abstractions
Use of dangerous or deprecated abstractions
Problematic rule
Correct rule
Rationale
Some abstractions grant more access than required, or do not integrate with the profiles defined in apparmor.d or with non-Ubuntu systems.
The following abstractions are considered dangerous:
- dbus: Full dbus access
- dbus-accessibility: Full dbus accessibility access
- dbus-session: Full dbus session access
- dbus-system: Full dbus system access
- user-tmp: Full access to user temporary files (see the too-wide check)
Deprecated abstractions:
- bash -> shell: bash does not cover all shells.
- nameservice -> nameservice-strict: nameservice gives network access which is not required in most cases.
Deprecated abstractions that would conflict with apparmor.d integration:
- dbus-accessibility-strict -> bus-accessibility
- dbus-network-manager-strict -> network-manager-observe
- dbus-session-strict -> bus-session
- dbus-system-strict -> bus-system
- gnome -> gnome-strict
- kde -> kde-strict
- X -> X-strict
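The check described above can be sketched as a scan over a profile's include lines. This is an added example, not the apparmor.d project's own linter code; the function name check_abstractions and the sample profile are constructed for illustration, and the tables are transcribed from the lists on this page.

```python
import re

# Names transcribed from the lists on this page.
DANGEROUS = {"dbus", "dbus-accessibility", "dbus-session", "dbus-system",
             "user-tmp"}
DEPRECATED = {  # deprecated abstraction -> replacement
    "bash": "shell",
    "nameservice": "nameservice-strict",
    "dbus-accessibility-strict": "bus-accessibility",
    "dbus-network-manager-strict": "network-manager-observe",
    "dbus-session-strict": "bus-session",
    "dbus-system-strict": "bus-system",
    "gnome": "gnome-strict",
    "kde": "kde-strict",
    "X": "X-strict",
}

# Matches "include <abstractions/NAME>", the legacy "#include" spelling,
# and the conditional "include if exists <abstractions/NAME>" form.
INCLUDE_RE = re.compile(
    r"^\s*#?include\s+(?:if\s+exists\s+)?<abstractions/([^>\s]+)>")

def check_abstractions(profile_text):
    """Return (line_number, abstraction, message) for each flagged include."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        match = INCLUDE_RE.match(line)
        if not match:
            continue
        name = match.group(1)
        if name in DANGEROUS:
            findings.append((lineno, name, "dangerous: more access than required"))
        elif name in DEPRECATED:
            findings.append((lineno, name, "deprecated: use " + DEPRECATED[name]))
    return findings

# Constructed sample profile (hypothetical program, not from the page).
SAMPLE = """\
profile example /usr/bin/example {
  include <abstractions/base>
  include <abstractions/dbus-session>
  #include <abstractions/nameservice>
  include if exists <abstractions/X>
  include <abstractions/bus-session>
}
"""

if __name__ == "__main__":
    for lineno, name, message in check_abstractions(SAMPLE):
        print(f"line {lineno}: abstractions/{name}: {message}")
```

Names are compared exactly, so the replacement abstractions (bus-session, X-strict and so on) and unrelated ones such as base pass without a finding.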
Exceptions
None