| Apache/2.4.7 (Ubuntu) Linux sman1baleendah 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 uid=33(www-data) gid=33(www-data) groups=33(www-data) safemode : OFF MySQL: ON | Perl: ON | cURL: OFF | WGet: ON > / etc / apparmor.d / abstractions / | server ip : 104.21.89.46 your ip : 172.69.130.125 H O M E |
| Filename | /etc/apparmor.d/abstractions/ubuntu-helpers |
| Size | 2.95 kb |
| Permission | rw-r--r-- |
| Owner | root : root |
| Create time | 27-Apr-2025 09:56 |
| Last modified | 04-Apr-2014 14:27 |
| Last accessed | 05-Jul-2025 18:44 |
| Actions | edit | rename | delete | download (gzip) |
| View | text | code | image |
# Lenient profile that is intended to be used when 'Ux' is desired but
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned be the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be #included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
# owner matching in the sanitized helper. We could do a better job with
# this to support root, but it would make the policy harder to understand
# and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
# environment must open symlinks directly in order for AppArmor to mediate
# it. This is confirmed to work with:
# - compiled code which can load shared libraries
# - python imports
# It is known not to work with:
# - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.
profile sanitized_helper {
#include <abstractions/base>
# Allow all networking
network inet,
network inet6,
# Allow all DBus communications
dbus,
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
/bin/* Pixr,
/sbin/* Pixr,
/usr/bin/* Pixr,
/usr/local/bin/* Pixr,
/usr/sbin/* Pixr,
# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/{,local/}lib*/{,**/}* Pixr,
# Allow exec of software-center scripts. We may need to allow wider
# permissions for /usr/share, but for now just do this. (LP: #972367)
/usr/share/software-center/* Pixr,
# While the chromium and chrome sandboxes are setuid root, they only link
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
/usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
/opt/google/chrome/chrome-sandbox PUxr,
/opt/google/chrome/google-chrome Pixr,
/opt/google/chrome/chrome Pixr,
/opt/google/chrome/lib*.so{,.*} m,
# Full access
/ r,
/** rwkl,
/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
audit deny owner /**/*.py* r, # python imports
}
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned be the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be #included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
# owner matching in the sanitized helper. We could do a better job with
# this to support root, but it would make the policy harder to understand
# and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
# environment must open symlinks directly in order for AppArmor to mediate
# it. This is confirmed to work with:
# - compiled code which can load shared libraries
# - python imports
# It is known not to work with:
# - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.
profile sanitized_helper {
#include <abstractions/base>
# Allow all networking
network inet,
network inet6,
# Allow all DBus communications
dbus,
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
/bin/* Pixr,
/sbin/* Pixr,
/usr/bin/* Pixr,
/usr/local/bin/* Pixr,
/usr/sbin/* Pixr,
# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
/usr/{,local/}lib*/{,**/}* Pixr,
# Allow exec of software-center scripts. We may need to allow wider
# permissions for /usr/share, but for now just do this. (LP: #972367)
/usr/share/software-center/* Pixr,
# While the chromium and chrome sandboxes are setuid root, they only link
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
/usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
/opt/google/chrome/chrome-sandbox PUxr,
/opt/google/chrome/google-chrome Pixr,
/opt/google/chrome/chrome Pixr,
/opt/google/chrome/lib*.so{,.*} m,
# Full access
/ r,
/** rwkl,
/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
audit deny owner /**/*.py* r, # python imports
}