Merge Add profiles for the Transmission family of Bittorrent clients

This covers the various forms of the Transmission BT client. I've tested the `-gtk` one most thoroughly, and run through an ISO download with each of the other three. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1190 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit 30a45ba82f) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 16:35:02 +01:00 · 2024-04-11 22:41:45 +00:00 · 2024-04-11 22:41:45 +00:00 · f763c44cd0
commit f763c44cd0
parent 1d36e1f196
2 changed files with 229 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/transmission-common
+++ b/profiles/apparmor.d/abstractions/transmission-common
@ -0,0 +1,153 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+  include <abstractions/base>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet    dgram,
+  network inet6   dgram,
+  network netlink dgram,
+  network inet    stream,
+  network inet6   stream,
+
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.Transmission,
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.transmission_*,
+
+  dbus (receive)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Notify,
+  dbus (send)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Change
+       peer=(name=ca.desrt.dconf),
+
+  dbus (receive)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set,
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetDeviceEventListeners,GetKeystrokeListeners}
+       peer=(name=org.a11y.atspi.Registry),
+
+  dbus (send)
+       bus={accessibility,session}
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       path=/StatusNotifierWatcher
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/StatusNotifierWatcher
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/org/a11y/bus
+       member=Get
+       peer=(name=org.a11y.Bus),
+  dbus (send)
+       bus=system
+       interface=org.freedesktop.DBus.Properties
+       path=/org/freedesktop/hostname1
+       member=GetAll,
+
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.Notifications
+       path=/org/freedesktop/Notifications
+       member={GetCapabilities,Notify},
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/Private/RemoteVolumeMonitor
+       interface=org.gtk.Private.RemoteVolumeMonitor
+       member={IsSupported,List},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member={GetConnection,ListMonitorImplementations},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mount/[1-9]*
+       interface=org.gtk.vfs.Mount
+       member={CreateFileMonitor,Enumerate,QueryInfo},
+  dbus (receive)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=Mounted,
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member={ListMountableInfo,ListMounts2,LookupMount},
+
+  @{PROC}/sys/kernel/random/uuid r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+
+  @{etc_ro}/fstab r,
+
+  @{system_share_dirs}/hwdata/** r,
+  @{system_share_dirs}/lxqt/**   r,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  # allow a top-level directory listing
+  @{HOME}/ r,
+
+  owner @{HOME}/.cache/transmission/    w,
+  owner @{HOME}/.cache/transmission/**  rw,
+  owner @{HOME}/.config/transmission/   w,
+  owner @{HOME}/.config/transmission/** rw,
+
+  owner @{HOME}/.config/lxqt/lxqt.conf  r,
+
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/    r,
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/**  rw,
+
+  # exclude these for now
+  deny /usr/share/thumbnailers/ r,
+  deny @{HOME}/.local/share/gvfs-metadata/** r,
+  deny @{HOME}/.config/lxqt/**  rw,
+
+  include if exists <abstractions/transmission-common.d>
--- a/profiles/apparmor.d/transmission
+++ b/profiles/apparmor.d/transmission
@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
+  # Don't use abstractions/transmission-common here, as the
+  # access needed is narrower than the user applications
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet  dgram,
+  network inet6 dgram,
+  network inet  stream,
+  network inet6 stream,
+
+  owner @{PROC}/@{pid}/mounts r,
+  @{PROC}/sys/kernel/random/uuid r,
+
+  @{run}/systemd/notify w,
+
+  /etc/transmission-daemon/** r,
+  owner /etc/transmission-daemon/settings.json{,.tmp.*} rw,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  /usr/share/transmission/web/** r,
+
+  owner /var/lib/transmission-daemon/.config/transmission-daemon/** rw,
+  owner /var/lib/transmission-daemon/downloads/** rw,
+  owner /var/lib/transmission-daemon/info/**      rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-daemon>
+}
+
+profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/consoles>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-cli>
+}
+
+profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf>
+  include <abstractions/gnome>
+
+  owner @{run}/user/*/dconf/user w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-gtk>
+}
+
+profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/fonts>
+  include <abstractions/X>
+  include <abstractions/qt5>
+  include <abstractions/qt5-settings-write>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-qt>
+}