From ce3813133f8a20f68aa9ac4f32ed421a95bde485 Mon Sep 17 00:00:00 2001
From: beroal <me@beroal.in.ua>
Date: Sun, 6 Oct 2024 22:45:17 +0300
Subject: [PATCH] the desktop version of the Briar secure messager (#545)

* the desktop version of the Briar secure messager
---
 apparmor.d/profiles-a-f/briar-desktop     | 95 +++++++++++++++++++++++
 apparmor.d/profiles-a-f/briar-desktop-tor | 65 ++++++++++++++++
 2 files changed, 160 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/briar-desktop
 create mode 100644 apparmor.d/profiles-a-f/briar-desktop-tor

diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop
new file mode 100644
index 00000000..a0b57a38
--- /dev/null
+++ b/apparmor.d/profiles-a-f/briar-desktop
@@ -0,0 +1,95 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/briar-desktop
+profile briar-desktop @{exec_path} {
+  include <abstractions/audio-client>
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/gnome-strict>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  ptrace read peer=briar-desktop-tor,
+  ptrace read peer=@{profile_name}//jspawnhelper,
+
+  @{exec_path} mr,
+
+  @{lib}/jvm/java*/bin/java rix,
+  @{lib}/jvm/java*/lib/** rm,
+  @{lib}/jvm/java*/lib/jspawnhelper Cx -> jspawnhelper,
+  @{sh_path} mr,
+
+  @{system_share_dirs}/java/briar-desktop.jar r,
+
+  /etc/java*/{,**} r,
+
+  owner @{HOME}/.briar/desktop/{,**} rw,
+  owner @{HOME}/.briar/desktop/db/db.mv.db k,
+
+  owner @{HOME}/.java/{,.userPrefs/{,org/}} w,
+  owner @{HOME}/.java/.userPrefs/.user.lock.@{user} wk,
+  owner @{HOME}/.java/.userPrefs/.userRootModFile.@{user} rw,
+  owner @{HOME}/.java/.userPrefs/{,org/}prefs.{xml,tmp} rw,
+  owner @{HOME}/.java/.userPrefs/org/briarproject/{,**} rw,
+
+  owner @{HOME}/.skiko/ w,
+  owner @{HOME}/.skiko/@{hex64}/{,libskiko-*.so,skiko[0-9]*} mrw,
+
+  owner @{user_pictures_dirs}/{,**} r,
+
+  owner @{user_cache_dirs}/JNA/{,**} mrw,
+
+  owner @{tmp}/hsperfdata_@{user}/ rw,
+  owner @{tmp}/hsperfdata_@{user}/@{pid} rwk,
+  owner @{tmp}/imageio@{u64}.tmp rw,
+  owner @{tmp}/jna@{u64}.tmp mrw,
+
+  @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r,
+  @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r,
+
+        @{PROC}/cgroups r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/coredump_filter rw,
+  owner @{PROC}/@{pid}/mountinfo r,
+        @{PROC}/@{pid}/net/if_inet6 r,
+  owner @{PROC}/@{pid}/stat r,
+
+  /dev/tty rw,
+  /dev/urandom rw,
+
+  deny @{HOME}/ r,
+
+  include if exists <local/briar-desktop>
+
+  profile jspawnhelper flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    @{bin}/ldconfig ix,
+    owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor,
+
+    @{system_share_dirs}/java/briar-desktop.jar r,
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{PROC}/@{pid}/stat r,
+
+    deny owner @{HOME}/.briar/desktop/db/db.mv.db rw, # file_inherit
+    deny network inet6 stream, # file_inherit
+
+    include if exists <local/briar-desktop_jspawnhelper>
+  }
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor
new file mode 100644
index 00000000..e78420e3
--- /dev/null
+++ b/apparmor.d/profiles-a-f/briar-desktop-tor
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile briar-desktop-tor {
+  include <abstractions/base>
+
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal send set=term peer=briar-desktop-tor//obfs4proxy,
+  signal send set=term peer=briar-desktop-tor//snowflake, 
+
+  owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw,
+  owner @{HOME}/.briar/desktop/tor/.tor/lock k,
+  owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy,
+  owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake,
+  owner @{HOME}/.briar/desktop/tor/tor r,
+  owner @{HOME}/.briar/desktop/tor/torrc r,
+
+  @{PROC}/sys/kernel/random/uuid r,
+
+  include if exists <local/briar-desktop-tor>
+
+  profile obfs4proxy {
+    include <abstractions/base>
+
+    network inet stream,
+    network inet6 stream,
+
+    signal receive set=term peer=briar-desktop-tor,
+
+    owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w,
+    owner @{HOME}/.briar/desktop/tor/obfs4proxy mr,
+    @{PROC}/sys/net/core/somaxconn r,
+
+    include if exists <local/briar-desktop-tor_obfs4proxy>
+  }
+
+  profile snowflake {
+    include <abstractions/base>
+    include <abstractions/nameservice-strict>
+    include <abstractions/ssl_certs>
+
+    network inet dgram,
+    network inet stream,
+    network inet6 dgram,
+    network inet6 stream,
+    network netlink raw,
+
+    signal receive set=term peer=briar-desktop-tor,
+
+    owner @{HOME}/.briar/desktop/tor/snowflake mr,
+    @{PROC}/sys/net/core/somaxconn r,
+
+    include if exists <local/briar-desktop-tor_snowflake>
+  }
+}
+
+# vim:syntax=apparmor