readers

2025-01-18 08:58:15 +01:00 · 2023-04-03 01:41:31 +00:00 · 2023-04-03 01:41:31 +00:00 · 2a20b69c65
commit 2a20b69c65
parent 9b51f26500
5 changed files with 204 additions and 10 deletions
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -33,15 +33,60 @@ profile calibre @{exec_path} {
  include <abstractions/ssl_certs>
  include <abstractions/devices-usb>
  include <abstractions/chromium-common>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/nvidia>

  capability sys_ptrace,

  network netlink raw,
+  # also denies network mounts
+  deny network inet,
+  deny network inet6,
+
+  unix (send, receive) type=stream peer=(addr=none, label=xorg),
+  unix (bind, listen)  type=stream addr="@*-calibre-gui.socket",
+  unix (bind)          type=stream addr="@calibre-*",
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set
+       peer=(name=:*),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=EventListenerDeregistered
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus),
+
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(name=:*),

  @{exec_path} mrix,
  /{usr/,}bin/python3.[0-9]* r,

-  /{usr/,}{s,}bin/ldconfig     rix,
+  /{usr/,}{s,}bin/ldconfig{,.real} rix,
  /{usr/,}bin/{,ba,da}sh       rix,
  /{usr/,}bin/file             rix,
  /{usr/,}bin/uname            rix,
@ -58,16 +103,16 @@ profile calibre @{exec_path} {
  /usr/share/hwdata/pnp.ids r,
  /usr/share/qt5/**.pak r,
  /usr/share/qt5ct/** r,
+  /usr/share/zoneinfo-icu/**.res r,

  /etc/fstab r,
  /etc/inputrc r,
  /etc/magic r,
  /etc/mime.types r,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
  owner @{HOME}/ r,
+  owner "@{HOME}/Calibre Library/{,**}" rw,
+  owner "@{HOME}/Calibre Library/metadata.db" rwk,
  owner @{user_documents_dirs}/{,**} rwl,
  owner @{user_books_dirs}/{,**} rwl,
  owner @{user_torrents_dirs}/{,**} rwl,
@ -98,7 +143,8 @@ profile calibre @{exec_path} {
  owner /tmp/calibre_*_tmp_*/{,**} rw,
  owner /tmp/calibre-*/{,**} rw,
  owner /tmp/[0-9]*-*/ rw,
-  owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
+  owner /tmp/[0-9]*-*/** rwl,
+#  owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,  # newer AA version
  owner /tmp/* rw,

  owner /dev/shm/#[0-9]*[0-9] rw,
@ -106,19 +152,21 @@ profile calibre @{exec_path} {
  @{sys}/devices/pci[0-9]*/**/irq r,

             @{PROC}/ r,
-             @{PROC}/@{pid}/net/route r,
+             @{PROC}/@{pids}/net/route r,
             @{PROC}/sys/fs/inotify/max_user_watches r,
             @{PROC}/sys/kernel/yama/ptrace_scope r,
             @{PROC}/vmstat r,
       owner @{PROC}/@{pid}/fd/ r,
       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
-       owner @{PROC}/@{pids}/stat r,
-       owner @{PROC}/@{pids}/task/ r,
-       owner @{PROC}/@{pids}/task/@{tid}/status r,
-  deny       @{PROC}/sys/kernel/random/boot_id r,
+       owner @{PROC}/@{pid}/stat{,m} r,
+       owner @{PROC}/@{pid}/comm r,
+       owner @{PROC}/@{pid}/task/ r,
+       owner @{PROC}/@{pid}/task/@{tid}/status r,
+       owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  deny owner @{PROC}/@{pid}/cmdline r,
  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+  deny       @{PROC}/sys/kernel/random/boot_id r,

  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -49,6 +49,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd                          rPUx,
  /{usr/,}lib/ibus/ibus-*                                                 rPx,
  /{usr/,}lib/telepathy/mission-control-5                                 rPx,
+  /{usr/,}lib/atril/atrild                                                rPx,
  /usr/share/gnome-documents/org.gnome.Documents                          rPx,
  /usr/share/org.gnome.Characters/org.gnome.Characters                    rPx,
  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService  rPx,
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@ -17,9 +17,51 @@ profile atril @{exec_path} {
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
+  include <abstractions/X-strict>
+  include <abstractions/ibus>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-accessibility-strict>

  network netlink raw,

+  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=EventListenerDeregistered
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/mate/atril/{,**}
+       peer=(name=org.freedesktop.DBus, label=atrild),  # all interfaces and members
+
+  dbus send bus=session path=/org/mate/atril/Daemon
+       interface=org.mate.atril.Daemon
+       member={RegisterDocument,UnregisterDocument}
+       peer=(name=org.mate.atril.Daemon),  # no peer's labels
+
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh      rix,
@ -44,6 +86,8 @@ profile atril @{exec_path} {

  owner @{user_cache_dirs}/atril/{,**} rw,

+  owner @{user_share_dirs}/ r,
+
  owner /tmp/gtkprint_* rw,
  owner /tmp/settings*.ini rw,
  owner /tmp/settings*.ini.* rw,
@ -65,3 +109,9 @@ profile atril @{exec_path} {

  include if exists <local/atril>
 }
+
+profile /{usr/,}bin/atril-previewer {
+  include <abstractions/base>
+
+  include if exists <local/atril-previewer>
+}
--- a/apparmor.d/profiles-a-f/atrild
+++ b/apparmor.d/profiles-a-f/atrild
@ -9,6 +9,18 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/atril/atrild
 profile atrild @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+
+  dbus send bus=session path=/org/freedesktop/DBus
+     interface=org.freedesktop.DBus
+     member={RequestName,ReleaseName}
+     peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+  dbus (send, receive) bus=session path=/org/mate/atril/**
+       peer=(name="{:*,org.freedesktop.DBus}", label=atril),  # all interfaces and members
+
+  dbus bind bus=session
+       name=org.mate.atril.Daemon,

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@ -15,10 +15,70 @@ profile evince @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/user-read>
  include <abstractions/user-write>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/ibus>

+  # also denies network mounts
  deny network inet,
  deny network inet6,

+  dbus send    bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus send    bus=session path=/org/gtk/vfs/metadata
+       interface=org.gtk.vfs.Metadata
+       member={Set,GetTreeFromDevice}
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Settings
+       member=Read
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/gnome/evince/Daemon
+       interface=org.gnome.evince.Daemon
+       member=RegisterDocument
+       peer=(name=org.gnome.evince.Daemon), # no peer's labels
+
+  dbus (send, receive) bus=session path=/org/gnome/evince/{,**}
+       peer=(name="{org.gnome.evince.Daemon,org.freedesktop.DBus,:*}", label=@{profile_name}), # all interfaces and members
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus send    bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+  dbus receive bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=EventListenerDeregistered
+       peer=(name=:*, label=at-spi2-registryd),
+
+  dbus bind bus=session
+       name=org.gnome.evince.Daemon,
+
  @{exec_path} rix,

  /{usr/,}bin/{,ba,da}sh          rix,
@ -51,3 +111,26 @@ profile evince @{exec_path} {

  include if exists <local/evince>
 }
+
+profile evince-previewer /{,usr/}bin/evince-previewer {
+  include <abstractions/base>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
+
+  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label=xorg),
+
+  /{,usr/}bin/evince-previewer mr,
+
+  # X-tiny
+  owner @{HOME}/.Xauthority r,
+
+  include if exists <local/evince-previewer>
+}
+
+profile evince-thumbnailer /{,usr/}bin/evince-thumbnailer {
+  include <abstractions/base>
+
+  /{,usr/}bin/evince-thumbnailer mr,
+
+  include if exists <local/evince-thumbnailer>
+}