Merge pull request #5577

Vincas Dargis (32): feat(apparmor): Add AppArmor profile feat(apparmor): Add AppArmor v2.12.1 profile fix(apparmor): Fix AppArmor profile for version 2.12.1 fix(apparmor): Fix loading libraries from custom install prefix fix(apparmor): Backport qt5 abstraction for v2.12.1 profile fix(apparmor): Add ibus abstraction fix(apparmor): Fix qTox cache access fix(apparmor): Fix accessibility DBus access fix(apparmor): Fix hunspell access fix(apparmor): Fix dbus access fix(apparmor): Fix access to openssl configuration fix(apparmor): Fix .local/share/qTox/ access fix(apparmor): Backport dri-enumerate abstraction fix(apparmor): Fix DBUS denies on Kubuntu 18.04 fix(apparmor): Fix spam of DENIED messages on openSUSE fix(apparmor): backport kde abstraction fix(apparmor): fix file dialog on KDE desktop fix(apparmor): fix file dialog denies fix(apparmor): Fix font-related denies on openSUSE fix(apparmor): Fix openSUSE-related AppArmor denies fix(apparmor): Backport fix from dri-common abstraction fix(apparmor): Fix screenshot capture under AppArmor docs(apparmor): Add README about AppArmor feat(apparmor): Add AppArmor profile install scripts docs(INSTALL.md): Add link to AppArmor readme. docs(apparmor): Simplify install script usage docs(apparmor): Fix custom install prefix example fix(apparmor): Fix typo in file path fix(apparmor): Make network rules more strict docs(apparmor): Refactor links docs(apparmor): Fix line lengths docs(apparmor): Fix grammar
2024-03-22 14:00:36 +08:00 · 2019-03-26 17:51:49 +01:00 · 2019-03-26 17:51:49 +01:00 · 769e239661
commit 769e239661
parent 477950737f ef2e7128ee
8 changed files with 985 additions and 0 deletions
--- a/INSTALL.md
+++ b/INSTALL.md
@ -26,6 +26,7 @@
  - [sqlcipher](#sqlcipher)
  - [Compile toxcore](#compile-toxcore)
  - [Compile qTox](#compile-qtox)
+  - [Security hardening with AppArmor](#security-hardening-with-apparmor)
 - [OS X](#osx)
 - [Windows](#windows)
  - [Cross-compile from Linux](#cross-compile-from-linux)
@ -585,6 +586,12 @@ After installing the required dependencies, run `bootstrap.sh` and then run the
 the packages necessary for building `.deb`s, so be prepared to type your
 password for sudo.

+---
+
+### Security hardening with AppArmor
+
+See [AppArmor] to enable confinement for increased security.
+

 <a name="osx" />

@ -817,6 +824,7 @@ Switches:
    included


+[AppArmor]: /security/apparmor/README.md
 [Atk]: https://wiki.gnome.org/Accessibility
 [Cairo]: https://www.cairographics.org/
 [Check]: https://libcheck.github.io/check/
--- a/security/apparmor/2.12.1/install.sh
+++ b/security/apparmor/2.12.1/install.sh
@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e -u pipefail
+
+readonly SCRIPT_DIR=$(dirname $(readlink -f $0))
+
+if [[ $(id -u) != 0 ]]
+then
+    >&2 echo "Please run as root."
+    exit 1
+fi
+
+if [[ -z $(which apparmor_parser) ]]
+then
+   >&2 echo "AppArmor not found."
+   exit 1
+fi
+
+echo "Copying AppArmor files..."
+[[ ! -d "/etc/apparmor.d/tunables/usr.bin.qtox.d/" ]] && mkdir -v "/etc/apparmor.d/tunables/usr.bin.qtox.d/"
+cp -v "${SCRIPT_DIR}/tunables/usr.bin.qtox" "/etc/apparmor.d/tunables/"
+cp -v "${SCRIPT_DIR}/usr.bin.qtox" "/etc/apparmor.d/"
+touch "/etc/apparmor.d/local/usr.bin.qtox"
+
+echo "Restarting AppArmor..."
+systemctl restart apparmor
+
+echo "Done."
+
--- a/security/apparmor/2.12.1/tunables/usr.bin.qtox
+++ b/security/apparmor/2.12.1/tunables/usr.bin.qtox
@ -0,0 +1,12 @@
+@{qtox_prefix} = /usr /usr/local
+
+# Allow to read & write into mounted media, etc.
+# for convenient sending & receiving of files.
+@{qtox_additional_rw_dirs} = /mnt /media
+
+# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
+# needed, such as:
+# @{qtox_prefix} += @{HOME}/opt/qtox
+# @{qtox_additional_rw_dirs} = /data/nfs_storage
+#include <tunables/usr.bin.qtox.d/>
+
--- a/security/apparmor/2.12.1/usr.bin.qtox
+++ b/security/apparmor/2.12.1/usr.bin.qtox
@ -0,0 +1,400 @@
+#include <tunables/global>
+#include <tunables/usr.bin.qtox>
+
+# using variables in profile name is not yet recommended due to issues with
+# AppArmor tools
+# TODO: use this alternative in the future when available
+#profile qtox @{qtox_prefix}/bin/qtox {
+profile qtox /usr{,/local}/bin/qtox {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/dbus-session-strict>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/kde>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/video>
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.qtox>
+
+  # Main executable
+
+  @{qtox_prefix}/bin/qtox mr,
+
+  # Other executables
+
+  #TODO: use xdg-open abstraction when it's available
+  /usr/bin/xdg-open PUx,
+  #TODO: use named profile or abstraction when it's available
+  /usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
+
+  # Additional libraries
+
+  # Allow /usr/local/lib/libtoxcore.so...
+  @{qtox_prefix}/lib/*.so* mr,
+
+  # Networking
+
+  network inet udp,
+  network inet6 udp,
+  network inet tcp,
+  network inet6 tcp,
+
+  # DBus
+
+  dbus send
+    bus=session
+    path=/org/a11y/bus
+    interface=org.freedesktop.DBus.Properties
+    member=Get
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Properties
+    member=Get
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.NetworkManager
+    member=GetDevices
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.NetworkManager
+    member=PropertiesChanged
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Settings
+    interface=org.freedesktop.NetworkManager.Settings
+    member=ListConnections
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+    interface=org.freedesktop.NetworkManager.Settings.Connection
+    member=GetSettings
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=system
+    path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+    interface=org.freedesktop.NetworkManager.Connection.Active
+    member=PropertiesChanged
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.kde.StatusNotifierWatcher
+    member=RegisterStatusNotifierItem
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member=Activate
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member=GetLayout
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member={AboutToShow,Event}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member={NewIcon,NewToolTip}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UPower
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UDisks2/{block_devices,drives}/*
+    interface=org.freedesktop.DBus.Properties
+    member={Get,GetAll}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/org/freedesktop/DBus
+    interface=org.freedesktop.DBus
+    member=GetConnectionUnixUser
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/
+    interface=org.kde.KDirNotify
+    member={enteredDirectory,leftDirectory}
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/
+    interface=org.kde.KDirNotify
+    member=FilesAdded
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/KLauncher
+    interface=org.kde.KSlaveLauncher
+    member=requestSlave
+    peer=(label=unconfined),
+
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
+  # libfontconfig bug? Should not write to root-owned dirs.
+  deny /usr/share/fonts/** w,
+  deny /var/cache/fontconfig/ w,
+
+  # System files
+
+  /usr/share/hunspell/* r,
+  @{qtox_additional_rw_dirs}/ r,
+  @{qtox_additional_rw_dirs}/** rw,
+
+  # Sensitive directory access!!!
+  # Allow navigating directories with file dialog, to access directory you
+  # can write (read) file to, for most convenience (though against maximum
+  # security). Note: this allows reading only directory contents (list),
+  # not the files itself.
+  /{,**/} r,
+
+  /dev/ r,
+  /dev/dri/ r,
+  /dev/video[0-9]* rw, # webcam
+  /etc/fstab r, # file dialog
+  /etc/xdg/menus/ r, # file dialog
+  /proc/sys/kernel/core_pattern r, # for  KCrash::initialize()
+  /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
+  /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
+  /sys/bus/ r, # file dialog
+  /sys/bus/usb/devices/ r, # file dialog
+  /sys/class/ r, # file dialog
+  /sys/devices/**/uevent r, # file dialog
+  /sys/devices/system/node/ r,  # for ld-linux-x86-64.so -> libnuma1.so
+  /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
+  /usr/share/emoticons/{,**} r,
+  /usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
+  /usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
+  /usr/share/kservices5/{,**} r, # file dialog
+  /usr/share/mime/ r, # file dialog
+  /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+  /usr/share/sounds/ r, # file dialog (alert)
+  /{,var/}run/udev/data/* r, # file dialog
+
+  # User files
+
+  # Sensitive file access!!!
+  # Allow reading & writing into $HOME, EXCEPT for dot files and directories,
+  # for most convenience (though against maximum security).
+  owner @{HOME}/ r,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/{,**} rw,
+  # QSaveFile security measures? While saving log file
+  owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
+  owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
+
+  owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog
+  owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog
+  owner @{HOME}/.cache/Tox/ w,
+  owner @{HOME}/.cache/Tox/qTox/{,**} rw,
+  owner @{HOME}/.cache/fontconfig/** rwk,
+  owner @{HOME}/.cache/qTox/{,**} rw,
+  owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
+  owner @{HOME}/.config/menus/ r, # file dialog
+  owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
+  owner @{HOME}/.config/qToxrc rw,
+  owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
+  owner @{HOME}/.config/qToxrc.lock rwk,
+  owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
+  owner @{HOME}/.config/tox/{,**} rwk,
+  owner @{HOME}/.fonts/.uuid* rw,
+  owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
+  owner @{HOME}/.fonts/.uuid.*/ rw,
+  owner @{HOME}/.local/share/Tox/{,**} rw,
+  owner @{HOME}/.local/share/qTox/{,**} rw,
+  owner @{HOME}/.local/share/user-places.xbel r, # file dialog
+  owner @{PROC}/@{pid}/cmdline r,
+
+  # Backport from more recent qt5-compose-cache-write abstraction
+  # commit 1250402471d9d83134b0faa90239a733a37f23f0
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+  # Backport kde-globals-write abstraction
+  # commit fae93f1b6c7a28bb77ad186ab1de41372630272b
+  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/kdeglobals rw,
+  owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/kdeglobals.lock rwk,
+
+  # Backport kde-icon-cache-write abstraction
+  # commit 94014c09f09fc63229bb10fea3f0727113fe5bae
+  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
+  # Backport mesa abstraction
+  # commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3
+
+  # System files
+  /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+  /usr/share/drirc.d/{,*.conf} r,
+
+  # User files
+  owner @{HOME}/.cache/ w, # if user clears all caches
+  owner @{HOME}/.cache/mesa_shader_cache/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/index rw,
+  owner @{HOME}/.cache/mesa_shader_cache/??/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+  # End of backported mesa abstraction
+
+  # Backport qt5 abstraction
+  # commit 67816c42cfbadd85aa5cbb086284076c4c289881
+
+  # Additional libraries
+
+  /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
+  /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
+  /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
+
+  # System files
+
+  /etc/xdg/QtProject/qtlogging.ini r,
+  /usr/share/qt5/translations/*.qm r,
+  /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
+  /usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
+
+  # User files
+
+  owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
+  # End of backported qt5 abstractions
+
+  # Backport qt5-compose-cache-write abstraction
+  # commit 1250402471d9d83134b0faa90239a733a37f23f0
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+  # Backport qt5-settings-write abstraction
+  # commit 8f6a8fb1942122705af4c45168922c4afd696c8a
+  owner @{HOME}/.config/#[0-9]*[0-9] rw,
+  owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
+  # for temporary files like QtProject.conf.Aqrgeb
+  owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
+  owner @{HOME}/.config/QtProject.conf.lock rwk,
+
+  # Backport recent-documents-write
+  # commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a
+  owner @{HOME}/.local/share/RecentDocuments/ rw,
+  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
+  # Backport dri-enumerate abstraction
+  # commit b0456adbd86aab73e4a19013fdfed22da98ed455
+  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+
+  # Backport kde abstraction
+  # commit aae838faca57905d2dbc27db7bffd595c09d26f0
+  # commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
+  /etc/xdg/kdeglobals r,
+  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
+  /usr/share/kubuntu-default-settings/kf5-settings/* r,
+  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+  owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
+  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+  owner @{HOME}/.config/trashrc r, # Used by KFileWidget
+
+  # Backport dri-common abstraction
+  # commit 2d8d2f06d5697d9692330686bb5ddb0095621144
+  /usr/share/drirc.d/{,*.conf} r,
+
+}
--- a/security/apparmor/2.13.2/install.sh
+++ b/security/apparmor/2.13.2/install.sh
@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -e -u pipefail
+
+readonly SCRIPT_DIR=$(dirname $(readlink -f $0))
+
+if [[ $(id -u) != 0 ]]
+then
+    >&2 echo "Please run as root."
+    exit 1
+fi
+
+if [[ -z $(which apparmor_parser) ]]
+then
+   >&2 echo "AppArmor not found."
+   exit 1
+fi
+
+#NOTE: we do not need to create /etc/apparmor.d/tunables/usr.bin.qtox.d/ or
+#/etc/apparmor.d/local/usr.bin.qtox because AppArmor >2.13 support #include if
+#exists
+
+echo "Copying AppArmor files..."
+cp -v "${SCRIPT_DIR}/tunables/usr.bin.qtox" "/etc/apparmor.d/tunables/"
+cp -v "${SCRIPT_DIR}/usr.bin.qtox" "/etc/apparmor.d/"
+
+echo "Restarting AppArmor..."
+systemctl restart apparmor
+
+echo "Done."
+
--- a/security/apparmor/2.13.2/tunables/usr.bin.qtox
+++ b/security/apparmor/2.13.2/tunables/usr.bin.qtox
@ -0,0 +1,12 @@
+@{qtox_prefix} = /usr /usr/local
+
+# Allow to read & write into mounted media, etc.
+# for convenient sending & receiving of files.
+@{qtox_additional_rw_dirs} = /mnt /media
+
+# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
+# needed, such as:
+# @{qtox_prefix} += @{HOME}/opt/qtox
+# @{qtox_additional_rw_dirs} = /data/nfs_storage
+#include if exists <tunables/usr.bin.qtox.d/>
+
--- a/security/apparmor/2.13.2/usr.bin.qtox
+++ b/security/apparmor/2.13.2/usr.bin.qtox
@ -0,0 +1,335 @@
+#include <tunables/global>
+#include <tunables/usr.bin.qtox>
+
+# using variables in profile name is not yet recommended due to issues with
+# AppArmor tools
+# TODO: use this alternative in the future when available
+#profile qtox @{qtox_prefix}/bin/qtox {
+profile qtox /usr{,/local}/bin/qtox {
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/dbus-session-strict>
+  #include <abstractions/dri-enumerate>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/kde-globals-write>
+  #include <abstractions/kde-icon-cache-write>
+  #include <abstractions/kde>
+  #include <abstractions/mesa>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/qt5-compose-cache-write>
+  #include <abstractions/qt5-settings-write>
+  #include <abstractions/recent-documents-write>
+  #include <abstractions/video>
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include if exists <local/usr.bin.qtox>
+
+  # Main executable
+
+  @{qtox_prefix}/bin/qtox mr,
+
+  # Other executables
+
+  #TODO: use xdg-open abstraction when it's available
+  /usr/bin/xdg-open PUx,
+  #TODO: use named profile or abstraction when it's available
+  /usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
+
+  # Additional libraries
+
+  # Allow /usr/local/lib/libtoxcore.so...
+  @{qtox_prefix}/lib/*.so* mr,
+
+  # Networking
+
+  network inet udp,
+  network inet6 udp,
+  network inet tcp,
+  network inet6 tcp,
+
+  # DBus
+
+  dbus send
+    bus=session
+    path=/org/a11y/bus
+    interface=org.freedesktop.DBus.Properties
+    member=Get
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.freedesktop.DBus.Properties
+    member=Get
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.NetworkManager
+    member=GetDevices
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=system
+    path=/org/freedesktop/NetworkManager
+    interface=org.freedesktop.NetworkManager
+    member=PropertiesChanged
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Settings
+    interface=org.freedesktop.NetworkManager.Settings
+    member=ListConnections
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+    interface=org.freedesktop.NetworkManager.Settings.Connection
+    member=GetSettings
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=system
+    path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+    interface=org.freedesktop.NetworkManager.Connection.Active
+    member=PropertiesChanged
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+    interface=org.freedesktop.DBus.Properties
+    member=GetAll
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierWatcher
+    interface=org.kde.StatusNotifierWatcher
+    member=RegisterStatusNotifierItem
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member=Activate
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member=GetLayout
+    peer=(label=unconfined),
+
+  dbus (send,receive)
+    bus=session
+    path=/MenuBar
+    interface=com.canonical.dbusmenu
+    member={AboutToShow,Event}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/StatusNotifierItem
+    interface=org.kde.StatusNotifierItem
+    member={NewIcon,NewToolTip}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UPower
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect
+    peer=(label=unconfined),
+
+  dbus send
+    bus=system
+    path=/org/freedesktop/UDisks2/{block_devices,drives}/*
+    interface=org.freedesktop.DBus.Properties
+    member={Get,GetAll}
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/org/freedesktop/DBus
+    interface=org.freedesktop.DBus
+    member=GetConnectionUnixUser
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/
+    interface=org.kde.KDirNotify
+    member={enteredDirectory,leftDirectory}
+    peer=(label=unconfined),
+
+  dbus receive
+    bus=session
+    path=/
+    interface=org.kde.KDirNotify
+    member=FilesAdded
+    peer=(label=unconfined),
+
+  dbus send
+    bus=session
+    path=/KLauncher
+    interface=org.kde.KSlaveLauncher
+    member=requestSlave
+    peer=(label=unconfined),
+
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
+  # libfontconfig bug? Should not write to root-owned dirs.
+  deny /usr/share/fonts/** w,
+  deny /var/cache/fontconfig/ w,
+
+  # System files
+
+  /usr/share/hunspell/* r,
+  @{qtox_additional_rw_dirs}/ r,
+  @{qtox_additional_rw_dirs}/** rw,
+
+  # Sensitive directory access!!!
+  # Allow navigating directories with file dialog, to access directory you
+  # can write (read) file to, for most convenience (though against maximum
+  # security). Note: this allows reading only directory contents (list),
+  # not the files itself.
+  /{,**/} r,
+
+  /dev/ r,
+  /dev/dri/ r,
+  /dev/video[0-9]* rw, # webcam
+  /etc/fstab r, # file dialog
+  /etc/xdg/menus/ r, # file dialog
+  /proc/sys/kernel/core_pattern r, # for  KCrash::initialize()
+  /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
+  /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
+  /sys/bus/ r, # file dialog
+  /sys/bus/usb/devices/ r, # file dialog
+  /sys/class/ r, # file dialog
+  /sys/devices/**/uevent r, # file dialog
+  /sys/devices/system/node/ r,  # for ld-linux-x86-64.so -> libnuma1.so
+  /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
+  /usr/share/emoticons/{,**} r,
+  /usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
+  /usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
+  /usr/share/kservices5/{,**} r, # file dialog
+  /usr/share/mime/ r, # file dialog
+  /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+  /usr/share/sounds/ r, # file dialog (alert)
+  /{,var/}run/udev/data/* r, # file dialog
+
+  # User files
+
+  # Sensitive file access!!!
+  # Allow reading & writing into $HOME, EXCEPT for dot files and directories,
+  # for most convenience (though against maximum security).
+  owner @{HOME}/ r,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/{,**} rw,
+  # QSaveFile security measures? While saving log file
+  owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
+  owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
+
+  owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
+  owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
+  owner @{HOME}/.cache/Tox/ w,
+  owner @{HOME}/.cache/Tox/qTox/{,**} rw,
+  owner @{HOME}/.cache/fontconfig/** rwk,
+  owner @{HOME}/.cache/qTox/{,**} rw,
+  owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
+  owner @{HOME}/.config/menus/ r, # file dialog
+  owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
+  owner @{HOME}/.config/qToxrc rw,
+  owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
+  owner @{HOME}/.config/qToxrc.lock rwk,
+  owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
+  owner @{HOME}/.config/tox/{,**} rwk,
+  owner @{HOME}/.fonts/.uuid* rw,
+  owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
+  owner @{HOME}/.fonts/.uuid.*/ rw,
+  owner @{HOME}/.local/share/Tox/{,**} rw,
+  owner @{HOME}/.local/share/qTox/{,**} rw,
+  owner @{HOME}/.local/share/user-places.xbel r, # file dialog
+  owner @{PROC}/@{pid}/cmdline r,
+
+  # Backport from more recent qt5-compose-cache-write abstraction
+  # commit 1250402471d9d83134b0faa90239a733a37f23f0
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+  # Backport kde abstraction
+  # commit aae838faca57905d2dbc27db7bffd595c09d26f0
+  # commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
+  /etc/xdg/kdeglobals r,
+  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
+  /usr/share/kubuntu-default-settings/kf5-settings/* r,
+  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+  owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
+  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+  owner @{HOME}/.config/trashrc r, # Used by KFileWidget
+
+  # Backport dri-common abstraction
+  # commit 2d8d2f06d5697d9692330686bb5ddb0095621144
+  /usr/share/drirc.d/{,*.conf} r,
+
+}
--- a/security/apparmor/README.md
+++ b/security/apparmor/README.md
@ -0,0 +1,158 @@
+# Hardening qTox with AppArmor
+
+qTox can be confined with AppArmor on Linux to reduce attack vectors in case
+remote code execution exploit is being used. Please note that [MAC's] (of
+course) does not guarantee perfect security, but it will:
+- Deny access to your `~/.bashrc`, `~/.ssh/*`
+  `~/.config/path/to/your/password/manager/file`, etc.
+- Deny creating autostart entries (in `~/.config/autostart`, etc).
+- Deny launching random executables (like `sudo`, `su`, etc...).
+- And more.
+
+Consider using additional security measures like [Firejail] to improve security
+even more.
+
+Please also note that not all distributions have full AppArmor feature set
+available. For example, Debian (at least up to Debian 10 (buster)) does not have
+network, DBus mediation available. Also, X Server, shared user configuration
+files (like `~/.config/QtProject.conf`, caches, etc), opening web links via
+unconfined browsers introduces additional attack vectors, too. So please be
+cautious even with number of security measures applied.
+
+**AppArmor profile attaches only to `/usr/bin/qtox` and `/usr/local/bin/qtox`
+executables by default**. See [Tuning permissions](#tuning-permissions) for
+custom setups.
+
+## Installing profile
+
+Select AppArmor profile from appropriate `security/apparmor/X` subdirectory
+depending on what AppArmor version is available for your Linux distribution
+release:
+
+- 2.13.2
+  - Debian 10 (buster) (or newer)
+  - openSUSE Tumbleweed
+- 2.12.1
+  - Debian 9 (stretch) or older
+  - Ubuntu 19.04 or older
+
+To enable AppArmor profile on your system, run prepared install script:
+
+```
+sudo security/apparmor/x.y.z/install.sh
+```
+Restart `qTox` if it was already running before enabling AppArmor profile.
+
+## Checking if qTox is actually confined
+
+Run `aa-status` command line utility and check if `qTox` is listed within `X
+processes are in enforced mode.` list:
+```
+sudo aa-status
+   ...
+21 processes are in enforce mode.
+   /usr/lib/ipsec/charon (2421)            
+   /usr/sbin/cups-browsed (839)
+   ...
+   /usr/bin/qtox (16315) qtox
+   ...
+```
+
+Alternatively, use `ps` and `grep`:
+
+```
+ps auxZ | fgrep qtox
+qtox (enforce)                  vincas   16315  2.0  1.1 1502292 180220 ?      SLl  12:21   0:38 /usr/bin/qtox
+```
+
+If OK it's marked as `(enforce)`. `unconfined` means AppArmor profile is not
+attached to the process, no confinement is being applied.
+
+## Troubleshooting
+
+If you believe that some feature is unavailable, or some files you need access
+to are inaccessible due to enforced AppArmor profile, check system logs for the
+hints.
+
+On Debian/Ubuntu:
+
+```
+sudo fgrep DENIED /var/log/syslog
+```
+
+On openSUSE, OR if you have `auditd` daemon installed:
+```
+sudo fgrep DENIED /var/log/audit/audit.log
+```
+
+You will see messages like this:
+```
+type=AVC msg=audit(1549793273.269:149): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/klanguageove
+rridesrc" pid=3037 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
+```
+
+This means that `r`ead access was denied to the file
+`/home/vincas/.config/klanguageoverridesrc`, owned by you (ouid 1000), by
+AppArmor profile `qtox` (available in `/etc/apparmor.d/usr.bin.qtox`).
+
+Please create issue if you detect new AppArmor `DENIED` messages and you believe
+that these denials are relevant for other users too. Meanwhile, workaround by
+adding manual rule. DO NOT modify `/etc/apparmor.d/usr.bin.qtox` directly! See
+[Tuning permissions](#tuning-permissions) for fixing access issues.
+
+## Tuning permissions
+
+If you need access to files (for file sharing) other than from your `$HOME` or
+mounted media, create/modify `/etc/apparmor.d/tunables/usr.bin.qtox.d/local`
+file and append writable path variable:
+
+```
+@{qtox_additional_rw_dirs} += /path/to/some/directory
+```
+
+Alternatively, if you need more custom/advanced rules (not only for file
+access), create/modify `/etc/apparmor.d/local/usr.bin.qtox` file.
+
+Rule example for reading only, recursively (note the comma!):
+
+```
+/path/to/directory/** r,
+```
+
+For reading and writing, recursively:
+```
+/path/to/directory/** rw,
+```
+
+Restart AppArmor to reload profiles after modifications:
+
+```
+sudo systemctl restart apparmor
+```
+
+If AppArmor restart fails, check syntax errors by invoking AppArmor parser
+directly:
+
+```
+sudo apparmor_parser -r /etc/apparmor.d/usr.bin.qtox
+```
+
+For custom installations, when `qTox` executable is not `/usr/bin/qtox` or
+`/usr/local/bin/qtox`:
+1. create `/etc/apparmor.d/tunables/usr.bin.qtox.d/local`, adding
+   `@{qtox_prefix} += /path/to/your/custom/install/prefix` line.
+2. modify `/etc/apparmor.d/usr.bin.qtox` profile attachement path: `profile qtox
+   /{usr{,local}/bin/qtox,path/to/your/qtox_executable} {`
+
+Restart AppArmor and [check](#checking-if-qtox-is-actually-confined) if `qTox`
+process under custom path is actually confined.
+
+## Other resources
+
+Check [Debian], [Ubuntu], [Upstream AppArmor] Wiki pages for more info.
+
+[Debian]: https://wiki.debian.org/AppArmor
+[Firejail]: https://firejail.wordpress.com
+[MAC's]: https://en.wikipedia.org/wiki/Mandatory_access_control
+[Ubuntu]: https://wiki.ubuntu.com/AppArmor
+[Upstream AppArmor]: https://gitlab.com/apparmor/apparmor/wikis/home