feat(profile): modernize a few app profiles.

2024-11-15 16:03:51 +01:00 · 2024-05-15 14:50:50 +01:00 · 2024-05-15 14:50:50 +01:00 · 407c71b133
commit 407c71b133
parent acd6a9794d
6 changed files with 69 additions and 189 deletions
--- a/apparmor.d/groups/apps/discord-chrome-sandbox
+++ b/apparmor.d/groups/apps/discord-chrome-sandbox
@ -7,31 +7,24 @@ abi <abi/3.0>,
 include <tunables/global>
-@{DISCORD_LIBDIR} = /usr/share/discord
+@{name} = discord
-@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
+@{lib_dirs} = /usr/share/@{name} /opt/@{name} 
-@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
+@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
-
+@{cache_dirs} = @{user_cache_dirs}/@{name}
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
@{exec_path} = @{lib_dirs}/chrome-sandbox
 profile discord-chrome-sandbox @{exec_path} {
  include <abstractions/base>
-  # For kernel unprivileged user namespaces
+  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability setuid,
  capability setgid,
  # optional
  capability sys_resource,
  @{exec_path} mr,
-  # Do not strip env to avoid errors like the following:
+  @{lib_dirs}/Discord rpx,
  #   /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
  #   shared object file: No such file or directory
  #   [1]    777862 trace trap  discord
  @{DISCORD_LIBDIR}/Discord rpx,
             @{PROC}/@{pids}/ r,
  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@ -7,143 +7,77 @@ abi <abi/3.0>,
 include <tunables/global>
-@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
+@{name} = dropbox
-@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
+@{config_dirs}=@{HOME}/.@{name}/
-@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
+@{share_dirs}=@{HOME}/Dropbox*/
@{demon_dirs}=@{HOME}/.dropbox-dist/
@{exec_path} = @{bin}/dropbox
 profile dropbox @{exec_path} {
  include <abstractions/base>
-  include <abstractions/X>
+  include <abstractions/desktop>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/python>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/qt5-settings-write>
  include <abstractions/ssl_certs>
-  ptrace peer=@{profile_name},
+  @{exec_path} mr,
  @{exec_path} r,
  @{bin}/ r,
  @{bin}/python3.@{int} r,
  # Dropbox home files
  owner @{HOME}/ r,
  owner @{DROPBOX_HOME_DIR}/ rw,
  owner @{DROPBOX_HOME_DIR}/** rwk,
  # Shared files
  owner @{DROPBOX_SHARE_DIR}/ rw,
  owner @{DROPBOX_SHARE_DIR}/{,**} rw,
  # Dropbox proprietary demon files
  owner @{DROPBOX_DEMON_DIR}/{,**} rw,
  owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
  owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
  @{sh_path}        rix,
  @{bin}/readlink   rix,
  @{bin}/dirname    rix,
  @{bin}/uname      rix,
  @{bin}/ldconfig   rix,
  @{bin}/python3.@{int}             rix,
  @{lib}/llvm-[0-9]*/bin/clang      rix,
  @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
  @{bin}/{,@{multiarch}-}objdump    rix,
-  # Needed for updating Dropbox
+  @{bin}/xdg-open                   rCx -> child-open,
-  owner @{tmp}/.dropbox-dist-new-*/{,**} rw,
+  @{bin}/lsb_release                rPx -> lsb_release,
  owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
  owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
  owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
  owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
  owner @{HOME}/.dropbox-dist-old*/{,**} rw,
  owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
-  # For autostart
+  owner @{HOME}/ r,
-  deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
+  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwk,
-  # What's this for?
+  owner @{share_dirs}/ rw,
-  @{bin}/mount mrix,
+  owner @{share_dirs}/{,**} rw,
  @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
  @{sys}/devices/virtual/block/loop[0-9]/ r,
  @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
  @{run}/mount/utab r,
-  deny       @{PROC}/ r,
+  # Dropbox proprietary demon files
-  # Dropbox doesn't sync without the 'stat' file
+  owner @{demon_dirs}/{,**} rw,
-       owner @{PROC}/@{pid}/stat r,
+  owner @{demon_dirs}/dropboxd rwix,
-  #
+  owner @{demon_dirs}/dropbox-lnx.*/dropbox rwix,
-  deny owner @{PROC}/@{pid}/statm r,
+  owner @{demon_dirs}/dropbox-lnx.*/dropboxd rwix,
-  deny owner @{PROC}/@{pid}/io r,
+  owner @{demon_dirs}/dropbox-lnx.*/dropbox_py3 rwix,
-  deny       @{PROC}/@{pid}/net/tcp{,6} r,
+  owner @{demon_dirs}/dropbox-lnx.*/wmctrl rwix,
-  deny       @{PROC}/@{pid}/net/udp{,6} r,
+  owner @{demon_dirs}/dropbox-lnx.*/*.so* mrw,
-  # When "cmdline" is blocked, Dropbox has some issues while starting:
+  owner @{demon_dirs}/dropbox-lnx.*/plugins/platforms/*.so mrw,
  #  The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
             @{PROC}/@{pid}/cmdline r,
  #
       owner @{PROC}/@{pid}/fd/ r,
       owner @{PROC}/@{pid}/fdinfo/* r,
       owner @{PROC}/@{pid}/task/ r,
       owner @{PROC}/@{pid}/task/@{tid}/stat r,
       owner @{PROC}/@{pid}/task/@{tid}/comm r,
  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
       owner @{PROC}/@{pid}/mounts r,
       owner @{PROC}/@{pid}/mountinfo r,
  deny       @{PROC}/version r,
  # To remove the following error:
  #  RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
  #  ([Errno 13] Permission denied: '/proc/vmstat')
             @{PROC}/vmstat r,
  # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
  owner @{tmp}/dropbox-antifreeze-* rw,
  owner @{tmp}/[a-zA-z0-9]* rw,
  owner @{tmp}/#@{int} rw,
  owner /var/tmp/etilqs_@{hex} rw,
  @{run}/systemd/users/@{uid} r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/tcp{,6} r,
        @{PROC}/@{pid}/net/udp{,6} r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/* r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  deny @{sys}/module/apparmor/parameters/enabled r,
-
+  deny @{user_config_dirs}/autostart/dropbox.desktop rw,
  # External apps
  @{bin}/xdg-open                                  rCx -> open,
  @{bin}/lsb_release                               rPx -> lsb_release,
  # Allowed apps to open
  @{lib}/firefox/firefox rPUx,
  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>
    @{bin}/xdg-open mr,
    @{sh_path}             rix,
    @{bin}/{m,g,}awk       rix,
    @{bin}/readlink        rix,
    @{bin}/basename        rix,
    owner @{HOME}/ r,
    owner @{run}/user/@{uid}/ r,
    # Allowed apps to open
    @{lib}/firefox/firefox rPUx,
    # file_inherit
    owner @{HOME}/.xsession-errors w,
  }
  include if exists <local/dropbox>
 }
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@ -24,11 +24,21 @@ profile filezilla @{exec_path} {
  @{sh_path}         rix,
  @{bin}/uname       rix,
-  # When using SFTP protocol
+  @{bin}/fzsftp      rPx,  # When using SFTP protocol
  @{bin}/fzsftp      rPx,
  @{bin}/lsb_release rPx -> lsb_release,
  /usr/share/filezilla/{,**} r,
  /etc/fstab r,
  / r,
  /*/ r,
  /*/*/ r,
  # FTP share folder
  owner @{MOUNTS}/ftp/ r,
  owner @{MOUNTS}/ftp/** rw,
  owner @{HOME}/ r,
  owner @{user_config_dirs}/filezilla/ rw,
  owner @{user_config_dirs}/filezilla/* rwk,
@ -36,36 +46,15 @@ profile filezilla @{exec_path} {
  owner @{user_cache_dirs}/filezilla/ rw,
  owner @{user_cache_dirs}/filezilla/default_*.png rw,
  /usr/share/filezilla/{,**} r,
  owner @{PROC}/@{pid}/fd/ r,
  # To remove the following error:
  #  GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
  #  (g-file-error-quark, 2)
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  /etc/fstab r,
  # Creating new files on FTP
        /tmp/ r,
  owner @{tmp}/fz[0-9]temp-@{int}/ rw,
  owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
  owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
  # External apps
  @{lib}/firefox/firefox rPUx,
  # FTP share folder
  owner @{MOUNTS}/ftp/ r,
  owner @{MOUNTS}/ftp/** rw,
  # Silencer
  / r,
  /*/ r,
  /*/*/ r,
  # file_inherit
  owner /dev/tty@{int} rw,
  include if exists <local/filezilla>
--- a/apparmor.d/groups/apps/freetube-chrome-sandbox
+++ b/apparmor.d/groups/apps/freetube-chrome-sandbox
@ -7,12 +7,10 @@ abi <abi/3.0>,
 include <tunables/global>
-@{FT_LIBDIR} =  @{lib}/freetube
+@{name} = {F,f}reetube{,-vue}
-@{FT_LIBDIR} += @{lib}/freetube-vue
+@{lib_dirs} = @{lib}/@{name} /opt/@{name} 
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue
-@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
+@{exec_path} = @{lib_dirs}/chrome-sandbox
 profile freetube-chrome-sandbox @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -25,7 +23,7 @@ profile freetube-chrome-sandbox @{exec_path} {
  @{exec_path} mr,
  # Has to be lower "P"
-  @{FT_LIBDIR}/freetube{,-vue} rpx,
+  @{lib_dirs}/@{name} rpx,
             @{PROC}/@{pids}/ r,
       owner @{PROC}/@{pid}/oom_{,score_}adj r,
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -8,24 +8,17 @@ abi <abi/3.0>,
 include <tunables/global>
@{name} = signal-desktop{,-beta}
-@{lib_dirs} = "/usr/lib/signal-desktop"
+@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
@{lib_dirs} += "/opt/Signal{, Beta}"
@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
@{exec_path} = @{lib_dirs}/@{name}
 profile signal-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/common/chromium>
+  include <abstractions/common/electron>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  # Needed?
  deny capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
@ -37,46 +30,19 @@ profile signal-desktop @{exec_path} {
  @{bin}/getconf rix,
  @{bin}/xdg-settings rPx,
  @{lib_dirs}/ r,
  @{lib_dirs}/{swiftshader/,}libEGL.so mr,
  @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
  @{lib_dirs}/** r,
  @{lib_dirs}/chrome-sandbox rPx,
  @{lib_dirs}/libffmpeg.so mr,
  @{lib_dirs}/libnode.so mr,
  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
  @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.@{int} mr,
  @{lib_dirs}/chrome_crashpad_handler rix,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwk,
  owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,
  @{run}/systemd/inhibit/*.ref rw,
        @{PROC}/ r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pids}/statm r,
  owner @{PROC}/@{pids}/task/ r,
  owner @{PROC}/@{pids}/task/@{tid}/status r,
  @{sys}/devices/system/cpu/kernel_max r,
  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/fs/cgroup/user.slice/** r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
  @{PROC}/vmstat r,
  include if exists <local/signal-desktop>
 }