StarMirror
/
qTox
mirror of https://github.com/qTox/qTox
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
8,298 Commits
3 Branches
42 Tags
60 MiB
Commit Graph

39 Commits (master)

Author SHA1 Message Date
Vincas Dargis 6a21d96214 fix(apparmor): Allow access to Aspell personal dictionaries 
Running qTox under AppArmor confinement produces these `DENIED` messages:

```
type=AVC msg=audit(1589897925.045:793): apparmor="DENIED"
operation="open" profile="qtox" name="/home/vincas/.aspell.en.pws"
pid=36671 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```
```
type=AVC msg=audit(1589897925.045:794): apparmor="DENIED"
operation="open" profile="qtox" name="/home/vincas/.aspell.en.prepl"
pid=36671 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```
```
type=AVC msg=audit(1589996245.245:1193): apparmor="DENIED"
operation="file_lock" profile="qtox" name="/home/vincas/.aspell.en.pws"
pid=53202 comm="qtox" requested_mask="k" denied_mask="k" fsuid=1000
ouid=1000
```
```
type=AVC msg=audit(1589996245.245:1194): apparmor="DENIED"
operation="file_lock" profile="qtox"
name="/home/vincas/.aspell.en.prepl" pid=53202 comm="qtox"
requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
```

Add file rule to allow reading and locking Aspell-specific user files [0].

[0] http://aspell.net/man-html/Format-of-the-Personal-and-Replacement-Dictionaries.html
 2020-05-20 20:44:44 +03:00
Vincas Dargis 2ebf51b5b7 fix(apparmor): Allow spellchecking 
qTox 1.17.2 produces these DENIED messages on Debian Sid:

```
type=AVC msg=audit(1588944857.534:854): apparmor="DENIED"
operation="open" profile="qtox"
name="/usr/share/hspell/hebrew.wgz.sizes" pid=29172 comm="qtox"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

```
type=AVC msg=audit(1588945073.014:885): apparmor="DENIED"
operation="open" profile="qtox"
name="/usr/share/kf5/sonnet/trigrams.map" pid=29334 comm="qtox" req
uested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

```
type=AVC msg=audit(1588945273.590:905): apparmor="DENIED"
operation="open" profile="qtox" name="/var/lib/aspell/sl.rws" pid=29391
comm="qtox" requested_mask=
"r" denied_mask="r" fsuid=1000 ouid=0
```

Add file read rules to allow reading spellcheck-related files.
 2020-05-19 09:14:37 +03:00
Vincas Dargis fa86413b1b docs(apparmor): Update AppArmor documentation. 
Ubuntu 19.10 (and latest Debian, openSUSE rolling releases) has AppArmor
2.13.3. Recommend to use latest AppArmor profile for these distribution
releases.
 2019-09-29 15:44:51 +03:00
Vincas Dargis a01d31445f feat(apparmor): Update AppArmor 2.13.3 profile 
AppArmor 2.13.3 now has updated abstractions, and that means we no
longer need manual backports in qTox profile.

Remove redundant rules from qTox profile that are already available in
AppArmor 2.13.3.
 2019-09-29 15:42:26 +03:00
Vincas Dargis 2d22a76ed3 feat(apparmor): Add AppArmor 2.13.3 profile 
Copy 2.13.2 into 2.13.3 for updated AppArmor profile.
 2019-09-29 15:39:28 +03:00
jenli669 f390e70e00
docs(copyright): Added copyright to apparmor .qtox files 2019-06-28 01:18:45 +02:00
jenli669 04a9bc46f4
docs(copyright): update and add copyright info 
zealously updates and adds qTox copyright information.

Fixes #5713
 2019-06-28 01:18:26 +02:00
Vincas Dargis 22d4a41b91 docs(apparmor): Update AppArmor documentation about Ubuntu 
Ubuntu 19.04 was released with AppArmor 2.13.2 [0].

Update documentation to hint users that they can use AppArmor profile
with latest AppArmor features on Ubuntu 19.04 release.

[0] https://packages.ubuntu.com/disco/admin/apparmor
 2019-04-27 16:38:19 +03:00
Vincas Dargis ef2e7128ee docs(apparmor): Fix grammar 
Fix documentation text errors detected in review.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 0df815fd2c docs(apparmor): Fix line lengths 
Wrap text to 80 chars per line to conform to qTox documentation
guidelines.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 52883bbbe3 docs(apparmor): Refactor links 
Move links to the bottom of the document to conform to the qTox
documentation guidelines.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 11a32e3371 fix(apparmor): Make network rules more strict 
Explicitly define allowed network domain.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 4d9cc7216a fix(apparmor): Fix typo in file path 
File rule to allow loading the executable itself has typo - no
executable name itself is present. Profile still works OK but it might
fail on some older kernels.

Fix file rule by specifying full path to the executable.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 3c7b0075f7 docs(apparmor): Fix custom install prefix example 
AppArmor profile attachement example is wrong because it does not use {
} "alternations" to make comma define alternative executable path.

Update example to make it actually work in custom install prefix case.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 5899b0de09 docs(apparmor): Simplify install script usage 
security/apparmor/install.sh scripts does not need to `cd` into it's
directory to work correctly.

Simplify example to invoke `install.sh` without `cd`.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 2e682c6e6a feat(apparmor): Add AppArmor profile install scripts 
Add scripts for installing AppArmor profiles.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 137cce19bc docs(apparmor): Add README about AppArmor 
Document AppArmor profile usage, troubleshooting and other concerns.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 5304ba4cb0 fix(apparmor): Fix screenshot capture under AppArmor 
AppArmor denies creating screenshot file:
```
type=AVC msg=audit(1552817813.136:554): apparmor="DENIED"
operation="mkdir" profile="qtox"
name="/home/vincas/.local/share/Tox/qTox/images/" pid=16100 comm="qtox"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```

Add file rule to allow creating desktop screenshot.
 2019-03-25 20:14:01 +02:00
Vincas Dargis f6c11c9b6d fix(apparmor): Backport fix from dri-common abstraction 
AppArmor produces denies:
```
type=AVC msg=audit(1552817150.513:371): apparmor="DENIED"
operation="open" profile="qtox"
name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=5895 comm="qtox"
requested_mas k="r" denied_mask="r" fsuid=1000 ouid=0
```

Fix is available in upstream.

Backport AppArmor commit 2d8d2f06d5697d9692330686bb5ddb0095621144 to fix
dri-related denies.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 7a1fb927ec fix(apparmor): Fix openSUSE-related AppArmor denies 
Add file rules for denies detected only in openSUSE desktop.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 488b8a8696 fix(apparmor): Fix font-related denies on openSUSE 
Add file rules to fix numerous AppArmor denies related to fonts.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 4565ac1b19 fix(apparmor): fix file dialog denies 
Add dbus and file rules to fix numerous denies when File Dialog is used
to select file for sending.
 2019-03-25 20:14:01 +02:00
Vincas Dargis dffe00b4e3 fix(apparmor): fix file dialog on KDE desktop 
Opening file dialog produces error:
```
type=AVC msg=audit(1549805942.022:1474): apparmor="DENIED"
operation="exec" profile="qtox"
name="/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave" pid=2784
comm="qtox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

Add rule to allow launching kioslave helper.
 2019-03-25 20:14:01 +02:00
Vincas Dargis e1ba972d8b fix(apparmor): backport kde abstraction 
AppArmor upstream has new rules useful for running applications in KDE
desktop.

Backport rules from update kde abstraction to fix AppArmor denies.
 2019-03-25 20:14:01 +02:00
Vincas Dargis c8eb34f028 fix(apparmor): Fix spam of DENIED messages on openSUSE 
AppArmor produced spams lot's of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appears to be libpcre2 mmaped shared memory, related to jitting.

Deny mmap()'ing files for execution from /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose
more secure way (while probably loosing regex performance).
 2019-03-25 20:14:01 +02:00
Vincas Dargis 1d120b15c2 fix(apparmor): Fix DBUS denies on Kubuntu 18.04 
AppArmor denies access to systray on Kubuntu 18.04.

Add DBUS rules to make systray icon work.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 79f800b39a fix(apparmor): Backport dri-enumerate abstraction 
AppArmor 2.12 (Ubuntu 18.04) does not have dri-enumerate abstraction,
so policy compilation fails.

Backport dri-enumerate abstraction as inline rules.
 2019-03-25 20:14:01 +02:00
Vincas Dargis e13b8a973e fix(apparmor): Fix .local/share/qTox/ access 
Capturing desktop screenshot produces this DENIED messages:
```
type=AVC msg=audit(1548516170.837:3146): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.local/share/qTox/"
pid=12605 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid= 1000
```

Add rule to allow writing to .local/share/qTox/
 2019-03-25 20:14:01 +02:00
Vincas Dargis 514cd36826 fix(apparmor): Fix access to openssl configuration 
AppArmor denies access to openssl configuration files:
```
type=AVC msg=audit(1548516028.121:3031): apparmor="DENIED"
operation="open" profile="qtox" name="/etc/ssl/openssl.cnf" pid=12416
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Fix deny by including openssl abstraction.
 2019-03-25 20:14:01 +02:00
Vincas Dargis a6c01eb007 fix(apparmor): Fix dbus access 
Add rules to allow DBus access (send & receive) to various DBus
interfaces. Detected on Ubuntu 18.04.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 577aeb8fa3 fix(apparmor): Fix hunspell access 
AppArmor denies access to hunspell files:
```
type=AVC msg=audit(1548511779.241:1773): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.aff"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0

type=AVC msg=audit(1548511779.241:1774): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.dic"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```

Add rule to allow reading hunspell dictionaries.
 2019-03-25 20:14:01 +02:00
Vincas Dargis a67faf2976 fix(apparmor): Fix accessibility DBus access 
AppArmor denies access to a11y:
```
Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon: apparmor="DENIED"
operation="dbus_method_call"  bus="accessibility"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="Hello" mask="send" name="org.freedesktop.DBus" pid=8011
label="qtox" peer_label="unconfined"

Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon[1474]: apparmor="DENIED"
operation="dbus_method_call"  bus="session" path="/org/a11y/bus"
interface="org.freedesktop.DBus.Properties" member="Get" mask="send"
name="org.a11y.Bus" pid=8011 label="qtox" peer_pid=1620
peer_label="unconfined"
```

Include dbus-accessibility abstraction and one addition dbus rule to fix
denies.
 2019-03-25 20:14:01 +02:00
Vincas Dargis aef4705636 fix(apparmor): Fix qTox cache access 
AppAmor denies access to qTox cache directory:
```
type=AVC msg=audit(1548508759.153:640): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.cache/qTox/"
pid=7802 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
```

Add rule to allow access to qTox cache directory.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 9fc8933883 fix(apparmor): Add ibus abstraction 
IBus-related rules are needed detected on Gnome-based desktop (Ubuntu
18.40):
```
type=AVC msg=audit(1548508639.169:546): apparmor="DENIED"
operation="open" profile="qtox"
name="/home/vincas/.config/ibus/bus/c3d8689228fc49d8867d4e63e4408e23-unix-0"
pid=7653 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```

Include ibus abstraction to fix IBus functionality.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 6aa4435d17 fix(apparmor): Backport qt5 abstraction for v2.12.1 profile 
AppArmor 2.12.1 does not have qt5 abstraction, with Qt5-related rules.

Backport qt5 abstraction from AppArmor upstream as inline rules.
 2019-03-25 20:14:01 +02:00
Vincas Dargis 5fad77b9f8 fix(apparmor): Fix loading libraries from custom install prefix 
If qtox is installed in /usr/local prefix (for example), launching qTox
fails because loading libraries from @{qtox_prefix} directory was not
allowed.

Add rule to allow loading libraries from @{qtox_prefix}/lib directory.
 2019-03-25 20:14:01 +02:00
Vincas Dargis f8f7a2d145 fix(apparmor): Fix AppArmor profile for version 2.12.1 
* Remove `include if exists` usage.
* Remove @{uid} usage.
* Backport missing AppArmor abstractions as inline rules.
 2019-03-25 20:14:00 +02:00
Vincas Dargis d6ef3d2eae feat(apparmor): Add AppArmor v2.12.1 profile 
Copy 2.13.2 profile into 2.12.1 place to be the starting point for
modifying (backporting) AppArmor profile for version 2.12.1 (on Ubuntu
18.04, Debian Stretch, etc).

At this point 2.12.1 profile does not work, as AppArmor v2.12.1 does not
have needed abstractions and policy language features (such as `include
if exists`). Followup commits will fix these issues.
 2019-03-25 20:14:00 +02:00
Vincas Dargis 89514eee6d feat(apparmor): Add AppArmor profile 
Introduce AppArmor profile, designed to work with AppArmor version
2.13.2 (Debian Buster).
 2019-03-25 20:14:00 +02:00