mirror of
https://github.com/qTox/qTox.git
synced 2024-03-22 14:00:36 +08:00
AppArmor upstream has new rules useful for running applications in KDE desktop. Backport rules from update kde abstraction to fix AppArmor denies.
266 lines
8.3 KiB
Plaintext
266 lines
8.3 KiB
Plaintext
#include <tunables/global>
|
|
#include <tunables/usr.bin.qtox>
|
|
|
|
# using variables in profile name is not yet recommended due to issues with
|
|
# AppArmor tools
|
|
# TODO: use this alternative in the future when available
|
|
#profile qtox @{qtox_prefix}/bin/qtox {
|
|
profile qtox /usr{,/local}/bin/qtox {
|
|
#include <abstractions/audio>
|
|
#include <abstractions/base>
|
|
#include <abstractions/dbus-accessibility>
|
|
#include <abstractions/dbus-session-strict>
|
|
#include <abstractions/dri-enumerate>
|
|
#include <abstractions/gnome>
|
|
#include <abstractions/ibus>
|
|
#include <abstractions/kde-globals-write>
|
|
#include <abstractions/kde-icon-cache-write>
|
|
#include <abstractions/kde>
|
|
#include <abstractions/mesa>
|
|
#include <abstractions/nameservice>
|
|
#include <abstractions/openssl>
|
|
#include <abstractions/qt5-compose-cache-write>
|
|
#include <abstractions/qt5-settings-write>
|
|
#include <abstractions/recent-documents-write>
|
|
#include <abstractions/video>
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include if exists <local/usr.bin.qtox>
|
|
|
|
# Main executable
|
|
|
|
@{qtox_prefix}/bin mr,
|
|
|
|
# Other executables
|
|
|
|
#TODO: use xdg-open abstraction when it's available
|
|
/usr/bin/xdg-open PUx,
|
|
|
|
# Additional libraries
|
|
|
|
# Allow /usr/local/lib/libtoxcore.so...
|
|
@{qtox_prefix}/lib/*.so* mr,
|
|
|
|
# Networking
|
|
|
|
network tcp,
|
|
network udp,
|
|
|
|
# DBus
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/org/a11y/bus
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=Get
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
member=Introspect
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=Get
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.NetworkManager
|
|
member=GetDevices
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.NetworkManager
|
|
member=PropertiesChanged
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Settings
|
|
interface=org.freedesktop.NetworkManager.Settings
|
|
member=ListConnections
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
|
interface=org.freedesktop.NetworkManager.Settings.Connection
|
|
member=GetSettings
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
|
|
interface=org.freedesktop.NetworkManager.Connection.Active
|
|
member=PropertiesChanged
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
|
|
interface=org.freedesktop.DBus.Properties
|
|
member=GetAll
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierWatcher
|
|
interface=org.kde.StatusNotifierWatcher
|
|
member=RegisterStatusNotifierItem
|
|
peer=(label=unconfined),
|
|
|
|
dbus receive
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.kde.StatusNotifierItem
|
|
member=Activate
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/MenuBar
|
|
interface=com.canonical.dbusmenu
|
|
member=GetLayout
|
|
peer=(label=unconfined),
|
|
|
|
dbus (send,receive)
|
|
bus=session
|
|
path=/MenuBar
|
|
interface=com.canonical.dbusmenu
|
|
member={AboutToShow,Event}
|
|
peer=(label=unconfined),
|
|
|
|
dbus send
|
|
bus=session
|
|
path=/StatusNotifierItem
|
|
interface=org.kde.StatusNotifierItem
|
|
member={NewIcon,NewToolTip}
|
|
peer=(label=unconfined),
|
|
|
|
# Denied files
|
|
|
|
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
|
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
|
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
|
# so we deny this path to protect from loading exploits from /tmp.
|
|
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
|
|
|
|
# System files
|
|
|
|
/usr/share/hunspell/* r,
|
|
@{qtox_additional_rw_dirs}/ r,
|
|
@{qtox_additional_rw_dirs}/** rw,
|
|
|
|
# Sensitive directory access!!!
|
|
# Allow navigating directories with file dialog, to access directory you
|
|
# can write (read) file to, for most convenience (though against maximum
|
|
# security). Note: this allows reading only directory contents (list),
|
|
# not the files itself.
|
|
/{,**/} r,
|
|
|
|
/dev/ r,
|
|
/dev/dri/ r,
|
|
/dev/video[0-9]* rw, # webcam
|
|
/etc/fstab r, # file dialog
|
|
/etc/xdg/menus/ r, # file dialog
|
|
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
|
|
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
|
|
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
|
|
/sys/bus/ r, # file dialog
|
|
/sys/bus/usb/devices/ r, # file dialog
|
|
/sys/class/ r, # file dialog
|
|
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
|
|
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
|
|
/usr/share/emoticons/{,**} r,
|
|
/usr/share/kservices5/{,**} r, # file dialog
|
|
/usr/share/mime/ r, # file dialog
|
|
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
|
|
/usr/share/sounds/ r, # file dialog (alert)
|
|
|
|
# User files
|
|
|
|
# Sensitive file access!!!
|
|
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
|
|
# for most convenience (though against maximum security).
|
|
owner @{HOME}/ r,
|
|
owner @{HOME}/[^.]* rw,
|
|
owner @{HOME}/[^.]*/{,**} rw,
|
|
# QSaveFile security measures? While saving log file
|
|
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
|
|
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
|
|
|
|
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
|
|
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
|
|
owner @{HOME}/.cache/Tox/ w,
|
|
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
|
|
owner @{HOME}/.cache/qTox/{,**} rw,
|
|
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
|
|
owner @{HOME}/.config/menus/ r, # file dialog
|
|
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
|
|
owner @{HOME}/.config/qToxrc rw,
|
|
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
|
|
owner @{HOME}/.config/qToxrc.lock rwk,
|
|
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
|
|
owner @{HOME}/.config/tox/{,**} rwk,
|
|
owner @{HOME}/.local/share/qTox/{,**} rw,
|
|
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
|
|
owner @{PROC}/@{pid}/cmdline r,
|
|
|
|
# Backport from more recent qt5-compose-cache-write abstraction
|
|
# commit 1250402471d9d83134b0faa90239a733a37f23f0
|
|
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
|
|
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
|
|
|
|
# Backport kde abstraction
|
|
# commit aae838faca57905d2dbc27db7bffd595c09d26f0
|
|
# commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
|
|
/etc/xdg/kdeglobals r,
|
|
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
|
|
/usr/share/kubuntu-default-settings/kf5-settings/* r,
|
|
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
|
|
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
|
|
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
|
|
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
|
|
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
|
|
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
|
|
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
|
|
|
|
}
|