# ------------------------------------------------------------------
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so that
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they should be
# available everywhere
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
/lib/@{multiarch}/** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr,
/usr/lib/@{multiarch}/** r,
/usr/lib/@{multiarch}/lib*.so* mr,
/usr/lib/@{multiarch}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine reads this to determine free memory, etc.
# glibc's *printf protections read the maps file
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,
@{PROC}/filesystems r,
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,