From 76cd5c7029de6e693c2bf31b40fd7fe4d35380c6 Mon Sep 17 00:00:00 2001
From: Mikhail Morfikov
Date: Sat, 8 Jan 2022 13:41:21 +0100
Subject: [PATCH] update apparmor profiles
Signed-off-by: Alexandre Pujol
---
 apparmor.d/groups/apps/telegram-desktop | 3 +
 apparmor.d/groups/apt/dpkg-genchanges | 2 +-
 apparmor.d/groups/browsers/chromium-chromium | 5 +-
 .../groups/browsers/chromium-crashpad-handler | 26 +++++++
 apparmor.d/profiles-m-r/qbittorrent | 11 +--
 apparmor.d/profiles-m-r/qbittorrent-nox | 9 ++-
 apparmor.d/profiles-s-z/sudo | 2 +
 apparmor.d/profiles-s-z/syncthing | 1 +
 apparmor.d/profiles-s-z/transmission-qt | 67 +++++++++++++++++
 apparmor.d/profiles-s-z/yt-dlp | 73 +++++++++++++++++++
 10 files changed, 187 insertions(+), 12 deletions(-)
 create mode 100644 apparmor.d/groups/browsers/chromium-crashpad-handler
 create mode 100644 apparmor.d/profiles-s-z/transmission-qt
 create mode 100644 apparmor.d/profiles-s-z/yt-dlp
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index 88ef11d6..feadd8a9 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@@ -60,6 +60,9 @@ profile telegram-desktop @{exec_path} {
 # Autostart
 owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
+ owner /tmp/[0-9a-f]*-* rwk,
+ owner @{run}/user/@{uid}/[0-9a-f]*-* rwk,
+ /dev/shm/#[0-9]*[0-9] rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges
index 12f2fd16..eabef350 100644
--- a/apparmor.d/groups/apt/dpkg-genchanges
+++ b/apparmor.d/groups/apt/dpkg-genchanges
@@ -20,7 +20,7 @@ profile dpkg-genchanges @{exec_path} flags=(complain) {
 /usr/share/dpkg/tupletable r,
 # For package building
- owner @{user_build_dirs}/** r,
+ owner @{user_build_dirs}/** rw,
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index a3a1b4e6..ab46efb0 100644
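Review bot: The added `/dev/shm/#[0-9]*[0-9] rw,` rule has no `owner` qualifier, unlike the two /tmp and @{run} rules added right above it, so it grants read/write on any unlinked shm object matching the pattern regardless of which uid created it. Unless there is a known case where telegram-desktop must touch shm objects it does not own, `owner /dev/shm/#[0-9]*[0-9] rw,` keeps the three new rules at the same privilege level. The `/tmp/[0-9a-f]*-*` glob is broad enough to match temp files created by unrelated applications of the same user; a short comment naming the component that creates these files would let a later maintainer judge whether the pattern can be narrowed. The profile body continues outside the hunk.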
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -52,8 +52,9 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx,
- /{usr/,}bin/chrome-gnome-shell rPx,
+ /{usr/,}bin/chrome-gnome-shell rPx,
+ @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx,
+ @{CHROMIUM_INSTALLDIR}/crashpad_handler rPx,
 # For storing passwords externally
 /{usr/,}bin/keepassxc-proxy rPUx,
diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler
new file mode 100644
index 00000000..dd2326de
--- /dev/null
+++ b/apparmor.d/groups/browsers/chromium-crashpad-handler
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium
+@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium
+@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium
+
+@{exec_path} = /{usr/,}lib/chromium/crashpad_handler
+
+profile chromium-crashpad_handler @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mrix,
+
+ owner "@{HOME}/.config/chromium/Crash Reports/settings.dat" rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 30cea3d5..e3fcc2ec 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
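Review bot: The new chromium-crashpad-handler profile defines `@{CHROMIUM_HOMEDIR}` and `@{CHROMIUM_CACHEDIR}` but never uses them; its only home-directory rule spells the path out as `"@{HOME}/.config/chromium/Crash Reports/settings.dat"`. Either drop the two unused variables or write the rule as `owner "@{CHROMIUM_HOMEDIR}/Crash Reports/settings.dat" rwk,` so the install and home locations have a single point of change, as they do in the parent chromium-chromium profile. The profile name `chromium-crashpad_handler` also differs from the file name `chromium-crashpad-handler` (underscore vs hyphen), whereas every other profile in this patch is named after its file. Note that chromium-chromium now hands off with `@{CHROMIUM_INSTALLDIR}/crashpad_handler rPx,` into a profile that is `flags=(complain)`, so until that flag is removed the handler's denials are only logged, not enforced; a one-line comment saying this is intentional for a new profile would save the next reviewer a check.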
@@ -46,8 +46,10 @@ profile qbittorrent @{exec_path} {
 # Qbittorrent home dirs
 owner @{user_config_dirs}/qBittorrent/ rw,
 owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
- owner @{user_share_dirs}/data/qBittorrent/ rw,
- owner @{user_share_dirs}/data/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
+ owner @{user_share_dirs}/qBittorrent/ rw,
+ owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/qBittorrent/**/#[0-9]*[0-9],
+ # Old dir, not recommended to use:
+ deny owner @{user_share_dirs}/data/qBittorrent/ rw,
 # Cache dir
 owner @{user_cache_dirs}/ rw,
@@ -86,8 +88,7 @@ profile qbittorrent @{exec_path} {
 owner /tmp/qtsingleapp-qBitto-* rw,
 owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
 owner /tmp/.qBittorrent/ rw,
- owner /tmp/.qBittorrent/#[0-9]*[0-9] rw,
- owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9],
+ owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
 owner /tmp/mozilla_*/*.torrent rw,
 owner /tmp/*.torrent rw,
 # To load/add torrents from the search engine
@@ -131,7 +132,7 @@ profile qbittorrent @{exec_path} {
 /{usr/,}bin/python3.[0-9]* r,
- owner @{user_share_dirs}/data/qBittorrent/nova[0-9]/{,**} rw,
+ owner @{user_share_dirs}/qBittorrent/nova[0-9]/{,**} rw,
 # Used while searching for torrents
 owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox
index f0e237b0..53f31752 100644
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
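Review bot: The new `deny owner @{user_share_dirs}/data/qBittorrent/ rw,` matches only the directory entry itself, not the files beneath it, so the rule as written only silences accesses to the directory. Nothing else in the hunk grants the contents, so they are still refused by default; but if the point of an explicit `deny` is to stop the legacy location from generating audit noise, the files need covering too, e.g. `deny owner @{user_share_dirs}/data/qBittorrent/{,**} rw,`. The same applies to the identical line in the qbittorrent-nox hunk of this patch. The `/tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,` rewrite in the second hunk widens both the source (`[a-zA-Z]*` to `*`) and the link target (`#[0-9]*[0-9]` to `*`); a comment saying which file names made the old patterns insufficient would justify the broader rule.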
@@ -28,8 +28,10 @@ profile qbittorrent-nox @{exec_path} {
 # Qbittorrent home dirs
 owner @{user_config_dirs}/qBittorrent/ rw,
 owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
- owner @{user_share_dirs}/data/qBittorrent/ rw,
- owner @{user_share_dirs}/data/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
+ owner @{user_share_dirs}/qBittorrent/ rw,
+ owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
+ # Old dir, not recommended to use:
+ deny owner @{user_share_dirs}/data/qBittorrent/ rw,
 # Cache dir
 owner @{user_cache_dirs}/ rw,
@@ -63,8 +65,7 @@ profile qbittorrent-nox @{exec_path} {
 owner /tmp/qtsingleapp-qBitto-* rw,
 owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
 owner /tmp/.qBittorrent/ rw,
- owner /tmp/.qBittorrent/#[0-9]*[0-9] rw,
- owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9],
+ owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
 owner /tmp/mozilla_*/*.torrent rw,
 owner /tmp/*.torrent rw,
 owner /tmp/.*/{,s} rw,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 0f058b77..347b8496 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -32,6 +32,7 @@ profile sudo @{exec_path} {
 signal,
 @{exec_path} mr,
+ @{libexec}/sudo/** mr,
 # Shells to use
 /{usr/,}bin/{,b,d,rb}ash rpux,
@@ -58,6 +59,7 @@ profile sudo @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/stat r,
+ @{PROC}/1/limits r,
 # File Inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index 0e1bee5f..8bbf6a07 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -28,6 +28,7 @@ profile syncthing @{exec_path} {
 /usr/share/mime/{,*} r,
 /etc/mime.types r,
+ /usr/share/mime/globs2 r,
 owner @{user_config_dirs}/syncthing/{,**} rwk,
 owner @{HOME}/@{XDG_DATA_HOME}/syncthing/{,**} rwk,
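Review bot: The rewritten rule `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],` still names the old `data/qBittorrent` tree as its link target, while the source path — and the corresponding line in the qbittorrent profile in this same patch — were moved to `@{user_share_dirs}/qBittorrent/`. As written, a hard link created inside the new data directory is not permitted, and the only link destination still allowed is the directory the hunk itself labels as deprecated two lines later. The target should follow the qbittorrent profile: `-> @{user_share_dirs}/qBittorrent/**/#[0-9]*[0-9],`.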
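Review bot: The added `/usr/share/mime/globs2 r,` in the syncthing hunk is already permitted by the context line two above it, `/usr/share/mime/{,*} r,`, because `*` matches the file name `globs2`; the new rule changes nothing about what the profile allows. If it was added in response to an observed denial, the denial presumably came from a different path, so it is worth re-checking the log entry before keeping the rule. Otherwise it can simply be dropped to keep the profile free of redundant lines.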
diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt
new file mode 100644
index 00000000..6a749097
--- /dev/null
+++ b/apparmor.d/profiles-s-z/transmission-qt
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{TORRENT_DIR} = /media/*/torrent
+
+@{exec_path} = /{usr/,}bin/transmission-qt
+profile transmission-qt @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ # Torrent files
+ /media/ r,
+ owner /media/*/ r,
+ owner @{TORRENT_DIR}/ r,
+ owner @{TORRENT_DIR}/** rw,
+
+ owner @{HOME}/.config/transmission/ rw,
+ owner @{HOME}/.config/transmission/** rwk,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/transmission/ rw,
+ owner @{HOME}/.cache/transmission/** rwk,
+
+ owner /tmp/tr_session_id_* rwk,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/net/route r,
+ @{PROC}/sys/kernel/random/uuid r,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{HOME}/.config/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp
new file mode 100644
index 00000000..2c510f2b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/yt-dlp
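Review bot: The new transmission-qt profile hard-codes `@{HOME}/.config/transmission/` and `@{HOME}/.cache/transmission/`, whereas the qbittorrent profiles touched in this same patch use the repository's `@{user_config_dirs}` and `@{user_cache_dirs}` variables, which follow XDG overrides; `owner @{user_config_dirs}/transmission/{,**} rwk,` and `owner @{user_cache_dirs}/transmission/{,**} rwk,` would keep the new profile consistent with them. `owner @{HOME}/.cache/ rw,` grants write on the cache root itself, which qbittorrent also does via `owner @{user_cache_dirs}/ rw,`, so that is at least consistent. The `network netlink raw,` line and the `deny owner @{PROC}/@{pid}/cmdline r,` line carry no explanation; a short comment on each stating what in the client needs the raw netlink socket and why the cmdline read is silenced would let a later reviewer decide whether they can be tightened. This is the whole file, so nothing continues outside the hunk.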
@@ -0,0 +1,73 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+# Video/audio extensions:
+# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
+# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
+@{ytdlp_ext} = [aA]{52,[aA][cC],[cC]3}
+@{ytdlp_ext} += [mM][kK][aA]
+@{ytdlp_ext} += [fF][lL][aA][cC]
+@{ytdlp_ext} += [mM][pP][123cC]
+@{ytdlp_ext} += [oO][gGmM][aA]
+@{ytdlp_ext} += [wW]{,[aA]}[vV]
+@{ytdlp_ext} += [wW][mM]{,[aA]}
+@{ytdlp_ext} += 3[gG]{[2pP],[pP][2pP]}
+@{ytdlp_ext} += [aA][sS][fF]
+@{ytdlp_ext} += [aA][vV][iI]
+@{ytdlp_ext} += [dD][iI][vV][xX]
+@{ytdlp_ext} += [mM][124][vV]
+@{ytdlp_ext} += [mM][kKoO][vV]
+@{ytdlp_ext} += [mM][pP][4aAeEgG]
+@{ytdlp_ext} += [mM][pP][eE][gG]{,[124]}
+@{ytdlp_ext} += [oO][gG][gGmMxXvV]
+@{ytdlp_ext} += [rR][mM]{,[vV][bB]}
+@{ytdlp_ext} += [wW][eE][bB][mM]
+@{ytdlp_ext} += [wW][mMtT][vV]
+@{ytdlp_ext} += [mM][pP]2[tT]
+@{ytdlp_ext} += [mM]4[aA]
+
+# The ytdl specific file extensions
+# ytdl, part, tmp, temp
+@{ytdlp_ext} += [yY][tT][dD][lL]
+@{ytdlp_ext} += part{,-*}
+@{ytdlp_ext} += [tT]{,[eE]}[mM][pP]
+
+@{exec_path} = /{usr/,}bin/yt-dlp
+profile yt-dlp @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/file rix,
+
+ # Which files yt-dlp should be able to open
+ owner /media/**/ r,
+ owner /media/**.@{ytdlp_ext} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /etc/magic r,
+
+
+ include if exists
+}
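Review bot: The write scope of the new yt-dlp profile, `owner /media/**.@{ytdlp_ext} rw,`, hard-codes `/media` as the only download location, while the transmission-qt profile added in the same patch factors its directory into a `@{TORRENT_DIR}` variable; a matching `@{ytdlp_dir} = /media` (constructed example) used in both `/media` rules would let a user retarget the download directory by overriding one variable instead of editing the rules. The extension list is otherwise complete against its own comment block — every name listed in the `# a52, aac, ...` comments expands from one of the `@{ytdlp_ext}` alternatives, including the `ytdl`, `part`, `tmp`, `temp` set. Note that `/{usr/,}bin/file rix,` runs `file` under this same profile, so it inherits the `rw` grant on matching media paths; that is the usual choice for a helper but deserves a one-line comment. There are two consecutive blank lines before `include if exists`, one more than the rest of the file uses.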