
Merge pull request #5855

Vincas Dargis (3):
      feat(apparmor): Add AppArmor 2.13.3 profile
      feat(apparmor): Update AppArmor 2.13.3 profile
      docs(apparmor): Update AppArmor documentation.
sudden6 2020-03-22 12:04:39 +01:00
commit be80fcf6f3
No known key found for this signature in database
GPG Key ID: 279509B499E032B9
4 changed files with 409 additions and 3 deletions


@ -0,0 +1,48 @@
#!/usr/bin/env bash
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
set -e -u pipefail
readonly SCRIPT_DIR=$(dirname $(readlink -f $0))
if [[ $(id -u) != 0 ]]
then
>&2 echo "Please run as root."
exit 1
fi
if [[ -z $(which apparmor_parser) ]]
then
>&2 echo "AppArmor not found."
exit 1
fi
#NOTE: we do not need to create /etc/apparmor.d/tunables/usr.bin.qtox.d/ or
#/etc/apparmor.d/local/usr.bin.qtox because AppArmor >2.13 support #include if
#exists
echo "Copying AppArmor files..."
cp -v "${SCRIPT_DIR}/tunables/usr.bin.qtox" "/etc/apparmor.d/tunables/"
cp -v "${SCRIPT_DIR}/usr.bin.qtox" "/etc/apparmor.d/"
echo "Restarting AppArmor..."
systemctl restart apparmor
echo "Done."
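Review bot: `set -e -u pipefail` does not enable pipefail; without `-o` the word `pipefail` becomes a positional parameter, so this root-run installer only has `-e` and `-u` active, and the line should read `set -euo pipefail`. The `SCRIPT_DIR` line expands `$0` and the inner command substitution unquoted, so a checkout path containing spaces breaks the two `cp` sources; `readonly SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"` avoids that. The closing message could also say that a qTox instance that is already running is not confined by the new profile until it is restarted, since profile attachment happens at exec.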


@ -0,0 +1,28 @@
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
@{qtox_prefix} = /usr /usr/local
# Allow to read & write into mounted media, etc.
# for convenient sending & receiving of files.
@{qtox_additional_rw_dirs} = /mnt /media
# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
# needed, such as:
# @{qtox_prefix} += @{HOME}/opt/qtox
# @{qtox_additional_rw_dirs} = /data/nfs_storage
#include if exists <tunables/usr.bin.qtox.d/>
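Review bot: The commented example `# @{qtox_additional_rw_dirs} = /data/nfs_storage` uses `=`, while the example just above it uses `+=`. The variable is already defined in this file, and apparmor_parser normally rejects a second `=` definition of the same variable, so a user who copies the example into the `usr.bin.qtox.d/` override would likely end up with a profile that fails to load. I would change it to `# @{qtox_additional_rw_dirs} += /data/nfs_storage`. The comment should also state that every directory listed here becomes readable and writable by the confined process, because the profile grants `rw` on `@{qtox_additional_rw_dirs}/**`.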


@ -0,0 +1,327 @@
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
#include <tunables/global>
#include <tunables/usr.bin.qtox>
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde-globals-write>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
#include <abstractions/recent-documents-write>
#include <abstractions/video>
# Site-specific additions and overrides. See local/README for details.
#include if exists <local/usr.bin.qtox>
# Main executable
@{qtox_prefix}/bin/qtox mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
#TODO: use named profile or abstraction when it's available
/usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network inet udp,
network inet6 udp,
network inet tcp,
network inet6 tcp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=GetLayout
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,Event}
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewIcon,NewToolTip}
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,drives}/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label=unconfined),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(label=unconfined),
dbus send
bus=session
path=/
interface=org.kde.KDirNotify
member={enteredDirectory,leftDirectory}
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.kde.KDirNotify
member=FilesAdded
peer=(label=unconfined),
dbus send
bus=session
path=/KLauncher
interface=org.kde.KSlaveLauncher
member=requestSlave
peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# libfontconfig bug? Should not write to root-owned dirs.
deny /usr/share/fonts/** w,
deny /var/cache/fontconfig/ w,
# System files
/usr/share/hunspell/* r,
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/**/uevent r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
/{,var/}run/udev/data/* r, # file dialog
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/fontconfig/** rwk,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.fonts/.uuid* rw,
owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
owner @{HOME}/.fonts/.uuid.*/ rw,
owner @{HOME}/.local/share/Tox/{,**} rw,
owner @{HOME}/.local/share/qTox/{,**} rw,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
}
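Review bot: The two `PUx` rules under "Other executables" (`/usr/bin/xdg-open` and the kf5 `kioslave`) fall back to unconfined execution when no profile for those binaries is loaded, so whatever they launch on qTox's behalf runs outside this policy. The existing TODOs mention a future abstraction but do not say this, and a reader auditing the profile should see it stated next to the rules, e.g. `# NOTE: PUx runs the helper unconfined if it has no profile of its own; tighten to a child profile (Cx) or named profile when available`. Separately, the tunables file suggests adding `@{HOME}/opt/qtox` to `@{qtox_prefix}`, which together with `@{qtox_prefix}/lib/*.so* mr` and the `owner @{HOME}/[^.]*/{,**} rw` rule would make a home directory both writable and mappable as executable. A comment on the library rule warning against user-writable prefixes would cover that.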


@ -29,10 +29,13 @@ Select AppArmor profile from appropriate `security/apparmor/X` subdirectory
depending on what AppArmor version is available for your Linux distribution
release:
- 2.13.2
- Debian 10 (buster) (or newer)
- Ubuntu 19.04 (Disco Dingo) (or newer)
- 2.13.3
- Debian 11 (bullseye) (or newer)
- Ubuntu 19.10 (or newer)
- openSUSE Tumbleweed
- 2.13.2
- Debian 10 (buster)
- Ubuntu 19.04 (Disco Dingo)
- 2.12.1
- Debian 9 (stretch) or older
- Ubuntu 18.10 or older