StarMirror/qTox
1
0
Fork 0
mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00
Code Issues Projects Releases Wiki Activity
8a9c89f239
qTox/security/apparmor/2.13.3/usr.bin.qtox
Vincas Dargis a01d31445f feat(apparmor): Update AppArmor 2.13.3 profile 
AppArmor 2.13.3 now has updated abstractions, and that means we no
longer need manual backports in qTox profile.

Remove redundant rules from qTox profile that are already available in
AppArmor 2.13.3.
2019-09-29 15:42:26 +03:00

328 lines
9.7 KiB
Plaintext
Raw Blame History

# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
#include <tunables/global>
#include <tunables/usr.bin.qtox>
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde-globals-write>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
#include <abstractions/recent-documents-write>
#include <abstractions/video>
# Site-specific additions and overrides. See local/README for details.
#include if exists <local/usr.bin.qtox>
# Main executable
@{qtox_prefix}/bin/qtox mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
#TODO: use named profile or abstraction when it's available
/usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network inet udp,
network inet6 udp,
network inet tcp,
network inet6 tcp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=GetLayout
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,Event}
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewIcon,NewToolTip}
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,drives}/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label=unconfined),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(label=unconfined),
dbus send
bus=session
path=/
interface=org.kde.KDirNotify
member={enteredDirectory,leftDirectory}
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.kde.KDirNotify
member=FilesAdded
peer=(label=unconfined),
dbus send
bus=session
path=/KLauncher
interface=org.kde.KSlaveLauncher
member=requestSlave
peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# libfontconfig bug? Should not write to root-owned dirs.
deny /usr/share/fonts/** w,
deny /var/cache/fontconfig/ w,
# System files
/usr/share/hunspell/* r,
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/**/uevent r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
/{,var/}run/udev/data/* r, # file dialog
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/fontconfig/** rwk,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.fonts/.uuid* rw,
owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
owner @{HOME}/.fonts/.uuid.*/ rw,
owner @{HOME}/.local/share/Tox/{,**} rw,
owner @{HOME}/.local/share/qTox/{,**} rw,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
}
Reference in New Issue View Git Blame Copy Permalink