Vincas Dargis
11a32e3371
fix(apparmor): Make network rules more strict
...
Explicitly define allowed network domain.
2019-03-25 20:14:01 +02:00
Vincas Dargis
4d9cc7216a
fix(apparmor): Fix typo in file path
...
File rule to allow loading the executable itself has typo - no
executable name itself is present. Profile still works OK but it might
fail on some older kernels.
Fix file rule by specifying full path to the executable.
2019-03-25 20:14:01 +02:00
Vincas Dargis
5304ba4cb0
fix(apparmor): Fix screenshot capture under AppArmor
...
AppArmor denies creating screenshot file:
```
type=AVC msg=audit(1552817813.136:554): apparmor="DENIED"
operation="mkdir" profile="qtox"
name="/home/vincas/.local/share/Tox/qTox/images/" pid=16100 comm="qtox"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```
Add file rule to allow creating desktop screenshot.
2019-03-25 20:14:01 +02:00
Vincas Dargis
f6c11c9b6d
fix(apparmor): Backport fix from dri-common abstraction
...
AppArmor produces denies:
```
type=AVC msg=audit(1552817150.513:371): apparmor="DENIED"
operation="open" profile="qtox"
name="/usr/share/drirc.d/00-mesa-defaults.conf" pid=5895 comm="qtox"
requested_mas k="r" denied_mask="r" fsuid=1000 ouid=0
```
Fix is available in upstream.
Backport AppArmor commit 2d8d2f06d5697d9692330686bb5ddb0095621144 to fix
dri-related denies.
2019-03-25 20:14:01 +02:00
Vincas Dargis
7a1fb927ec
fix(apparmor): Fix openSUSE-related AppArmor denies
...
Add file rules for denies detected only in openSUSE desktop.
2019-03-25 20:14:01 +02:00
Vincas Dargis
488b8a8696
fix(apparmor): Fix font-related denies on openSUSE
...
Add file rules to fix numerous AppArmor denies related to fonts.
2019-03-25 20:14:01 +02:00
Vincas Dargis
4565ac1b19
fix(apparmor): fix file dialog denies
...
Add dbus and file rules to fix numerous denies when File Dialog is used
to select file for sending.
2019-03-25 20:14:01 +02:00
Vincas Dargis
dffe00b4e3
fix(apparmor): fix file dialog on KDE desktop
...
Opening file dialog produces error:
```
type=AVC msg=audit(1549805942.022:1474): apparmor="DENIED"
operation="exec" profile="qtox"
name="/usr/lib/x86_64-linux-gnu/libexec/kf5/kioslave" pid=2784
comm="qtox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```
Add rule to allow launching kioslave helper.
2019-03-25 20:14:01 +02:00
Vincas Dargis
e1ba972d8b
fix(apparmor): backport kde abstraction
...
AppArmor upstream has new rules useful for running applications in KDE
desktop.
Backport rules from update kde abstraction to fix AppArmor denies.
2019-03-25 20:14:01 +02:00
Vincas Dargis
c8eb34f028
fix(apparmor): Fix spam of DENIED messages on openSUSE
...
AppArmor produced spams lot's of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```
These appears to be libpcre2 mmaped shared memory, related to jitting.
Deny mmap()'ing files for execution from /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose
more secure way (while probably loosing regex performance).
2019-03-25 20:14:01 +02:00
Vincas Dargis
1d120b15c2
fix(apparmor): Fix DBUS denies on Kubuntu 18.04
...
AppArmor denies access to systray on Kubuntu 18.04.
Add DBUS rules to make systray icon work.
2019-03-25 20:14:01 +02:00
Vincas Dargis
e13b8a973e
fix(apparmor): Fix .local/share/qTox/ access
...
Capturing desktop screenshot produces this DENIED messages:
```
type=AVC msg=audit(1548516170.837:3146): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.local/share/qTox/"
pid=12605 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid= 1000
```
Add rule to allow writing to .local/share/qTox/
2019-03-25 20:14:01 +02:00
Vincas Dargis
514cd36826
fix(apparmor): Fix access to openssl configuration
...
AppArmor denies access to openssl configuration files:
```
type=AVC msg=audit(1548516028.121:3031): apparmor="DENIED"
operation="open" profile="qtox" name="/etc/ssl/openssl.cnf" pid=12416
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Fix deny by including openssl abstraction.
2019-03-25 20:14:01 +02:00
Vincas Dargis
a6c01eb007
fix(apparmor): Fix dbus access
...
Add rules to allow DBus access (send & receive) to various DBus
interfaces. Detected on Ubuntu 18.04.
2019-03-25 20:14:01 +02:00
Vincas Dargis
577aeb8fa3
fix(apparmor): Fix hunspell access
...
AppArmor denies access to hunspell files:
```
type=AVC msg=audit(1548511779.241:1773): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.aff"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
type=AVC msg=audit(1548511779.241:1774): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.dic"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```
Add rule to allow reading hunspell dictionaries.
2019-03-25 20:14:01 +02:00
Vincas Dargis
a67faf2976
fix(apparmor): Fix accessibility DBus access
...
AppArmor denies access to a11y:
```
Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon: apparmor="DENIED"
operation="dbus_method_call" bus="accessibility"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="Hello" mask="send" name="org.freedesktop.DBus" pid=8011
label="qtox" peer_label="unconfined"
Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon[1474]: apparmor="DENIED"
operation="dbus_method_call" bus="session" path="/org/a11y/bus"
interface="org.freedesktop.DBus.Properties" member="Get" mask="send"
name="org.a11y.Bus" pid=8011 label="qtox" peer_pid=1620
peer_label="unconfined"
```
Include dbus-accessibility abstraction and one addition dbus rule to fix
denies.
2019-03-25 20:14:01 +02:00
Vincas Dargis
aef4705636
fix(apparmor): Fix qTox cache access
...
AppAmor denies access to qTox cache directory:
```
type=AVC msg=audit(1548508759.153:640): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.cache/qTox/"
pid=7802 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
```
Add rule to allow access to qTox cache directory.
2019-03-25 20:14:01 +02:00
Vincas Dargis
9fc8933883
fix(apparmor): Add ibus abstraction
...
IBus-related rules are needed detected on Gnome-based desktop (Ubuntu
18.40):
```
type=AVC msg=audit(1548508639.169:546): apparmor="DENIED"
operation="open" profile="qtox"
name="/home/vincas/.config/ibus/bus/c3d8689228fc49d8867d4e63e4408e23-unix-0"
pid=7653 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```
Include ibus abstraction to fix IBus functionality.
2019-03-25 20:14:01 +02:00
Vincas Dargis
5fad77b9f8
fix(apparmor): Fix loading libraries from custom install prefix
...
If qtox is installed in /usr/local prefix (for example), launching qTox
fails because loading libraries from @{qtox_prefix} directory was not
allowed.
Add rule to allow loading libraries from @{qtox_prefix}/lib directory.
2019-03-25 20:14:01 +02:00
Vincas Dargis
89514eee6d
feat(apparmor): Add AppArmor profile
...
Introduce AppArmor profile, designed to work with AppArmor version
2.13.2 (Debian Buster).
2019-03-25 20:14:00 +02:00