- Current Dir:
/
/
etc
/
apparmor.d
Server IP: 139.59.38.164
Name
Size
Modified
Perms
📁
..
-
05/20/2025 05:23:23 PM
rwxr-xr-x
📁
abstractions
-
05/09/2024 07:14:29 AM
rwxr-xr-x
📁
cache
-
05/19/2025 07:54:53 AM
rwxr-xr-x
📁
disable
-
10/21/2019 03:48:36 PM
rwxr-xr-x
📁
force-complain
-
04/24/2018 02:47:41 PM
rwxr-xr-x
📁
local
-
10/28/2024 08:41:33 AM
rwxr-xr-x
📁
lxc
-
05/09/2024 07:15:54 AM
rwxr-xr-x
📄
lxc-containers
198 bytes
11/23/2018 04:49:34 AM
rw-r--r--
📄
sbin.dhclient
3.12 KB
03/26/2018 09:00:31 PM
rw-r--r--
📁
tunables
-
05/09/2024 07:14:29 AM
rwxr-xr-x
📄
ubuntu_pro_apt_news
1.98 KB
09/06/2024 11:58:19 PM
rw-r--r--
📄
ubuntu_pro_esm_cache
7.33 KB
09/06/2024 11:58:19 PM
rw-r--r--
📄
usr.bin.lxc-start
125 bytes
11/23/2018 04:49:34 AM
rw-r--r--
📄
usr.bin.man
2.79 KB
04/07/2018 11:14:41 AM
rw-r--r--
📄
usr.lib.snapd.snap-confine.real
27.82 KB
05/29/2023 12:10:12 PM
rw-r--r--
📄
usr.sbin.mysqld
1.75 KB
01/21/2020 02:10:07 PM
rw-r--r--
📄
usr.sbin.rsyslogd
1.51 KB
04/24/2018 01:15:46 PM
rw-r--r--
📄
usr.sbin.slapd
1.2 KB
05/12/2022 01:52:38 PM
rw-r--r--
📄
usr.sbin.tcpdump
1.42 KB
02/10/2023 06:11:16 PM
rw-r--r--
Editing: usr.bin.man
# vim:syntax=apparmor

# AppArmor policy for /usr/bin/man and the helper programs it runs.
# Three profiles are defined here:
#   /usr/bin/man  - attached to the man binary itself; broad by design.
#   man_groff     - entered when man executes a groff-family parser.
#   man_filter    - entered when man executes a decompressor or text filter.
# NOTE(review): lines that begin with "#include" are parser directives, not
# comments; deleting or rewording them changes the loaded policy.

#include <tunables/global>

/usr/bin/man {
  #include <abstractions/base>

  # Use a special profile when man calls anything groff-related.  We only
  # include the programs that actually parse input data in a non-trivial
  # way, not wrappers such as groff and nroff, since the latter would need a
  # broader profile.
  # Mode "rmCx": read, executable mmap, and execute with a transition to the
  # profile named after "->" (uppercase C requests a scrubbed environment).
  /usr/bin/eqn rmCx -> &man_groff,
  /usr/bin/grap rmCx -> &man_groff,
  /usr/bin/pic rmCx -> &man_groff,
  /usr/bin/preconv rmCx -> &man_groff,
  /usr/bin/refer rmCx -> &man_groff,
  /usr/bin/tbl rmCx -> &man_groff,
  /usr/bin/troff rmCx -> &man_groff,
  /usr/bin/vgrind rmCx -> &man_groff,

  # Similarly, use a special profile when man calls decompressors and other
  # simple filters.
  /bin/bzip2 rmCx -> &man_filter,
  /bin/gzip rmCx -> &man_filter,
  /usr/bin/col rmCx -> &man_filter,
  /usr/bin/compress rmCx -> &man_filter,
  /usr/bin/iconv rmCx -> &man_filter,
  /usr/bin/lzip.lzip rmCx -> &man_filter,
  /usr/bin/tr rmCx -> &man_filter,
  /usr/bin/xz rmCx -> &man_filter,

  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  # Mode "mrixwlk": executable mmap, read, inherit-execute, write, link, lock.
  # NOTE(review): because of "ix", any program man executes that is not
  # matched by one of the Cx rules above keeps running under this same broad
  # profile (the groff/nroff wrappers mentioned above fall in this group).
  # Do not count this profile as a sandbox for man or for those programs;
  # file permissions (DAC) are the only file-access limit it leaves in place.
  /** mrixwlk,

  # NOTE(review): the profile does not say why these capabilities are
  # needed - presumably for man's own uid/gid switching; confirm before
  # changing them.
  capability setuid,
  capability setgid,

  # Signal rules with no permission list: all signal permissions are allowed
  # with peers confined by the two helper profiles.
  signal peer=man_groff,
  signal peer=man_filter,

  # Site-specific additions and overrides.  See local/README for details.
  # NOTE(review): the local file is pulled into this profile, so it has to be
  # reviewed together with it when auditing the effective policy.
  #include <local/usr.bin.man>
}

profile man_groff {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  # man always runs its groff pipeline with the input file open on stdin,
  # so we can skip <abstractions/user-manpages>.

  # Mode "rm" only: the listed parsers may be read and mapped, but this
  # profile contains no execute rule of its own.
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
  /usr/bin/preconv rm,
  /usr/bin/refer rm,
  /usr/bin/tbl rm,
  /usr/bin/troff rm,
  /usr/bin/vgrind rm,

  # Read-only access to groff configuration and macro directories.  No write
  # rule appears in this profile; whatever else is allowed comes from the two
  # abstractions pulled in above (contents not shown here - verify).
  /etc/groff/** r,
  /usr/lib/groff/site-tmac/** r,
  /usr/share/groff/** r,

  # Signals are allowed only with a peer confined by the /usr/bin/man profile.
  signal peer=/usr/bin/man,
}

profile man_filter {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>

  # Mode "rm" only, as in man_groff: no execute rule is granted here.
  /bin/bzip2 rm,
  /bin/gzip rm,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
  /usr/bin/lzip.lzip rm,
  /usr/bin/tr rm,
  /usr/bin/xz rm,

  # Manual pages can be more or less anywhere, especially with "man -l", and
  # there's no harm in allowing wide read access here since the worst it can
  # do is feed data to the invoking man process.
  # NOTE(review): that reasoning holds only while this profile grants no
  # write, execute or network access.  None is granted by the rules visible
  # here; the included abstractions should be checked to confirm.
  /** r,

  # Signals are allowed only with a peer confined by the /usr/bin/man profile.
  signal peer=/usr/bin/man,
}