##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010-2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# All the tunables definitions that should be available to every profile
# should be included here
#
# NOTE(review): each "##included" marker in this listing looks like the
# point at which the parser's preprocessor expanded an #include; the
# included file names are not preserved here, so which tunables file a
# given section came from can only be inferred from the copyright header
# and comments that follow each marker.

##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory.
# Security note: because it expands to @{HOMEDIRS}/*/ and /root/, a rule
# such as "@{HOME}/** r," grants read access to EVERY user's home
# directory and to root's, not only to the home of the user running the
# confined program. Use the "owner" qualifier in profiles where that
# distinction matters.
@{HOME}=@{HOMEDIRS}/*/ /root/

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/

# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
##included
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details.
# Any directory added here widens what @{HOME} (above) matches in every
# profile that uses it.
#@{HOMEDIRS}+=
##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
# The leading and trailing '*' make this a glob: it matches
# x86_64-linux-gnu and every other tuple containing "-linux-gnu".
@{multiarch}=*-linux-gnu*

# Also, include files in tunables/multiarch.d for site and packaging
# specific adjustments to @{multiarch}.
##included
##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2006 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/
##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Alias rules can be used to rewrite paths and are done after variable
# resolution. For example, if '/usr' is on removable media:
# alias /usr/ -> /mnt/usr/,
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
#
# No alias rule is active in this listing; the two above are examples
# inside comments only.
##included
# Copyright (C) 2012 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# This file should contain declarations to kernel vars or variables
# that will become kernel vars at some point

# until kernel vars are implemented
# and until the parser supports nested groupings like
# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
# use
# The alternation below matches any 1- to 6-digit decimal number whose
# first digit is not 0. NOTE(review): a pid of 7 or more digits (possible
# if pid_max is raised above 999999) will not match @{pid}, so rules
# written in terms of @{pid} would silently stop matching such processes.
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

# same pattern as @{pid} for now
@{tid}=@{pid}

# A pattern for pids that can appear
@{pids}=@{pid}
##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# Define the common set of XDG user directories (usually defined in
# /etc/xdg/user-dirs.defaults)
# These are bare directory names, not absolute paths; presumably they
# are meant to be appended to a home directory (e.g. @{HOME}/@{XDG_MUSIC_DIR}/)
# by the profiles that use them.
@{XDG_DESKTOP_DIR}="Desktop"
@{XDG_DOWNLOAD_DIR}="Downloads"
@{XDG_TEMPLATES_DIR}="Templates"
@{XDG_PUBLICSHARE_DIR}="Public"
@{XDG_DOCUMENTS_DIR}="Documents"
@{XDG_MUSIC_DIR}="Music"
@{XDG_PICTURES_DIR}="Pictures"
@{XDG_VIDEOS_DIR}="Videos"

# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
# to the various XDG directories
##included
# ------------------------------------------------------------------
#
#    Copyright (C) 2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# The following may be used to add additional entries such as for
# translations. See tunables/xdg-user-dirs for details.
# Eg:
#@{XDG_MUSIC_DIR}+="Musique"

#@{XDG_DESKTOP_DIR}+=""
#@{XDG_DOWNLOAD_DIR}+=""
#@{XDG_TEMPLATES_DIR}+=""
#@{XDG_PUBLICSHARE_DIR}+=""
#@{XDG_DOCUMENTS_DIR}+=""
#@{XDG_MUSIC_DIR}+=""
#@{XDG_PICTURES_DIR}+=""
#@{XDG_VIDEOS_DIR}+=""

# Profile for the lxc-start binary itself, i.e. the host-side process
# that assembles a container. It is deliberately broad: the bare
# network, capability, file, dbus, signal and ptrace rules below impose
# no restriction at all on those classes, so what this profile really
# constrains is the mount / umount / pivot_root / change_profile set.
# The container payload is expected to be confined by the lxc-* profile
# reached via change_profile at the end, not by this profile.
#
# flags=(attach_disconnected): presumably needed so that paths which
# become disconnected from the namespace root around pivot_root (below)
# are still matched against these rules instead of being denied.
/usr/bin/lxc-start flags=(attach_disconnected) {
  ##included

  # Unrestricted: all network families/types, ALL capabilities, and all
  # file access.
  network,
  capability,
  file,

  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  # They are likewise unrestricted (any dbus, signal and ptrace access).
  dbus,
  signal,
  ptrace,

  # currently blocked by apparmor bug
  mount -> /usr/lib/*/lxc/{**,},
  mount -> /usr/lib/lxc/{**,},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=(rw, slave) -> /,
  # NOTE(review): no destination is given, so debugfs may be mounted at
  # any path.
  mount fstype=debugfs,

  # allow pre-mount hooks to stage mounts under /var/lib/lxc/
  mount -> /var/lib/lxc/{**,},

  # required for some pre-mount hooks (like the new lxc-start-ephemeral)
  # NOTE(review): these three are limited by filesystem type only; neither
  # source nor destination is constrained.
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,

  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root. So allow all umounts
  # right now. They'll be restricted for the container at least.
  # NOTE(review): as written this permits unmounting ANY host mount; the
  # commented-out rule is the intended scope once the pivot_root
  # limitation is resolved.
  umount,
  #umount /mnt/{**,},

  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib/lxc/,
  pivot_root /usr/lib/*/lxc/,
  pivot_root /usr/lib/lxc/**,
  pivot_root /usr/lib/*/lxc/**,

  # Transition into a per-container profile named lxc-* ...
  change_profile -> lxc-*,
  # ... or leave AppArmor confinement entirely. NOTE(review): this second
  # rule means lxc-start is allowed to drop to unconfined; whether a given
  # container actually ends up unconfined is decided by the container's
  # configuration, not by anything in this profile.
  change_profile -> unconfined,
}