From 8ba25a3f6ea7114027912677f2c74bf17f8b6121 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 15 Jan 2023 18:57:35 +0000 Subject: [PATCH] feat(profile): rewrite keepassxc. See: #102 --- apparmor.d/profiles-g-l/keepassxc | 143 ++++++++++-------------- apparmor.d/profiles-g-l/keepassxc-proxy | 3 +- apparmor.d/tunables/xdg-user-dirs | 2 + 3 files changed, 61 insertions(+), 87 deletions(-) diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 399102ad..59d57d4b 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -1,30 +1,33 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{KP_DB} = @{HOME}/keepass-baza - @{exec_path} = /{usr/,}bin/keepassxc profile keepassxc @{exec_path} { include - include - include - include + include + include + include + include include + include + include include include - include - include include - include - include + include include + include + include include - include + include + include + include network inet dgram, network inet6 dgram, 
@@ -35,102 +38,70 @@ profile keepassxc @{exec_path} { @{exec_path} mrix, + # Allowed apps to open + /{usr/,}bin/geany rPUx, + /{usr/,}bin/xdg-open rCx -> child-open, + /{usr/,}lib/firefox/firefox rPx, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, + /usr/share/libdrm/*.ids r, + /usr/share/qt*/{,**} r, - owner @{user_config_dirs}/keepassxc/ rw, - owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9], + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/keepassxc/ rw, - owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9], - - # Database location - / r, - /home/ r, owner @{HOME}/ r, - owner @{KP_DB}/ r, - owner @{KP_DB}/#[0-9]*[0-9] rw, - owner @{KP_DB}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9], - #For export to a CSV file - owner @{KP_DB}/*.csv rw, - - # For SSH keys + owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - - # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration + owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, + owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, + owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, + # Database locations + owner @{user_cache_dirs}/keepassxc/ rw, + owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9], + owner @{user_config_dirs}/keepassxc/ rw, + owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9], + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/*.csv rw, + owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9], + owner @{user_password_store_dirs}/#[0-9]*[0-9] rw, + + owner /tmp/.[a-zA-Z]*/{,s} rw, + owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#[0-9]*[0-9] rw, owner /tmp/keepassxc-*.lock{,.rmlock} rwk, owner /tmp/keepassxc-*.socket rw, - # When $USER is not set owner /tmp/keepassxc.lock rw, owner /tmp/keepassxc.socket rw, - owner /tmp/.[a-zA-Z]*/{,s} rw, - - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9], - - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/comm r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /dev/shm/#[0-9]*[0-9] rw, - - # For browser integration - owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner 
@{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, owner @{run}/user/@{uid}/kpxc_server rw, + @{PROC}/@{pids}/comm r, + @{PROC}/modules r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + + owner @{run}/user/@{pid}/app/ w, + owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - /{usr/,}bin/xdg-open rCx -> open, - - # file_inherit + /dev/shm/#[0-9]*[0-9] rw, + /dev/tty rw, owner /dev/tty[0-9]* rw, - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - /{usr/,}bin/geany rPUx, - - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - /{usr/,}bin/geany rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index b518f128..5af7c132 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy 
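Review bot: The new `.kdbx` link rule still points at `@{KP_DB}` (`owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9],`), but the `@{KP_DB}` definition is removed in the first hunk of this patch, so the profile now references an undeclared variable and the parser will reject it; the target should be `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{user_password_store_dirs}/#[0-9]*[0-9],`. The two `@{run}/user/@{pid}/app/...` rules use `@{pid}` where every sibling rule in this block keys `/run/user/` by `@{uid}` (`owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,`), which is what that directory is actually named after. `@{PROC}/@{pids}/comm r,` drops the `owner` qualifier the old rule had, so KeePassXC can now read the command name of every process on the system; if that widening is not needed, keep `owner`. The `xdg-open rCx -> child-open` transition depends on a `child-open` subprofile that is no longer defined in this file and presumably comes from an include whose target is not visible in this rendering — worth confirming it is actually pulled in.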
@@ -24,7 +24,9 @@ profile keepassxc-proxy @{exec_path} { /usr/share/icons/*/index.theme r, + owner @{run}/user/@{pid}/app/ w, owner @{run}/user/@{pid}/org.keepassxc.KeePassXC.BrowserServer rw, + owner @{run}/user/@{pid}/org.keepassxc.KeePassXC/ rw, # file_inherit deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, @@ -39,7 +41,6 @@ profile keepassxc-proxy @{exec_path} { deny owner /tmp/tmpaddon r, deny owner @{user_config_dirs}/google-chrome/** rw, deny owner @{user_config_dirs}/chromium/** rw, - owner @{HOME}/.xsession-errors w, /dev/dri/renderD128 rw, diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index 248b3f0d..b32ceac6 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -34,6 +34,7 @@ # User personal keyrings @{XDG_SSH_DIR}=".ssh" @{XDG_GPG_DIR}=".gnupg" +@{XDP_PASSWORD_STORE_DIR}=".password-store" # Definition of local user configuration directories @{XDG_CACHE_HOME}=".cache" @@ -70,6 +71,7 @@ @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} +@{user_password_store_dirs}=@{HOME}/@{XDP_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDP_PASSWORD_STORE_DIR} # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories
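Review bot: Both added rules key `/run/user/` by `@{pid}` (`owner @{run}/user/@{pid}/app/ w,`, `owner @{run}/user/@{pid}/org.keepassxc.KeePassXC/ rw,`), while the profile's own later context line uses `@{uid}` (`deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,`); the runtime directory is named after the uid, so these should read `@{run}/user/@{uid}/...`. The existing `BrowserServer` line has the same `@{pid}` spelling and could be corrected in the same change. Granting `w` on the `app/` directory without any rule beneath it looks incomplete — if the proxy needs to create `app/org.keepassxc.KeePassXC/` the way the main profile does, that path needs its own rule; if not, the directory write is presumably unnecessary.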
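Review bot: `@{XDP_PASSWORD_STORE_DIR}` breaks the `XDG_*` naming every other tunable in this block follows (`@{XDG_SSH_DIR}`, `@{XDG_GPG_DIR}`), which reads as a typo rather than a deliberate prefix; rename it to `@{XDG_PASSWORD_STORE_DIR}=".password-store"` and carry the rename to the list definition below. `.password-store` is the default of `pass`, not a location KeePassXC itself uses, so a user whose `.kdbx` files live elsewhere will hit denials with the new keepassxc profile; a short comment stating the expectation, e.g. `# KeePassXC databases (*.kdbx) are expected under this directory`, would make that explicit for anyone overriding it in `xdg-user-dirs.d`.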
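Review bot: `@{user_password_store_dirs}` is defined among the XDG user directories, but unlike its neighbours it expands to a hidden dot-directory under `@{HOME}` and is consumed by the keepassxc profile for `*.kdbx` and `*.csv` read/write, which the name does not convey. A one-line comment above the definition, `# Hidden dir; used by the keepassxc profile for database (*.kdbx) and CSV export access`, would save the next maintainer from assuming it is a pass-only variable.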