From fae582b66b62adc60d53766d5763b0bf76f8ba7b Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 3 Feb 2020 21:32:21 +0000 Subject: [PATCH] Add xdg-open (and friends) abstraction Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments. Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers. PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404 Acked-by: John Johansen (cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a) 622fc44b Add xdg-open (and friends) abstraction af278ca6 exo-open: Fix denials on OpenSUSE f07f0771 exo-open: Allow playing alert sounds 80514906 kde-open5: use dbus-network-manager-strict abstraction ac08dc66 kde-open5: fix denies Ubuntu Eoan 501aada8 gio-open: fix denies Ubuntu Eoan 0a55babe exo-open: do not enable a11y by default e77abfa5 exo-open: update comment about DBUS denial d35faafd kde-open5: do not enable a11y by default 8b481d46 kde-open5: do not enable gstreamer support by default 162e5086 xdg-open: update usage example --- profiles/apparmor.d/abstractions/exo-open | 71 ++++++++++++++ profiles/apparmor.d/abstractions/gio-open | 55 +++++++++++ profiles/apparmor.d/abstractions/gvfs-open | 43 +++++++++ profiles/apparmor.d/abstractions/kde-open5 | 102 +++++++++++++++++++++ profiles/apparmor.d/abstractions/xdg-open | 82 +++++++++++++++++ 5 files changed, 353 insertions(+) create mode 100644 profiles/apparmor.d/abstractions/exo-open create mode 100644 profiles/apparmor.d/abstractions/gio-open create mode 100644 profiles/apparmor.d/abstractions/gvfs-open create mode 100644 profiles/apparmor.d/abstractions/kde-open5 create mode 100644 profiles/apparmor.d/abstractions/xdg-open diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open new file mode 100644 index 000000000..85fb8c522 --- /dev/null +++ b/profiles/apparmor.d/abstractions/exo-open @@ -0,0 +1,71 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via exo-open helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/exo-open directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/exo-open rPx -> foo//exo-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//exo-open { +# #include +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # Add if accesibility access is considered as required +# # (for message boxe in case exo-open fails) +# #include +# +# # < add additional allowed applications here > +# } + + #include + #include # for alert messages + #include + #include + #include + + # Main executables + + /usr/bin/exo-open rix, + /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix, + + # Other executables + + /{,usr/}bin/which rix, + + # Deny DBus + + # for GTK error message dialog, not required exo-open to work. + deny dbus send + bus=session + path=/org/gtk/vfs/mounttracker, + + # System files + + /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, + /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction? + /usr/share/sounds/freedesktop/** r, # for message box alert sound + /usr/share/xfce4/helpers/*.desktop r, + /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r, + + # User files + + owner @{PROC}/@{pid}/fd/ r, + owner @{HOME}/.config/xfce4/helpers.rc r, + diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open new file mode 100644 index 000000000..f81a820d1 --- /dev/null +++ b/profiles/apparmor.d/abstractions/gio-open @@ -0,0 +1,55 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via gio helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/gio directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/gio rPx -> foo//gio-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//gio-open { +# #include +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # < add additional allowed applications here > +# } + + #include + #include + + # Main executables + + /usr/bin/gio rix, + /usr/bin/gio-launch-desktop ix, # for OpenSUSE + /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, + + # System files + + /etc/gnome/defaults.list r, + /usr/share/mime/* r, + /usr/share/{,*/}applications/{,**} r, + /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, + /var/lib/snapd/desktop/applications/{,**} r, + + # User files + + owner @{HOME}/.config/mimeapps.list r, + owner @{HOME}/.local/share/applications/{,*.desktop} r, + owner @{PROC}/@{pid}/fd/ r, + diff --git a/profiles/apparmor.d/abstractions/gvfs-open b/profiles/apparmor.d/abstractions/gvfs-open new file mode 100644 index 000000000..c0e20717c --- /dev/null +++ b/profiles/apparmor.d/abstractions/gvfs-open @@ -0,0 +1,43 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via gvfs-open helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/gvfs-open directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/gvfs-open rPx -> foo//gvfs-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//gvfs-open { +# #include +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # < add additional allowed applications here > +# } +# ``` + + #include + + # gvfs-open is deprecated, it launches gio open + #include + + # Main executables + + /usr/bin/gvfs-open r, + /{,usr/}bin/dash mr, + diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5 new file mode 100644 index 000000000..4ff22e0da --- /dev/null +++ b/profiles/apparmor.d/abstractions/kde-open5 @@ -0,0 +1,102 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via kde-open5 helper. +# +# NOTE: most likely you want to use xdg-open abstraction instead for better +# portability across desktop environments, unless you are sure that confined +# application only uses /usr/bin/kde-open5 directly. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/kde-open5 rPx -> foo//kde-open5, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//kde-open5 { +# #include +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # Add if accesibility access is considered as required +# # (for message boxe in case exo-open fails) +# #include +# +# # Add if audio support for message box is +# # considered as required. +# #include if exists +# +# # < add additional allowed applications here > +# } +# ``` + + #include # for alert messages + #include + #include + #include + #include + #include + #include + #include + #include # for IceProcessMessages () from libICE.so (called by libQtCore.so) + #include + #include + #include + #include + + # Main executables + + /usr/bin/kde-open5 rix, + /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix, + + # DBus + + dbus + bus=session + interface=org.kde.KLauncher + member=start_service_by_desktop_path + peer=(name=org.kde.klauncher5), + + # Denied system files + + deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109 + + # libpcre2 on openSUSE tries to mmap() shared memory on directory. + # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html + # AppArmor does not allow to distinguish "real" file vs shared memory one, + # so we deny this path to protect from loading exploits from /tmp. + deny /tmp/#[0-9]*[0-9] m, + + # System files + + /dev/tty r, + /etc/xdg/accept-languages.codes r, + /etc/xdg/menus/{,*/} r, + /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box + /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box + /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE + /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so + /usr/share/mime/ r, + /usr/share/mime/generic-icons r, + /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction? + /usr/share/sounds/ r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + + # User files + + owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so + owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 + owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) + owner @{HOME}/.cache/kio_http/ rw, + diff --git a/profiles/apparmor.d/abstractions/xdg-open b/profiles/apparmor.d/abstractions/xdg-open new file mode 100644 index 000000000..7db52b68c --- /dev/null +++ b/profiles/apparmor.d/abstractions/xdg-open @@ -0,0 +1,82 @@ +# vim:syntax=apparmor + +# This abstraction is designed to be used in a child profile to limit what +# confined application can invoke via xdg-open helper. xdg-open abstraction +# will allow to use gio-open, kde-open5 and other helpers of the different +# desktop environments. +# +# Usage example: +# +# ``` +# profile foo /usr/bin/foo { +# ... +# /usr/bin/xdg-open rPx -> foo//xdg-open, +# ... +# } # end of main profile +# +# # out-of-line child profile +# profile foo//xdg-open { +# #include +# +# # Enable a11y support if considered required by +# # profile author for (rare) error message boxes. +# #include +# +# # Enable gstreamer support if considered required by +# # profile author for (rare) error message boxes. +# #include if exists +# +# # needed for ubuntu-* abstractions +# #include +# +# # Only allow to handle http[s]: and mailto: links +# #include +# #include +# +# # < add additional allowed applications here > +# } +# ``` + + #include + + # for openin with `exo-open` + #include + + # for opening with `gio open ` + #include + + # for opening with gvfs-open (deprecated) + #include + + # for opening with kde-open5 + #include + + # Main executables + + /{,usr/}bin/{b,d}ash mr, + /usr/bin/xdg-open r, + + # Additional executables + + /usr/bin/xdg-mime rix, + /{,usr/}bin/cut rix, # for xdg-mime + /{,usr/}bin/head rix, # for xdg-mime + /{,usr/}bin/sed rix, # for xdg-open + /{,usr/}bin/tr rix, # for xdg-mime + /{,usr/}bin/which rix, # for xdg-open + /{,usr/}bin/{grep,egrep} rix, # for xdg-open + + # System files + + /dev/pts/[0-9]* rw, + /dev/tty w, + /etc/gnome/defaults.list r, # for grep + /usr/share/applications/mimeinfo.cache r, # for grep + /usr/share/terminfo/s/screen r, # for bash on openSUSE + /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime + /var/lib/menu-xdg/applications/ r, # for xdg-mime + + # Usr files + + owner @{HOME}/.local/share/applications/{,*.desktop} r, +