#include #include # using variables in profile name is not yet recommended due to issues with # AppArmor tools # TODO: use this alternative in the future when available #profile qtox @{qtox_prefix}/bin/qtox { profile qtox /usr{,/local}/bin/qtox { #include #include #include #include #include #include #include #include #include #include # Site-specific additions and overrides. See local/README for details. #include # Main executable @{qtox_prefix}/bin mr, # Other executables #TODO: use xdg-open abstraction when it's available /usr/bin/xdg-open PUx, # Additional libraries # Allow /usr/local/lib/libtoxcore.so... @{qtox_prefix}/lib/*.so* mr, # Networking network tcp, network udp, # DBus dbus send bus=session path=/org/a11y/bus interface=org.freedesktop.DBus.Properties member=Get peer=(label=unconfined), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(label=unconfined), dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=GetDevices peer=(label=unconfined), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=PropertiesChanged peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll peer=(label=unconfined), dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* interface=org.freedesktop.NetworkManager.Connection.Active member=PropertiesChanged peer=(label=unconfined), dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/[0-9]* interface=org.freedesktop.DBus.Properties member=GetAll peer=(label=unconfined), # System files /usr/share/hunspell/* r, @{qtox_additional_rw_dirs}/ r, @{qtox_additional_rw_dirs}/** rw, # Sensitive directory access!!! # Allow navigating directories with file dialog, to access directory you # can write (read) file to, for most convenience (though against maximum # security). Note: this allows reading only directory contents (list), # not the files itself. /{,**/} r, /dev/ r, /dev/dri/ r, /dev/video[0-9]* rw, # webcam /etc/fstab r, # file dialog /etc/xdg/menus/ r, # file dialog /proc/sys/kernel/core_pattern r, # for KCrash::initialize() /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction? /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog) /sys/bus/ r, # file dialog /sys/bus/usb/devices/ r, # file dialog /sys/class/ r, # file dialog /sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so /usr/share/emoticons/{,**} r, /usr/share/kservices5/{,**} r, # file dialog /usr/share/mime/ r, # file dialog /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? /usr/share/sounds/ r, # file dialog (alert) # User files # Sensitive file access!!! # Allow reading & writing into $HOME, EXCEPT for dot files and directories, # for most convenience (though against maximum security). owner @{HOME}/ r, owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/{,**} rw, # QSaveFile security measures? While saving log file owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9], owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9], owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog owner @{HOME}/.cache/Tox/ w, owner @{HOME}/.cache/Tox/qTox/{,**} rw, owner @{HOME}/.cache/qTox/{,**} rw, owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail? owner @{HOME}/.config/menus/ r, # file dialog owner @{HOME}/.config/menus/applications-merged/ r, # file dialog owner @{HOME}/.config/qToxrc rw, owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile? owner @{HOME}/.config/qToxrc.lock rwk, owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile? owner @{HOME}/.config/tox/{,**} rwk, owner @{HOME}/.local/share/qTox/{,**} rw, owner @{HOME}/.local/share/user-places.xbel r, # file dialog owner @{PROC}/@{pid}/cmdline r, # Backport from more recent qt5-compose-cache-write abstraction # commit 1250402471d9d83134b0faa90239a733a37f23f0 owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) # Backport kde-globals-write abstraction # commit fae93f1b6c7a28bb77ad186ab1de41372630272b owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/kdeglobals rw, owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.lock rwk, # Backport kde-icon-cache-write abstraction # commit 94014c09f09fc63229bb10fea3f0727113fe5bae owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader # Backport mesa abstraction # commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3 # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() /usr/share/drirc.d/{,*.conf} r, # User files owner @{HOME}/.cache/ w, # if user clears all caches owner @{HOME}/.cache/mesa_shader_cache/ w, owner @{HOME}/.cache/mesa_shader_cache/index rw, owner @{HOME}/.cache/mesa_shader_cache/??/ w, owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, # End of backported mesa abstraction # Backport qt5 abstraction # commit 67816c42cfbadd85aa5cbb086284076c4c289881 # Additional libraries /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, /usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr, /usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules # System files /etc/xdg/QtProject/qtlogging.ini r, /usr/share/qt5/translations/*.qm r, /usr/lib{,64,/@{multiarch}}/qt5/plugins/** r, /usr/lib{,64,/@{multiarch}}/qt5/qml/** r, # User files owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access) owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins # End of backported qt5 abstractions # Backport qt5-compose-cache-write abstraction # commit 1250402471d9d83134b0faa90239a733a37f23f0 owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) # Backport qt5-settings-write abstraction # commit 8f6a8fb1942122705af4c45168922c4afd696c8a owner @{HOME}/.config/#[0-9]*[0-9] rw, owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9], # for temporary files like QtProject.conf.Aqrgeb owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], owner @{HOME}/.config/QtProject.conf.lock rwk, # Backport recent-documents-write # commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a owner @{HOME}/.local/share/RecentDocuments/ rw, owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw, owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*, owner @{HOME}/.local/share/RecentDocuments/*.lock rwk, # Backport dri-enumerate abstraction # commit b0456adbd86aab73e4a19013fdfed22da98ed455 /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, }