
/etc/apparmor.d/usr.sbin.ejabberdctl is in ejabberd 18.01-2.

This file is owned by root:root, with mode 0o644.

#include <tunables/global>

# AppArmor profile for /usr/sbin/ejabberdctl, the ejabberd control script.
# flags=(complain): the profile runs in complain mode, so rule violations are
# logged but NOT blocked. It gives visibility into what the script touches;
# it only confines anything once the flag is removed / switched to enforce.
# @{PROC}, @{pid} and @{multiarch} are variables defined in tunables/global.
/usr/sbin/ejabberdctl flags=(complain) {
	#include <abstractions/base>
	#include <abstractions/consoles>
	#include <abstractions/nameservice>

	# Capabilities available to the script and to every helper it runs with
	# 'ix' (those inherit this profile). dac_override and dac_read_search
	# bypass file-permission checks altogether; the existing comment ties
	# them to sed, so they are presumably needed for editing files the
	# invoking user cannot otherwise read/write -- TODO confirm which ones.
	capability net_bind_service,
	capability dac_override,
	capability dac_read_search, # for sed

	# Helpers executed under this same profile ('ix' = execute + inherit).
	# 'rm' on the shells additionally allows read and executable mmap,
	# since the interpreter has to map the script/its libraries itself.
	/{,usr/}bin/bash				rmix,
	/{,usr/}bin/cat					ix,
	/{,usr/}bin/dash				rmix,
	/{,usr/}bin/date				ix,
	/{,usr/}bin/df					ix,
	/{,usr/}bin/{,p}grep			ix,
	/{,usr/}bin/ps					ix,
	/{,usr/}bin/sed					ix,
	/{,usr/}bin/sleep				ix,


	# su does not inherit; 'px' transitions into the child profile below,
	# so the setuid/PAM machinery gets its own, narrower rule set.
	/{,usr/}bin/su					px -> /usr/sbin/ejabberdctl//su,
	# Child profile for su. Also the target of the epam transition further
	# down. It holds the PAM/authentication rules and hands control back
	# to the parent profile as soon as a shell is exec'd.
	profile su {
		#include <abstractions/authentication>
		#include <abstractions/base>
		#include <abstractions/nameservice>
		#include <abstractions/wutmp>

		# Explicit deny: the capability is refused AND the attempt is not
		# logged (deny rules are quiet), which keeps the audit log free of
		# the setsockopt() noise without granting net_admin.
		deny capability net_admin, # setsockopt() with SO_RCVBUFFORCE

		# Needed for the uid/gid switch, audit records and rlimit changes
		# that su performs after authentication.
		capability audit_write,
		capability setgid,
		capability setuid,
		capability sys_resource,

		@{PROC}/@{pid}/loginuid			r,
		@{PROC}/1/limits			r,

		# Once su execs a shell, 'px' returns it to the parent profile, so
		# whatever runs after su is confined by /usr/sbin/ejabberdctl again.
		/{,usr/}bin/bash			px -> /usr/sbin/ejabberdctl,
		/{,usr/}bin/dash			px -> /usr/sbin/ejabberdctl,
		/{,usr/}bin/su				rm,

		/etc/environment			r,
		/etc/default/locale			r,
		/etc/security/limits.d**		r,

		/lib/@{multiarch}/libpam.so*		rm,
	}


	# Configuration (read-only). '**' also matches subdirectories and their
	# contents, so /etc/ejabberd** covers the whole /etc/ejabberd tree.
	/etc/default/ejabberd				r,
	/etc/ejabberd**					r,
	/etc/ImageMagick**				r,

	/run/ejabberd**					rw,

	# Kernel/proc information read by the process-inspection helpers.
	# 'owner' limits the mount files to those belonging to the same uid
	# as the confined task.
	/sys/devices/system/cpu**			r,
	/sys/devices/system/node**			r,
	/proc/sys/kernel/osrelease			r, # for pgrep
	/proc/sys/kernel/random/uuid		r,
	@{PROC}/							r, # for pgrep
	owner @{PROC}/@{pid}/mountinfo		r, # for df
	owner @{PROC}/@{pid}/mounts			r, # for df

	# Additional helpers, inherited into this profile.
	/usr/bin/cut					ix,
	/usr/bin/erl					ix,
	/usr/bin/expr					ix,
	/usr/bin/flock					ix,
	/usr/bin/getent					ix,
	/usr/bin/id					ix,
	/usr/bin/inotifywait			ix,
	/usr/bin/seq					ix,
	/usr/bin/uuidgen				ix,

	# Erlang runtime. Note that the VM (beam*) and its helpers inherit this
	# profile, so every Erlang port program spawned from here is confined by
	# these same rules.
	/usr/lib/erlang/bin/erl				ix,
	/usr/lib/erlang/erts-*/bin/beam*		ix,
	/usr/lib/erlang/erts-*/bin/child_setup		ix,
	/usr/lib/erlang/erts-*/bin/epmd			ix,
	/usr/lib/erlang/erts-*/bin/erl_child_setup	ix,
	/usr/lib/erlang/erts-*/bin/erlexec		ix,
	/usr/lib/erlang/erts-*/bin/inet_gethost		ix,
	/usr/lib/erlang/lib/**.so			rm,
	/usr/lib/erlang/lib/os_mon*/priv/bin/memsup ix,
	/usr/lib/erlang/lib/p1_eimp*/priv/bin/eimp  ix,
	# epam is run under the su child profile (the one carrying the PAM
	# authentication rules) rather than inheriting this profile.
	/usr/lib/erlang/p1_pam/bin/epam			px -> /usr/sbin/ejabberdctl//su,

	# Architecture-specific path: anything under the ImageMagick module
	# directory may be executed (inherited). On non-amd64 builds this
	# literal triplet will not match -- presumably @{multiarch} is intended;
	# TODO confirm.
	/usr/lib/x86_64-linux-gnu/ImageMagick-*/**	ix,

	/usr/sbin/ejabberdctl				r,

	/usr/share/ImageMagick-*/**			rix,

	# Writable state. 'l' allows creating links and 'k' file locking
	# in the backup and log trees.
	/var/backups/					rw,
	/var/backups/ejabberd**				rwlk,
	/var/lib/ejabberd**				rw,
	/var/log/ejabberd/*				rwlk,

	# Kept alongside /run/ejabberd** above; presumably for systems where
	# /var/run is not (yet) a symlink to /run.
	/var/run/ejabberd**				rw,

	# Site-specific additions and overrides. See local/README for details.
	#include <local/usr.sbin.ejabberdctl>
}