From 4f3864a9b6e78c585dfb52bc0fb0cc0031b36182 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Wed, 11 Jan 2023 22:44:37 +0300
Subject: [PATCH] rustdesk
---
 apparmor.d/profiles-g-l/hbbr | 25 +++++
 apparmor.d/profiles-g-l/hbbs | 30 ++++++
 apparmor.d/profiles-m-r/rustdesk | 143 +++++++++++++++++++++++++
 apparmor.d/profiles-m-r/rustdesk-utils | 20 ++++
 4 files changed, 218 insertions(+)
 create mode 100644 apparmor.d/profiles-g-l/hbbr
 create mode 100644 apparmor.d/profiles-g-l/hbbs
 create mode 100644 apparmor.d/profiles-m-r/rustdesk
 create mode 100644 apparmor.d/profiles-m-r/rustdesk-utils
diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr
new file mode 100644
index 00000000..79904251
--- /dev/null
+++ b/apparmor.d/profiles-g-l/hbbr
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}{,local/}bin/hbbr
+profile hbbr @{exec_path} {
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+
+ owner /var/lib/rustdesk-server/ r,
+ owner /var/lib/rustdesk-server/id_ed25519.pub r,
+ # Unknown non-essential purpose
+# owner /var/lib/rustdesk-server/id_ed25519 r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs
new file mode 100644
index 00000000..b7fdfd6c
--- /dev/null
+++ b/apparmor.d/profiles-g-l/hbbs
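Review bot: `@{exec_path} r,` grants the hbbr binary read but not executable mapping, which differs from `@{exec_path} mr,` in rustdesk-utils in this same commit and from the `mr` form apparmor.d profiles normally use for their own executable; the hbbs profile in the next hunk has the same `r`-only rule. The initial execve mapping appears to be covered regardless, but any later PROT_EXEC mapping of the binary would be denied, so for consistency both should read `@{exec_path} mr,`. Separately, `abi ,` and the bare `include` lines in this rendering have lost their bracketed targets, so which tunables and abstractions are actually pulled in cannot be checked here.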
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}{,local/}bin/hbbs
+profile hbbs @{exec_path} {
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} r,
+
+ owner /var/lib/rustdesk-server/ rw,
+ owner /var/lib/rustdesk-server/id_ed25519 rw,
+ owner /var/lib/rustdesk-server/id_ed25519.pub rw,
+ owner /var/lib/rustdesk-server/db_v2.sqlite3 rwk,
+ owner /var/lib/rustdesk-server/db_v2.sqlite3-journal rw,
+ owner /var/lib/rustdesk-server/db_v2.sqlite3-wal rw,
+ owner /var/lib/rustdesk-server/db_v2.sqlite3-shm rwk,
+
+ owner @{PROC}/@{pid}/cgroup r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk
new file mode 100644
index 00000000..8fd30049
--- /dev/null
+++ b/apparmor.d/profiles-m-r/rustdesk
@@ -0,0 +1,143 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}{,local/}bin/rustdesk
+profile rustdesk @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw, # discovery
+
+ @{exec_path} mrix,
+
+ /{,usr/}bin/ps rPx,
+ /{,usr/}bin/whoami rPx,
+ /{,usr/}bin/loginctl rPx,
+ /{,usr/}bin/curl rix,
+
+ /{,usr/}bin/python3.[0-9]* rCx -> python,
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name=:*),
+
+ owner /tmp/[rR]ust[dD]esk/{,**} rw,
+
+ owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
+ owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,
+
+ owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
+
+ @{PROC}/uptime r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+
+ # pulse
+ /dev/shm/ r,
+ /etc/pulse/client.conf r,
+ /etc/pulse/client.conf.d/{,*} r,
+ owner @{run}/user/@{uid}/pulse/ r,
+ owner @{run}/user/@{uid}/pulse/native rw,
+ owner @{user_config_dirs}/pulse/ rw,
+ owner @{user_config_dirs}/pulse/cookie rwk,
+
+ # gtk-tiny
+ /etc/gtk-3.0/settings.ini r,
+ /usr/share/themes/*/gtk-3.0/gtk.css r,
+
+ # file transfer
+ owner @{HOME}/ r, # fails otherwise
+ owner @{HOME}/[rR]ust[dD]esk/{,**} rw,
+
+ # file_inherit, X-strict
+ owner @{HOME}/.xsession-errors w,
+
+ # excessive?
+ deny @{PROC} r,
+# @{PROC} r,
+# capability sys_ptrace,
+# ptrace (read),
+# owner @{PROC}/@{pid}/stat r,
+# owner @{PROC}/@{pid}/environ r,
+# owner @{PROC}/@{pid}/io r,
+# owner @{PROC}/@{pid}/task/ r,
+# owner @{PROC}/@{pid}/task/@{tid}/stat r,
+# owner @{PROC}/@{pid}/task/@{tid}/io r,
+# owner @{PROC}/@{pid}/task/@{tid}/status r,
+
+ profile python {
+ include
+ include
+ include
+
+ /{,usr/}bin/python3.[0-9]* r,
+
+ /{,usr/}bin/{,ba,da}sh rix,
+ /{,usr/}bin/chmod rix,
+ /{,usr/}bin/uname rPx,
+ /usr/share/rustdesk/files/pynput_service.py rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /usr/share/rustdesk/files/{,**} r,
+ owner /tmp/[rR]ust[dD]esk/ w,
+ owner /tmp/[rR]ust[dD]esk/pynput_service rw,
+
+ # X-tiny
+ /tmp/.X11-unix/* rw,
+ owner @{HOME}/.xsession-errors w,
+ owner @{HOME}/.Xauthority r,
+
+ # python.d?
+ /usr/share/dpkg/cputable r,
+
+ # Silencer
+ deny /etc/apt/{,**} r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py {
+ include
+
+ @{exec_path} r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils
new file mode 100644
index 00000000..8c5817b1
--- /dev/null
+++ b/apparmor.d/profiles-m-r/rustdesk-utils
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils
+profile rustdesk-utils @{exec_path} {
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ include if exists
+}
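Review bot: In the `rustdesk_pynput_service` profile at the end of the hunk, `@{exec_path} r,` expands to `/{,usr/}{,local/}bin/rustdesk` (the variable assigned at the top of the file), not to the script this profile attaches to, so the rule grants read on the wrong file while the script itself, which the interpreter normally opens again after the exec, gets nothing. The line should be `/usr/share/rustdesk/files/pynput_service.py r,`, together with whatever interpreter and standard-library access the service needs; the profile's single `include` has lost its target in this rendering, so it is not possible to tell here whether a python abstraction already supplies that. This profile is the `rPx` target of the `python` child profile's `/usr/share/rustdesk/files/pynput_service.py rPx,` rule, so a denial here would presumably break the helper rather than the main client. Both profiles are fully contained in this hunk.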