add bt apparmor profiles

apparmor.d/blueman

@@ -0,0 +1,115 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/blueman-*
+profile blueman @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/gtk>
+  include <abstractions/freedesktop.org>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/user-download-strict>
+  include <abstractions/audio>
+
+  network inet stream,
+  network inet6 stream,
+
+  network bluetooth raw,
+
+  @{exec_path} mrix,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /{usr/,}bin/         r,
+  /{usr/,}bin/dash     rix,
+
+  /{usr/,}bin/xdg-open rCx -> open,
+
+  /usr/share/blueman/{,**} r,
+
+  owner @{HOME}/.cache/blueman-tray-[0-9]* rw,
+  owner @{HOME}/.cache/blueman-services-[0-9]* rw,
+  owner @{HOME}/.cache/blueman-adapters-[0-9]* rw,
+  owner @{HOME}/.cache/blueman-manager-[0-9]* rw,
+  owner @{HOME}/.cache/blueman-applet-[0-9]* rw,
+
+  owner @{HOME}/.cache/obexd/ rw,
+  owner @{HOME}/.cache/obexd/* rw,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/bluetooth*/ r,
+  owner @{HOME}/bluetooth*/* rw,
+
+  # For sending a note (disabled since the feature doesn't seem to work)
+  #owner /tmp/* rw,
+  #owner /var/tmp/* rw,
+  #owner /tmp/note*.vnt rw,
+
+  /var/lib/blueman/network.state r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/cmdline r,
+
+  include <abstractions/dconf>
+  owner @{run}/user/[0-9]*/dconf/ rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
+
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+  /dev/rfkill r,
+
+  /dev/shm/ r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+
+    profile open {
+    include <abstractions/base>
+    include <abstractions/xdg-open>
+
+    /{usr/,}bin/xdg-open mr,
+
+    /{usr/,}bin/{,ba,da}sh      rix,
+    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/readlink        rix,
+    /{usr/,}bin/basename        rix,
+    /{usr/,}bin/uname           rix,
+    /{usr/,}bin/xprop           rix,
+    /{usr/,}bin/file            rix,
+    /{usr/,}bin/dbus-send       rix,
+    /{usr/,}bin/mimetype        rix,
+
+    /usr/share/perl5/** r,
+    /etc/magic r,
+
+    owner @{HOME}/ r,
+    owner @{HOME}/bluetooth*/* r,
+
+    owner @{run}/user/[0-9]*/ r,
+
+    # Allowed apps to open
+    /{usr/,}lib/firefox/firefox rPx,
+    /{usr/,}bin/spacefm         rPx,
+
+    # file_inherit
+    owner @{HOME}/.xsession-errors w,
+
+  }
+
+  include if exists <local/blueman>
+}

apparmor.d/blueman-mechanism

@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/libexec/blueman-mechanism
+profile blueman-mechanism @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+  include <abstractions/nameservice-strict>
+
+  capability net_admin,
+  deny capability sys_nice,
+
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /usr/libexec/ r,
+
+  /var/lib/blueman/network.state rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/rfkill rw,
+
+  # For network AP
+  #/{usr/,}bin/ip                 rix,
+  #/{usr/,}sbin/xtables-nft-multi rix,
+  #/{usr/,}sbin/dnsmasq           rPx,
+  #/{usr/,}sbin/dhclient          rPx,
+  #      @{PROC}/sys/net/ipv4/ip_forward w,
+  #      @{PROC}/sys/net/ipv4/conf/ r,
+  #      @{PROC}/sys/net/ipv4/conf/*/forwarding w,
+  #owner @{run}/blueman-iptables rw,
+  #owner @{run}/blueman-netconfig rw,
+
+  include if exists <local/blueman-mechanism>
+}

apparmor.d/blueman-rfcomm-watcher

@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/libexec/blueman-rfcomm-watcher
+profile blueman-rfcomm-watcher @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /usr/libexec/ r,
+
+  owner @{PROC}/@{pid}/mounts r,
+
+  owner @{HOME}/.Xauthority r,
+
+  include if exists <local/blueman-rfcomm-watcher>
+}

apparmor.d/bluemoon

@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/bluemoon
+profile bluemoon @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/bluemoon>
+}

apparmor.d/obex-folder-listing

@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obex-folder-listing
+profile obex-folder-listing @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/**/ r,
+  owner /media/*/ r,
+  owner /media/*/**/ r,
+
+  include if exists <local/obex-folder-listing>
+}

apparmor.d/obexautofs

@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obexautofs
+profile obexautofs @{exec_path} {
+  include <abstractions/base>
+
+  network bluetooth seqpacket,
+  network bluetooth stream,
+  network bluetooth raw,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/bin/fusermount{,3} rPx,
+
+  owner @{HOME}/bluetooth/ r,
+  mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/bus/usb/devices/ r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/bConfigurationValue r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/bConfigurationValue r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{uevent,busnum,devnum,speed,descriptors} r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r,
+
+  @{run}/udev/data/+usb:* r,
+  @{run}/udev/data/c189:* r,
+
+  /dev/bus/usb/ r,
+  /dev/fuse rw,
+
+  include if exists <local/obexautofs>
+}

apparmor.d/obexctl

@@ -0,0 +1,28 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obexctl
+profile obexctl @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/inputrc r,
+
+  owner @{HOME}/.cache/.obexctl_history rw,
+  owner @{HOME}/.cache/.obexctl_history-@{pid}.tmp rw,
+
+  include if exists <local/obexctl>
+}

apparmor.d/obexd

@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/libexec/bluetooth/obexd
+profile obexd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-download-strict>
+
+  network bluetooth stream,
+  network bluetooth seqpacket,
+
+  @{exec_path} mr,
+
+  owner @{HOME}/.cache/ rw,
+  owner @{HOME}/.cache/obexd/ rw,
+  owner @{HOME}/.cache/obexd/* rw,
+
+  owner @{HOME}/bluetooth/* rw,
+
+  include if exists <local/obexd>
+}

apparmor.d/obexfs

@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obexfs
+profile obexfs @{exec_path} {
+  include <abstractions/base>
+
+  network bluetooth raw,
+  network bluetooth seqpacket,
+  network bluetooth stream,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/fusermount{,3} rPx,
+
+  owner @{HOME}/bluetooth/ r,
+  mount fstype=fuse.obexfs -> @{HOME}/bluetooth/,
+
+  /dev/fuse rw,
+
+  include if exists <local/obexfs>
+}

apparmor.d/obexpush-atd

@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obexpush_atd
+profile obexpush-atd @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/obexpush-atd>
+}

apparmor.d/obexpushd

@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/obexpushd
+profile obexpushd @{exec_path} {
+  include <abstractions/base>
+
+  # For listening on tcp/*:650
+  capability net_bind_service,
+
+  network bluetooth stream,
+  network irda stream,
+  network inet stream,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  # For receiving files
+  owner @{HOME}/bluetooth/* w,
+
+  include if exists <local/obexpushd>
+}