32,64}-*.so mrix,
  /lib/@{multiarch}/ld{,32,64}-*.so mrix,
  /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,

  # we might as well allow everything to use common libraries
  /lib{,32,64}/** r,
  /lib{,32,64}/lib*.so* mr,
  /lib{,32,64}/**/lib*.so* mr,
  /lib/@{multiarch}/** r,
  /lib/@{multiarch}/lib*.so* mr,
  /lib/@{multiarch}/**/lib*.so* mr,
  /usr/lib{,32,64}/** r,
  /usr/lib{,32,64}/*.so* mr,
  /usr/lib{,32,64}/**/lib*.so* mr,
  /usr/lib/@{multiarch}/** r,
  /usr/lib/@{multiarch}/lib*.so* mr,
  /usr/lib/@{multiarch}/**/lib*.so* mr,
  /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null rw,
  # as is /dev/zero
  /dev/zero rw,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  /sys/devices/system/cpu/online r,

  # glibc's *printf protections read the maps file
  # NOTE(review): the '*' component matches any pid, so this rule reads the
  # memory map layout of every process on the system, not just the confined
  # one; the base abstraction is shared by all profiles, so confirm whether a
  # pid-restricted form (compare the @{PROC}/[0-9]*/net/ rules later in this
  # profile) combined with 'owner' would still satisfy glibc.
  @{PROC}/*/maps r,

  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/* r,

  # some applications will display license information
  /usr/share/common-licenses/** r,

  # glibc statvfs
  @{PROC}/filesystems r,

  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.
  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # Many programs wish to perform nameservice-like operations, such as
  # looking up users by name or id, groups by name or id, hosts by name
  # or IP, etc. These operations may be performed through files, dns,
  # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
  /etc/group r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/gai.conf r,
  /etc/passwd r,
  /etc/protocols r,

  # When using sssd, the passwd and group files are stored in an alternate path
  /var/lib/sss/mc/group r,
  /var/lib/sss/mc/passwd r,

  /etc/resolv.conf r,
  # on systems using resolvconf, /etc/resolv.conf is a symlink to
  # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
  # /etc/resolvconf/run/resolv.conf
  /{,var/}run/resolvconf/resolv.conf r,
  /etc/resolvconf/run/resolv.conf r,
  /etc/samba/lmhosts r,
  /etc/services r,

  # db backend
  /var/lib/misc/*.db r,

  # The Name Service Cache Daemon can cache lookups, sometimes leading
  # to vast speed increases when working with network-based lookups.
  /{,var/}run/.nscd_socket rw,
  /{,var/}run/nscd/socket rw,
  /var/{db,cache,run}/nscd/{passwd,group,services,host} r,
  # nscd renames and unlinks files in its operation that clients will
  # have open
  /{,var/}run/nscd/db* rmix,

  # The nss libraries are sometimes used in addition to PAM; make sure
  # they are available
  /lib{,32,64}/libnss_*.so* mr,
  /usr/lib{,32,64}/libnss_*.so* mr,
  /lib/@{multiarch}/libnss_*.so* mr,
  /usr/lib/@{multiarch}/libnss_*.so* mr,
  /etc/default/nss r,

  # avahi-daemon is used for mdns4 resolution
  /{,var/}run/avahi-daemon/socket w,

  # nis
  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2006 Novell/SUSE
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # NIS rules
  /var/yp/binding/* r,

  # portmapper may ask root processes to do nis/ldap at low ports
  capability net_bind_service,

  # ldap
  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2011 Novell/SUSE
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
  /etc/ldap.conf r,
  # NOTE(review): ldap.secret conventionally holds the LDAP bind password;
  # this rule is inherited by every profile that includes the nameservice
  # abstraction, so DAC permissions on that file remain the effective guard.
  /etc/ldap.secret r,
  /etc/openldap/* r,
  /etc/openldap/cacerts/* r,

  # SASL plugins and config
  /etc/sasl2/* r,
  /usr/lib{,32,64}/sasl2/* r,

  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2005 Novell/SUSE
  # Copyright (C) 2010-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # CA certificate stores (read-only).
  /etc/ssl/ r,
  /etc/ssl/certs/ r,
  /etc/ssl/certs/* r,
  /usr/share/ca-certificates/ r,
  /usr/share/ca-certificates/** r,
  /usr/share/ssl/certs/ca-bundle.crt r,
  /usr/local/share/ca-certificates/ r,
  /usr/local/share/ca-certificates/** r,

  # winbind
  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # pam_winbindd
  /tmp/.winbindd/pipe rw,
  /var/{lib,run}/samba/winbindd_privileged/pipe rw,
  /etc/samba/smb.conf r,
  /usr/lib*/samba/valid.dat r,
  /usr/lib*/samba/upcase.dat r,
  /usr/lib*/samba/lowcase.dat r,

  # likewise
  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2009 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  /tmp/.lwidentity/pipe rw,
  /var/lib/likewise-open/lwidentity_privileged/pipe rw,

  # mdnsd
  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2006 Novell/SUSE
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # mdnsd
  /etc/nss_mdns.conf r,
  /{,var/}run/mdnsd w,

  # kerberos
  ##included
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # files required by kerberos client programs
  /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
  /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
  /usr/lib{,32,64}/krb5/plugins/preauth/ r,
  /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
  /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
  /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
  /etc/krb5.keytab r,
  /etc/krb5.conf r,

  # config files found via strings on libs
  /etc/krb.conf r,
  /etc/krb.realms r,
  /etc/srvtab r,

  # credential caches
  # NOTE(review): no 'owner' qualifier here, so caches belonging to other
  # uids are not excluded by this policy; only DAC on /tmp limits them.
  /tmp/krb5cc* r,

  # TCP/UDP network access
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # interface details
  @{PROC}/*/net/route r,

  # --- dhclient's own rules start here (everything above is inlined from
  # --- the base and nameservice abstractions).

  capability net_bind_service,
  # DHCP runs over raw/packet sockets on a not-yet-configured interface,
  # which is presumably what net_raw and the 'network packet'/'network raw'
  # rules below cover — confirm against the dhclient source.
  capability net_raw,
  # NOTE(review): sys_module allows the confined process to load kernel
  # modules. No rationale is recorded here; it may exist only to satisfy the
  # kernel's on-demand module load when the packet sockets are created —
  # confirm on the target kernel and drop it if it is no longer required.
  capability sys_module,
  # NOTE(review): dac_override bypasses file-permission checks within the
  # paths this profile allows; nothing here says which file needs it — confirm.
  capability dac_override,

  network packet,
  network raw,

  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,

  /sbin/dhclient mr,
  /etc/dhclient.conf r,
  /etc/dhcp/ r,
  /etc/dhcp/** r,
  /var/lib/dhcp{,3}/dhclient* lrw,
  /{,var/}run/dhclient*.pid lrw,
  /{,var/}run/dhclient*.lease* lrw,

  # NetworkManager
  /{,var/}run/nm*conf r,
  /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
  /var/lib/NetworkManager/dhclient-*.conf lrw,
  /var/lib/NetworkManager/dhclient*.lease* lrw,

  # connman
  /{,var/}run/connman/dhclient*.pid lrw,
  /{,var/}run/connman/dhclient*.leases lrw,

  # synce-hal
  /usr/share/synce-hal/dhclient.conf r,

  # if there is a custom script, let it run unconfined
  # ('Ux' = execute unconfined; the uppercase form scrubs the environment
  # across the transition, so the child starts without dhclient's confinement
  # but also without any attacker-influenced environment variables).
  /etc/dhcp/dhclient-script Uxr,

  # The dhclient-script shell script sources other shell scripts rather than
  # executing them, so we can't just use a separate profile for dhclient-script
  # with 'Uxr' on the hook scripts. However, for the long-running dhclient3
  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
  # able to subvert dhclient-script or write to the hooks.d directories. As
  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  # only being able to run the hooks scripts.
  /sbin/dhclient-script Uxr,

  # Run the ELF executables under their own unrestricted profiles
  # (the child profiles are defined further down in this file).
  /usr/lib/NetworkManager/nm-dhcp-client.action Pxr,
  /usr/lib/connman/scripts/dhclient-script Pxr,

  # Site-specific additions and overrides. See local/README for details.
  ##included
  # Site-specific additions and overrides for sbin.dhclient.
  # For more details, please see /etc/apparmor.d/local/README.
}

# Child profile entered from /sbin/dhclient via the 'Pxr' rule above:
# base abstraction, the D-Bus system socket, and its own binary.
/usr/lib/NetworkManager/nm-dhcp-client.action {
  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log w,
  /dev/random r,
  /dev/urandom r,
  /etc/locale/** r,
  /etc/locale.alias r,
  /etc/localtime r,
  /usr/share/locale-langpack/** r,
  /usr/share/locale/** r,
  /usr/share/**/locale/** r,
  /usr/share/zoneinfo/ r,
  /usr/share/zoneinfo/** r,
  /usr/share/X11/locale/** r,
  /usr/lib{,32,64}/locale/** mr,
  /usr/lib{,32,64}/gconv/*.so mr,
  /usr/lib{,32,64}/gconv/gconv-modules* mr,
  /usr/lib/@{multiarch}/gconv/*.so mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

  # used by glibc when binding to ephemeral ports
  /etc/bindresvport.blacklist r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  /etc/ld.so.cache mr,
  /lib{,32,64}/ld{,32,64}-*.so mrix,
  /lib{,32,64}/**/ld{,32,64}-*.so mrix,
  /lib/@{multiarch}/ld{,32,64}-*.so mrix,
  /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,

  # we might as well allow everything to use common libraries
  /lib{,32,64}/** r,
  /lib{,32,64}/lib*.so* mr,
  /lib{,32,64}/**/lib*.so* mr,
  /lib/@{multiarch}/** r,
  /lib/@{multiarch}/lib*.so* mr,
  /lib/@{multiarch}/**/lib*.so* mr,
  /usr/lib{,32,64}/** r,
  /usr/lib{,32,64}/*.so* mr,
  /usr/lib{,32,64}/**/lib*.so* mr,
  /usr/lib/@{multiarch}/** r,
  /usr/lib/@{multiarch}/lib*.so* mr,
  /usr/lib/@{multiarch}/**/lib*.so* mr,
  /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null rw,
  # as is /dev/zero
  /dev/zero rw,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  /sys/devices/system/cpu/online r,

  # glibc's *printf protections read the maps file
  @{PROC}/*/maps r,

  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/* r,

  # some applications will display license information
  /usr/share/common-licenses/** r,

  # glibc statvfs
  @{PROC}/filesystems r,

  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.
  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2009-2010 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # System socket. Be careful when including this abstraction.
  /{,var/}run/dbus/system_bus_socket w,

  /usr/lib/NetworkManager/nm-dhcp-client.action mr,
}

# Child profile entered from /sbin/dhclient via the 'Pxr' rule above:
# base abstraction, the D-Bus system socket, and its own binary.
/usr/lib/connman/scripts/dhclient-script {
  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2002-2009 Novell/SUSE
  # Copyright (C) 2009-2011 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log w,
  /dev/random r,
  /dev/urandom r,
  /etc/locale/** r,
  /etc/locale.alias r,
  /etc/localtime r,
  /usr/share/locale-langpack/** r,
  /usr/share/locale/** r,
  /usr/share/**/locale/** r,
  /usr/share/zoneinfo/ r,
  /usr/share/zoneinfo/** r,
  /usr/share/X11/locale/** r,
  /usr/lib{,32,64}/locale/** mr,
  /usr/lib{,32,64}/gconv/*.so mr,
  /usr/lib{,32,64}/gconv/gconv-modules* mr,
  /usr/lib/@{multiarch}/gconv/*.so mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

  # used by glibc when binding to ephemeral ports
  /etc/bindresvport.blacklist r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  /etc/ld.so.cache mr,
  /lib{,32,64}/ld{,32,64}-*.so mrix,
  /lib{,32,64}/**/ld{,32,64}-*.so mrix,
  /lib/@{multiarch}/ld{,32,64}-*.so mrix,
  /lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,

  # we might as well allow everything to use common libraries
  /lib{,32,64}/** r,
  /lib{,32,64}/lib*.so* mr,
  /lib{,32,64}/**/lib*.so* mr,
  /lib/@{multiarch}/** r,
  /lib/@{multiarch}/lib*.so* mr,
  /lib/@{multiarch}/**/lib*.so* mr,
  /usr/lib{,32,64}/** r,
  /usr/lib{,32,64}/*.so* mr,
  /usr/lib{,32,64}/**/lib*.so* mr,
  /usr/lib/@{multiarch}/** r,
  /usr/lib/@{multiarch}/lib*.so* mr,
  /usr/lib/@{multiarch}/**/lib*.so* mr,
  /lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null rw,
  # as is /dev/zero
  /dev/zero rw,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  /sys/devices/system/cpu/online r,

  # glibc's *printf protections read the maps file
  @{PROC}/*/maps r,

  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/* r,

  # some applications will display license information
  /usr/share/common-licenses/** r,

  # glibc statvfs
  @{PROC}/filesystems r,

  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.
  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  ##included
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  # Copyright (C) 2009-2010 Canonical Ltd.
  #
  # This program is free software; you can redistribute it and/or
  # modify it under the terms of version 2 of the GNU General Public
  # License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  # System socket. Be careful when including this abstraction.
  /{,var/}run/dbus/system_bus_socket w,

  /usr/lib/connman/scripts/dhclient-script mr,
}