feat(apparmor): Add AppArmor profile
Introduce AppArmor profile, designed to work with AppArmor version 2.13.2 (Debian Buster).
Showing
2 changed files
with
115 additions
and
0 deletions.
@@ -0,0 +1,12 @@ | ||
@{qtox_prefix} = /usr /usr/local | ||
|
||
# Allow to read & write into mounted media, etc. | ||
# for convenient sending & receiving of files. | ||
@{qtox_additional_rw_dirs} = /mnt /media | ||
|
||
# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as | ||
# needed, such as: | ||
# @{qtox_prefix} += @{HOME}/opt/qtox | ||
# @{qtox_additional_rw_dirs} = /data/nfs_storage | ||
#include if exists <tunables/usr.bin.qtox.d/> | ||
|
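Review bot: The two examples in the header comment are inconsistent: the `@{qtox_prefix}` example extends the variable with `+=`, while the `@{qtox_additional_rw_dirs}` example uses `=`, which reads as a replacement of the `/mnt /media` default rather than an addition, and the parser may well reject a plain reassignment of a variable this file has already defined. If extending is the intended usage, change the example to `# @{qtox_additional_rw_dirs} += /data/nfs_storage`; if replacing is intended, say so explicitly in the comment so an admin knows `/mnt` and `/media` drop out. It would also help to note in the comment that anything listed in `@{qtox_additional_rw_dirs}` becomes recursively read-write for the whole profile, so the variable should only ever hold paths the user is meant to be able to modify.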
@@ -0,0 +1,103 @@ | ||
#include <tunables/global> | ||
#include <tunables/usr.bin.qtox> | ||
|
||
# using variables in profile name is not yet recommended due to issues with | ||
# AppArmor tools | ||
# TODO: use this alternative in the future when available | ||
#profile qtox @{qtox_prefix}/bin/qtox { | ||
profile qtox /usr{,/local}/bin/qtox { | ||
#include <abstractions/audio> | ||
#include <abstractions/base> | ||
#include <abstractions/dbus-session-strict> | ||
#include <abstractions/dri-enumerate> | ||
#include <abstractions/gnome> | ||
#include <abstractions/kde-globals-write> | ||
#include <abstractions/kde-icon-cache-write> | ||
#include <abstractions/kde> | ||
#include <abstractions/mesa> | ||
#include <abstractions/nameservice> | ||
#include <abstractions/qt5-compose-cache-write> | ||
#include <abstractions/qt5-settings-write> | ||
#include <abstractions/recent-documents-write> | ||
#include <abstractions/video> | ||
|
||
# Site-specific additions and overrides. See local/README for details. | ||
#include if exists <local/usr.bin.qtox> | ||
|
||
# Main executable | ||
|
||
@{qtox_prefix}/bin mr, | ||
|
||
# Other executables | ||
|
||
#TODO: use xdg-open abstraction when it's available | ||
/usr/bin/xdg-open PUx, | ||
|
||
# Networking | ||
|
||
network tcp, | ||
network udp, | ||
|
||
# System files | ||
|
||
@{qtox_additional_rw_dirs}/ r, | ||
@{qtox_additional_rw_dirs}/** rw, | ||
|
||
# Sensitive directory access!!! | ||
# Allow navigating directories with file dialog, to access directory you | ||
# can write (read) file to, for most convenience (though against maximum | ||
# security). Note: this allows reading only directory contents (list), | ||
# not the files itself. | ||
/{,**/} r, | ||
|
||
/dev/ r, | ||
/dev/dri/ r, | ||
/dev/video[0-9]* rw, # webcam | ||
/etc/fstab r, # file dialog | ||
/etc/xdg/menus/ r, # file dialog | ||
/proc/sys/kernel/core_pattern r, # for KCrash::initialize() | ||
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction? | ||
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog) | ||
/sys/bus/ r, # file dialog | ||
/sys/bus/usb/devices/ r, # file dialog | ||
/sys/class/ r, # file dialog | ||
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so | ||
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so | ||
/usr/share/emoticons/{,**} r, | ||
/usr/share/kservices5/{,**} r, # file dialog | ||
/usr/share/mime/ r, # file dialog | ||
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? | ||
/usr/share/sounds/ r, # file dialog (alert) | ||
|
||
# User files | ||
|
||
# Sensitive file access!!! | ||
# Allow reading & writing into $HOME, EXCEPT for dot files and directories, | ||
# for most convenience (though against maximum security). | ||
owner @{HOME}/ r, | ||
owner @{HOME}/[^.]* rw, | ||
owner @{HOME}/[^.]*/{,**} rw, | ||
# QSaveFile security measures? While saving log file | ||
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9], | ||
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9], | ||
|
||
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog | ||
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog | ||
owner @{HOME}/.cache/Tox/ w, | ||
owner @{HOME}/.cache/Tox/qTox/{,**} rw, | ||
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail? | ||
owner @{HOME}/.config/menus/ r, # file dialog | ||
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog | ||
owner @{HOME}/.config/qToxrc rw, | ||
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile? | ||
owner @{HOME}/.config/qToxrc.lock rwk, | ||
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile? | ||
owner @{HOME}/.config/tox/{,**} rwk, | ||
owner @{HOME}/.local/share/user-places.xbel r, # file dialog | ||
owner @{PROC}/@{pid}/cmdline r, | ||
|
||
# Backport from more recent qt5-compose-cache-write abstraction | ||
# commit 1250402471d9d83134b0faa90239a733a37f23f0 | ||
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], | ||
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) | ||
} |
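Review bot: The "Main executable" rule `@{qtox_prefix}/bin mr,` grants `mr` on the `/usr/bin` and `/usr/local/bin` directories, not on the binary itself, which does not match the attachment path `/usr{,/local}/bin/qtox` and the comment above it; it appears to be missing the file name and should read `@{qtox_prefix}/bin/qtox mr,`. Separately, the `@{qtox_additional_rw_dirs}/** rw,` rule carries no `owner` qualifier, so unlike the `@{HOME}` rules it allows writing to any file under `/mnt` and `/media` regardless of who owns it; if that is deliberate, a comment to that effect next to the rule would make the review intent clear, otherwise prefix it with `owner`. Finally, `/usr/bin/xdg-open PUx,` runs xdg-open, and therefore whatever handler it launches, unconfined when no matching profile exists, which is the one path out of this profile; the TODO already flags it, but the comment should state plainly that this is an unconfined transition so the escape is not overlooked when the abstraction becomes available.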