diff --git a/security/apparmor/2.12.1/tunables/usr.bin.qtox b/security/apparmor/2.12.1/tunables/usr.bin.qtox
new file mode 100644
index 000000000..993b20cbe
--- /dev/null
+++ b/security/apparmor/2.12.1/tunables/usr.bin.qtox
@@ -0,0 +1,12 @@
+@{qtox_prefix} = /usr /usr/local
+
+# Allow to read & write into mounted media, etc.
+# for convenient sending & receiving of files.
+@{qtox_additional_rw_dirs} = /mnt /media
+
+# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
+# needed, such as:
+# @{qtox_prefix} += @{HOME}/opt/qtox
+# @{qtox_additional_rw_dirs} = /data/nfs_storage
+#include if exists
+
diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
new file mode 100644
index 000000000..be2e0208c
--- /dev/null
+++ b/security/apparmor/2.12.1/usr.bin.qtox
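Review bot: The local-override example `# @{qtox_additional_rw_dirs} = /data/nfs_storage` uses `=` while the comment above says the drop-in file is for appending values and the `@{qtox_prefix}` example right before it uses `+=`; a plain `=` after the definition at the top of this file redefines the variable (and apparmor_parser may reject a second assignment) rather than adding to it. Suggest `# @{qtox_additional_rw_dirs} += /data/nfs_storage` unless replacing `/mnt /media` is the intent, in which case the comment should say so. The `#include if exists` line appears to have lost its `<...>` target in this rendering, so the drop-in directory it references cannot be confirmed here.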
@@ -0,0 +1,103 @@
+#include
+#include
+
+# using variables in profile name is not yet recommended due to issues with
+# AppArmor tools
+# TODO: use this alternative in the future when available
+#profile qtox @{qtox_prefix}/bin/qtox {
+profile qtox /usr{,/local}/bin/qtox {
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+  #include
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include if exists
+
+  # Main executable
+
+  @{qtox_prefix}/bin mr,
+
+  # Other executables
+
+  #TODO: use xdg-open abstraction when it's available
+  /usr/bin/xdg-open PUx,
+
+  # Networking
+
+  network tcp,
+  network udp,
+
+  # System files
+
+  @{qtox_additional_rw_dirs}/ r,
+  @{qtox_additional_rw_dirs}/** rw,
+
+  # Sensitive directory access!!!
+  # Allow navigating directories with file dialog, to access directory you
+  # can write (read) file to, for most convenience (though against maximum
+  # security). Note: this allows reading only directory contents (list),
+  # not the files itself.
+  /{,**/} r,
+
+  /dev/ r,
+  /dev/dri/ r,
+  /dev/video[0-9]* rw, # webcam
+  /etc/fstab r, # file dialog
+  /etc/xdg/menus/ r, # file dialog
+  /proc/sys/kernel/core_pattern r, # for KCrash::initialize()
+  /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
+  /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
+  /sys/bus/ r, # file dialog
+  /sys/bus/usb/devices/ r, # file dialog
+  /sys/class/ r, # file dialog
+  /sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
+  /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
+  /usr/share/emoticons/{,**} r,
+  /usr/share/kservices5/{,**} r, # file dialog
+  /usr/share/mime/ r, # file dialog
+  /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+  /usr/share/sounds/ r, # file dialog (alert)
+
+  # User files
+
+  # Sensitive file access!!!
+  # Allow reading & writing into $HOME, EXCEPT for dot files and directories,
+  # for most convenience (though against maximum security).
+  owner @{HOME}/ r,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/{,**} rw,
+  # QSaveFile security measures? While saving log file
+  owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
+  owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
+
+  owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
+  owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
+  owner @{HOME}/.cache/Tox/ w,
+  owner @{HOME}/.cache/Tox/qTox/{,**} rw,
+  owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
+  owner @{HOME}/.config/menus/ r, # file dialog
+  owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
+  owner @{HOME}/.config/qToxrc rw,
+  owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
+  owner @{HOME}/.config/qToxrc.lock rwk,
+  owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
+  owner @{HOME}/.config/tox/{,**} rwk,
+  owner @{HOME}/.local/share/user-places.xbel r, # file dialog
+  owner @{PROC}/@{pid}/cmdline r,
+
+  # Backport from more recent qt5-compose-cache-write abstraction
+  # commit 1250402471d9d83134b0faa90239a733a37f23f0
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+}
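Review bot: The "Main executable" rule `@{qtox_prefix}/bin mr,` as rendered names the bin directory rather than the binary the profile attaches to; unless a path segment was lost in rendering, it should read `@{qtox_prefix}/bin/qtox mr,` so the rule matches the attachment `/usr{,/local}/bin/qtox`. The `#include` lines likewise appear to have lost their `<...>` targets in this rendering, so which abstractions the profile pulls in cannot be checked from here. Separately, `/usr/bin/xdg-open PUx,` is the one transition that leaves confinement entirely, and the only comment on it is the TODO; a line such as `# PUx: xdg-open and whatever it launches for a received file or link run unconfined; narrow to Px once an abstraction exists` would make that trade-off explicit to whoever revisits it. The typo `mvoe` in the boot_id comment could be fixed in the same pass.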