StarMirror/qTox
1
0
Fork 0
mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00
Code Issues Projects Releases Wiki Activity
6,988 Commits 3 Branches 42 Tags 60 MiB
c8eb34f028
Commit Graph

14 Commits

Author SHA1 Message Date
Vincas Dargis
c8eb34f028 fix(apparmor): Fix spam of DENIED messages on openSUSE 
AppArmor produced spams lot's of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appears to be libpcre2 mmaped shared memory, related to jitting.

Deny mmap()'ing files for execution from /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose
more secure way (while probably loosing regex performance).
 2019-03-25 20:14:01 +02:00
Vincas Dargis
1d120b15c2 fix(apparmor): Fix DBUS denies on Kubuntu 18.04 
AppArmor denies access to systray on Kubuntu 18.04.

Add DBUS rules to make systray icon work.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
79f800b39a fix(apparmor): Backport dri-enumerate abstraction 
AppArmor 2.12 (Ubuntu 18.04) does not have dri-enumerate abstraction,
so policy compilation fails.

Backport dri-enumerate abstraction as inline rules.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
e13b8a973e fix(apparmor): Fix .local/share/qTox/ access 
Capturing desktop screenshot produces this DENIED messages:
```
type=AVC msg=audit(1548516170.837:3146): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.local/share/qTox/"
pid=12605 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid= 1000
```

Add rule to allow writing to .local/share/qTox/
 2019-03-25 20:14:01 +02:00
Vincas Dargis
514cd36826 fix(apparmor): Fix access to openssl configuration 
AppArmor denies access to openssl configuration files:
```
type=AVC msg=audit(1548516028.121:3031): apparmor="DENIED"
operation="open" profile="qtox" name="/etc/ssl/openssl.cnf" pid=12416
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Fix deny by including openssl abstraction.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
a6c01eb007 fix(apparmor): Fix dbus access 
Add rules to allow DBus access (send & receive) to various DBus
interfaces. Detected on Ubuntu 18.04.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
577aeb8fa3 fix(apparmor): Fix hunspell access 
AppArmor denies access to hunspell files:
```
type=AVC msg=audit(1548511779.241:1773): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.aff"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0

type=AVC msg=audit(1548511779.241:1774): apparmor="DENIED"
operation="open" profile="qtox" name="/usr/share/hunspell/lt_LT.dic"
pid=9833 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
```

Add rule to allow reading hunspell dictionaries.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
a67faf2976 fix(apparmor): Fix accessibility DBus access 
AppArmor denies access to a11y:
```
Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon: apparmor="DENIED"
operation="dbus_method_call"  bus="accessibility"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="Hello" mask="send" name="org.freedesktop.DBus" pid=8011
label="qtox" peer_label="unconfined"

Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon[1474]: apparmor="DENIED"
operation="dbus_method_call"  bus="session" path="/org/a11y/bus"
interface="org.freedesktop.DBus.Properties" member="Get" mask="send"
name="org.a11y.Bus" pid=8011 label="qtox" peer_pid=1620
peer_label="unconfined"
```

Include dbus-accessibility abstraction and one addition dbus rule to fix
denies.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
aef4705636 fix(apparmor): Fix qTox cache access 
AppAmor denies access to qTox cache directory:
```
type=AVC msg=audit(1548508759.153:640): apparmor="DENIED"
operation="mkdir" profile="qtox" name="/home/vincas/.cache/qTox/"
pid=7802 comm="qtox" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
```

Add rule to allow access to qTox cache directory.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
9fc8933883 fix(apparmor): Add ibus abstraction 
IBus-related rules are needed detected on Gnome-based desktop (Ubuntu
18.40):
```
type=AVC msg=audit(1548508639.169:546): apparmor="DENIED"
operation="open" profile="qtox"
name="/home/vincas/.config/ibus/bus/c3d8689228fc49d8867d4e63e4408e23-unix-0"
pid=7653 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
```

Include ibus abstraction to fix IBus functionality.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
6aa4435d17 fix(apparmor): Backport qt5 abstraction for v2.12.1 profile 
AppArmor 2.12.1 does not have qt5 abstraction, with Qt5-related rules.

Backport qt5 abstraction from AppArmor upstream as inline rules.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
5fad77b9f8 fix(apparmor): Fix loading libraries from custom install prefix 
If qtox is installed in /usr/local prefix (for example), launching qTox
fails because loading libraries from @{qtox_prefix} directory was not
allowed.

Add rule to allow loading libraries from @{qtox_prefix}/lib directory.
 2019-03-25 20:14:01 +02:00
Vincas Dargis
f8f7a2d145 fix(apparmor): Fix AppArmor profile for version 2.12.1 
* Remove `include if exists` usage.
* Remove @{uid} usage.
* Backport missing AppArmor abstractions as inline rules.
 2019-03-25 20:14:00 +02:00
Vincas Dargis
d6ef3d2eae feat(apparmor): Add AppArmor v2.12.1 profile 
Copy 2.13.2 profile into 2.12.1 place to be the starting point for
modifying (backporting) AppArmor profile for version 2.12.1 (on Ubuntu
18.04, Debian Stretch, etc).

At this point 2.12.1 profile does not work, as AppArmor v2.12.1 does not
have needed abstractions and policy language features (such as `include
if exists`). Followup commits will fix these issues.
 2019-03-25 20:14:00 +02:00