update apparmor profiles

parent 744c3843
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# #include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
#include <abstractions/X>
#include <abstractions/audio> # for alert messages
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
#include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# Deny DBus
# for GTK error message dialog, not required exo-open to work.
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
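Review bot: The usage example in this header opens a code fence on the line after `# Usage example:` but never closes it, unlike the gvfs-open, kde-open5 and xdg-open abstractions in the same commit, which end the example with a closing fence line right after `# }`; the gio-open abstraction has the same omission. Adding the closing fence line after `# }` keeps the five headers uniform. The same header also carries the typos `accesibility` and `message boxe`, which are repeated verbatim in the kde-open5 header.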
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# #include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# #include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
#include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
#include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
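Review bot: The interpreter rule `/{,usr/}bin/dash mr,` only covers distributions where /bin/sh is dash, while the xdg-open abstraction in this commit uses `/{,usr/}bin/{b,d}ash mr,` for the same purpose; on systems where /bin/sh is bash (openSUSE, Fedora) the exec of the gvfs-open wrapper would be denied inside this child profile. Using the same `{b,d}ash` alternation here keeps the two abstractions consistent. That gvfs-open is a /bin/sh script is inferred from the `dash mr` rule and the `launches gio open <uri>` comment rather than from a visible shebang, so confirm against the installed file.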
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# #include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# #include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# #include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
#include <abstractions/audio> # for alert messages
#include <abstractions/base>
#include <abstractions/dbus-accessibility-strict>
#include <abstractions/dbus-network-manager-strict>
#include <abstractions/dbus-session-strict>
#include <abstractions/dbus-strict>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
#include <abstractions/openssl>
#include <abstractions/qt5>
#include <abstractions/recent-documents-write>
#include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
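Review bot: The link rule for `kioclient*slave-socket` has a target that does not match its own source pattern: the source is `/{,var/}run/user/[0-9]*/...` but the target is `/{,var/}/run/user/[0-9]/#[0-9]*`, which expands to a doubled slash (`//run/...`) and a single-digit uid, so a uid such as 1000 can never satisfy the target and the `l` permission is effectively dead. The target should read `-> /{,var/}run/user/[0-9]*/#[0-9]*,`, mirroring the `rw` rule on the preceding line. The `dbus bus=session interface=org.kde.KLauncher ...` rule names no access mode, so it permits receive and bind as well as send; if only the client side is needed, `dbus send` narrows it. The usage example also carries a copied comment (`in case exo-open fails`) and the typos `accesibility`, `boxe` and `VLC backed`.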
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via xdg-open helper. xdg-open abstraction
# will allow to use gio-open, kde-open5 and other helpers of the different
# desktop environments.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/xdg-open rPx -> foo//xdg-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//xdg-open {
# #include <abstractions/xdg-open>
#
# # Enable a11y support if considered required by
# # profile author for (rare) error message boxes.
# #include <abstractions/dbus-accessibility>
#
# # Enable gstreamer support if considered required by
# # profile author for (rare) error message boxes.
# #include if exists <abstractions/gstreamer>
#
# # needed for ubuntu-* abstractions
# #include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# #include <abstractions/ubuntu-browsers>
# #include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
#include <abstractions/base>
# for openin with `exo-open`
#include <abstractions/exo-open>
# for opening with `gio open <uri>`
#include <abstractions/gio-open>
# for opening with gvfs-open (deprecated)
#include <abstractions/gvfs-open>
# for opening with kde-open5
##include <abstractions/kde-open5>
# Main executables
/{,usr/}bin/{b,d}ash mr,
/usr/bin/xdg-open r,
# Additional executables
/usr/bin/xdg-mime rix,
/{,usr/}bin/cut rix, # for xdg-mime
/{,usr/}bin/head rix, # for xdg-mime
/{,usr/}bin/sed rix, # for xdg-open
/{,usr/}bin/tr rix, # for xdg-mime
/{,usr/}bin/which rix, # for xdg-open
/{,usr/}bin/{grep,egrep} rix, # for xdg-open
# System files
/dev/pts/[0-9]* rw,
/dev/tty w,
/etc/gnome/defaults.list r, # for grep
/usr/share/applications/mimeinfo.cache r, # for grep
/usr/share/terminfo/s/screen r, # for bash on openSUSE
/usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
/var/lib/menu-xdg/applications/ r, # for xdg-mime
# Usr files
owner @{HOME}/.local/share/applications/{,*.desktop} r,
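Review bot: The comment `# for opening with kde-open5` sits above `##include <abstractions/kde-open5>`, which is commented out, so kde-open5 is not actually included and the header's claim that the abstraction "will allow to use gio-open, kde-open5 and other helpers" is misleading; either enable the include or change the comment to state why it is disabled, e.g. `# kde-open5 support disabled: <reason>`. The rule `/dev/pts/[0-9]* rw,` grants read/write on any pseudo-terminal rather than the caller's own; given the sibling `/dev/tty w,` is write-only, `owner /dev/pts/[0-9]* rw,` (or `w` alone) looks like the intended scope, assuming this only serves the script's error output. Minor wording: `# for openin with` should be `# for opening with`, and `# Usr files` should match the `# User files` heading used in the other abstractions.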
......@@ -37,13 +37,11 @@ profile anki @{exec_path} {
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/ r,
/{usr/,}bin/xdg-open rPUx,
# Need more transitions (#FIXME#)
#/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/mpv rCx -> mpv,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv,
# For recording sounds while creating decks
/{usr/,}bin/lame rCx -> lame,
/{usr/,}bin/lame rCx -> lame,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**/*.pak r,
......@@ -175,5 +173,21 @@ profile anki @{exec_path} {
}
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/anki_open>
}
#include <local/anki>
}
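Review bot: In the new `open` child profile, `/{usr/,}lib/firefox/firefox rPUx,` falls back to running the browser unconfined whenever no firefox profile is loaded, which quietly undoes the confinement this commit introduces for the xdg-open path; if this repository ships a firefox profile, `rPx` fails closed instead and is the safer default, with `PUx` reserved for targets that may legitimately be unprofiled. The same rule appears in the atom, discord and dropbox `open` children, and in engrampa's for engrampa, geany and viewnior. Whichever mode is kept, a one-line comment such as `# PUx: handler runs unconfined if its profile is absent` next to the rule would make the trade-off explicit. The anki profile's main body starts before this hunk.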
......@@ -73,14 +73,14 @@ profile atom @{exec_path} {
#/{usr/,}bin/dash rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/git rPUx,
# Needed to sign commits
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
# /home/ r,
# Reading of the user home dir is required or the following error will be printed:
......@@ -187,5 +187,21 @@ profile atom @{exec_path} {
}
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/atom_open>
}
#include <local/atom>
}
......@@ -76,7 +76,7 @@ profile brave @{exec_path} {
# no new privs
#deny /{usr/,}bin/xdg-desktop-menu rx,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-mime rPUx,
......@@ -200,5 +200,21 @@ profile brave @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/brave_open>
}
#include <local/brave>
}
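Review bot: The `open` child profile's `# Allowed apps to open` section is empty, so any handler xdg-open resolves will hit the default exec denial and opening links or files from brave through xdg-open will fail until an entry is added; the chromium-chromium and flameshot `open` children are in the same state. If this is deliberate (collect the needed handlers from audit denials before allowing them), a comment saying so would stop the next reader from treating it as an oversight, e.g. `# Allowed apps to open (none yet; extend via local/brave_open)`. Otherwise the list should carry at least the handlers the other profiles in this commit already trust. The brave profile's main body starts before this hunk.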
......@@ -56,7 +56,7 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-desktop-menu rPUx,
/{usr/,}bin/xdg-icon-resource rPUx,
......@@ -175,5 +175,22 @@ profile chromium-chromium @{exec_path} {
# Silencer
deny @{CHROMIUM_INSTALLDIR}/** w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/chromium-chromium_open>
}
#include <local/chromium-chromium>
}
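Review bot: The neighbouring helpers `xdg-mime`, `xdg-settings`, `xdg-desktop-menu` and `xdg-icon-resource` keep `rPUx` in the first hunk, so they still run unconfined when no profile for them exists, while only xdg-open has been moved under the `open` child; the brave hunk leaves xdg-settings and xdg-mime in the same state. Since `abstractions/xdg-open` already grants `/usr/bin/xdg-mime rix,` plus the cut/head/tr helpers it needs, `/{usr/,}bin/xdg-mime rCx -> open,` would be a cheap follow-up, whereas the other three would need rules of their own. If they are to stay `PUx` for now, a short comment such as `# PUx: no profile for these helpers yet` would document the gap. The chromium-chromium profile's main body starts before this hunk.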
......@@ -40,7 +40,7 @@ profile discord @{exec_path} {
/{usr/,}bin/dash rix,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
@{DISCORD_LIBDIR}/ r,
@{DISCORD_LIBDIR}/** r,
......@@ -168,5 +168,21 @@ profile discord @{exec_path} {
}
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/discord_open>
}
#include <local/discord>
}
......@@ -124,11 +124,8 @@ profile dropbox @{exec_path} {
deny @{sys}/module/apparmor/parameters/enabled r,
# External apps
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
/{usr/,}lib/@{multiarch}/xfce4/notifyd/xfce4-notifyd rPUx,
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
profile dbus {
......@@ -139,5 +136,21 @@ profile dropbox @{exec_path} {
}
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/dropbox_open>
}
#include <local/dropbox>
}
......@@ -26,10 +26,10 @@ profile engrampa @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cp rix,
# Archivers
/{usr/,}bin/7z rix,
......@@ -45,7 +45,8 @@ profile engrampa @{exec_path} {
# For deb packages
/{usr/,}bin/dpkg-deb rix,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPUx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/{usr/,}bin/xdg-open rCx -> open,
owner @{HOME}/.config/engrampa/ rw,
......@@ -73,5 +74,24 @@ profile engrampa @{exec_path} {
/etc/fstab r,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}bin/engrampa rPUx,
/{usr/,}bin/geany rPUx,
/{usr/,}bin/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/engrampa_open>
}
#include <local/engrampa>
}
......@@ -29,9 +29,9 @@ profile flameshot @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/whoami rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
# Flameshot home files
owner @{HOME}/.config/Dharkael/flameshot.ini rw,
......@@ -68,5 +68,22 @@ profile flameshot @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include <local/flameshot_open>
}
#include <local/flameshot>
}
......@@ -38,9 +38,8 @@ profile freetube @{exec_path} {
owner @{PROC}/@{pid}/uid_map w,
# Needed?
deny capability sys_ptrace,
ptrace (read) peer=xdg-open,
#deny capability sys_ptrace,
#ptrace (read) peer=xdg-open,
@{exec_path} mrix,
......@@ -103,7 +102,25 @@ profile freetube @{exec_path} {
# no new privs
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-open rPUx,
/{usr/,}bin/xdg-open rCx -> open,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,