Editing: ubuntu_pro_esm_cache
include <tunables/global>

# AppArmor policy for the Ubuntu Pro esm-cache service: one top-level profile
# (ubuntu_pro_esm_cache) with six child profiles reached through Cx
# transitions, plus two standalone helper profiles at the end of the file
# reached through Px transitions.
#
# Exec-mode legend for the rules below (see apparmor.d(5)):
#   ix  - run the target under the current profile
#   Cx  - switch to the named child profile, scrubbing the environment
#   Px  - switch to the named standalone profile, scrubbing the environment
#   PUx - like Px, but the target runs unconfined when no profile for it is loaded
#   m   - allow executable memory mappings of the file
#   k   - allow file locks

# attach_disconnected is needed in all profiles defined here because this
# service runs with systemd's PrivateTmp=true
profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/user-tmp>

  # NOTE(review): dac_override and dac_read_search lift the Unix permission-bit
  # checks for this service. The file rules of this profile still apply on top
  # while it is in enforce mode, so the path rules below are what bound file
  # access.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability setgid,
  capability setuid,

  # SIGINT may be sent to the two apt method child profiles only; the matching
  # "signal receive" rules are in those child profiles.
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,

  /etc/apt/** r,
  /etc/machine-id r,
  /etc/ubuntu-advantage/uaclient.conf r,
  # GH: #3109
  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/,lib/}os-release r,

  /run/ubuntu-advantage/ rw,
  /run/ubuntu-advantage/** rw,
  /run/systemd/container/ r,
  /run/systemd/container/** r,

  # Helpers that run inside this profile (ix).
  /{,usr/}bin/apt mrix,
  /{,usr/}bin/apt-cache mrix,
  /{,usr/}bin/ischroot mrix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  # LP: #2067319
  /{,usr/}bin/uname mrix,

  # Helpers that move to their own child (Cx) or standalone (Px) profile.
  /{,usr/}bin/cloud-id Cx -> cloud_id,
  # LP: #2067319
  /{,usr/}bin/ps Cx -> ps,
  /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
  /{,usr/}bin/dpkg Cx -> dpkg,
  /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
  /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
  /{,usr/}lib/apt/methods/http Cx -> apt_methods,
  /{,usr/}lib/apt/methods/https Cx -> apt_methods,
  /{,usr/}lib/apt/methods/store Cx -> apt_methods,

  # when there is no status.json cached, esm-cache.service will invoke "snap status"
  # NOTE(review): PUx means snap runs unconfined unless a profile for the snap
  # binary is loaded on the host, so whatever snap does falls outside this
  # policy in that case; aa-status shows which profiles are loaded.
  /{,usr/}bin/snap PUx,

  /usr/share/dpkg/** r,
  /usr/share/keyrings/* r,
  /var/cache/apt/** rw,
  /var/lib/apt/** r,
  /var/lib/dpkg/** r,
  /var/lib/ubuntu-advantage/** rwk,
  /var/log/ubuntu-advantage.log rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/1/cgroup r,
  @{PROC}/version_signature r,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,

  # see https://bugs.python.org/issue40501
  # The rules in this group allow ldconfig and the compiler/binutils tools to
  # be executed inside this profile (rix).
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  @{PROC}/@{pid}/mounts r,
  /usr/bin/@{multiarch}-gcc-* rix,
  /usr/bin/@{multiarch}-ld.bfd rix,
  /usr/lib/gcc/@{multiarch}/*/collect2 rix,
  /usr/bin/@{multiarch}-objdump rix,

  # Child profile for ps.
  profile ps flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>

    capability sys_ptrace,
    # GH: #3079
    capability dac_read_search,
    capability dac_override,

    # GH: #3119
    # NOTE(review): this ptrace rule names no peer, so it is not limited to a
    # particular profile. Together with sys_ptrace and the @{PROC}/@{pid}/**
    # read rule below, ps can read the /proc entries of every process on the
    # host - presumably what a full process listing needs; verify.
    ptrace (read,trace),

    # LP: #2067319
    /{,usr/}bin/ps mrix,
    /dev/tty r,

    @{PROC}/ r,
    @{PROC}/@{pid}/** r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/** r,
    # GH: #3079
    @{PROC}/tty/drivers r,

    /sys/devices/system/node/ r,
    /sys/devices/system/node/** r,
  }

  # Child profile for cloud-id, which is run through the python3 rule below
  # (cloud-id itself is granted read access only).
  profile cloud_id flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/python>

    ptrace read peer=unconfined,

    /etc/cloud/** r,
    /etc/apt/** r,
    /etc/apport/** r,
    /etc/ssl/openssl.cnf r,

    @{PROC}/@{pid}/fd/ r,
    @{PROC}/cmdline r,
    # NOTE(review): PID 1's environment and command line are readable here;
    # inside a container the environment may carry values injected by the
    # runtime. Presumably read for platform detection - TODO confirm.
    @{PROC}/1/environ r,
    @{PROC}/1/cmdline r,
    @{PROC}/@{pid}/status r,

    /run/cloud-init/** r,

    /{,usr/}bin/ r,
    /{,usr/}bin/cloud-id r,
    /{,usr/}bin/python3.{1,}[0-9] mrix,
    # LP: #2067319
    /{,usr/}bin/uname mrix,

    /usr/share/dpkg/** r,

    # workarounds for
    # https://gitlab.com/apparmor/apparmor/-/issues/346
    # LP: #2067319
    /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
    /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,

    /var/lib/cloud/** r,

    # see https://bugs.python.org/issue40501
    /sbin/ldconfig rix,
    /sbin/ldconfig.real rix,
    @{PROC}/@{pid}/mounts r,
    /usr/bin/@{multiarch}-gcc-* rix,
    /usr/bin/@{multiarch}-ld.bfd rix,
    /usr/lib/gcc/@{multiarch}/*/collect2 rix,
    /usr/bin/@{multiarch}-objdump rix,

    /etc/lsb-release r,
    # (this rule repeats the @{PROC}/cmdline rule earlier in this profile)
    @{PROC}/cmdline r,
    /bin/dash mrix,
    /bin/uname mrix,
  }

  # Child profile for dpkg: read-only access to dpkg configuration and state.
  profile dpkg flags=(attach_disconnected) {
    include <abstractions/base>

    capability setgid,

    /etc/dpkg/** r,
    /{,usr/}bin/dpkg mr,
    # LP: #2067810
    /var/lib/dpkg/** r,
  }

  # Child profile for ubuntu-distro-info: the binary and its data files only.
  profile ubuntu_distro_info flags=(attach_disconnected) {
    include <abstractions/base>

    /{,usr/}bin/ubuntu-distro-info mr,
    /usr/share/distro-info/** r,
  }

  # Child profile for the http, https and store apt methods.
  profile apt_methods flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    # Explicit TCP access over IPv4 and IPv6. The abstractions pulled in above
    # may grant further network access; check them on the host when auditing.
    network inet stream,
    network inet6 stream,

    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,
    /{,usr/}lib/apt/methods/gpgv mr,
    /{,usr/}lib/apt/methods/http mr,
    /{,usr/}lib/apt/methods/https mr,
    /{,usr/}lib/apt/methods/store mr,
    /usr/share/dpkg/** r,
    # LP: #2067810
    /var/lib/dpkg/** r,
    /var/lib/ubuntu-advantage/apt-esm/** rwk,

    @{PROC}/@{pid}/cgroup r,
    @{PROC}/@{pid}/fd/ r,
  }

  # Child profile for the gpgv apt method. It carries no explicit network rule
  # of its own.
  profile apt_methods_gpgv flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,
    # there are just too many shell script tools that are called, like head,
    # tail, cut, sed, etc
    # NOTE(review): this wildcard allows every file directly in /bin and
    # /usr/bin to be executed. ix keeps those programs inside this child
    # profile, so they get only the rules listed here, but the set is much
    # wider than the tools named above; keep that in mind when adding rules
    # to this profile.
    /{,usr/}bin/* mrix,
    /{,usr/}lib/apt/methods/gpgv mr,
    /usr/share/dpkg/** r,
    /usr/share/keyrings/* r,
    /var/lib/ubuntu-advantage/apt-esm/** r,

    @{PROC}/@{pid}/fd/ r,

    # apt-config command needs these
    # Note: observed only in xenial tests, but makes sense for all releases
    /etc/apt/** r,
    /var/lib/apt/** r,
    # LP: #2067810
    /var/lib/dpkg/** r,
  }

  # Site-specific additions and overrides. See local/README for details.
  # The next line is the legacy spelling of the parser directive, not a
  # comment: the parser reads the named file. Because it sits in the top-level
  # profile, rules placed in that file extend ubuntu_pro_esm_cache itself and
  # not the child profiles above.
  #include <local/ubuntu_pro_esm_cache>
}

# these profiles were initially subprofiles of cloud-id, but:
# a) that crashes the kernel
#    https://gitlab.com/apparmor/apparmor/-/issues/346
# b) <= bionic doesn't like the // or - chars in profile names
#    https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac

# Standalone profile for systemctl, entered by the Px rule in cloud_id.
profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
  include <abstractions/base>

  # NOTE(review): the reason for net_admin is not stated in this file - TODO
  # confirm before removing or copying it.
  capability net_admin,
  capability sys_ptrace,

  ptrace read peer=unconfined,

  # LP: #2067319
  /{,usr/}bin/systemctl mr,
  # Read/write access to systemd's private socket; everything else under
  # /run/systemd is read-only.
  /run/systemd/private rw,
  /run/systemd/** r,

  @{PROC}/cmdline r,
  # GH: #3119
  @{PROC}/1/* r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,

  # GH: 3119
  /sys/firmware/efi/efivars/** r,
}

# Standalone profile for systemd-detect-virt, entered by the Px rules in
# ubuntu_pro_esm_cache and cloud_id. All file rules here are read-only.
profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
  include <abstractions/base>

  capability sys_ptrace,

  ptrace read peer=unconfined,

  /{,usr/}bin/systemd-detect-virt mr,
  /run/systemd/** r,
  /sys/devices/virtual/** r,

  # GH: #3119
  /sys/firmware/efi/efivars/** r,

  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/1/environ r,
  @{PROC}/1/sched r,
  @{PROC}/cmdline r,
  @{PROC}/1/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
}