Skip to content
This repository has been archived by the owner on Feb 12, 2023. It is now read-only.

Commit

Permalink
feat(apparmor): Add AppArmor v2.12.1 profile
Browse files Browse the repository at this point in the history 
Copy 2.13.2 profile into 2.12.1 place to be the starting point for
modifying (backporting) AppArmor profile for version 2.12.1 (on Ubuntu
18.04, Debian Stretch, etc).

At this point 2.12.1 profile does not work, as AppArmor v2.12.1 does not
have needed abstractions and policy language features (such as `include
if exists`). Followup commits will fix these issues.
  • Loading branch information
@Talkless
Talkless committed Mar 25, 2019
1 parent 89514ee commit d6ef3d2
Show file tree
Hide file tree
Showing 2 changed files with 115 additions and 0 deletions.
12 changes: 12 additions & 0 deletions security/apparmor/2.12.1/tunables/usr.bin.qtox
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
@{qtox_prefix} = /usr /usr/local

# Allow to read & write into mounted media, etc.
# for convenient sending & receiving of files.
@{qtox_additional_rw_dirs} = /mnt /media

# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
# needed, such as:
# @{qtox_prefix} += @{HOME}/opt/qtox
# @{qtox_additional_rw_dirs} = /data/nfs_storage
#include if exists <tunables/usr.bin.qtox.d/>

103 changes: 103 additions & 0 deletions security/apparmor/2.12.1/usr.bin.qtox
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
#include <tunables/global>
#include <tunables/usr.bin.qtox>

# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
#include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/kde-globals-write>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
#include <abstractions/recent-documents-write>
#include <abstractions/video>

# Site-specific additions and overrides. See local/README for details.
#include if exists <local/usr.bin.qtox>

# Main executable

@{qtox_prefix}/bin mr,

# Other executables

#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,

# Networking

network tcp,
network udp,

# System files

@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,

# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,

/dev/ r,
/dev/dri/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)

# User files

# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],

owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,

# Backport from more recent qt5-compose-cache-write abstraction
# commit 1250402471d9d83134b0faa90239a733a37f23f0
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
}

0 comments on commit d6ef3d2

Please sign in to comment.