From f7b9ff959ad65cb88b2a40a6a75c473c89080dc9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 17 Aug 2023 18:37:36 +0100
Subject: [PATCH] feat(profiles): rewrite the signal-desktop profile.
---
 apparmor.d/groups/apps/signal-desktop | 96 +++++++++++++-------------
 1 file changed, 45 insertions(+), 51 deletions(-)
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index 65a5d95d..00fd822e 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@@ -1,28 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+
 abi ,
 include
-@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}"
-@{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}"
+@{name} = signal-desktop{,-beta}
+@{lib_dirs} = "/opt/Signal{, Beta}"
+@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
-#@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} # (#FIXME#)
-@{exec_path} = "/opt/Signal{, Beta}/signal-desktop{,-beta}" # (#FIXME#)
-profile signal-desktop @{exec_path} flags=(attach_disconnected) {
+@{exec_path} = @{lib_dirs}/@{name}
+profile signal-desktop @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
 include
+ include
+ include
+ include
+ include
+ include
+ include
 include
 include
+ include
 include
- include # Needed?
 deny capability sys_ptrace,
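Review bot: The new header `profile signal-desktop @{exec_path} {` drops `flags=(attach_disconnected)` and neither a comment nor the commit message says why it is no longer needed. That flag governs how the policy mediates files whose path is disconnected from the namespace root, which Chromium-derived sandboxes can produce; if the expectation is now that such accesses only happen in the child reached via `chrome-sandbox rPx` (hunk 2), that reasoning is worth one line, e.g. `# attach_disconnected not needed here: sandboxed children transition to the chrome-sandbox profile`. The removed `include` that carried `# Needed?` also leaves with the question unanswered, so a note of what was exercised to confirm the narrowing would make it reviewable. The include targets are not visible in this rendering, so the above is inferred from the markers alone.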
@@ -35,53 +37,45 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- # Signal installation dir (#FIXME#)
- @{SIGNAL_INSTALLDIR}/ r,
- @{SIGNAL_INSTALLDIR}/** r,
- @{SIGNAL_INSTALLDIR}/libnode.so mr,
- @{SIGNAL_INSTALLDIR}/libffmpeg.so mr,
- @{SIGNAL_INSTALLDIR}/{swiftshader/,}libGLESv2.so mr,
- @{SIGNAL_INSTALLDIR}/{swiftshader/,}libEGL.so mr,
- @{SIGNAL_INSTALLDIR}/chrome-sandbox rPx,
- @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
- @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
- @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
+ @{bin}/getconf rix,
+ @{bin}/xdg-settings rPx,
- # Signal home dirs
- @{SIGNAL_HOMEDIR}/ rw,
- @{SIGNAL_HOMEDIR}/** rwk,
-
- # Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in
- # your system, use the TMPDIR variable to set some other tmp dir.
- owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw,
-
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- @{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r,
- @{sys}/devices/virtual/tty/tty[0-9]/active r,
- @{sys}/fs/cgroup/** r,
-
- @{PROC}/ r,
- owner @{PROC}/@{pid}/fd/ r,
- deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- owner @{PROC}/@{pids}/task/ r,
- owner @{PROC}/@{pids}/task/@{tid}/status r,
- @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pids}/statm r,
- deny owner @{PROC}/@{pid}/cmdline r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
- @{PROC}/vmstat r,
+ @{lib_dirs}/ r,
+ @{lib_dirs}/{swiftshader/,}libEGL.so mr,
+ @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
+ @{lib_dirs}/** r,
+ @{lib_dirs}/chrome-sandbox rPx,
+ @{lib_dirs}/libffmpeg.so mr,
+ @{lib_dirs}/libnode.so mr,
+ @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
+ @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
+ @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- # Allow systemd-inhibit
+ owner @{config_dirs}/ rw,
+ owner @{config_dirs}/** rwk,
+ owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,
+
 @{run}/systemd/inhibit/*.ref rw,
- # No new privs
- @{bin}/xdg-settings rPx,
+ @{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/virtual/tty/tty[0-9]/active r,
+ @{sys}/fs/cgroup/** r,
- @{bin}/getconf rix,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+ owner @{PROC}/@{pids}/statm r,
+ owner @{PROC}/@{pids}/task/ r,
+ owner @{PROC}/@{pids}/task/@{tid}/status r,
 include if exists
 }
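Review bot: Two explicit `deny` rules are silently flipped into allows in the /proc block: `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,` becomes `owner @{PROC}/@{pid}/oom_{,score_}adj rw,` and `deny owner @{PROC}/@{pid}/cmdline r,` becomes `owner @{PROC}/@{pid}/cmdline r,`, and a commit titled "rewrite" does not say the widening is intended. An explicit `deny` is a quiet deny, so the original author presumably chose it to stop a Chromium-style write attempt from generating audit noise without granting it; `oom_score_adj` write changes OOM-kill priority, which a messaging client has no evident need for. Unless a denial was actually observed to break Signal, keep `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,` and record the reason in a comment; the `cmdline` read is harmless and can stay. Separately, `owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,` grants map-executable and write on the same files and the comment that used to explain that requirement is dropped, so a one-line `# Chromium maps its temp files executable (W+X is intentional here)` would keep the rationale visible.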