From f8f7a2d14554919b424929403fb74f665c50a6fd Mon Sep 17 00:00:00 2001
From: Vincas Dargis
Date: Sat, 26 Jan 2019 14:50:12 +0200
Subject: [PATCH] fix(apparmor): Fix AppArmor profile for version 2.12.1

* Remove `include if exists` usage.
* Remove @{uid} usage.
* Backport missing AppArmor abstractions as inline rules.
---
 .../apparmor/2.12.1/tunables/usr.bin.qtox | 2 +-
 security/apparmor/2.12.1/usr.bin.qtox | 59 ++++++++++++++++---
 2 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/security/apparmor/2.12.1/tunables/usr.bin.qtox b/security/apparmor/2.12.1/tunables/usr.bin.qtox
index 993b20cbe..287b27759 100644
--- a/security/apparmor/2.12.1/tunables/usr.bin.qtox
+++ b/security/apparmor/2.12.1/tunables/usr.bin.qtox
@@ -8,5 +8,5 @@
 # needed, such as:
 # @{qtox_prefix} += @{HOME}/opt/qtox
 # @{qtox_additional_rw_dirs} = /data/nfs_storage
-#include if exists
+#include
diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
index be2e0208c..fb3f55abd 100644
--- a/security/apparmor/2.12.1/usr.bin.qtox
+++ b/security/apparmor/2.12.1/usr.bin.qtox
@@ -11,18 +11,12 @@ profile qtox /usr{,/local}/bin/qtox {
   #include
   #include
   #include
-  #include
-  #include
   #include
-  #include
   #include
-  #include
-  #include
-  #include
   #include
   # Site-specific additions and overrides. See local/README for details.
-  #include if exists
+  #include
   # Main executable
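Review bot: Turning `#include if exists` into a plain `#include` for the local tunables file makes that file mandatory: apparmor_parser 2.12.1 refuses to load the profile when an included file is missing, whereas `include if exists` was silent about it. The include target is not visible on this page, so the exact path cannot be checked here, but the same replacement is made for the local include near the top of `security/apparmor/2.12.1/usr.bin.qtox` in this patch, and both require the referenced file to be installed (an empty file is enough) or the profile will not load at all. A comment next to each rule would save the next packager a failed load, e.g. `# 2.12.1 has no 'include if exists': the local file must be shipped, even if empty`.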
@@ -81,8 +75,8 @@ profile qtox /usr{,/local}/bin/qtox {
   owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
   owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
-  owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
-  owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
+  owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog
+  owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog
   owner @{HOME}/.cache/Tox/ w,
   owner @{HOME}/.cache/Tox/qTox/{,**} rw,
   owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
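Review bot: Replacing `@{uid}` with `[0-9]*[0-9]` in the two `/{,var/}run/user/` rules widens the path match from what is presumably the confined user's own runtime directory to every `/run/user/<n>/` directory, including the `rwl` link target. What keeps this contained is the `owner` qualifier on both rules, which still limits access to files whose owner matches the process's fsuid, so the widening is a real but small change in the profile's meaning and it now rests entirely on `owner` being present. That reliance deserves a comment so nobody later drops `owner` from these rules, e.g. `# [0-9]*[0-9] stands in for @{uid} (missing in 2.12.1); 'owner' is what keeps this to the user's own files`. Note also that `[0-9]*[0-9]` needs at least two characters between the slashes, which covers the usual UIDs of 1000 and above but not a single-digit one. The enclosing profile starts and ends outside this hunk.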
@@ -100,4 +94,51 @@ profile qtox /usr{,/local}/bin/qtox {
   # commit 1250402471d9d83134b0faa90239a733a37f23f0
   owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
   owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+  # Backport kde-globals-write abstraction
+  # commit fae93f1b6c7a28bb77ad186ab1de41372630272b
+  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/kdeglobals rw,
+  owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/kdeglobals.lock rwk,
+
+  # Backport kde-icon-cache-write abstraction
+  # commit 94014c09f09fc63229bb10fea3f0727113fe5bae
+  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
+  # Backport mesa abstraction
+  # commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3
+
+  # System files
+  /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+  /usr/share/drirc.d/{,*.conf} r,
+
+  # User files
+  owner @{HOME}/.cache/ w, # if user clears all caches
+  owner @{HOME}/.cache/mesa_shader_cache/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/index rw,
+  owner @{HOME}/.cache/mesa_shader_cache/??/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+  # End of backported mesa abstraction
+
+  # Backport qt5-compose-cache-write abstraction
+  # commit 1250402471d9d83134b0faa90239a733a37f23f0
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
+
+  # Backport qt5-settings-write abstraction
+  # commit 8f6a8fb1942122705af4c45168922c4afd696c8a
+  owner @{HOME}/.config/#[0-9]*[0-9] rw,
+  owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
+  # for temporary files like QtProject.conf.Aqrgeb
+  owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
+  owner @{HOME}/.config/QtProject.conf.lock rwk,
+
+  # Backport recent-documents-write
+  # commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a
+  owner @{HOME}/.local/share/RecentDocuments/ rw,
+  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
 }
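Review bot: The "Backport qt5-compose-cache-write abstraction" block repeats two rules that are already in the profile as this hunk's context lines just above it (`owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],` and `owner @{HOME}/.cache/#[0-9]*[0-9] rw,`, under the same commit reference 1250402471d9d83134b0faa90239a733a37f23f0). apparmor_parser merges duplicate rules, so the profile still loads with the same permissions, but the second copy is dead weight and its "Backport" heading misleads a reader into thinking something was missing; drop the new block or fold the earlier pair into it so each rule appears once. Likewise `owner @{HOME}/.config/#[0-9]* rw,` in the kde-globals block already matches everything `owner @{HOME}/.config/#[0-9]*[0-9] rw,` in the qt5-settings block grants, so one of the two can go or the overlap can be noted. The enclosing profile starts outside this hunk.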