# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2009-2011 Canonical Ltd.
#    Copyright (C) 2014 Hewlett-Packard Development Company, L.P.
#    Copyright (C) 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# ------------------------------------------------------------------



  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log                       w,
  /dev/random                    r,
  /dev/urandom                   r,
  /etc/locale/**                 r,
  /etc/locale.alias              r,
  /etc/localtime                 r,
  /usr/share/locale-langpack/**  r,
  /usr/share/locale/**           r,
  /usr/share/**/locale/**        r,
  /usr/share/zoneinfo/           r,
  /usr/share/zoneinfo/**         r,
  # Uncomment to allow use of X11
  #/usr/share/X11/locale/**       r,

  /usr/lib{,32,64}/locale/**             mr,
  /usr/lib{,32,64}/gconv/*.so            mr,
  /usr/lib{,32,64}/gconv/gconv-modules*  mr,
  /usr/lib/@{multiarch}/gconv/*.so           mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

  # used by glibc when binding to ephemeral ports
  /etc/bindresvport.blacklist    r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  /etc/ld.so.cache               mr,
  /lib{,32,64}/ld{,32,64}-*.so   mrix,
  /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
  /lib/@{multiarch}/ld{,32,64}-*.so    mrix,
  /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,

  # we might as well allow everything to use common libraries
  /lib{,32,64}/**                r,
  /lib{,32,64}/lib*.so*          mr,
  /lib{,32,64}/**/lib*.so*       mr,
  /lib/@{multiarch}/**            r,
  /lib/@{multiarch}/lib*.so*      mr,
  /lib/@{multiarch}/**/lib*.so*   mr,
  /usr/lib{,32,64}/**            r,
  /usr/lib{,32,64}/*.so*         mr,
  /usr/lib{,32,64}/**/lib*.so*   mr,
  /usr/lib/@{multiarch}/**          r,
  /usr/lib/@{multiarch}/lib*.so*    mr,
  /usr/lib/@{multiarch}/**/lib*.so* mr,
  /lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so*    mr,

  # /dev/null is pretty harmless and frequently used
  /dev/null                      rw,
  # Write access to /dev/zero is not needed
  /dev/zero                      r,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full                      rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version     r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo                r,
  @{PROC}/stat                   r,
  @{PROC}/cpuinfo                r,
  /sys/devices/system/cpu/online r,

  # glibc's *printf protections read the maps file
  @{PROC}/*/maps                 r,

  # libgcrypt reads some flags from /proc
  @{PROC}/sys/crypto/*           r,

  # some applications will display license information
  /usr/share/common-licenses/**  r,

  # glibc statvfs
  @{PROC}/filesystems            r,

  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

  # Uncomment to allow KVM to look at encrypted /home
  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security when
  # enabled because the user is expected to have access to files owned by him/her.
  # Exceptions to this are explicit in the profiles. While this rule grants access
  # to those exceptions, the intended privacy is maintained due to the encrypted
  # contents of the files in this directory. Files in this directory will also use
  # filename encryption by default, so the files are further protected. Also, with
  # the use of 'owner', this rule properly # prevents access to the files from
  # processes running under a different uid.

  # encrypted ~/.Private and old-style encrypted $HOME
  #owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  #owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

