File manager - Edit - /home/c14075/dragmet-ural.ru/www/apparmor.d.tar
# Dump of apparmor.d.tar. Lines of the form "NAME 0000644 SIZE MTIME CHECKSUM 0 ustar 00"
# are tar member headers left over from the archive, not AppArmor syntax; each one
# introduces the profile file named at its start. The three local/ members have a
# size field of zero, i.e. no site-specific overrides are present in this archive.
local/usr.sbin.haveged 0000644 00000000000 15103457617 0010725 0 ustar 00
local/usr.bin.man 0000644 00000000000 15103457617 0007712 0 ustar 00
local/usr.sbin.ntpd 0000644 00000000000 15103457617 0010267 0 ustar 00
usr.sbin.haveged 0000644 00000001155 15103457617 0007647 0 ustar 00
# Last Modified: Fri Aug 21 15:23:17 2015
#include <tunables/global>

# Profile for the haveged entropy daemon: one broad capability, then a short
# allow-list of proc/sysfs reads and two write targets.
/usr/sbin/haveged {
  #include <abstractions/base>
  #include <abstractions/consoles>

  # Required for ioctl RNDADDENTROPY
  # NOTE(review): sys_admin covers far more than this one ioctl, so the
  # containment of this daemon rests on the narrow file rules below rather
  # than on the capability set.
  capability sys_admin,

  # "owner" limits the rule to files owned by the process itself.
  owner @{PROC}/@{pid}/status r,

  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  # Write-only: the profile grants no read access to /dev/random.
  /dev/random w,

  # Read-only CPU cache topology.
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu*/cache/ r,
  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,

  # Read and mmap of its own binary only; this profile itself carries no
  # exec (x) rule, so no other program may be started from it unless an
  # included abstraction allows one.
  /usr/sbin/haveged mr,

  /run/haveged.pid w,

  # Site-specific additions and overrides are loaded from here.
  #include <local/usr.sbin.haveged>
}
usr.sbin.mariadbd 0000644 00000001332 15103457617 0010004 0 ustar 00
# This file is intentionally empty to disable apparmor by default for newer
# versions of MariaDB, while providing seamless upgrade from older versions
# and from mysql, where apparmor is used.
#
# By default, we do not want to have any apparmor profile for the MariaDB
# server. It does not provide much useful functionality/security, and causes
# several problems for users who often are not even aware that apparmor
# exists and runs on their system.
#
# Users can modify and maintain their own profile, and in this case it will
# be used.
#
# When upgrading from previous version, users who modified the profile
# will be prompted to keep or discard it, while for default installs
# we will automatically disable the profile.
#
# NOTE(review): the consequence for hardening is that mariadbd receives no
# AppArmor confinement from this file; a site that wants the database server
# confined has to write and maintain its own profile here.
usr.bin.man 0000644 00000006570 15103457617 0006642 0 ustar 00
# vim:syntax=apparmor
#include <tunables/global>

# Three profiles follow: a deliberately permissive one for man itself and two
# tight ones (man_groff, man_filter) for the helper programs that parse
# manual-page data.
/usr/bin/man {
  #include <abstractions/base>

  # Use a special profile when man calls anything groff-related. 
  # We only
  # include the programs that actually parse input data in a non-trivial
  # way, not wrappers such as groff and nroff, since the latter would need a
  # broader profile.
  # r = read, m = mmap executable, Cx = run under the named profile with a
  # scrubbed environment.
  # NOTE(review): the "&" target appears to request stacking on top of the
  # current confinement; the peer labels "/usr/bin/man//&man_groff" further
  # down are written in that stacked form. Confirm against the parser
  # version in use.
  /usr/bin/eqn rmCx -> &man_groff,
  /usr/bin/grap rmCx -> &man_groff,
  /usr/bin/pic rmCx -> &man_groff,
  /usr/bin/preconv rmCx -> &man_groff,
  /usr/bin/refer rmCx -> &man_groff,
  /usr/bin/tbl rmCx -> &man_groff,
  /usr/bin/troff rmCx -> &man_groff,
  /usr/bin/vgrind rmCx -> &man_groff,

  # Similarly, use a special profile when man calls decompressors and other
  # simple filters.
  /{,usr/}bin/bzip2 rmCx -> &man_filter,
  /{,usr/}bin/gzip rmCx -> &man_filter,
  /usr/bin/col rmCx -> &man_filter,
  /usr/bin/compress rmCx -> &man_filter,
  /usr/bin/iconv rmCx -> &man_filter,
  /usr/bin/lzip.lzip rmCx -> &man_filter,
  /usr/bin/tr rmCx -> &man_filter,
  /usr/bin/xz rmCx -> &man_filter,

  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  # The "ix" in this rule means every program not listed above is executed
  # under this same permissive profile, so only the helpers named in the Cx
  # rules are actually confined.
  /** mrixwlk,
  # Bare "unix," places no restriction on unix-domain socket use.
  unix,

  # NOTE(review): presumably needed for man's switch to its own user and
  # group; confirm against the installed man-db configuration.
  capability setuid,
  capability setgid,

  # Ordinary permission checks sometimes involve checking whether the
  # process has this capability, which can produce audit log messages.
  # Silence them.
  deny capability dac_override,
  deny capability dac_read_search,

  # Signals are allowed only between man and its two helper confinements.
  signal peer=@{profile_name},
  signal peer=/usr/bin/man//&man_groff,
  signal peer=/usr/bin/man//&man_filter,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.man>
}

# Confinement for the groff-family parsers: read access to groff data only,
# and a single writable pattern under /tmp.
profile man_groff {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs. This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>

  # man always runs its groff pipeline with the input file open on stdin,
  # so we can skip <abstractions/user-manpages>. 
  # "rm" without x: the parsers may map their own binaries but this profile
  # itself lets them execute nothing further.
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
  /usr/bin/preconv rm,
  /usr/bin/refer rm,
  /usr/bin/tbl rm,
  /usr/bin/troff rm,
  /usr/bin/vgrind rm,

  /etc/groff/** r,
  /etc/papersize r,
  /usr/lib/groff/site-tmac/** r,
  /usr/share/groff/** r,

  # The only write access this profile itself grants.
  /tmp/groff* rw,

  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_groff,
}

# Confinement for decompressors and simple text filters: read anywhere,
# write only to the cat-page cache.
profile man_filter {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs. This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>

  /{,usr/}bin/bzip2 rm,
  /{,usr/}bin/gzip rm,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
  /usr/bin/lzip.lzip rm,
  /usr/bin/tr rm,
  /usr/bin/xz rm,

  # Manual pages can be more or less anywhere, especially with "man -l", and
  # there's no harm in allowing wide read access here since the worst it can
  # do is feed data to the invoking man process.
  # NOTE(review): that argument depends on the filter having no other output
  # channel; this profile itself adds no network rule and only the one write
  # path below, but what <abstractions/base> permits should be checked too.
  /** r,

  # Allow writing cat pages.
  /var/cache/man/** w,

  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_filter,
}
usr.sbin.ntpd 0000644 00000000710 15103457617 0007205 0 ustar 00
# vim:syntax=apparmor
#include <tunables/global>

# Profile for ntpd; the paths under /etc/openntpd and /var/lib/openntpd
# indicate the OpenNTPD daemon.
# NOTE(review): attach_disconnected relaxes path mediation for objects that
# are not reachable from the namespace root; presumably required because the
# daemon chroots (see sys_chroot below). Confirm it is still needed.
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # conf
  /etc/openntpd/ntpd.conf r,

  # capabilities
  # NOTE(review): sys_chroot, setgid and setuid look like the usual set for a
  # daemon that chroots and drops privileges; sys_time is the one that lets
  # it set the system clock. Verify each is still used before trimming.
  capability kill,
  capability sys_chroot,
  capability setgid,
  capability setuid,
  capability sys_time,
  capability sys_nice,

  # "ix": ntpd may re-execute itself and stays under this profile when it does.
  /usr/sbin/ntpd mrix,

  /var/lib/openntpd/db/ntpd.drift rw,
  /var/lib/openntpd/run/ntpd.sock rw,

  # NOTE(review): unlike the haveged and man profiles, nothing here includes
  # local/usr.sbin.ntpd, although the archive carries a member of that name.
  # As shown, overrides placed in that file would not be loaded.
}