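# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2015-2020 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# NOTE(review): the `<...>` argument of every `abi` and `include` line in
# this listing was lost in extraction, so those lines are kept verbatim
# below and the file will not parse as-is. Restore the targets from the
# upstream profile (e.g. the abstractions and local/ include) before loading.
abi ,

include

# Single source of truth for the download location; every torrent-path rule
# below refers to it so that changing the mount point is a one-line edit.
@{TORRENT_DIR} = /media/*/torrent

@{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} {
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include

  # Only the search-engine child (qbittorrent//python3) may be signalled,
  # and only with TERM/KILL.
  signal (send) set=(term, kill) peer=qbittorrent//python3,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,

  @{exec_path} mr,

  # For "search engine": python3 runs in the confined child profile
  # defined further down (Cx transition), not unconfined.
  /{usr/,}bin/python3.[0-9]* rCx -> python3,

  # Qbittorrent home dirs
  owner @{HOME}/.config/qBittorrent/ rw,
  owner @{HOME}/.config/qBittorrent/** rwkl -> @{HOME}/.config/qBittorrent/#[0-9]*[0-9],
  owner @{HOME}/.local/share/data/qBittorrent/ rw,
  owner @{HOME}/.local/share/data/qBittorrent/** rwl -> @{HOME}/.local/share/data/qBittorrent/**/#[0-9]*[0-9],

  # Cache dir
  owner @{HOME}/.cache/ rw,
  owner @{HOME}/.cache/#[0-9]*[0-9] rw,
  owner @{HOME}/.cache/qBittorrent/{,**} rw,

  # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
  owner @{HOME}/.config/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,

  # Torrent files
  /media/ r,
  owner /media/*/ r,
  owner @{TORRENT_DIR}/ r,
  owner @{TORRENT_DIR}/** rw,

  # GeoIP settings
  /usr/share/GeoIP/GeoIP.dat r,

  /dev/disk/by-label/ r,

  /dev/shm/#[0-9]*[0-9] rw,

  # Explicit `deny` rules are quiet: they block the access without logging
  # it, which keeps the audit log free of known, harmless attempts.
  owner @{PROC}/@{pid}/fd/ r,
  deny owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  deny @{PROC}/sys/kernel/random/boot_id r,

  /usr/share/hwdata/pnp.ids r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # TMP
  owner /tmp/qtsingleapp-qBitto-* rw,
  owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
  owner /tmp/.qBittorrent/ rw,
  owner /tmp/.qBittorrent/#[0-9]*[0-9] rw,
  owner /tmp/.qBittorrent/[a-zA-Z]* rwl -> /tmp/.qBittorrent/#[0-9]*[0-9],
  owner /tmp/mozilla_*/*.torrent rw,
  # To load/add torrents from the search engine.
  # NOTE(review): `/tmp/tmp*` and `/tmp/.*/{,s}` are wide globs (owner-
  # restricted, but they match any user-owned file with those prefixes);
  # narrow them if the search engine's actual temp-file names are known.
  owner /tmp/tmp* rw,
  owner /tmp/.*/{,s} rw,
  owner /tmp/xauth-[0-9]*-_[0-9] rw,

  # Launch external apps (confined by the `open` child profile below)
  /{usr/,}bin/xdg-open rCx -> open,

  # Allowed apps to open.
  # `Px` requires a loaded profile for the target; `PUx` (viewnior) falls
  # back to running UNCONFINED when no such profile exists, so that entry
  # is only as strong as the presence of a viewnior profile on the host.
  /{usr/,}bin/spacefm rPx,
  /{usr/,}bin/smplayer rPx,
  /{usr/,}bin/vlc rPx,
  /{usr/,}bin/mpv rPx,
  /{usr/,}bin/geany rPx,
  /{usr/,}bin/viewnior rPUx,
  /{usr/,}bin/qpdfview rPx,
  /{usr/,}bin/ebook-viewer rPx,
  /{usr/,}lib/firefox/firefox rPx,

  # file_inherit
  owner /dev/tty[0-9]* rw,

  # Child profile for the built-in search engine (python3 plugins).
  profile python3 {
    include
    include
    include
    include
    include

    # Mirror of the parent's `signal (send)` rule.
    signal (receive) set=(term, kill) peer=qbittorrent,

    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    /{usr/,}bin/python3.[0-9]* r,

    owner @{HOME}/.local/share/data/qBittorrent/nova[0-9]/{,**} rw,

    # Used while searching for torrents (multiprocessing semaphores).
    # NOTE(review): `/dev/shm/*` grants rw on every user-owned shm object,
    # not just the sem.mp-* ones; keep an eye on it when tightening.
    owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
    owner /dev/shm/* rw,

    # To load/add torrents from the search engine
    owner /tmp/[0-9]*[0-9] rw,
    owner /tmp/tmp* rw,

    # file_inherit (read-only view of the download dir, via @{TORRENT_DIR})
    owner @{TORRENT_DIR}/** r,

    deny /dev/dri/card[0-9]* rw,
  }

  # Child profile for xdg-open: only the shell helpers it needs, then a
  # Px transition into each viewer's own profile.
  profile open {
    include
    include

    /{usr/,}bin/xdg-open mr,

    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/gawk rix,
    /{usr/,}bin/readlink rix,
    /{usr/,}bin/basename rix,

    owner @{HOME}/ r,
    owner @{run}/user/[0-9]*/ r,

    # Allowed apps to open (same list and same PUx caveat as the parent)
    /{usr/,}bin/spacefm rPx,
    /{usr/,}bin/smplayer rPx,
    /{usr/,}bin/vlc rPx,
    /{usr/,}bin/mpv rPx,
    /{usr/,}bin/geany rPx,
    /{usr/,}bin/viewnior rPUx,
    /{usr/,}bin/qpdfview rPx,
    /{usr/,}bin/ebook-viewer rPx,
    /{usr/,}lib/firefox/firefox rPx,

    # file_inherit: handles inherited from qbittorrent on the download dir.
    # Unquoted paths use @{TORRENT_DIR}; the `.!qB` rule stays quoted and
    # literal because of the `!` in the pattern.
    owner @{TORRENT_DIR}/** r,
    owner @{TORRENT_DIR}/**.[0-9a-f]*.parts rw,
    owner "/media/*/torrent/**.!qB" rw,
    owner @{HOME}/.xsession-errors w,
  }

  include if exists
}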