# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
include <abstractions/crypto>
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# Permission letters used in this part: r = read, w = write,
# m = allow the file to be memory-mapped as executable.
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
# Kernel random sources, read-only.
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivileged, dedicated user).
@{run}/uuidd/request r,
# Locale, locale-alias and timezone data; every rule in this group is
# read-only.
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_rw}/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo{,-icu}/ r,
/usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
# Journal socket under @{run}; write-only, like /dev/log above.
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
# Locale data and gconv modules under the library directories. These
# rules grant 'm' in addition to 'r', so the matched files may be
# mapped as executable, not only read.
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
# NOTE(review): every loader-related rule below is 'r' or 'mr'. This
# abstraction grants no write access to the loader cache, its
# configuration, or ld.so.preload.
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
# NOTE(review): these globs are deliberately broad. Any profile that
# includes this abstraction may read every file under the library
# directories and map any file matching **.so* as executable. A profile
# that needs a narrower library set has to add its own explicit deny
# rules, because including this file already grants the access.
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
# (Read-only: the .hmac files can be checked but not rewritten through
# this abstraction.)
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Everything from here to the end of this group is read-only kernel
# and system information under @{PROC} and @{sys}.
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file
# (the rule below also covers the auxv and status entries)
# NOTE(review): @{pid} is defined in the tunables, not in this file.
# It presumably matches any PID rather than only the caller's own; if
# so, access to other processes' entries is bounded by the kernel's own
# /proc checks and by ptrace mediation, not by this path rule. Confirm
# against the tunables in use.
@{PROC}/@{pid}/{maps,auxv,status} r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
# NOTE(review): this rule has no peer= qualifier, so it applies to every
# peer. It only covers the "being read" side; the reading process still
# needs ptrace 'read' permission from its own confinement.
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
# NOTE(review): also unqualified by peer. Profiles for processes that
# hold secrets in memory are the ones most likely to want the deny
# override shown above.
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
# (no peer= qualifier: the existence check is allowed in both directions
# with any peer)
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
# (the peer must carry the same profile label as we do)
unix peer=(label=@{profile_name}),
# Allow unconfined processes to send to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setopt and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# NOTE(review): 'mrixwlk' is the widest file grant in this abstraction:
# m = map as executable, r = read, ix = execute while staying in the
# current profile, w = write, l = link, k = lock. The only restriction
# in the rule itself is the 'owner' prefix. A profile that must not
# execute or write user-owned files needs explicit deny rules for these
# paths, since including this abstraction already allows it.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
# NOTE(review): anything placed in abstractions/base.d is pulled into
# every profile that includes this abstraction, so changes there deserve
# the same review and file-integrity monitoring as this file. 'if exists'
# means a missing base.d is silently skipped rather than treated as an
# error.
include if exists <abstractions/base.d>