feat(profiles): rewrite the signal-desktop profile.

Alexandre Pujol 2023-08-17 18:37:36 +01:00
parent 5911c43930
commit f7b9ff959a
GPG Key ID: C5469996F0DF68EC


@ -1,28 +1,30 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{name} = signal-desktop{,-beta}
@{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}" @{lib_dirs} = "/opt/Signal{, Beta}"
@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
#@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} # (#FIXME#) @{exec_path} = @{lib_dirs}/@{name}
@{exec_path} = "/opt/Signal{, Beta}/signal-desktop{,-beta}" # (#FIXME#) profile signal-desktop @{exec_path} {
profile signal-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/chromium-common>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/chromium-common>
# Needed? # Needed?
deny capability sys_ptrace, deny capability sys_ptrace,
@ -35,53 +37,45 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
# Signal installation dir (#FIXME#) @{bin}/getconf rix,
@{SIGNAL_INSTALLDIR}/ r, @{bin}/xdg-settings rPx,
@{SIGNAL_INSTALLDIR}/** r,
@{SIGNAL_INSTALLDIR}/libnode.so mr,
@{SIGNAL_INSTALLDIR}/libffmpeg.so mr,
@{SIGNAL_INSTALLDIR}/{swiftshader/,}libGLESv2.so mr,
@{SIGNAL_INSTALLDIR}/{swiftshader/,}libEGL.so mr,
@{SIGNAL_INSTALLDIR}/chrome-sandbox rPx,
@{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
@{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
@{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
# Signal home dirs @{lib_dirs}/ r,
@{SIGNAL_HOMEDIR}/ rw, @{lib_dirs}/{swiftshader/,}libEGL.so mr,
@{SIGNAL_HOMEDIR}/** rwk, @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
@{lib_dirs}/** r,
# Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in @{lib_dirs}/chrome-sandbox rPx,
# your system, use the TMPDIR variable to set some other tmp dir. @{lib_dirs}/libffmpeg.so mr,
owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw, @{lib_dirs}/libnode.so mr,
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
@{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r, @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{sys}/fs/cgroup/** r,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/vmstat r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
# Allow systemd-inhibit owner @{config_dirs}/ rw,
owner @{config_dirs}/** rwk,
owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,
@{run}/systemd/inhibit/*.ref rw, @{run}/systemd/inhibit/*.ref rw,
# No new privs @{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r,
@{bin}/xdg-settings rPx, @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{sys}/fs/cgroup/** r,
@{bin}/getconf rix, @{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pids}/statm r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
include if exists <local/signal-desktop> include if exists <local/signal-desktop>
} }
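Review bot: The new-side rules `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/oom_{,score_}adj rw,` replace what the old profile expressed as explicit `deny` rules, so this rewrite widens the profile (the process may now write its own OOM score) while the commit message only describes a rewrite; if the loosening is intended it deserves a comment on those lines, e.g. `# TODO(review): state why oom_score_adj/cmdline access is now allowed rather than denied`, otherwise the `deny` should be kept. The profile header on the new side also drops `flags=(attach_disconnected)` from the old `profile signal-desktop @{exec_path} flags=(attach_disconnected) {`, which is a behaviour change for a Chromium-sandboxed app that the description should mention. The rule `owner @{config_dirs}/tmp/.org.chromium.Chromium.* mrw,` keeps the `m` and `w` permissions together on a writable temp path, and the old comment explaining that Signal needs an exec-capable tmp directory (and that TMPDIR is the workaround) was removed with the rewrite; that rationale should be restated directly above the rule since it is the one exception to the profile's otherwise read-only mapping of code.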