File: //proc/676643/root/etc/apparmor/logprof.conf
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
parser = /sbin/apparmor_parser /sbin/subdomain_parser
ldd = /usr/bin/ldd
logger = /bin/logger /usr/bin/logger
# customize how file ownership permissions are presented
# 0 - off
# 1 - default of what ever mode the log reported
# 2 - force the new permissions to be user
# 3 - force all perms on the rule to be user
default_owner_prompt = 1
# custom directory locations to look for #includes
#
# each name should be a valid directory containing possible #include
# candidate files under the profile dir which by default is /etc/apparmor.d.
#
# So an entry of my-includes will allow /etc/apparmor.d/my-includes to
# be used by the yast UI and profiling tools as a source of #include
# files.
custom_includes =
[qualifiers]
# things will be painfully broken if bash has a profile
/bin/bash = icnu
/usr/bin/bash = icnu
/bin/ksh = icnu
/usr/bin/ksh = icnu
/bin/dash = icnu
/usr/bin/dash = icnu
/bin/zsh = icnu
/usr/bin/zsh = icnu
# these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
/sbin/cardmgr = u
/usr/sbin/cardmgr = u
/sbin/subdomain_parser = u
/usr/sbin/subdomain_parser = u
/usr/sbin/genprof = u
/usr/sbin/logprof = u
/usr/lib/YaST2/servers_non_y2/ag_genprof = u
/usr/lib/YaST2/servers_non_y2/ag_logprof = u
# these ones shouln't have their own profiles
/bin/awk = icn
/usr/bin/awk = icn
/bin/cat = icn
/usr/bin/cat = icn
/bin/chmod = icn
/usr/bin/chmod = icn
/bin/chown = icn
/usr/bin/chown = icn
/bin/cp = icn
/usr/bin/cp = icn
/bin/gawk = icn
/usr/bin/gawk = icn
/bin/grep = icn
/usr/bin/grep = icn
/bin/gunzip = icn
/usr/bin/gunzip = icn
/bin/gzip = icn
/usr/bin/gzip = icn
/bin/kill = icn
/usr/bin/kill = icn
/bin/ln = icn
/usr/bin/ln = icn
/bin/ls = icn
/usr/bin/ls = icn
/bin/mkdir = icn
/usr/bin/mkdir = icn
/bin/mv = icn
/usr/bin/mv = icn
/bin/readlink = icn
/usr/bin/readlink = icn
/bin/rm = icn
/usr/bin/rm = icn
/bin/sed = icn
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
/sbin/killall5 = icn
/usr/sbin/killall5 = icn
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
/usr/bin/perl = icn
/usr/bin/python = icn
/usr/bin/python2 = icn
/usr/bin/python2.7 = icn
/usr/bin/python3 = icn
/usr/bin/python3.3 = icn
/usr/bin/python3.4 = icn
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
/usr/bin/python3.8 = icn
/usr/bin/python3.9 = icn
/usr/bin/python3.10 = icn
/usr/bin/python3.11 = icn
/usr/bin/python3.12 = icn
/usr/bin/python3.13 = icn
/usr/bin/python3.14 = icn
/usr/bin/python3.15 = icn
/usr/bin/python3.16 = icn
/usr/bin/python3.17 = icn
/usr/bin/python3.18 = icn
/usr/bin/python3.19 = icn
/usr/bin/tr = icn
[required_hats]
^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
[defaulthat]
^.+/apache(|2|2-prefork)$ = DEFAULT_URI
^.+/httpd(|2|2-prefork)$ = DEFAULT_URI
[globs]
# /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
/lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
# strip kernel version numbers from kernel module accesses
^/lib/modules/[^\/]+\/ = /lib/modules/*/
# strip pid numbers from /proc accesses
^/proc/\d+/ = /proc/*/
# if it looks like a home directory, glob out the username
^/home/[^\/]+ = /home/*
# if they use any perl modules, grant access to all
^/usr/lib/x86_64-linux-gnu/perl5/5.34/.+$ = /usr/lib/x86_64-linux-gnu/perl5/5.34/**
^/usr/lib/[^\/]+/perl5?/.+$ = /usr/lib/@{multiarch}/perl{,5}/**
# locale foo
^/usr/lib/locale/.+$ = /usr/lib/locale/**
^/usr/share/locale/.+$ = /usr/share/locale/**
# timezone fun
^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**
# /foobar/fonts/baz -> /foobar/fonts/**
/fonts/.+$ = /fonts/**
# turn /foo/bar/baz.8907234 into /foo/bar/baz.*
# BUGBUG - this one looked weird because it would suggest a glob for
# BUGBUG - libfoo.so.5.6.0 that looks like libfoo.so.5.6.*
# \.\d+$ = .*
# some various /etc/security poo -- dunno about these ones...
^/etc/security/_[^\/]+$ = /etc/security/*
^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so
^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh