StarMirror/qTox
1
0
Fork 0
mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00
Code Issues Projects Releases Wiki Activity
a67faf2976
qTox/security/apparmor/2.12.1/usr.bin.qtox
Vincas Dargis a67faf2976 fix(apparmor): Fix accessibility DBus access 
AppArmor denies access to a11y:
```
Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon: apparmor="DENIED"
operation="dbus_method_call"  bus="accessibility"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="Hello" mask="send" name="org.freedesktop.DBus" pid=8011
label="qtox" peer_label="unconfined"

Jan 26 15:23:31 vincas-ubuntu1804 dbus-daemon[1474]: apparmor="DENIED"
operation="dbus_method_call"  bus="session" path="/org/a11y/bus"
interface="org.freedesktop.DBus.Properties" member="Get" mask="send"
name="org.a11y.Bus" pid=8011 label="qtox" peer_pid=1620
peer_label="unconfined"
```

Include dbus-accessibility abstraction and one addition dbus rule to fix
denies.
2019-03-25 20:14:01 +02:00

184 lines
6.6 KiB
Plaintext
Raw Blame History

#include <tunables/global>
#include <tunables/usr.bin.qtox>
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/video>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.qtox>
# Main executable
@{qtox_prefix}/bin mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network tcp,
network udp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
# System files
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/dri/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
# Backport from more recent qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Backport kde-globals-write abstraction
# commit fae93f1b6c7a28bb77ad186ab1de41372630272b
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Backport kde-icon-cache-write abstraction
# commit 94014c09f09fc63229bb10fea3f0727113fe5bae
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Backport mesa abstraction
# commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
/usr/share/drirc.d/{,*.conf} r,
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ w,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
# End of backported mesa abstraction
# Backport qt5 abstraction
# commit 67816c42cfbadd85aa5cbb086284076c4c289881
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
# User files
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# End of backported qt5 abstractions
# Backport qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Backport qt5-settings-write abstraction
# commit 8f6a8fb1942122705af4c45168922c4afd696c8a
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Backport recent-documents-write
# commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
}
Reference in New Issue View Git Blame Copy Permalink