From ca9a8d47f83d497d31bdd561ec4b336653986e82 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 11 Jun 2024 23:16:19 +0100
Subject: [PATCH] feat(profile): add protonmail-bridge
---
 apparmor.d/profiles-m-r/protonmail-bridge | 82 ++++++------------
 .../profiles-m-r/protonmail-bridge-core | 85 +++++++++++++++++++
 2 files changed, 109 insertions(+), 58 deletions(-)
 create mode 100644 apparmor.d/profiles-m-r/protonmail-bridge-core
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index 92a5eb13..f6e8c8e4 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@@ -2,80 +2,46 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Warning: only the protonmail-bridge CLI and service are supported, NOT the GUI. - abi , include -@{exec_path} = @{bin}/protonmail-bridge -profile protonmail-bridge @{exec_path} { - include - include +@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 +@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" +@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 - network inet dgram, - network inet6 dgram, +@{exec_path} = @{lib}/protonmail/bridge/bridge-gui +profile protonmail-bridge @{exec_path} { + include + include + include + include + include + include + + # network inet dgram, + # network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, + # network netlink raw, @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{lib}/protonmail/bridge/bridge rPx, + @{open_path} rPx -> child-open-strict, - /etc/lsb-release r, /etc/machine-id r, - owner /var/tmp/etilqs_@{hex} rw, + owner @{config_dirs}/ rw, + owner @{config_dirs}/** rwlk -> @{config_dirs}/**, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{user_cache_dirs}/protonmail/{,**} rwk, - owner @{user_config_dirs}/protonmail/{,**} rwk, - owner @{user_share_dirs}/protonmail/{,**} rwk, + owner @{share_dirs}/ rw, + owner @{share_dirs}/** rwlk -> @{share_dirs}/**, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pid}/cgroup r, - - # Force the use of the Gnome Keyring or Kwallet secret-service. - # Comment these lines and add the commented lines in your local/protonmail-bridge - # to allow the use of pass as secret-service. 
- # of pass as secret store - # deny @{bin}/pass rmx, - # deny owner @{user_password_store_dirs}/** r, - - profile pass { - include - include - - @{bin}/pass mr, - - @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/getopt rix, - @{bin}/git rPx -> pass//git, - @{bin}/gpg{,2} rPx -> pass//gpg, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, - - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, - - /dev/tty rw, - - include if exists - } + owner @{PROC}/@{pid}/cmdline r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core new file mode 100644 index 00000000..ef7ec136 --- /dev/null +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core 
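Review bot: The rewritten GUI profile keeps `# network inet dgram,`, `# network inet6 dgram,` and `# network netlink raw,` as commented-out rules directly next to the live `network inet stream,` / `network inet6 stream,` lines, with nothing saying whether they were removed on purpose or are parked for later. Since those three rules now live in the core profile that this one reaches through `@{lib}/protonmail/bridge/bridge rPx,`, the intent is presumably that the GUI itself never needs them, but a maintainer chasing a denial will not know that from the file. Either delete the three lines or replace them with one comment such as `# dgram/netlink access is only needed by the bridge core, see protonmail-bridge-core`, so the profile does not carry dead rules that look like a TODO. The hunk spans the whole profile, so nothing of the block lies outside it.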
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# To force the use of the Gnome Keyring or Kwallet secret-service, add the
+# following lines in your local/protonmail-bridge-core file:
+# deny @{bin}/pass x,
+# deny owner @{user_password_store_dirs}/** r,
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/protonmail/bridge/bridge
+profile protonmail-bridge-core @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/pass rCx -> pass,
+
+ /etc/lsb-release r,
+ /etc/machine-id r,
+
+ owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+
+ owner @{user_cache_dirs}/protonmail/{,**} rwk,
+ owner @{user_config_dirs}/protonmail/{,**} rwk,
+ owner @{user_share_dirs}/protonmail/{,**} rwk,
+
+ owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
+
+ owner @{tmp}/bridge@{int} rw,
+ owner @{tmp}/user/@{uid}/etilqs_@{hex} rw,
+ owner /var/tmp/etilqs_@{hex} rw,
+
+ @{PROC}/ r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/@{pid}/cgroup r,
+
+ deny @{bin}/pass x,
+ deny owner @{user_password_store_dirs}/** r,
+
+ profile pass {
+ include
+ include
+
+ @{bin}/pass mr,
+
+ @{sh_path} rix,
+ @{bin}/base64 rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/getopt rix,
+ @{bin}/git rpx -> pass//git,
+ @{bin}/gpg{,2} rpx -> pass//gpg,
+ @{bin}/mkdir rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/tail rix,
+ @{bin}/tree rix,
+ @{bin}/tty rix,
+ @{bin}/which rix,
+
+ owner @{user_password_store_dirs}/ r,
+ owner @{user_password_store_dirs}/.gpg-id r,
+ owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
+ deny owner @{user_password_store_dirs}/**/ r,
+
+ /dev/tty rw,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end of file
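Review bot: `deny @{bin}/pass x,` and `deny owner @{user_password_store_dirs}/** r,` are shipped uncommented in the body of protonmail-bridge-core, and AppArmor deny rules take precedence over allow rules regardless of order, so they cancel `@{bin}/pass rCx -> pass,` and the `docker-credential-helpers` / `protonmail-credentials` read rules above them and leave the whole `profile pass { … }` child unreachable. The header comment tells users to add exactly these two lines in `local/protonmail-bridge-core` to force the keyring backend, which only works if they are absent from the shipped profile, so either drop the two lines or ship them as `# deny @{bin}/pass x,` and `# deny owner @{user_password_store_dirs}/** r,` matching the header. Separately, the child profile now uses `@{bin}/git rpx -> pass//git,` and `@{bin}/gpg{,2} rpx -> pass//gpg,` where the profile being replaced used `rPx`; lowercase `px` transitions without scrubbing the environment, so loader variables such as `LD_PRELOAD` can reach the gpg process that decrypts the stored credentials. Unless a specific variable is known to be required, restore `rPx` on both lines and note the reason in a comment if it is not.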