diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index e3fcc2ec..aa1912df 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -14,13 +14,20 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
 include
 include
 include
+ include
 include
 include
 include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
 include
@@ -28,6 +35,8 @@ profile qbittorrent @{exec_path} {
 include
 include
 include
+ include if exists
+ include if exists
 signal (send) set=(term, kill) peer=qbittorrent//python3,
@@ -46,10 +55,11 @@ profile qbittorrent @{exec_path} {
 # Qbittorrent home dirs
 owner @{user_config_dirs}/qBittorrent/ rw,
 owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
- owner @{user_share_dirs}/qBittorrent/ rw,
- owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/qBittorrent/**/#[0-9]*[0-9],
+ owner @{user_share_dirs}/data/ rw,
+ owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
+ owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
 # Old dir, not recommended to use:
- deny owner @{user_share_dirs}/data/qBittorrent/ rw,
+# deny owner @{user_share_dirs}/data/qBittorrent/ rw,
 # Cache dir
 owner @{user_cache_dirs}/ rw,
@@ -73,17 +83,15 @@ profile qbittorrent @{exec_path} {
 /dev/shm/#[0-9]*[0-9] rw,
- owner @{PROC}/@{pid}/fd/ r,
- deny owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pids}/fd/ r,
+ deny owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ owner @{PROC}/@{pids}/mounts r,
+ owner @{PROC}/@{pids}/comm r,
 deny @{PROC}/sys/kernel/random/boot_id r,
 /usr/share/hwdata/pnp.ids r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
 # TMP
 owner /tmp/qtsingleapp-qBitto-* rw,
 owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
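Review bot: The link target in `owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],` dropped the alternation its source keeps, so a link created under `@{user_share_dirs}/qBittorrent/` may only point into `data/qBittorrent/`, whereas the removed rule let that tree link to its own `#[0-9]*[0-9]` files. If both locations are meant to work, the target should read `-> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],`. The context comment `# Old dir, not recommended to use:` now heads a commented-out deny while the new rules just above grant that same `data/` tree, so either remove both lines or replace the comment with the reason the old location is allowed again, e.g. `# Old dir, still allowed for existing installs:`. The enclosing profile starts and ends outside this hunk.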
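Review bot: Replacing `@{pid}` with `@{pids}` in the four `@{PROC}` rules widens them from the confined task's own /proc entry to any pid, assuming `@{pids}` is the usual apparmor.d pid wildcard; `owner` still limits this to same-uid processes, but `fd/`, `mountinfo`, `mounts` and the new `comm` rule then expose other processes of the same user to qBittorrent. If the wider match is needed, record why in a comment, e.g. `# @{pids} rather than @{pid} on purpose: <reason>`; if only the task's own entry is wanted, keep `@{pid}`. The removed `/etc/machine-id` and `/var/lib/dbus/machine-id` rules are presumably supplied by one of the includes added in the first hunk, but the include targets are not visible in this rendering, so that cannot be confirmed here.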
@@ -97,8 +105,102 @@ profile qbittorrent @{exec_path} {
 owner /tmp/xauth-[0-9]*-_[0-9] rw,
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ # dconf write
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/ICEauthority r,
+
+ # DBus
+ deny dbus send
+ bus=session
+ path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=ListMountableInfo,
+
+ dbus send
+ bus=session
+ path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member=ListMonitorImplementations,
+
+ dbus send
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member=NewToolTip
+ peer=(name=org.freedesktop.DBus),
+
+ dbus receive
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member=Activate
+ peer=(name=:*),
+
+ dbus receive
+ bus=session
+ path=/MenuBar
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus send
+ bus=session
+ path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member=ItemsPropertiesUpdated
+ peer=(name=org.freedesktop.DBus),
+
+ dbus receive
+ bus=session
+ path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
+ peer=(name=:*),
+
+ dbus receive
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*),
+
+ dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus bind
+ bus=session
+ name=org.kde.StatusNotifierItem-*,
+
 # Launch external apps
- /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/xdg-{open,mime} rCx -> open,
 # Allowed apps to open
 /{usr/,}bin/spacefm rPx,
@@ -110,10 +212,58 @@ profile qbittorrent @{exec_path} {
 /{usr/,}bin/qpdfview rPx,
 /{usr/,}bin/ebook-viewer rPx,
 /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/nautilus rPx,
- # file_inherit
- owner /dev/tty[0-9]* rw,
+ profile open {
+ include
+ include
+ include if exists
+ /{usr/,}bin/xdg-open mr,
+
+ # Allowed apps to open
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/vlc rPx,
+ /{usr/,}bin/mpv rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/qpdfview rPx,
+ /{usr/,}bin/ebook-viewer rPx,
+ /{usr/,}lib/firefox/firefox rPx,
+
+ /{usr/,}bin/{ba,da,}sh rix,
+ /{usr/,}bin/{g,m,}awk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/xfce4-mime-helper rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/@{uid}/ r,
+
+ # file_inherit
+ owner @{MOUNTS}/*/torrent/** r,
+ owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
+ owner "@{MOUNTS}/*/torrent/**.!qB" rw,
+
+ owner @{HOME}/.xsession-errors w,
+
+ dbus send
+ bus=session
+ path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member=ListMonitorImplementations,
+
+ dbus send
+ bus=session
+ path=/org/gnome/{Nautilus,Totem,gedit}
+ interface=org.freedesktop.Application
+ member=Open
+ peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
+
+ include if exists
+ }
 profile python3 {
 include
@@ -132,7 +282,7 @@ profile qbittorrent @{exec_path} {
 /{usr/,}bin/python3.[0-9]* r,
- owner @{user_share_dirs}/qBittorrent/nova[0-9]/{,**} rw,
+ owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,
 # Used while searching for torrents
 owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
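Review bot: `/{usr/,}bin/xdg-{open,mime} rCx -> open,` now sends `xdg-mime` into the `open` child profile, but that child (hunk `@@ -110,10 +212,58 @@`) only grants `/{usr/,}bin/xdg-open mr,`, so the `xdg-mime` script has no read rule under `open` and will be refused unless one of the child's includes, whose targets are not visible here, covers it; add `/{usr/,}bin/xdg-mime mr,` beside the xdg-open line in the child. The `dbus receive` rules with `peer=(name=:*)` accept `Activate`, `GetAll`, `GetLayout` and the other menu calls from any unique bus name, presumably because the tray host's name is not known in advance, but a comment such as `# tray host calls back from an unpredictable unique name` above the first of them would record that the wildcard is deliberate. The enclosing profile starts and ends outside this hunk.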
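Review bot: `/{usr/,}bin/nautilus rPx,` is added to the parent's `# Allowed apps to open` list but not to the otherwise identical list inside the new `open` child, although `xdg-open` runs under `open` (`rCx -> open` in the previous hunk) and is what launches these applications. Either add `/{usr/,}bin/nautilus rPx,` to the child list as well or, if Nautilus is only expected to be reached through the `org.freedesktop.Application` `Open` DBus rule lower in the child, say so on the parent line, e.g. `# nautilus: direct exec only; via xdg-open it is reached over DBus`. The hunk ends inside the `python3` child profile, whose body continues outside it.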
@@ -146,41 +296,7 @@ profile qbittorrent @{exec_path} {
 owner @{MOUNTS}/*/torrent/** r,
 deny /dev/dri/card[0-9]* rw,
- }
-
- profile open {
- include
- include
-
- /{usr/,}bin/xdg-open mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- /{usr/,}bin/spacefm rPx,
- /{usr/,}bin/smplayer rPx,
- /{usr/,}bin/vlc rPx,
- /{usr/,}bin/mpv rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/qpdfview rPx,
- /{usr/,}bin/ebook-viewer rPx,
- /{usr/,}lib/firefox/firefox rPx,
-
- # file_inherit
- owner @{MOUNTS}/*/torrent/** r,
- owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
- owner "@{MOUNTS}/*/torrent/**.!qB" rw,
-
- owner @{HOME}/.xsession-errors w,
-
+ include if exists
 }
 include if exists