From 407c71b133b23a4d0e961847badcca055fd8e18a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 15 May 2024 14:50:50 +0100
Subject: [PATCH] feat(profile): modernize a few app profiles.
---
 apparmor.d/groups/apps/discord | 2 +-
 apparmor.d/groups/apps/discord-chrome-sandbox | 23 +--
 apparmor.d/groups/apps/dropbox | 146 +++++-------------
 apparmor.d/groups/apps/filezilla | 37 ++---
 .../groups/apps/freetube-chrome-sandbox | 10 +-
 apparmor.d/groups/apps/signal-desktop | 40 +----
 6 files changed, 69 insertions(+), 189 deletions(-)
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index c703ff35..8da97455 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@@ -8,7 +8,7 @@ abi ,
 include
 @{name} = discord
-@{lib_dirs} = /usr/share/@{name} /opt/@{name}
+@{lib_dirs} = /usr/share/@{name} /opt/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
 @{cache_dirs} = @{user_cache_dirs}/@{name}
diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/groups/apps/discord-chrome-sandbox
index 63b14a1b..1c636286 100644
--- a/apparmor.d/groups/apps/discord-chrome-sandbox
+++ b/apparmor.d/groups/apps/discord-chrome-sandbox
@@ -7,31 +7,24 @@ abi ,
 include
-@{DISCORD_LIBDIR} = /usr/share/discord
-@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
-@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
-
-@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
+@{name} = discord
+@{lib_dirs} = /usr/share/@{name} /opt/@{name}
+@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+@{exec_path} = @{lib_dirs}/chrome-sandbox
 profile discord-chrome-sandbox @{exec_path} {
 include
- # For kernel unprivileged user namespaces
+ capability setgid,
+ capability setuid,
 capability sys_admin,
 capability sys_chroot,
- capability setuid,
- capability setgid,
-
- # optional
 capability sys_resource,
 @{exec_path} mr,
- # Do not strip env to avoid errors like the following:
- # /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
- # shared object file: No such file or directory
- # [1] 777862 trace trap discord
- @{DISCORD_LIBDIR}/Discord rpx,
+ @{lib_dirs}/Discord rpx,
 @{PROC}/@{pids}/ r,
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index c960e62f..961850c9 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
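Review bot: The rationale for the lowercase transition in `@{lib_dirs}/Discord rpx,` disappears with the removed comment block, so nothing now tells a maintainer why the environment must not be scrubbed on this exec, while the freetube sibling changed in the same commit keeps its `# Has to be lower "P"` marker. A one-line why-comment keeps the two profiles consistent and prevents a later "tightening" to `rPx` from reintroducing the libffmpeg.so loading failure the old comment recorded: `# Has to be lower "p": Discord needs the sandbox's environment to locate libffmpeg.so`. The `# For kernel unprivileged user namespaces` comment that explained the capability block was dropped as well; it is worth keeping above `capability setgid,`.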
@@ -7,143 +7,77 @@ abi ,
 include
-@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
-@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
-@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
+@{name} = dropbox
+@{config_dirs}=@{HOME}/.@{name}/
+@{share_dirs}=@{HOME}/Dropbox*/
+@{demon_dirs}=@{HOME}/.dropbox-dist/
 @{exec_path} = @{bin}/dropbox
 profile dropbox @{exec_path} {
 include
- include
- include
- include
+ include
 include
- include
- include
 include
+ include
 include
 include
- ptrace peer=@{profile_name},
-
- @{exec_path} r,
+ @{exec_path} mr,
 @{bin}/ r,
- @{bin}/python3.@{int} r,
-
- # Dropbox home files
- owner @{HOME}/ r,
- owner @{DROPBOX_HOME_DIR}/ rw,
- owner @{DROPBOX_HOME_DIR}/** rwk,
-
- # Shared files
- owner @{DROPBOX_SHARE_DIR}/ rw,
- owner @{DROPBOX_SHARE_DIR}/{,**} rw,
-
- # Dropbox proprietary demon files
- owner @{DROPBOX_DEMON_DIR}/{,**} rw,
- owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
- owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
- @{sh_path} rix,
 @{bin}/readlink rix,
 @{bin}/dirname rix,
 @{bin}/uname rix,
- @{bin}/ldconfig rix,
+ @{bin}/ldconfig rix,
+ @{bin}/python3.@{int} rix,
 @{lib}/llvm-[0-9]*/bin/clang rix,
 @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
 @{bin}/{,@{multiarch}-}objdump rix,
- # Needed for updating Dropbox
- owner @{tmp}/.dropbox-dist-new-*/{,**} rw,
- owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
- owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
- owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
- owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
- owner @{HOME}/.dropbox-dist-old*/{,**} rw,
- owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
+ @{bin}/xdg-open rCx -> child-open,
+ @{bin}/lsb_release rPx -> lsb_release,
- # For autostart
- deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
+ owner @{HOME}/ r,
+ owner @{config_dirs}/ rw,
+ owner @{config_dirs}/** rwk,
- # What's this for?
- @{bin}/mount mrix,
- @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
- @{sys}/devices/virtual/block/loop[0-9]/ r,
- @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
- @{run}/mount/utab r,
+ owner @{share_dirs}/ rw,
+ owner @{share_dirs}/{,**} rw,
- deny @{PROC}/ r,
- # Dropbox doesn't sync without the 'stat' file
- owner @{PROC}/@{pid}/stat r,
- #
- deny owner @{PROC}/@{pid}/statm r,
- deny owner @{PROC}/@{pid}/io r,
- deny @{PROC}/@{pid}/net/tcp{,6} r,
- deny @{PROC}/@{pid}/net/udp{,6} r,
- # When "cmdline" is blocked, Dropbox has some issues while starting:
- # The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
- @{PROC}/@{pid}/cmdline r,
- #
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/fdinfo/* r,
- owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/task/@{tid}/stat r,
- owner @{PROC}/@{pid}/task/@{tid}/comm r,
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/mountinfo r,
- deny @{PROC}/version r,
- # To remove the following error:
- # RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
- # ([Errno 13] Permission denied: '/proc/vmstat')
- @{PROC}/vmstat r,
+ # Dropbox proprietary demon files
+ owner @{demon_dirs}/{,**} rw,
+ owner @{demon_dirs}/dropboxd rwix,
+ owner @{demon_dirs}/dropbox-lnx.*/dropbox rwix,
+ owner @{demon_dirs}/dropbox-lnx.*/dropboxd rwix,
+ owner @{demon_dirs}/dropbox-lnx.*/dropbox_py3 rwix,
+ owner @{demon_dirs}/dropbox-lnx.*/wmctrl rwix,
+ owner @{demon_dirs}/dropbox-lnx.*/*.so* mrw,
+ owner @{demon_dirs}/dropbox-lnx.*/plugins/platforms/*.so mrw,
 # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
 owner @{tmp}/dropbox-antifreeze-* rw,
- owner @{tmp}/[a-zA-z0-9]* rw,
 owner @{tmp}/#@{int} rw,
 owner /var/tmp/etilqs_@{hex} rw,
 @{run}/systemd/users/@{uid} r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/net/tcp{,6} r,
+ @{PROC}/@{pid}/net/udp{,6} r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fdinfo/* r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ deny @{sys}/module/apparmor/parameters/enabled r,
-
- # External apps
- @{bin}/xdg-open rCx -> open,
- @{bin}/lsb_release rPx -> lsb_release,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
+ deny @{user_config_dirs}/autostart/dropbox.desktop rw,
 include if exists
 }
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla
index cc099ce4..0e41a5a0 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@@ -24,11 +24,21 @@ profile filezilla @{exec_path} {
 @{sh_path} rix,
 @{bin}/uname rix,
- # When using SFTP protocol
- @{bin}/fzsftp rPx,
-
+ @{bin}/fzsftp rPx, # When using SFTP protocol
 @{bin}/lsb_release rPx -> lsb_release,
+ /usr/share/filezilla/{,**} r,
+
+ /etc/fstab r,
+
+ / r,
+ /*/ r,
+ /*/*/ r,
+
+ # FTP share folder
+ owner @{MOUNTS}/ftp/ r,
+ owner @{MOUNTS}/ftp/** rw,
+ owner @{HOME}/ r,
 owner @{user_config_dirs}/filezilla/ rw,
 owner @{user_config_dirs}/filezilla/* rwk,
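Review bot: The self-update rules removed under `# Needed for updating Dropbox` (`owner @{tmp}/.dropbox-dist-new-*/...`, `owner @{HOME}/.dropbox-dist-old*/{,**} rw,`, `owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,`) have no replacement on the new side, so unless one of the includes now covers them (their names are not rendered in this diff) the daemon's in-place upgrade will be denied; either keep them next to the `@{demon_dirs}` block or state in a comment that updates are intentionally blocked. `@{bin}/xdg-open rCx -> child-open,` is a child-profile transition, which only resolves if a `profile child-open { ... }` is defined inside this profile or pulled in by an include; if `child-open` is a standalone profile, as its name suggests, `rPx -> child-open` is the transition that matches it. `owner @{demon_dirs}/dropbox-lnx.*/*.so* mrw,` grants write and executable-map on the same user-writable files; that is what a self-updating proprietary daemon requires, but a comment such as `# W+X on the unpacked daemon is needed for self-update` would mark it as deliberate rather than an oversight. Style: `@{config_dirs}=@{HOME}/.@{name}/`, `@{share_dirs}=...` and `@{demon_dirs}=...` omit the spaces around `=` that `@{name} = dropbox` and `@{exec_path} = @{bin}/dropbox` use.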
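Review bot: The moved `/ r,`, `/*/ r,` and `/*/*/ r,` rules lose their `# Silencer` label, so the new block no longer tells a reader that listing `/` and two levels below it exists only as a silencer rather than as something FileZilla functionally depends on; keep the label above `/ r,`. The second hunk of this file drops the why-comment about the GLib-GIO warning that sat above `owner @{PROC}/@{pid}/mountinfo r,`; a one-liner like `# GLib-GIO warns when /proc/self/mountinfo is unreadable` preserves that rationale.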
@@ -36,36 +46,15 @@ profile filezilla @{exec_path} {
 owner @{user_cache_dirs}/filezilla/ rw,
 owner @{user_cache_dirs}/filezilla/default_*.png rw,
- /usr/share/filezilla/{,**} r,
- owner @{PROC}/@{pid}/fd/ r,
- # To remove the following error:
- # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
- # (g-file-error-quark, 2)
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- /etc/fstab r,
-
- # Creating new files on FTP
 /tmp/ r,
 owner @{tmp}/fz[0-9]temp-@{int}/ rw,
 owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
 owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
- # External apps
- @{lib}/firefox/firefox rPUx,
-
- # FTP share folder
- owner @{MOUNTS}/ftp/ r,
- owner @{MOUNTS}/ftp/** rw,
-
- # Silencer
- / r,
- /*/ r,
- /*/*/ r,
-
- # file_inherit
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox
index a0aee6a8..d1c901e6 100644
--- a/apparmor.d/groups/apps/freetube-chrome-sandbox
+++ b/apparmor.d/groups/apps/freetube-chrome-sandbox
@@ -7,12 +7,10 @@ abi ,
 include
-@{FT_LIBDIR} = @{lib}/freetube
-@{FT_LIBDIR} += @{lib}/freetube-vue
-@{FT_LIBDIR} += /opt/FreeTube
-@{FT_LIBDIR} += /opt/FreeTube-Vue
+@{name} = {F,f}reetube{,-vue}
+@{lib_dirs} = @{lib}/@{name} /opt/@{name}
-@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
+@{exec_path} = @{lib_dirs}/chrome-sandbox
 profile freetube-chrome-sandbox @{exec_path} {
 include
 include
@@ -25,7 +23,7 @@ profile freetube-chrome-sandbox @{exec_path} {
 @{exec_path} mr,
 # Has to be lower "P"
- @{FT_LIBDIR}/freetube{,-vue} rpx,
+ @{lib_dirs}/@{name} rpx,
 @{PROC}/@{pids}/ r,
 owner @{PROC}/@{pid}/oom_{,score_}adj r,
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index 8d43eb2f..4b125f55 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
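Review bot: `@{name} = {F,f}reetube{,-vue}` expands to `Freetube`, `freetube`, `Freetube-vue` and `freetube-vue`, none of which matches the `/opt/FreeTube` and `/opt/FreeTube-Vue` directories the removed `@{FT_LIBDIR}` lines listed; AppArmor path matching is case-sensitive, so if the installed directory is still spelled with a capital T and V the sandbox binary no longer falls under `@{exec_path}` and this profile will not attach to it. Keeping the exact spellings is both safer and clearer than a capitalization alternation, for instance `@{name} = freetube{,-vue}` and `@{lib_dirs} = @{lib}/@{name} /opt/FreeTube{,-Vue}`. The second hunk's `@{lib_dirs}/@{name} rpx,` inherits the same problem and, because `@{name}` appears in both the directory and the binary, also matches the full cross product of spellings (e.g. `/opt/Freetube-vue/freetube`), which is harmless only as long as none of those paths exist.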
@@ -8,24 +8,17 @@ abi ,
 include
 @{name} = signal-desktop{,-beta}
-@{lib_dirs} = "/usr/lib/signal-desktop"
-@{lib_dirs} += "/opt/Signal{, Beta}"
+@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
 @{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
 @{exec_path} = @{lib_dirs}/@{name}
 profile signal-desktop @{exec_path} {
 include
 include
- include
- include
+ include
 include
- include
- include
 include
- # Needed?
- deny capability sys_ptrace,
- network inet dgram,
 network inet6 dgram,
 network inet stream,
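Review bot: Removing `deny capability sys_ptrace,` together with its `# Needed?` comment is functionally neutral, since a capability that is not granted is refused anyway, but the explicit `deny` also kept the refusal out of the audit log, so sys_ptrace attempts by Signal will now be logged; if that noise is why the rule existed, keep it and replace `# Needed?` with the actual reason. Minor: `@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"` mixes a quoted and an unquoted value, which is valid but reads inconsistently next to the fully quoted `@{config_dirs}` line.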
@@ -37,46 +30,19 @@ profile signal-desktop @{exec_path} {
 @{bin}/getconf rix,
 @{bin}/xdg-settings rPx,
- @{lib_dirs}/ r,
- @{lib_dirs}/{swiftshader/,}libEGL.so mr,
- @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
- @{lib_dirs}/** r,
 @{lib_dirs}/chrome-sandbox rPx,
- @{lib_dirs}/libffmpeg.so mr,
- @{lib_dirs}/libnode.so mr,
- @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
- @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
- @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.@{int} mr,
 @{lib_dirs}/chrome_crashpad_handler rix,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- owner @{config_dirs}/ rw,
- owner @{config_dirs}/** rwk,
- owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,
- @{run}/systemd/inhibit/*.ref rw,
- @{PROC}/ r,
- @{PROC}/@{pids}/stat r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/vmstat r,
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- owner @{PROC}/@{pids}/statm r,
- owner @{PROC}/@{pids}/task/ r,
- owner @{PROC}/@{pids}/task/@{tid}/status r,
-
- @{sys}/devices/system/cpu/kernel_max r,
- @{sys}/devices/virtual/tty/tty@{int}/active r,
- @{sys}/fs/cgroup/user.slice/** r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+ @{PROC}/vmstat r,
 include if exists
 }
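Review bot: After this hunk `@{config_dirs}` is no longer referenced by any rule visible in this file even though the first hunk keeps its definition, and the per-file `mr` rules for `libffmpeg.so`, `libnode.so` and the `app.asar.unpacked/node_modules/**.node` / `**.so` libraries are gone with no visible replacement; presumably the abstraction newly included in the first hunk consumes `@{lib_dirs}` and `@{config_dirs}` (its name is not rendered in this diff). If so, a comment above the variable block, e.g. `# @{lib_dirs} and @{config_dirs} are consumed by the included abstraction`, would document that contract for the next maintainer. If that abstraction grants `@{lib_dirs}/** mr` wholesale, it is broader than the per-file list it replaces and is worth confirming before merge.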