mirror of
https://github.com/qTox/qTox.git
synced 2024-03-22 14:00:36 +08:00
4d9cc7216a
File rule to allow loading the executable itself has typo - no executable name itself is present. Profile still works OK but it might fail on some older kernels. Fix file rule by specifying full path to the executable.
399 lines
13 KiB
Plaintext
399 lines
13 KiB
Plaintext
#include <tunables/global>
|
|
#include <tunables/usr.bin.qtox>
|
|
|
|
# using variables in profile name is not yet recommended due to issues with
|
|
# AppArmor tools
|
|
# TODO: use this alternative in the future when available
|
|
#profile qtox @{qtox_prefix}/bin/qtox {
|
|
profile qtox /usr{,/local}/bin/qtox {
|
|
#include <abstractions/audio>
|
|
#include <abstractions/base>
|
|
#include <abstractions/dbus-accessibility>
|
|
#include <abstractions/dbus-session-strict>
|
|
#include <abstractions/gnome>
|
|
#include <abstractions/ibus>
|
|
#include <abstractions/kde>
|
|
#include <abstractions/nameservice>
|
|
#include <abstractions/openssl>
|
|
#include <abstractions/video>
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.bin.qtox>
|
|
|
|
# Main executable
|
|
|
|
@{qtox_prefix}/bin/qtox mr,
|
|
|
|
# Other executables
|
|
|
|
#TODO: use xdg-open abstraction when it's available
|
|
/usr/bin/xdg-open PUx,
|
|
#TODO: use named profile or abstraction when it's available
|
|
/usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
|
|
|
|
# Additional libraries
|
|
|
|
# Allow /usr/local/lib/libtoxcore.so...
|
|
@{qtox_prefix}/lib/*.so* mr,
|
|
|
|
# Networking
|
|
|
|
network tcp,
|
|
network udp,
|
|
|
|
# DBus
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/org/a11y/bus
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=Get
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=Get
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.NetworkManager
|
|
member=GetDevices
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.NetworkManager
|
|
member=PropertiesChanged
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Settings
|
|
interface=org.freedesktop.NetworkManager.Settings
|
|
member=ListConnections
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
|
interface=org.freedesktop.NetworkManager.Settings.Connection
|
|
member=GetSettings
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
|
interface=org.freedesktop.NetworkManager.Connection.Active
|
|
member=PropertiesChanged
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.kde.StatusNotifierWatcher
|
|
member=RegisterStatusNotifierItem
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.kde.StatusNotifierItem
|
|
member=Activate
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/MenuBar
|
|
interface=com.canonical.dbusmenu
|
|
member=GetLayout
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/MenuBar
|
|
interface=com.canonical.dbusmenu
|
|
member={AboutToShow,Event}
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.kde.StatusNotifierItem
|
|
member={NewIcon,NewToolTip}
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/UPower
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/UDisks2/{block_devices,drives}/*
|
|
interface=org.freedesktop.DBus.Properties
|
|
member={Get,GetAll}
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/org/freedesktop/DBus
|
|
interface=org.freedesktop.DBus
|
|
member=GetConnectionUnixUser
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/
|
|
interface=org.kde.KDirNotify
|
|
member={enteredDirectory,leftDirectory}
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/
|
|
interface=org.kde.KDirNotify
|
|
member=FilesAdded
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/KLauncher
|
|
interface=org.kde.KSlaveLauncher
|
|
member=requestSlave
|
|
peer=(label=unconfined),
|
|
|
|
# Denied files
|
|
|
|
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
|
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
|
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
|
# so we deny this path to protect from loading exploits from /tmp.
|
|
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
|
|
|
|
# libfontconfig bug? Should not write to root-owned dirs.
|
|
deny /usr/share/fonts/** w,
|
|
deny /var/cache/fontconfig/ w,
|
|
|
|
# System files
|
|
|
|
/usr/share/hunspell/* r,
|
|
@{qtox_additional_rw_dirs}/ r,
|
|
@{qtox_additional_rw_dirs}/** rw,
|
|
|
|
# Sensitive directory access!!!
|
|
# Allow navigating directories with file dialog, to access directory you
|
|
# can write (read) file to, for most convenience (though against maximum
|
|
# security). Note: this allows reading only directory contents (list),
|
|
# not the files itself.
|
|
/{,**/} r,
|
|
|
|
/dev/ r,
|
|
/dev/dri/ r,
|
|
/dev/video[0-9]* rw, # webcam
|
|
/etc/fstab r, # file dialog
|
|
/etc/xdg/menus/ r, # file dialog
|
|
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
|
|
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
|
|
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
|
|
/sys/bus/ r, # file dialog
|
|
/sys/bus/usb/devices/ r, # file dialog
|
|
/sys/class/ r, # file dialog
|
|
/sys/devices/**/uevent r, # file dialog
|
|
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
|
|
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
|
|
/usr/share/emoticons/{,**} r,
|
|
/usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
|
|
/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
|
|
/usr/share/kservices5/{,**} r, # file dialog
|
|
/usr/share/mime/ r, # file dialog
|
|
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
|
|
/usr/share/sounds/ r, # file dialog (alert)
|
|
/{,var/}run/udev/data/* r, # file dialog
|
|
|
|
# User files
|
|
|
|
# Sensitive file access!!!
|
|
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
|
|
# for most convenience (though against maximum security).
|
|
owner @{HOME}/ r,
|
|
owner @{HOME}/[^.]* rw,
|
|
owner @{HOME}/[^.]*/{,**} rw,
|
|
# QSaveFile security measures? While saving log file
|
|
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
|
|
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
|
|
|
|
owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog
|
|
owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog
|
|
owner @{HOME}/.cache/Tox/ w,
|
|
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
|
|
owner @{HOME}/.cache/fontconfig/** rwk,
|
|
owner @{HOME}/.cache/qTox/{,**} rw,
|
|
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
|
|
owner @{HOME}/.config/menus/ r, # file dialog
|
|
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
|
|
owner @{HOME}/.config/qToxrc rw,
|
|
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
|
|
owner @{HOME}/.config/qToxrc.lock rwk,
|
|
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
|
|
owner @{HOME}/.config/tox/{,**} rwk,
|
|
owner @{HOME}/.fonts/.uuid* rw,
|
|
owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
|
|
owner @{HOME}/.fonts/.uuid.*/ rw,
|
|
owner @{HOME}/.local/share/Tox/{,**} rw,
|
|
owner @{HOME}/.local/share/qTox/{,**} rw,
|
|
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
|
|
owner @{PROC}/@{pid}/cmdline r,
|
|
|
|
# Backport from more recent qt5-compose-cache-write abstraction
|
|
# commit 1250402471d9d83134b0faa90239a733a37f23f0
|
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
|
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
|
|
|
# Backport kde-globals-write abstraction
|
|
# commit fae93f1b6c7a28bb77ad186ab1de41372630272b
|
|
owner @{HOME}/.config/#[0-9]* rw,
|
|
owner @{HOME}/.config/kdeglobals rw,
|
|
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
|
|
owner @{HOME}/.config/kdeglobals.lock rwk,
|
|
|
|
# Backport kde-icon-cache-write abstraction
|
|
# commit 94014c09f09fc63229bb10fea3f0727113fe5bae
|
|
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
|
|
|
|
# Backport mesa abstraction
|
|
# commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3
|
|
|
|
# System files
|
|
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
|
|
/usr/share/drirc.d/{,*.conf} r,
|
|
|
|
# User files
|
|
owner @{HOME}/.cache/ w, # if user clears all caches
|
|
owner @{HOME}/.cache/mesa_shader_cache/ w,
|
|
owner @{HOME}/.cache/mesa_shader_cache/index rw,
|
|
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
|
|
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
|
|
# End of backported mesa abstraction
|
|
|
|
# Backport qt5 abstraction
|
|
# commit 67816c42cfbadd85aa5cbb086284076c4c289881
|
|
|
|
# Additional libraries
|
|
|
|
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
|
|
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
|
|
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
|
|
|
|
# System files
|
|
|
|
/etc/xdg/QtProject/qtlogging.ini r,
|
|
/usr/share/qt5/translations/*.qm r,
|
|
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
|
|
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
|
|
|
|
# User files
|
|
|
|
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
|
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
|
|
# End of backported qt5 abstractions
|
|
|
|
# Backport qt5-compose-cache-write abstraction
|
|
# commit 1250402471d9d83134b0faa90239a733a37f23f0
|
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
|
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
|
|
|
# Backport qt5-settings-write abstraction
|
|
# commit 8f6a8fb1942122705af4c45168922c4afd696c8a
|
|
owner @{HOME}/.config/#[0-9]*[0-9] rw,
|
|
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
|
|
# for temporary files like QtProject.conf.Aqrgeb
|
|
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
|
|
owner @{HOME}/.config/QtProject.conf.lock rwk,
|
|
|
|
# Backport recent-documents-write
|
|
# commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a
|
|
owner @{HOME}/.local/share/RecentDocuments/ rw,
|
|
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
|
|
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
|
|
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
|
|
|
|
# Backport dri-enumerate abstraction
|
|
# commit b0456adbd86aab73e4a19013fdfed22da98ed455
|
|
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
|
|
|
# Backport kde abstraction
|
|
# commit aae838faca57905d2dbc27db7bffd595c09d26f0
|
|
# commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
|
|
/etc/xdg/kdeglobals r,
|
|
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
|
|
/usr/share/kubuntu-default-settings/kf5-settings/* r,
|
|
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
|
|
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
|
|
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
|
|
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
|
|
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
|
|
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
|
|
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
|
|
|
|
# Backport dri-common abstraction
|
|
# commit 2d8d2f06d5697d9692330686bb5ddb0095621144
|
|
/usr/share/drirc.d/{,*.conf} r,
|
|
|
|
}
|