From f7ddca7289468531a9e23f8e0e07ee0073323977 Mon Sep 17 00:00:00 2001
From: Mikhail Morfikov
Date: Sun, 14 Mar 2021 19:03:30 +0100
Subject: [PATCH] add bt apparmor profiles
---
 apparmor.d/blueman | 115 ++++++++++++++++++++++++++++++
 apparmor.d/blueman-mechanism | 53 ++++++++++++++
 apparmor.d/blueman-rfcomm-watcher | 31 ++++++++
 apparmor.d/bluemoon | 23 ++++++
 apparmor.d/obex-folder-listing | 28 ++++++++
 apparmor.d/obexautofs | 47 ++++++++++++
 apparmor.d/obexctl | 28 ++++++++
 apparmor.d/obexd | 33 +++++++++
 apparmor.d/obexfs | 34 +++++++++
 apparmor.d/obexpush-atd | 23 ++++++
 apparmor.d/obexpushd | 34 +++++++++
 11 files changed, 449 insertions(+)
 create mode 100644 apparmor.d/blueman
 create mode 100644 apparmor.d/blueman-mechanism
 create mode 100644 apparmor.d/blueman-rfcomm-watcher
 create mode 100644 apparmor.d/bluemoon
 create mode 100644 apparmor.d/obex-folder-listing
 create mode 100644 apparmor.d/obexautofs
 create mode 100644 apparmor.d/obexctl
 create mode 100644 apparmor.d/obexd
 create mode 100644 apparmor.d/obexfs
 create mode 100644 apparmor.d/obexpush-atd
 create mode 100644 apparmor.d/obexpushd
diff --git a/apparmor.d/blueman b/apparmor.d/blueman
new file mode 100644
index 00000000..b370920a
--- /dev/null
+++ b/apparmor.d/blueman
@@ -0,0 +1,115 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/blueman-*
+profile blueman @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ network bluetooth raw,
+
+ @{exec_path} mrix,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/dash rix,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ /usr/share/blueman/{,**} r,
+
+ owner @{HOME}/.cache/blueman-tray-[0-9]* rw,
+ owner @{HOME}/.cache/blueman-services-[0-9]* rw,
+ owner @{HOME}/.cache/blueman-adapters-[0-9]* rw,
+ owner @{HOME}/.cache/blueman-manager-[0-9]* rw,
+ owner @{HOME}/.cache/blueman-applet-[0-9]* rw,
+
+ owner @{HOME}/.cache/obexd/ rw,
+ owner @{HOME}/.cache/obexd/* rw,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/bluetooth*/ r,
+ owner @{HOME}/bluetooth*/* rw,
+
+ # For sending a note (disabled since the feature doesn't seem to work)
+ #owner /tmp/* rw,
+ #owner /var/tmp/* rw,
+ #owner /tmp/note*.vnt rw,
+
+ /var/lib/blueman/network.state r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/cmdline r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /dev/rfkill r,
+
+ /dev/shm/ r,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/xprop rix,
+ /{usr/,}bin/file rix,
+ /{usr/,}bin/dbus-send rix,
+ /{usr/,}bin/mimetype rix,
+
+ /usr/share/perl5/** r,
+ /etc/magic r,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/bluetooth*/* r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/spacefm rPx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/blueman-mechanism b/apparmor.d/blueman-mechanism
new file mode 100644
index 00000000..13a70ff8
--- /dev/null
+++ b/apparmor.d/blueman-mechanism
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /usr/libexec/blueman-mechanism
+profile blueman-mechanism @{exec_path} {
+ include
+ include
+ include
+
+ capability net_admin,
+ deny capability sys_nice,
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/libexec/ r,
+
+ /var/lib/blueman/network.state rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/rfkill rw,
+
+ # For network AP
+ #/{usr/,}bin/ip rix,
+ #/{usr/,}sbin/xtables-nft-multi rix,
+ #/{usr/,}sbin/dnsmasq rPx,
+ #/{usr/,}sbin/dhclient rPx,
+ # @{PROC}/sys/net/ipv4/ip_forward w,
+ # @{PROC}/sys/net/ipv4/conf/ r,
+ # @{PROC}/sys/net/ipv4/conf/*/forwarding w,
+ #owner @{run}/blueman-iptables rw,
+ #owner @{run}/blueman-netconfig rw,
+
+ include if exists
+}
diff --git a/apparmor.d/blueman-rfcomm-watcher b/apparmor.d/blueman-rfcomm-watcher
new file mode 100644
index 00000000..cc4cc414
--- /dev/null
+++ b/apparmor.d/blueman-rfcomm-watcher
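Review bot: The five `owner @{HOME}/.cache/blueman-*-[0-9]* rw,` rules in the blueman profile are the same rule repeated with a different word, and the file already uses brace alternation for `/{usr/,}bin/{,ba,da}sh`; one line keeps the same set, `owner @{HOME}/.cache/blueman-{tray,services,adapters,manager,applet}-[0-9]* rw,`. Separately, `owner @{HOME}/bluetooth*/ r,` and `owner @{HOME}/bluetooth*/* rw,` match any home directory whose name starts with "bluetooth", whereas the obexd, obexfs and obexautofs profiles in this series fix the transfer folder as `@{HOME}/bluetooth/`; if blueman uses the same folder, tightening the glob to `@{HOME}/bluetooth/` keeps the user-writable surface identical across the set. Both are hedged on the folder name blueman actually uses, which the hunk does not show.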
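Review bot: `capability net_admin,` in blueman-mechanism carries no comment, while the other capability grant in this series (obexpushd) explains its purpose, and net_admin is the broadest of the two rules here. At least the `/dev/rfkill rw,` line depends on it, since the kernel gates rfkill writes on CAP_NET_ADMIN; the commented-out network-AP block presumably would too once enabled. A one-line why-comment makes the grant auditable: `# Writes to /dev/rfkill (and the disabled network AP setup) need CAP_NET_ADMIN`.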
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /usr/libexec/blueman-rfcomm-watcher
+profile blueman-rfcomm-watcher @{exec_path} {
+ include
+ include
+
+ @{exec_path} r,
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/libexec/ r,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ owner @{HOME}/.Xauthority r,
+
+ include if exists
+}
diff --git a/apparmor.d/bluemoon b/apparmor.d/bluemoon
new file mode 100644
index 00000000..a5ff852a
--- /dev/null
+++ b/apparmor.d/bluemoon
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/bluemoon
+profile bluemoon @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/obex-folder-listing b/apparmor.d/obex-folder-listing
new file mode 100644
index 00000000..4d417b9b
--- /dev/null
+++ b/apparmor.d/obex-folder-listing
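Review bot: `owner @{HOME}/.Xauthority r,` in blueman-rfcomm-watcher hands a libexec helper the X session cookie, and nothing in the hunk says why a watcher process needs it. If it is there to pop up a dialog or notification on the user's display, a comment stating that keeps the grant from being mistaken for an over-broad rule later: `# Needed to talk to the user's X server (presumably for a dialog/notification) - confirm`. If the helper turns out not to need a display, the rule can be dropped instead.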
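Review bot: The bluemoon profile allows only `@{exec_path} mr,` plus one abstraction, with no `network` rule at all. If bluemoon talks to the Bluetooth controller over an HCI socket, as the other controller-facing profiles in this series do, it will need `network bluetooth raw,` and would currently fail with a socket denial in the audit log; this is inferred from what the tool is for, not from the hunk, so a quick run under the profile would settle it. Should the profile be correct as-is, a comment noting that bluemoon needs no socket access would save the next reader the same question.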
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obex-folder-listing
+profile obex-folder-listing @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ owner /media/*/ r,
+ owner /media/*/**/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/obexautofs b/apparmor.d/obexautofs
new file mode 100644
index 00000000..c9f82759
--- /dev/null
+++ b/apparmor.d/obexautofs
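Review bot: `owner @{HOME}/**/ r,` lets obex-folder-listing enumerate every directory under the home, including dot-directories such as `~/.ssh/` or `~/.gnupg/`, and a folder listing is exactly what this tool produces for an OBEX peer, so directory names from those locations become visible outside the machine. If listings of hidden directories are not required, carve them out with explicit deny rules, which win over the allow: `deny owner @{HOME}/.*/ r,` and `deny owner @{HOME}/.*/**/ r,`. The `/media/*/**/` rules have the same shape but removable media is presumably what the tool is meant to expose, so they can stay.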
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obexautofs
+profile obexautofs @{exec_path} {
+ include
+
+ network bluetooth seqpacket,
+ network bluetooth stream,
+ network bluetooth raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/bin/fusermount{,3} rPx,
+
+ owner @{HOME}/bluetooth/ r,
+ mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/bConfigurationValue r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bConfigurationValue r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/{uevent,busnum,devnum,speed,descriptors} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r,
+
+ @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/c189:* r,
+
+ /dev/bus/usb/ r,
+ /dev/fuse rw,
+
+ include if exists
+}
diff --git a/apparmor.d/obexctl b/apparmor.d/obexctl
new file mode 100644
index 00000000..ace482d3
--- /dev/null
+++ b/apparmor.d/obexctl
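Review bot: `/usr/bin/fusermount{,3} rPx,` in obexautofs is the only executable path in this series written without the `/{usr/,}bin/` alternation; the obexfs profile spells the same rule `/{usr/,}bin/fusermount{,3} rPx,`, and every other binary here uses that form. On a non-merged-/usr system the obexautofs rule would miss `/bin/fusermount` while obexfs matches it, so align it: `/{usr/,}bin/fusermount{,3} rPx,`. Both profiles also rely on `rPx` transitioning into a fusermount profile, which this patch does not add; if none exists in the tree, the exec will be denied rather than run unconfined, so it is worth confirming one ships alongside. The `mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/,` line is a good example of a tightly scoped mount rule and matches the obexfs one.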
@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obexctl
+profile obexctl @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/inputrc r,
+
+ owner @{HOME}/.cache/.obexctl_history rw,
+ owner @{HOME}/.cache/.obexctl_history-@{pid}.tmp rw,
+
+ include if exists
+}
diff --git a/apparmor.d/obexd b/apparmor.d/obexd
new file mode 100644
index 00000000..c2fe567e
--- /dev/null
+++ b/apparmor.d/obexd
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /usr/libexec/bluetooth/obexd
+profile obexd @{exec_path} {
+ include
+ include
+
+ network bluetooth stream,
+ network bluetooth seqpacket,
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/obexd/ rw,
+ owner @{HOME}/.cache/obexd/* rw,
+
+ owner @{HOME}/bluetooth/* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/obexfs b/apparmor.d/obexfs
new file mode 100644
index 00000000..e65f33a6
--- /dev/null
+++ b/apparmor.d/obexfs
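Review bot: `owner @{HOME}/.cache/ rw,` in obexd grants write on the cache root itself, which covers creating or removing any entry there, not just `obexd/`. AppArmor mediates a mkdir by the path being created, so `owner @{HOME}/.cache/obexd/ rw,` on the next line should already cover creating that directory; if the root rule came from a denial in the log it is worth re-checking, otherwise `owner @{HOME}/.cache/ r,` is the narrower grant. In the other direction, `owner @{HOME}/bluetooth/* rw,` covers files but not the directory: if obexd serves folder browsing from `~/bluetooth/`, it will also need `owner @{HOME}/bluetooth/ r,` to list it, as obexfs and obexautofs already have. Both points are inferred from obexd's role rather than from the hunk.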
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obexfs
+profile obexfs @{exec_path} {
+ include
+
+ network bluetooth raw,
+ network bluetooth seqpacket,
+ network bluetooth stream,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/fusermount{,3} rPx,
+
+ owner @{HOME}/bluetooth/ r,
+ mount fstype=fuse.obexfs -> @{HOME}/bluetooth/,
+
+ /dev/fuse rw,
+
+ include if exists
+}
diff --git a/apparmor.d/obexpush-atd b/apparmor.d/obexpush-atd
new file mode 100644
index 00000000..34cdeb9a
--- /dev/null
+++ b/apparmor.d/obexpush-atd
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obexpush_atd
+profile obexpush-atd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/obexpushd b/apparmor.d/obexpushd
new file mode 100644
index 00000000..e78aa5f6
--- /dev/null
+++ b/apparmor.d/obexpushd
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/obexpushd
+profile obexpushd @{exec_path} {
+ include
+
+ # For listening on tcp/*:650
+ capability net_bind_service,
+
+ network bluetooth stream,
+ network irda stream,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ # For receiving files
+ owner @{HOME}/bluetooth/* w,
+
+ include if exists
+}
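Review bot: `owner @{HOME}/bluetooth/* w,` and `capability net_bind_service,` pull in different directions: binding tcp/650 (per the comment) normally means obexpushd is started as root, and then `owner` only matches root-owned files and `@{HOME}` resolves to root's home, so pushes into a regular user's `~/bluetooth/` would be denied. Confirm which user the daemon runs as; if it is root, either drop `owner` or grant the capability through a file capability and run it as the user. The write-only `w` (no `r`) for the receive folder is the right shape for a service that accepts files from the network and Bluetooth, since it cannot read back what it, or anything else, stored there. Note that `w` still allows overwriting or truncating existing files in that folder, which AppArmor cannot express more narrowly; if that matters, the daemon's own naming policy has to handle collisions.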