From c8eb34f028e2051cc83b877c65799c289c6dc21e Mon Sep 17 00:00:00 2001
From: Vincas Dargis <vindrg@gmail.com>
Date: Tue, 29 Jan 2019 20:33:45 +0200
Subject: [PATCH] fix(apparmor): Fix spam of DENIED messages on openSUSE

AppArmor produced spams lot's of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appears to be libpcre2 mmaped shared memory, related to jitting.

Deny mmap()'ing files for execution from /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose
more secure way (while probably loosing regex performance).
---
 security/apparmor/2.12.1/usr.bin.qtox | 8 ++++++++
 security/apparmor/2.13.2/usr.bin.qtox | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
index 7278082ed..1ae786dd4 100644
--- a/security/apparmor/2.12.1/usr.bin.qtox
+++ b/security/apparmor/2.12.1/usr.bin.qtox
@@ -167,6 +167,14 @@ profile qtox /usr{,/local}/bin/qtox {
     member={NewIcon,NewToolTip}
     peer=(label=unconfined),
 
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
   # System files
 
   /usr/share/hunspell/* r,
diff --git a/security/apparmor/2.13.2/usr.bin.qtox b/security/apparmor/2.13.2/usr.bin.qtox
index f2bc995a0..fed03fbb9 100644
--- a/security/apparmor/2.13.2/usr.bin.qtox
+++ b/security/apparmor/2.13.2/usr.bin.qtox
@@ -174,6 +174,14 @@ profile qtox /usr{,/local}/bin/qtox {
     member={NewIcon,NewToolTip}
     peer=(label=unconfined),
 
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
   # System files
 
   /usr/share/hunspell/* r,