# vim:syntax=apparmor
#include <tunables/global>
/usr/bin/man {
#include <abstractions/base>
# What this profile is for: not to confine man itself, but to make sure the
# helper programs man runs on untrusted page data (roff source from any
# installed package, or an arbitrary file via "man -l") execute in the
# tightly confined child profiles man_groff and man_filter defined below.
# The "Cx" in "rmCx" requests exactly that transition on exec; "rm" lets
# man read and mmap the helper binary.
# Use a special profile when man calls anything groff-related. We only
# include the programs that actually parse input data in a non-trivial
# way, not wrappers such as groff and nroff, since the latter would need a
# broader profile. The wrappers instead keep running under this profile
# (via the "ix" in the catch-all rule further down); presumably the
# transition then happens when they exec one of the parsers listed here --
# confirm this still holds if a new groff front end is added.
/usr/bin/eqn rmCx -> &man_groff,
/usr/bin/grap rmCx -> &man_groff,
/usr/bin/pic rmCx -> &man_groff,
/usr/bin/preconv rmCx -> &man_groff,
/usr/bin/refer rmCx -> &man_groff,
/usr/bin/tbl rmCx -> &man_groff,
/usr/bin/troff rmCx -> &man_groff,
/usr/bin/vgrind rmCx -> &man_groff,
# Similarly, use a special profile when man calls decompressors and other
# simple filters. Anything man execs that is NOT listed in either group
# inherits this broad profile instead, so a new helper must be added to one
# of these lists to be sandboxed at all.
/{,usr/}bin/bzip2 rmCx -> &man_filter,
/{,usr/}bin/gzip rmCx -> &man_filter,
/usr/bin/col rmCx -> &man_filter,
/usr/bin/compress rmCx -> &man_filter,
/usr/bin/iconv rmCx -> &man_filter,
/usr/bin/lzip.lzip rmCx -> &man_filter,
/usr/bin/tr rmCx -> &man_filter,
/usr/bin/xz rmCx -> &man_filter,
# Allow basically anything in terms of file system access, subject to DAC.
# The purpose of this profile isn't to confine man itself (that might be
# nice in the future, but is tricky since it's quite configurable), but to
# confine the processes it calls that parse untrusted data.
# Permissions: m = mmap, r = read, ix = execute inheriting this profile,
# w = write, l = link, k = lock. The pager and the groff/nroff wrappers run
# under this rule.
/** mrixwlk,
# A bare "unix" rule: unrestricted unix-domain socket access.
unix,
# NOTE(review): presumably needed because man-db's man is commonly installed
# setuid/setgid to a dedicated user and switches ids at start-up; confirm for
# this install and drop both if man runs fully unprivileged here.
capability setuid,
capability setgid,
# Ordinary permission checks sometimes involve checking whether the
# process has this capability, which can produce audit log messages.
# Silence them. These are explicit deny rules, which AppArmor applies in
# preference to any allow rule -- including rules added through the local
# include below -- so DAC remains the effective boundary for man itself.
deny capability dac_override,
deny capability dac_read_search,
# Signals between man, other instances of itself, and its two child
# profiles (e.g. to tear down the groff pipeline). No send/receive
# qualifier is given, so both directions are covered.
# "/usr/bin/man//&man_groff" is how the child profile is named in full.
signal peer=@{profile_name},
signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter,
# Site-specific additions and overrides. See local/README for details.
# Anything placed there is merged into this profile and can widen it;
# review that file together with this one.
#include <local/usr.bin.man>
}
profile man_groff {
#include <abstractions/base>
# Child profile for the groff-family parsers that man runs on untrusted
# roff source. It is deliberately minimal: no rule written here grants any
# exec (x) permission and there is no "network" or "unix" rule, so --
# assuming abstractions/base adds neither -- a compromised parser cannot
# start other programs or open sockets. What it can touch on disk is
# limited to the paths listed below.
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
# (This does hand the parsers access to the user's terminal devices, which
# is wider than the sandbox otherwise needs.)
#include <abstractions/consoles>
# man always runs its groff pipeline with the input file open on stdin,
# so we can skip <abstractions/user-manpages>.
# Read and mmap of the parser binaries themselves, needed after the Cx
# transition from the parent profile so the dynamic loader can map them.
/usr/bin/eqn rm,
/usr/bin/grap rm,
/usr/bin/pic rm,
/usr/bin/preconv rm,
/usr/bin/refer rm,
/usr/bin/tbl rm,
/usr/bin/troff rm,
/usr/bin/vgrind rm,
# Read-only access to groff configuration, macro packages and related data.
/etc/groff/** r,
/etc/papersize r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
# The only writable location: groff scratch files in /tmp. The name is a
# predictable glob in a shared directory; no "l" (link) permission is
# granted and DAC (plus protected_symlinks, where enabled) still applies,
# but keep this as narrow as groff allows.
/tmp/groff* rw,
# Signals to and from the invoking man process and from other processes
# running in this same profile (both directions, as no send/receive
# qualifier is given).
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_groff,
}
profile man_filter {
#include <abstractions/base>
# Child profile for the decompressors and simple stream filters that man
# runs on untrusted input. As with man_groff, no rule written here grants
# exec (x), "network" or "unix" access, so -- assuming abstractions/base adds
# none -- a compromised filter can neither run other programs nor use
# sockets; it can only read files and write cat pages.
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
#include <abstractions/consoles>
# Read and mmap of the filter binaries themselves, needed after the Cx
# transition from the parent profile.
/{,usr/}bin/bzip2 rm,
/{,usr/}bin/gzip rm,
/usr/bin/col rm,
/usr/bin/compress rm,
/usr/bin/iconv rm,
/usr/bin/lzip.lzip rm,
/usr/bin/tr rm,
/usr/bin/xz rm,
# Manual pages can be more or less anywhere, especially with "man -l", and
# there's no harm in allowing wide read access here since the worst it can
# do is feed data to the invoking man process.
# (Reads remain subject to DAC, i.e. limited to what the invoking user could
# read anyway, and the data normally only flows back to man over the pipe.)
/** r,
# Allow writing cat pages.
# This is the profile's only write target. A compromised filter could
# overwrite or plant formatted pages anywhere under /var/cache/man, and,
# combined with the wide read rule above, copy any file the invoking user
# can read into that cache. Both matter if the cache is shared between
# users (presumably the case when man runs setgid to a dedicated user), so
# treat cat pages as untrusted output.
/var/cache/man/** w,
# Signals to and from the invoking man process and from other processes
# running in this same profile (both directions, as no send/receive
# qualifier is given).
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_filter,
}