From 5a722c42a2b4b2f00b8a72fa7982838d924de3c6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 26 Jan 2023 20:02:33 +0000
Subject: [PATCH] feat(profiles): rewrite the vlc profile.
---
 apparmor.d/abstractions/vlc-art-cache-write | 15 --
 apparmor.d/groups/apps/vlc | 175 ++++++------------
 apparmor.d/profiles-a-f/amarok | 192 --------------------
 3 files changed, 57 insertions(+), 325 deletions(-)
 delete mode 100644 apparmor.d/abstractions/vlc-art-cache-write
 delete mode 100644 apparmor.d/profiles-a-f/amarok
diff --git a/apparmor.d/abstractions/vlc-art-cache-write b/apparmor.d/abstractions/vlc-art-cache-write
deleted file mode 100644
index 1acb215e..00000000
--- a/apparmor.d/abstractions/vlc-art-cache-write
+++ /dev/null
@@ -1,15 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/vlc/ rw,
- owner @{user_cache_dirs}/vlc/art/ rw,
- owner @{user_cache_dirs}/vlc/art/artistalbum/ rw,
- owner @{user_cache_dirs}/vlc/art/artistalbum/**/ rw,
- owner @{user_cache_dirs}/vlc/art/artistalbum/**/art rw,
- owner @{user_cache_dirs}/vlc/art/artistalbum/**/art.jpg rw,
-
- include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc
index b09d5c8a..adddbb90 100644
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@@ -1,79 +1,30 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t -@{vlc_ext} = [aA]{52,[aA][cC],[cC]3} -@{vlc_ext} += [mM][kK][aA] -@{vlc_ext} += [fF][lL][aA][cC] -@{vlc_ext} += [mM][pP][123cC] -@{vlc_ext} += [oO][gGmM][aA] -@{vlc_ext} += [wW]{,[aA]}[vV] -@{vlc_ext} += [wW][mM]{,[aA]} -@{vlc_ext} += 3[gG]{[2pP],[pP][2pP]} -@{vlc_ext} += [aA][sS][fF] -@{vlc_ext} += [aA][vV][iI] -@{vlc_ext} += [dD][iI][vV][xX] -@{vlc_ext} += [mM][124][vV] -@{vlc_ext} += [mM][kKoO][vV] -@{vlc_ext} += [mM][pP][4aAeEgG] -@{vlc_ext} += [mM][pP][eE][gG]{,[124]} -@{vlc_ext} += [oO][gG][gGmMxXvV] -@{vlc_ext} += [rR][mM]{,[vV][bB]} -@{vlc_ext} += [wW][eE][bB][mM] -@{vlc_ext} += [wW][mMtT][vV] -@{vlc_ext} += [mM][pP]2[tT] - -# Image extensions -# bmp, jpg, jpeg, png, gif -@{vlc_ext} += [bB][mM][pP] -@{vlc_ext} += [jJ][pP]{,[eE]}[gG] -@{vlc_ext} += [pP][nN][gG] -@{vlc_ext} += [gG][iI][fF] - -# Subtitle extensions: -# srt, txt, sub -@{vlc_ext} += [sS][rR][tT] -@{vlc_ext} += [tT][xX][tT] -@{vlc_ext} += [sS][uU][bB] - -# Playlist extensions: -# m3u, m3u8, pls -@{vlc_ext} += [mM]3[uU]{,8} -@{vlc_ext} += [pP][lL][sS] - @{exec_path} = /{usr/,}bin/{c,}vlc profile vlc @{exec_path} { include - include - include - include - include - include - include - include - include - include - include include - include - include - include - include - include - include - include include + include include include - include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=anyremote//*, 
@@ -194,73 +145,61 @@ profile vlc @{exec_path} { @{exec_path} mrix, - # Which media files VLC should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{vlc_ext} rw, + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, - # For SMB shares - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, - - # VLC files - /usr/share/vlc/{,**} r, - - # VLC config files - owner @{HOME}/ r, - owner @{user_config_dirs}/vlc/ rw, - owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], - owner @{user_share_dirs}/vlc/{,**} rw, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/vlc/{,**} rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, - - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, - - /dev/snd/ r, - /dev/shm/#[0-9]*[0-9] rw, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - @{PROC}/@{pids}/net/if_inet6 r, - deny @{PROC}/sys/kernel/random/boot_id r, - - # Udev enumeration - @{sys}/bus/ r, - @{sys}/bus/**/devices/ r, - @{sys}/devices/**/uevent r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{run}/udev/data/b254:[0-9]* r, # for /dev/zram* - @{run}/udev/data/b253:[0-9]* r, # for /dev/dm* - @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* - @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + /usr/share/vlc/{,**} r, /etc/fstab r, - /usr/share/hwdata/pnp.ids r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{HOME}/ r, + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner 
@{user_videos_dirs}/{,**} rw, - # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/vlc/ rw, + owner @{user_cache_dirs}/vlc/{,**} rw, + + owner @{user_config_dirs}/qt5ct/{,**} r, + owner @{user_config_dirs}/vlc/ rw, + owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], + + owner @{user_share_dirs}/vlc/{,**} rw, + + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, + + @{run}/udev/data/b7:[0-9]* r, # for /dev/loop* + @{run}/udev/data/b8:[0-9]* r, # for /dev/sd* + @{run}/udev/data/b254:[0-9]* r, # for /dev/zram* + @{run}/udev/data/b253:[0-9]* r, # for /dev/dm* + + @{sys}/bus/ r, + @{sys}/bus/**/devices/ r, + @{sys}/class/ r, + @{sys}/class/**/ r, + @{sys}/devices/**/uevent r, + + @{PROC}/@{pids}/net/if_inet6 r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + audit @{PROC}/sys/kernel/random/boot_id r, + audit owner @{PROC}/@{pid}/cmdline r, + + /dev/shm/#[0-9]*[0-9] rw, + owner /dev/tty[0-9]* rw, # Silencer deny /{usr/,}lib/@{multiarch}/vlc/{,**} w, - # file_inherit - owner /dev/tty[0-9]* rw, - owner @{HOME}/.anyRemote/anyremote.stdout w, - profile xdg-screensaver { include include diff --git a/apparmor.d/profiles-a-f/amarok b/apparmor.d/profiles-a-f/amarok deleted file mode 100644 index 2a5bd0bd..00000000 --- a/apparmor.d/profiles-a-f/amarok +++ /dev/null 
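Review bot: The two new `audit` rules at the end of the /proc block change semantics rather than just placement: `audit @{PROC}/sys/kernel/random/boot_id r,` and `audit owner @{PROC}/@{pid}/cmdline r,` replace rules that were `deny`, and `audit` on its own grants the read and logs every hit, so VLC can now read both paths and each access lands in the audit log. If the reads are meant to be allowed, drop the qualifier (`@{PROC}/sys/kernel/random/boot_id r,` and `owner @{PROC}/@{pid}/cmdline r,`); if they are still meant to be blocked, keep `deny` (`audit deny ... r,` if the denial itself should be logged). The cache block also adds `owner @{user_cache_dirs}/ rw,` twice and `owner @{user_cache_dirs}/vlc/ rw,` next to `owner @{user_cache_dirs}/vlc/{,**} rw,`, which already matches that directory, so one copy of each suffices. The SMB rule `owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,` now matches every file on the share instead of the previous `@{vlc_ext}` list, which is consistent with the XDG-directory rules above but is a broadening worth a one-line comment. The `profile vlc` block starts before this hunk and its `xdg-screensaver` subprofile continues past it.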
@@ -1,192 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -# Audio extensions -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, -@{amarok_ext} = [aA]{52,[aA][cC],[cC]3} -@{amarok_ext} += [mM][kK][aA] -@{amarok_ext} += [fF][lL][aA][cC] -@{amarok_ext} += [mM][pP][123cC] -@{amarok_ext} += [oO][gGmM][aA] -@{amarok_ext} += [wW]{,[aA]}[vV] -@{amarok_ext} += [wW][mM]{,[aA]} - -# Image extensions -# bmp, jpg, jpeg, png, gif -@{amarok_ext} += [bB][mM][pP] -@{amarok_ext} += [jJ][pP]{,[eE]}[gG] -@{amarok_ext} += [pP][nN][gG] -@{amarok_ext} += [gG][iI][fF] - -# Playlist extensions -# m3u, m3u8, pls -@{amarok_ext} += [mM]3[uU]{,8} -@{amarok_ext} += [pP][lL][sS] - -@{exec_path} = /{usr/,}bin/amarok -profile amarok @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - ptrace (trace) peer=@{profile_name}, - - # Signals to kdeinit4 (unconfined) - signal (send) peer=unconfined, - - @{exec_path} mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/amarokcollectionscanner rix, - /{usr/,}bin/kde4-config rix, - - /{usr/,}lib/kde4/libexec/lnusertemp rix, - /{usr/,}lib/kde4/libexec/drkonqi rix, - - /{usr/,}bin/kglobalaccel rPUx, - /{usr/,}bin/kbuildsycoca4 rPUx, - /{usr/,}bin/kdeinit4 rPUx, - /{usr/,}bin/knotify4 rPUx, - /{usr/,}bin/ffmpeg rPUx, - - /{usr/,}bin/lsb_release rPx -> lsb_release, - - # Which media files Amarok should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{amarok_ext} rw, - - # Amarok home files - owner @{HOME}/.kde{,4}/share/apps/amarok/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/** rwk, - - owner @{HOME}/.kde{,4}/share/apps/knewstuff3/amarok.knsregistry rw, - owner @{HOME}/.kde{,4}/share/config/amarokrc* rw, 
- owner @{HOME}/.kde{,4}/share/config/amarok_homerc* rw, - owner @{HOME}/.kde{,4}/share/config/amarok-appletsrcm* rw, - owner @{HOME}/.kde{,4}/share/config/amarok-appletsrc* rw, - - owner @{HOME}/.kde{,4}/share/config/kcookiejarrc r, - owner @{HOME}/.kde{,4}/share/config/kio_httprc r, - owner @{HOME}/.kde{,4}/share/config/kioslaverc r, - owner @{HOME}/.kde{,4}/share/config/ktimezonedrc r, - - # Phonon - /{usr/,}lib/@{multiarch}/qt4/plugins/phonon_backend/phonon_vlc.so mr, - - # VLC backend - /{usr/,}lib/@{multiarch}/vlc/plugins/plugins.dat.* r, - /usr/share/vlc/** r, - - # Cache for art images - owner @{HOME}/.kde{,4}/ rw, - owner @{HOME}/.kde{,4}/share/ rw, - owner @{HOME}/.kde{,4}/share/apps/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@@{hex} rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw, - - owner @{user_share_dirs}/user-places.xbel rw, - - owner @{user_config_dirs}/Trolltech.conf rwk, - - deny /etc/rpc r, - - deny /etc/gnome-vfs-2.0/modules/default-modules.conf r, - - deny owner @{PROC}/@{pid}/cmdline r, - deny owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - # TMP - owner /tmp/#sql_*.{MAI,MAD} rw, - owner /tmp/qipc_{systemsem,sharedmemory}_AmarokScannerMemory[a-f0-9]* rw, - owner /tmp/qt_temp.* rw, - owner /tmp/xauth-[0-9]*-_[0-9] r, - owner /tmp/kde-*/ rw, - - /usr/share/icons/*/index.theme rk, - - @{run}/user/@{uid}/ksocket-*/amarok*.slave-socket rw, - - # What's this for? 
- deny /etc/mysql/** r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - deny /usr/share/anyremote/** r, - owner @{HOME}/.anyRemote/anyremote.stdout w, - - # Udev silencer - deny @{sys}/bus/ r, - deny @{sys}/class/ r, - deny @{sys}/devices/ r, - deny @{sys}/devices/virtual/net/**/{uevent,type} r, - deny @{sys}/devices/virtual/sound/seq/uevent r, - deny @{sys}/devices/system/node/ r, - deny @{run}/udev/data/* r, - - # To generate the crash log info in Amarok - /{usr/,}bin/gdb rCx -> gdb, - profile gdb { - include - include - - /{usr/,}bin/gdb mr, - /usr/share/glib-2.0/gdb/{,**} r, - - @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/stat r, - owner @{PROC}/@{pids}/task/@{tid}/maps r, - owner @{PROC}/@{pids}/mem r, - - /{usr/,}bin/iconv rix, - /usr/share/gdb/python/ r, - /usr/share/gdb/python/{,**} r, - - ptrace (trace), - - /{usr/,}bin/* r, - - /usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/*.py r, - /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/*.py r, - /usr/share/gcc-[0-9]*/python/{,**} r, - - # Silencer - deny /usr/share/** w, - - } - - include if exists -}