mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 16:03:51 +01:00
feat(profile): modernize a few app profiles.
This commit is contained in:
Alexandre Pujol
parent
acd6a9794d
commit
407c71b133
@ -7,31 +7,24 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{DISCORD_LIBDIR} = /usr/share/discord
|
||||
@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
|
||||
@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
|
||||
|
||||
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
|
||||
@{name} = discord
|
||||
@{lib_dirs} = /usr/share/@{name} /opt/@{name}
|
||||
@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
|
||||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
||||
@{exec_path} = @{lib_dirs}/chrome-sandbox
|
||||
profile discord-chrome-sandbox @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
# For kernel unprivileged user namespaces
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
|
||||
# optional
|
||||
capability sys_resource,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# Do not strip env to avoid errors like the following:
|
||||
# /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
|
||||
# shared object file: No such file or directory
|
||||
# [1] 777862 trace trap discord
|
||||
@{DISCORD_LIBDIR}/Discord rpx,
|
||||
@{lib_dirs}/Discord rpx,
|
||||
|
||||
@{PROC}/@{pids}/ r,
|
||||
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
|
||||
@ -7,143 +7,77 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/
|
||||
@{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/
|
||||
@{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/
|
||||
@{name} = dropbox
|
||||
@{config_dirs}=@{HOME}/.@{name}/
|
||||
@{share_dirs}=@{HOME}/Dropbox*/
|
||||
@{demon_dirs}=@{HOME}/.dropbox-dist/
|
||||
|
||||
@{exec_path} = @{bin}/dropbox
|
||||
profile dropbox @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/X>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/python>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
ptrace peer=@{profile_name},
|
||||
|
||||
@{exec_path} r,
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
@{bin}/python3.@{int} r,
|
||||
|
||||
# Dropbox home files
|
||||
owner @{HOME}/ r,
|
||||
owner @{DROPBOX_HOME_DIR}/ rw,
|
||||
owner @{DROPBOX_HOME_DIR}/** rwk,
|
||||
|
||||
# Shared files
|
||||
owner @{DROPBOX_SHARE_DIR}/ rw,
|
||||
owner @{DROPBOX_SHARE_DIR}/{,**} rw,
|
||||
|
||||
# Dropbox proprietary demon files
|
||||
owner @{DROPBOX_DEMON_DIR}/{,**} rw,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropboxd rwix,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox rwix,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropboxd rwix,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/dropbox_py3 rwix,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/wmctrl rwix,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
|
||||
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/dirname rix,
|
||||
@{bin}/uname rix,
|
||||
@{bin}/ldconfig rix,
|
||||
@{bin}/python3.@{int} rix,
|
||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
||||
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||
@{bin}/{,@{multiarch}-}objdump rix,
|
||||
|
||||
# Needed for updating Dropbox
|
||||
owner @{tmp}/.dropbox-dist-new-*/{,**} rw,
|
||||
owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix,
|
||||
owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix,
|
||||
owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix,
|
||||
owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw,
|
||||
owner @{HOME}/.dropbox-dist-old*/{,**} rw,
|
||||
owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw,
|
||||
@{bin}/xdg-open rCx -> child-open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
||||
# For autostart
|
||||
deny owner @{user_config_dirs}/autostart/dropbox.desktop rw,
|
||||
owner @{HOME}/ r,
|
||||
owner @{config_dirs}/ rw,
|
||||
owner @{config_dirs}/** rwk,
|
||||
|
||||
# What's this for?
|
||||
@{bin}/mount mrix,
|
||||
@{sys}/devices/virtual/block/dm-@{int}/dm/name r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/ r,
|
||||
@{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
|
||||
@{run}/mount/utab r,
|
||||
owner @{share_dirs}/ rw,
|
||||
owner @{share_dirs}/{,**} rw,
|
||||
|
||||
deny @{PROC}/ r,
|
||||
# Dropbox doesn't sync without the 'stat' file
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
#
|
||||
deny owner @{PROC}/@{pid}/statm r,
|
||||
deny owner @{PROC}/@{pid}/io r,
|
||||
deny @{PROC}/@{pid}/net/tcp{,6} r,
|
||||
deny @{PROC}/@{pid}/net/udp{,6} r,
|
||||
# When "cmdline" is blocked, Dropbox has some issues while starting:
|
||||
# The Dropbox daemon is not installed! Run "dropbox start -i" to install the daemon
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
#
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/* r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm r,
|
||||
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
deny @{PROC}/version r,
|
||||
# To remove the following error:
|
||||
# RuntimeWarning: 'sin' and 'sout' swap memory stats couldn't be determined and were set to 0
|
||||
# ([Errno 13] Permission denied: '/proc/vmstat')
|
||||
@{PROC}/vmstat r,
|
||||
# Dropbox proprietary demon files
|
||||
owner @{demon_dirs}/{,**} rw,
|
||||
owner @{demon_dirs}/dropboxd rwix,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/dropbox rwix,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/dropboxd rwix,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/dropbox_py3 rwix,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/wmctrl rwix,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/*.so* mrw,
|
||||
owner @{demon_dirs}/dropbox-lnx.*/plugins/platforms/*.so mrw,
|
||||
|
||||
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
|
||||
owner @{tmp}/dropbox-antifreeze-* rw,
|
||||
owner @{tmp}/[a-zA-z0-9]* rw,
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/net/tcp{,6} r,
|
||||
@{PROC}/@{pid}/net/udp{,6} r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/fdinfo/* r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
deny @{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
# External apps
|
||||
@{bin}/xdg-open rCx -> open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
||||
# Allowed apps to open
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
||||
@{bin}/xdg-open mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/basename rix,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
# Allowed apps to open
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
}
|
||||
deny @{user_config_dirs}/autostart/dropbox.desktop rw,
|
||||
|
||||
include if exists <local/dropbox>
|
||||
}
|
||||
|
||||
@ -24,11 +24,21 @@ profile filezilla @{exec_path} {
|
||||
@{sh_path} rix,
|
||||
@{bin}/uname rix,
|
||||
|
||||
# When using SFTP protocol
|
||||
@{bin}/fzsftp rPx,
|
||||
|
||||
@{bin}/fzsftp rPx, # When using SFTP protocol
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
|
||||
/usr/share/filezilla/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
/ r,
|
||||
/*/ r,
|
||||
/*/*/ r,
|
||||
|
||||
# FTP share folder
|
||||
owner @{MOUNTS}/ftp/ r,
|
||||
owner @{MOUNTS}/ftp/** rw,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{user_config_dirs}/filezilla/ rw,
|
||||
owner @{user_config_dirs}/filezilla/* rwk,
|
||||
@ -36,36 +46,15 @@ profile filezilla @{exec_path} {
|
||||
owner @{user_cache_dirs}/filezilla/ rw,
|
||||
owner @{user_cache_dirs}/filezilla/default_*.png rw,
|
||||
|
||||
/usr/share/filezilla/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
# To remove the following error:
|
||||
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
|
||||
# (g-file-error-quark, 2)
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
# Creating new files on FTP
|
||||
/tmp/ r,
|
||||
owner @{tmp}/fz[0-9]temp-@{int}/ rw,
|
||||
owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
|
||||
owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
|
||||
|
||||
# External apps
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# FTP share folder
|
||||
owner @{MOUNTS}/ftp/ r,
|
||||
owner @{MOUNTS}/ftp/** rw,
|
||||
|
||||
# Silencer
|
||||
/ r,
|
||||
/*/ r,
|
||||
/*/*/ r,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty@{int} rw,
|
||||
|
||||
include if exists <local/filezilla>
|
||||
|
||||
@ -7,12 +7,10 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{FT_LIBDIR} = @{lib}/freetube
|
||||
@{FT_LIBDIR} += @{lib}/freetube-vue
|
||||
@{FT_LIBDIR} += /opt/FreeTube
|
||||
@{FT_LIBDIR} += /opt/FreeTube-Vue
|
||||
@{name} = {F,f}reetube{,-vue}
|
||||
@{lib_dirs} = @{lib}/@{name} /opt/@{name}
|
||||
|
||||
@{exec_path} = @{FT_LIBDIR}/chrome-sandbox
|
||||
@{exec_path} = @{lib_dirs}/chrome-sandbox
|
||||
profile freetube-chrome-sandbox @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
@ -25,7 +23,7 @@ profile freetube-chrome-sandbox @{exec_path} {
|
||||
@{exec_path} mr,
|
||||
|
||||
# Has to be lower "P"
|
||||
@{FT_LIBDIR}/freetube{,-vue} rpx,
|
||||
@{lib_dirs}/@{name} rpx,
|
||||
|
||||
@{PROC}/@{pids}/ r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj r,
|
||||
|
||||
@ -8,24 +8,17 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{name} = signal-desktop{,-beta}
|
||||
@{lib_dirs} = "/usr/lib/signal-desktop"
|
||||
@{lib_dirs} += "/opt/Signal{, Beta}"
|
||||
@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
|
||||
@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
|
||||
|
||||
@{exec_path} = @{lib_dirs}/@{name}
|
||||
profile signal-desktop @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/common/chromium>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/common/electron>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-download-strict>
|
||||
|
||||
# Needed?
|
||||
deny capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
@ -37,46 +30,19 @@ profile signal-desktop @{exec_path} {
|
||||
@{bin}/getconf rix,
|
||||
@{bin}/xdg-settings rPx,
|
||||
|
||||
@{lib_dirs}/ r,
|
||||
@{lib_dirs}/{swiftshader/,}libEGL.so mr,
|
||||
@{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
|
||||
@{lib_dirs}/** r,
|
||||
@{lib_dirs}/chrome-sandbox rPx,
|
||||
@{lib_dirs}/libffmpeg.so mr,
|
||||
@{lib_dirs}/libnode.so mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
|
||||
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.@{int} mr,
|
||||
@{lib_dirs}/chrome_crashpad_handler rix,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{config_dirs}/ rw,
|
||||
owner @{config_dirs}/** rwk,
|
||||
owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,
|
||||
|
||||
@{run}/systemd/inhibit/*.ref rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/fs/inotify/max_user_watches r,
|
||||
@{PROC}/sys/kernel/yama/ptrace_scope r,
|
||||
@{PROC}/vmstat r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
|
||||
owner @{PROC}/@{pids}/statm r,
|
||||
owner @{PROC}/@{pids}/task/ r,
|
||||
owner @{PROC}/@{pids}/task/@{tid}/status r,
|
||||
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
@{sys}/fs/cgroup/user.slice/** r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
|
||||
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
|
||||
|
||||
@{PROC}/vmstat r,
|
||||
|
||||
include if exists <local/signal-desktop>
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user