StarMirror/qTox
1
0
Fork 0
mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00
Code Issues Projects Releases Wiki Activity
c8eb34f028
qTox/security/apparmor/2.12.1/usr.bin.qtox
Vincas Dargis c8eb34f028 fix(apparmor): Fix spam of DENIED messages on openSUSE 
AppArmor produced spams lot's of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appears to be libpcre2 mmaped shared memory, related to jitting.

Deny mmap()'ing files for execution from /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose
more secure way (while probably loosing regex performance).
2019-03-25 20:14:01 +02:00

317 lines
10 KiB
Plaintext
Raw Blame History

#include <tunables/global>
#include <tunables/usr.bin.qtox>
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/video>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.qtox>
# Main executable
@{qtox_prefix}/bin mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network tcp,
network udp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=GetLayout
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,Event}
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewIcon,NewToolTip}
peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# System files
/usr/share/hunspell/* r,
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/dri/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/[0-9]*[0-9]/qTox*.slave-socket rwl -> /{,var/}run/user/[0-9]*[0-9]/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.local/share/qTox/{,**} rw,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
# Backport from more recent qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Backport kde-globals-write abstraction
# commit fae93f1b6c7a28bb77ad186ab1de41372630272b
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
# Backport kde-icon-cache-write abstraction
# commit 94014c09f09fc63229bb10fea3f0727113fe5bae
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# Backport mesa abstraction
# commit b5be5964609b4e0927af7c9e4f0276e50ccdc3e3
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
/usr/share/drirc.d/{,*.conf} r,
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
owner @{HOME}/.cache/mesa_shader_cache/ w,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
owner @{HOME}/.cache/mesa_shader_cache/??/ w,
owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
# End of backported mesa abstraction
# Backport qt5 abstraction
# commit 67816c42cfbadd85aa5cbb086284076c4c289881
# Additional libraries
/usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.so mr,
/usr/lib{,64,/@{multiarch}}/qt5/qml/**.{qmlc,jsc} mr, # Precompiled QML/JavaScript modules
# System files
/etc/xdg/QtProject/qtlogging.ini r,
/usr/share/qt5/translations/*.qm r,
/usr/lib{,64,/@{multiarch}}/qt5/plugins/** r,
/usr/lib{,64,/@{multiarch}}/qt5/qml/** r,
# User files
owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
# End of backported qt5 abstractions
# Backport qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
# Backport qt5-settings-write abstraction
# commit 8f6a8fb1942122705af4c45168922c4afd696c8a
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,
# Backport recent-documents-write
# commit 4fe8ae97c43d72d7f5a948c7149f5ea35339832a
owner @{HOME}/.local/share/RecentDocuments/ rw,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# Backport dri-enumerate abstraction
# commit b0456adbd86aab73e4a19013fdfed22da98ed455
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
}
Reference in New Issue View Git Blame Copy Permalink