# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see
#include
#include
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
# Site-specific additions and overrides. See local/README for details.
#include if exists
# Main executable
@{qtox_prefix}/bin/qtox mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
#TODO: use named profile or abstraction when it's available
/usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network inet udp,
network inet6 udp,
network inet tcp,
network inet6 tcp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=GetLayout
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,Event}
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewIcon,NewToolTip}
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,drives}/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label=unconfined),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(label=unconfined),
dbus send
bus=session
path=/
interface=org.kde.KDirNotify
member={enteredDirectory,leftDirectory}
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.kde.KDirNotify
member=FilesAdded
peer=(label=unconfined),
dbus send
bus=session
path=/KLauncher
interface=org.kde.KSlaveLauncher
member=requestSlave
peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# libfontconfig bug? Should not write to root-owned dirs.
deny /usr/share/fonts/** w,
deny /var/cache/fontconfig/ w,
# System files
/usr/share/hunspell/* r,
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/dri/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/**/uevent r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/hspell/* r, # for spellchecking
/usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
/usr/share/kf5/sonnet/* r, # for spellchecking
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
/var/lib/aspell/* r, # for spellchecking
/{,var/}run/udev/data/* r, # file dialog
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
owner @{HOME}/.aspell.??.{pws,prepl} rk, # for spellchecking
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/fontconfig/** rwk,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.fonts/.uuid* rw,
owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
owner @{HOME}/.fonts/.uuid.*/ rw,
owner @{HOME}/.local/share/Tox/{,**} rw,
owner @{HOME}/.local/share/qTox/{,**} rw,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
# Backport from more recent qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Backport kde abstraction
# commit aae838faca57905d2dbc27db7bffd595c09d26f0
# commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
/etc/xdg/kdeglobals r,
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
/usr/share/kubuntu-default-settings/kf5-settings/* r,
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
# Backport dri-common abstraction
# commit 2d8d2f06d5697d9692330686bb5ddb0095621144
/usr/share/drirc.d/{,*.conf} r,
}