pimhwang
/
qTox
mirror of https://github.com/qTox/qTox.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #5855 

Vincas Dargis (3):
      feat(apparmor): Add AppArmor 2.13.3 profile
      feat(apparmor): Update AppArmor 2.13.3 profile
      docs(apparmor): Update AppArmor documentation.
reviewable/pr6033/r1
sudden6 5 years ago
parent
f53e44b62c fa86413b1b
commit
be80fcf6f3
No known key found for this signature in database
GPG Key ID: 279509B499E032B9
4 changed files with 409 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 48
      security/apparmor/2.13.3/install.sh
  2. 28
      security/apparmor/2.13.3/tunables/usr.bin.qtox
  3. 327
      security/apparmor/2.13.3/usr.bin.qtox
  4. 9
      security/apparmor/README.md

48
security/apparmor/2.13.3/install.sh
Unescape View File

@ -0,0 +1,48 @@
#!/usr/bin/env bash
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
set -e -u pipefail
readonly SCRIPT_DIR=$(dirname $(readlink -f $0))
if [[ $(id -u) != 0 ]]
then
>&2 echo "Please run as root."
exit 1
fi
if [[ -z $(which apparmor_parser) ]]
then
>&2 echo "AppArmor not found."
exit 1
fi
#NOTE: we do not need to create /etc/apparmor.d/tunables/usr.bin.qtox.d/ or
#/etc/apparmor.d/local/usr.bin.qtox because AppArmor >2.13 support #include if
#exists
echo "Copying AppArmor files..."
cp -v "${SCRIPT_DIR}/tunables/usr.bin.qtox" "/etc/apparmor.d/tunables/"
cp -v "${SCRIPT_DIR}/usr.bin.qtox" "/etc/apparmor.d/"
echo "Restarting AppArmor..."
systemctl restart apparmor
echo "Done."

28
security/apparmor/2.13.3/tunables/usr.bin.qtox
Unescape View File

@ -0,0 +1,28 @@
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
@{qtox_prefix} = /usr /usr/local
# Allow to read & write into mounted media, etc.
# for convenient sending & receiving of files.
@{qtox_additional_rw_dirs} = /mnt /media
# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
# needed, such as:
# @{qtox_prefix} += @{HOME}/opt/qtox
# @{qtox_additional_rw_dirs} = /data/nfs_storage
#include if exists <tunables/usr.bin.qtox.d/>

327
security/apparmor/2.13.3/usr.bin.qtox
Unescape View File

@ -0,0 +1,327 @@
# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>
#include <tunables/global>
#include <tunables/usr.bin.qtox>
# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
profile qtox /usr{,/local}/bin/qtox {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde-globals-write>
#include <abstractions/kde-icon-cache-write>
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/qt5-settings-write>
#include <abstractions/recent-documents-write>
#include <abstractions/video>
# Site-specific additions and overrides. See local/README for details.
#include if exists <local/usr.bin.qtox>
# Main executable
@{qtox_prefix}/bin/qtox mr,
# Other executables
#TODO: use xdg-open abstraction when it's available
/usr/bin/xdg-open PUx,
#TODO: use named profile or abstraction when it's available
/usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
# Additional libraries
# Allow /usr/local/lib/libtoxcore.so...
@{qtox_prefix}/lib/*.so* mr,
# Networking
network inet udp,
network inet6 udp,
network inet tcp,
network inet6 tcp,
# DBus
dbus send
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member=ListConnections
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus receive
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=PropertiesChanged
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(label=unconfined),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=GetLayout
peer=(label=unconfined),
dbus (send,receive)
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={AboutToShow,Event}
peer=(label=unconfined),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewIcon,NewToolTip}
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus send
bus=system
path=/org/freedesktop/UDisks2/{block_devices,drives}/*
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(label=unconfined),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(label=unconfined),
dbus send
bus=session
path=/
interface=org.kde.KDirNotify
member={enteredDirectory,leftDirectory}
peer=(label=unconfined),
dbus receive
bus=session
path=/
interface=org.kde.KDirNotify
member=FilesAdded
peer=(label=unconfined),
dbus send
bus=session
path=/KLauncher
interface=org.kde.KSlaveLauncher
member=requestSlave
peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# libfontconfig bug? Should not write to root-owned dirs.
deny /usr/share/fonts/** w,
deny /var/cache/fontconfig/ w,
# System files
/usr/share/hunspell/* r,
@{qtox_additional_rw_dirs}/ r,
@{qtox_additional_rw_dirs}/** rw,
# Sensitive directory access!!!
# Allow navigating directories with file dialog, to access directory you
# can write (read) file to, for most convenience (though against maximum
# security). Note: this allows reading only directory contents (list),
# not the files itself.
/{,**/} r,
/dev/ r,
/dev/video[0-9]* rw, # webcam
/etc/fstab r, # file dialog
/etc/xdg/menus/ r, # file dialog
/proc/sys/kernel/core_pattern r, # for KCrash::initialize()
/proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
/run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
/sys/bus/ r, # file dialog
/sys/bus/usb/devices/ r, # file dialog
/sys/class/ r, # file dialog
/sys/devices/**/uevent r, # file dialog
/sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
/sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
/usr/share/emoticons/{,**} r,
/usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
/usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
/usr/share/kservices5/{,**} r, # file dialog
/usr/share/mime/ r, # file dialog
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r, # file dialog (alert)
/{,var/}run/udev/data/* r, # file dialog
# User files
# Sensitive file access!!!
# Allow reading & writing into $HOME, EXCEPT for dot files and directories,
# for most convenience (though against maximum security).
owner @{HOME}/ r,
owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/{,**} rw,
# QSaveFile security measures? While saving log file
owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
owner @{HOME}/.cache/Tox/ w,
owner @{HOME}/.cache/Tox/qTox/{,**} rw,
owner @{HOME}/.cache/fontconfig/** rwk,
owner @{HOME}/.cache/qTox/{,**} rw,
owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
owner @{HOME}/.config/menus/ r, # file dialog
owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
owner @{HOME}/.config/qToxrc rw,
owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
owner @{HOME}/.config/qToxrc.lock rwk,
owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
owner @{HOME}/.config/tox/{,**} rwk,
owner @{HOME}/.fonts/.uuid* rw,
owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
owner @{HOME}/.fonts/.uuid.*/ rw,
owner @{HOME}/.local/share/Tox/{,**} rw,
owner @{HOME}/.local/share/qTox/{,**} rw,
owner @{HOME}/.local/share/user-places.xbel r, # file dialog
owner @{PROC}/@{pid}/cmdline r,
}

9
security/apparmor/README.md
Unescape View File

@ -29,10 +29,13 @@ Select AppArmor profile from appropriate `security/apparmor/X` subdirectory
depending on what AppArmor version is available for your Linux distribution depending on what AppArmor version is available for your Linux distribution
release: release:
- 2.13.2 - 2.13.3
- Debian 10 (buster) (or newer) - Debian 11 (bullseye) (or newer)
- Ubuntu 19.04 (Disco Dingo) (or newer) - Ubuntu 19.10 (or newer)
- openSUSE Tumbleweed - openSUSE Tumbleweed
- 2.13.2
- Debian 10 (buster)
- Ubuntu 19.04 (Disco Dingo)
- 2.12.1 - 2.12.1
- Debian 9 (stretch) or older - Debian 9 (stretch) or older
- Ubuntu 18.10 or older - Ubuntu 18.10 or older

Write Preview
Loading…
Cancel
Save