# Description: Allows access to app-specific directories and basic runtime
# Usage: common
# vim:syntax=apparmor
#include <tunables/global>
# Profile-local variables, substituted into the path rules of the profile
# below. @{HOME}, @{PROC}, @{pid} and @{multiarch} are not defined here;
# presumably they come from the tunables/global include above — verify.
@{APP_NAME}="kodi"             # not referenced elsewhere in this file as shown
@{SNAP_NAME}="kodi"            # used for /snap, /var/snap, ~/snap and shm paths
@{SNAP_REVISION}="100001"      # selects which revision gets the writable areas
@{INSTALL_DIR}="/snap"         # read-only install root for this snap
profile "snap.kodi.kodi" (attach_disconnected) {
# Confinement profile for the kodi snap. The body is a concatenation of
# policy-template sections, each introduced by a "# Description:" /
# "# Usage:" header (common runtime, network client, Unity7, network
# server, X, OpenGL), followed by a kodi-specific section at the end.
# Because the sections were pasted together, several includes and path
# rules occur more than once (abstractions/nameservice, ssl_certs,
# abstractions/X, /etc/udev/udev.conf, /sys/class/, somaxconn). These are
# presumably harmless duplicates, but worth folding when regenerating.
# attach_disconnected: paths the kernel reports as disconnected from the
# namespace root are still matched against these rules instead of being
# failed outright.
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/openssl>
# for python apps/services
#include <abstractions/python>
/usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
deny /usr/lib/python3*/{,**/}__pycache__/ w, # noisy
deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
# for perl apps/services
#include <abstractions/perl>
/usr/bin/perl{,5*} ixr,
# TODO: we must remove these since things like 'container-management' will be
# broken if we have explicit denies. However, the development tools need to be
# clear that these can't be allowed.
# Explicitly deny ptrace for now since it can be abused to break out of the
# seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
# audit deny ptrace (trace),
# Explicitly deny capability mknod so apps can't create devices
# audit deny capability mknod,
# Explicitly deny mount, remount and umount so apps can't modify things in
# their namespace
# audit deny mount,
# audit deny remount,
# audit deny umount,
# NOTE: the five denies above are commented out, so nothing in this file
# itself forbids ptrace, mknod or mount; any such restriction must come from
# the included abstractions or from seccomp — confirm before relying on it.
# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
/bin/bash ixr,
/bin/dash ixr,
/etc/bash.bashrc r,
/etc/{passwd,group,nsswitch.conf} r, # very common
/etc/libnl-3/{classid,pktloc} r, # apps that use libnl
/var/lib/extrausers/{passwd,group} r,
/etc/profile r,
/usr/share/terminfo/** r,
/etc/inputrc r,
deny @{HOME}/.inputrc r,
# Common utilities for shell scripts
# 'ixr' = execute and inherit this profile; the tools below therefore run
# under the same confinement rather than transitioning to another profile.
/{,usr/}bin/{,g,m}awk ixr,
/{,usr/}bin/basename ixr,
/{,usr/}bin/bunzip2 ixr,
/{,usr/}bin/bzcat ixr,
/{,usr/}bin/bzdiff ixr,
/{,usr/}bin/bzgrep ixr,
/{,usr/}bin/bzip2 ixr,
/{,usr/}bin/cat ixr,
/{,usr/}bin/chmod ixr,
/{,usr/}bin/cmp ixr,
/{,usr/}bin/cp ixr,
/{,usr/}bin/cpio ixr,
/{,usr/}bin/cut ixr,
/{,usr/}bin/date ixr,
/{,usr/}bin/dd ixr,
/{,usr/}bin/diff{,3} ixr,
/{,usr/}bin/dir ixr,
/{,usr/}bin/dirname ixr,
/{,usr/}bin/echo ixr,
/{,usr/}bin/{,e,f,r}grep ixr,
/{,usr/}bin/env ixr,
/{,usr/}bin/expr ixr,
/{,usr/}bin/false ixr,
/{,usr/}bin/find ixr,
/{,usr/}bin/fmt ixr,
/{,usr/}bin/getopt ixr,
/{,usr/}bin/groups ixr,
/{,usr/}bin/gzip ixr,
/{,usr/}bin/head ixr,
/{,usr/}bin/hostname ixr,
/{,usr/}bin/id ixr,
/{,usr/}bin/igawk ixr,
/{,usr/}bin/kill ixr,
/{,usr/}bin/ldd ixr,
/{,usr/}bin/less{,file,pipe} ixr,
/{,usr/}bin/ln ixr,
/{,usr/}bin/line ixr,
/{,usr/}bin/link ixr,
/{,usr/}bin/logger ixr,
/{,usr/}bin/ls ixr,
/{,usr/}bin/md5sum ixr,
/{,usr/}bin/mkdir ixr,
/{,usr/}bin/mktemp ixr,
/{,usr/}bin/more ixr,
/{,usr/}bin/mv ixr,
/{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
/{,usr/}bin/pgrep ixr,
/{,usr/}bin/printenv ixr,
/{,usr/}bin/printf ixr,
/{,usr/}bin/ps ixr,
/{,usr/}bin/pwd ixr,
/{,usr/}bin/readlink ixr,
/{,usr/}bin/realpath ixr,
/{,usr/}bin/rev ixr,
/{,usr/}bin/rm ixr,
/{,usr/}bin/rmdir ixr,
/{,usr/}bin/sed ixr,
/{,usr/}bin/seq ixr,
/{,usr/}bin/sleep ixr,
/{,usr/}bin/sort ixr,
/{,usr/}bin/stat ixr,
/{,usr/}bin/tac ixr,
/{,usr/}bin/tail ixr,
/{,usr/}bin/tar ixr,
/{,usr/}bin/tee ixr,
/{,usr/}bin/test ixr,
/{,usr/}bin/tempfile ixr,
/{,usr/}bin/tset ixr,
/{,usr/}bin/touch ixr,
/{,usr/}bin/tr ixr,
/{,usr/}bin/true ixr,
/{,usr/}bin/uname ixr,
/{,usr/}bin/uniq ixr,
/{,usr/}bin/unlink ixr,
/{,usr/}bin/unxz ixr,
/{,usr/}bin/unzip ixr,
/{,usr/}bin/vdir ixr,
/{,usr/}bin/wc ixr,
/{,usr/}bin/which ixr,
/{,usr/}bin/xargs ixr,
/{,usr/}bin/xz ixr,
/{,usr/}bin/yes ixr,
/{,usr/}bin/zcat ixr,
/{,usr/}bin/z{,e,f}grep ixr,
/{,usr/}bin/zip ixr,
/{,usr/}bin/zipgrep ixr,
# uptime
/{,usr/}bin/uptime ixr,
@{PROC}/uptime r,
@{PROC}/loadavg r,
# this is an information leak (logged-in users/sessions)
deny /{,var/}run/utmp r,
# java
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/auxv r,
@{PROC}/@{pid}/version_signature r,
@{PROC}/@{pid}/version r,
@{PROC}/sys/vm/zone_reclaim_mode r,
/etc/lsb-release r,
/sys/devices/**/read_ahead_kb r,
/sys/devices/system/cpu/** r,
/sys/kernel/mm/transparent_hugepage/enabled r,
/sys/kernel/mm/transparent_hugepage/defrag r,
# NOTE: this leaks running process and java seems to want it, but operates
# ok without it. Deny for now to silence the denial but we could allow
# owner match until AppArmor kernel var is available to solve this properly.
deny @{PROC}/@{pid}/cmdline r,
#owner @{PROC}/@{pid}/cmdline r,
# Miscellaneous accesses
/etc/mime.types r,
@{PROC}/ r,
/etc/{,writable/}hostname r,
/etc/{,writable/}localtime r,
/etc/{,writable/}timezone r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/status r,
@{PROC}/sys/kernel/hostname r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/fs/file-max r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/uuid r,
# Eases hardware assignment (doesn't give anything away)
/etc/udev/udev.conf r,
/sys/ r,
/sys/bus/ r,
/sys/class/ r,
# this leaks interface names and stats, but not in a way that is traceable
# to the user/device
@{PROC}/net/dev r,
# Read-only for the install directory
# 'mrklix' = mmap, read, lock, link, inherit-execute; no write anywhere
# under the install tree.
@{INSTALL_DIR}/@{SNAP_NAME}/ r,
@{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
@{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/** mrklix,
# Don't log noisy python denials (see LP: #1496895 for more details)
deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/ w,
deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/*.pyc.[0-9]* w,
# Read-only home area for other versions
owner @{HOME}/snap/@{SNAP_NAME}/ r,
owner @{HOME}/snap/@{SNAP_NAME}/** mrkix,
# Writable home area for this version.
owner @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
# Read-only system area for other versions
/var/snap/@{SNAP_NAME}/ r,
/var/snap/@{SNAP_NAME}/** mrkix,
# Writable system area only for this version
/var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
# The ubuntu-core-launcher creates an app-specific private restricted /tmp
# and will fail to launch the app if something goes wrong. As such, we can
# simply allow full access to /tmp.
/tmp/ r,
/tmp/** mrwlkix,
# Also do the same for shm
/{dev,run}/shm/snap/@{SNAP_NAME}/ r,
/{dev,run}/shm/snap/@{SNAP_NAME}/** rk,
/{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
/{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** mrwlkix,
# Allow apps from the same package to communicate with each other via an
# abstract or anonymous socket
unix peer=(label=snap.@{SNAP_NAME}.*),
# Allow apps from the same package to signal each other via signals
signal peer=snap.@{SNAP_NAME}.*,
# for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
/{,s}bin/udevadm ixr,
/etc/udev/udev.conf r,
/{,var/}run/udev/tags/snappy-assign/ r,
@{PROC}/cmdline r,
/sys/devices/**/uevent r,
# LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
# requires:
# /run/udev/data/* r,
# but that reveals too much about the system and cannot be granted to apps
# by default at this time.
# NOTE(review): the kodi-specific CEC section at the bottom of this profile
# does grant exactly that rule; see the note there.
# For convenience, allow apps to see what is in /dev even though cgroups
# will block most access
/dev/ r,
/dev/**/ r,
# Do the same with /sys/devices and /sys/class to help people using hw-assign
/sys/devices/ r,
/sys/devices/**/ r,
/sys/class/ r,
/sys/class/**/ r,
# Description: Can access the network as a client.
# Usage: common
# (nameservice, ssl_certs and somaxconn are repeated by the network-server
# section below.)
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
@{PROC}/sys/net/core/somaxconn r,
# Description: Can access Unity7. Restricted because Unity 7 runs on X and
# requires access to various DBus services and this environment does not prevent
# eavesdropping or apps interfering with one another.
# Usage: reserved
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
#include <abstractions/X>
#include <abstractions/fonts>
/var/cache/fontconfig/ r,
/var/cache/fontconfig/** mr,
# subset of gnome abstraction
/etc/gnome/defaults.list r,
/usr/share/gnome/applications/ r,
/usr/share/applications/mimeinfo.cache r,
/etc/gtk-*/* r,
/usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/ r,
/usr/share/icons/** r,
/usr/share/icons/*/index.theme rk,
/usr/share/pixmaps/ r,
/usr/share/pixmaps/** r,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
/usr/share/themes/** r,
#owner @{HOME}/.themes/ r,
#owner @{HOME}/.themes/** r,
# subset of ibus abstraction
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
# accessibility
#include <abstractions/dbus-accessibility-strict>
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(label=unconfined),
# unfortunate, but org.a11y.atspi is not designed for separation
dbus (receive, send)
bus=accessibility
path=/org/a11y/atspi/**
peer=(label=unconfined),
# org.freedesktop.Accounts
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=FindUserById
peer=(label=unconfined),
# Get() is an information leak
# TODO: verify what it is leaking
dbus (receive, send)
bus=system
path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member={Get,PropertiesChanged}
peer=(label=unconfined),
# TODO: pull in modern items from ubuntu-unity7-base abstraction, eg, HUD,
# AppMenu, gmenu, and freedesktop notifications
# Description: Can access the network as a server.
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
# These probably shouldn't be something that apps should use, but this offers
# no information disclosure since the files are in the read-only part of the
# system.
/etc/hosts.deny r,
/etc/hosts.allow r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
# LP: #1496906: java apps need these for some reason and they leak the IPv6 IP
# addresses and routes. Until we find another way to handle them (see the bug
# for some options), we need to allow them to avoid developer confusion.
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
# java apps request this but seem to work fine without it. Netlink sockets
# are used to talk to kernel subsystems though and since apps run as root,
# allowing blanket access needs to be carefully considered. Kernel capabilities
# checks (which apparmor mediates) *should* be enough to keep abuse down,
# however Linux capabilities can be quite broad and there have been CVEs in
# this area. The issue is complicated because reserved policy groups like
# 'network-admin' and 'network-firewall' have legitimate use for this rule,
# however a network facing server shouldn't typically be running with these
# policy groups. For now, explicitly deny to silence the denial. LP: #1499897
deny network netlink dgram,
# Description: Can access the X server. Restricted because X does not prevent
# eavesdropping or apps interfering with one another.
# Usage: reserved
# (abstractions/X is already pulled in by the Unity7 section above.)
#include <abstractions/X>
# Description: Can access opengl.
# Usage: reserved
# specific gl libs
/var/lib/snapd/lib/gl/** rm,
# nvidia
/proc/driver/nvidia/params r,
/sys/bus/pci/devices/** r,
/dev/nvidiactl rw,
/proc/modules r,
/dev/nvidia-modeset rw,
/dev/nvidia* rw, # also matches the two nvidia nodes listed explicitly above
# kodi specific
# devices
# hwmon temperature sensors (read-only) and per-process net stats
/sys/devices/virtual/hwmon/hwmon*/temp*_input r,
/proc/@{pid}/net/dev r,
# NOTE(review): broad read of three-level PCI sysfs attributes; confirm
# which attributes kodi actually needs and whether a narrower glob works.
/sys/devices/pci*/*/* r,
# pulse audio
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r,
owner /{run,dev}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner /{,var/}run/user/*/pulse/ rw,
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
# alsa
/dev/snd/* rw,
/dev/sound/* rw,
# NOTE(review): 'rw' on the whole procfs asound tree; confirm write access
# is actually required — read is the usual need for card enumeration.
@{PROC}/asound/** rw,
/usr/share/alsa/** r,
/usr/share/sounds/** r,
owner @{HOME}/.asoundrc r,
# CEC
/sys/bus/**/devices/ r,
# NOTE(review): this matches essentially every attribute under /sys/devices
# at depth four and below; see whether the two rules above already cover CEC.
/sys/devices/*/*/*/** r,
#/run/udev/data/+pci:* r,
#/run/udev/data/+acpi:* r,
# NOTE(review): the udevadm section earlier in this profile states that
# '/run/udev/data/* r' "reveals too much about the system and cannot be
# granted to apps by default". The narrower +pci:/+acpi: forms are left
# commented out just above — confirm whether they suffice for CEC and
# prefer them if so.
/run/udev/data/* r,
# mounts
/etc/fstab r,
/dev/cdrom* r,
/dev/dvd* r,
/proc/@{pid}/mounts r,
# Media library: only the invoking user's own files (owner), and write is
# confined to ~/Videos and /media rather than the whole home directory.
owner @{HOME}/ r,
#owner /home/*/Videos r,
#owner /home/*/Videos/** rw,
owner @{HOME}/Videos/** rw,
/media/ r,
owner /media/** rw,
}