Add profiles for the Transmission family of Bittorrent clients

2025-08-30 05:47:59 +00:00 · 2024-03-22 00:00:22 -04:00 · 2024-03-22 00:00:22 -04:00 · 174adf9ddf
commit 174adf9ddf
parent 451bb8b235
2 changed files with 229 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/transmission-common
+++ b/profiles/apparmor.d/abstractions/transmission-common
@ -0,0 +1,153 @@
 # vim:syntax=apparmor
 # LOGPROF-SUGGEST: no
 # Author: Daniel Richard G. <skunk@iSKUNK.ORG>
  include <abstractions/base>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  network inet    dgram,
  network inet6   dgram,
  network netlink dgram,
  network inet    stream,
  network inet6   stream,
  dbus (bind)
       bus=session
       name=com.transmissionbt.Transmission,
  dbus (bind)
       bus=session
       name=com.transmissionbt.transmission_*,
  dbus (receive)
       bus=session
       path=/ca/desrt/dconf/Writer/user
       interface=ca.desrt.dconf.Writer
       member=Notify,
  dbus (send)
       bus=session
       path=/ca/desrt/dconf/Writer/user
       interface=ca.desrt.dconf.Writer
       member=Change
       peer=(name=ca.desrt.dconf),
  dbus (receive)
       bus=accessibility
       path=/org/a11y/atspi/accessible/root
       interface=org.freedesktop.DBus.Properties
       member=Set,
  dbus (send)
       bus=accessibility
       path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
       peer=(name=org.a11y.atspi.Registry),
  dbus (send)
       bus=accessibility
       path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=GetRegisteredEvents
       peer=(name=org.a11y.atspi.Registry),
  dbus (send)
       bus=accessibility
       path=/org/a11y/atspi/registry/deviceeventcontroller
       interface=org.a11y.atspi.DeviceEventController
       member={GetDeviceEventListeners,GetKeystrokeListeners}
       peer=(name=org.a11y.atspi.Registry),
  dbus (send)
       bus={accessibility,session}
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       interface=org.freedesktop.DBus.Introspectable
       path=/StatusNotifierWatcher
       member=Introspect
       peer=(name=org.kde.StatusNotifierWatcher),
  dbus (send)
       bus=session
       interface=org.freedesktop.DBus.Properties
       path=/StatusNotifierWatcher
       member=Get
       peer=(name=org.kde.StatusNotifierWatcher),
  dbus (send)
       bus=session
       interface=org.freedesktop.DBus.Properties
       path=/org/a11y/bus
       member=Get
       peer=(name=org.a11y.Bus),
  dbus (send)
       bus=system
       interface=org.freedesktop.DBus.Properties
       path=/org/freedesktop/hostname1
       member=GetAll,
  dbus (send)
       bus=session
       interface=org.freedesktop.Notifications
       path=/org/freedesktop/Notifications
       member={GetCapabilities,Notify},
  dbus (send)
       bus=session
       path=/org/gtk/Private/RemoteVolumeMonitor
       interface=org.gtk.Private.RemoteVolumeMonitor
       member={IsSupported,List},
  dbus (send)
       bus=session
       path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
       member={GetConnection,ListMonitorImplementations},
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mount/[1-9]*
       interface=org.gtk.vfs.Mount
       member={CreateFileMonitor,Enumerate,QueryInfo},
  dbus (receive)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=Mounted,
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member={ListMountableInfo,ListMounts2,LookupMount},
  @{PROC}/sys/kernel/random/uuid r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
  @{etc_ro}/fstab r,
  @{system_share_dirs}/hwdata/** r,
  @{system_share_dirs}/lxqt/**   r,
  owner /tmp/tr_session_id_* rwk,
  # allow a top-level directory listing
  @{HOME}/ r,
  owner @{HOME}/.cache/transmission/    w,
  owner @{HOME}/.cache/transmission/**  rw,
  owner @{HOME}/.config/transmission/   w,
  owner @{HOME}/.config/transmission/** rw,
  owner @{HOME}/.config/lxqt/lxqt.conf  r,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/    r,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/**  rw,
  # exclude these for now
  deny /usr/share/thumbnailers/ r,
  deny @{HOME}/.local/share/gvfs-metadata/** r,
  deny @{HOME}/.config/lxqt/**  rw,
  include if exists <abstractions/transmission-common.d>
--- a/profiles/apparmor.d/transmission
+++ b/profiles/apparmor.d/transmission
@ -0,0 +1,76 @@
 # vim:syntax=apparmor
 # Author: Daniel Richard G. <skunk@iSKUNK.ORG>
 abi <abi/4.0>,
 include <tunables/global>
 profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
  # Don't use abstractions/transmission-common here, as the
  # access needed is narrower than the user applications
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  network inet  dgram,
  network inet6 dgram,
  network inet  stream,
  network inet6 stream,
  owner @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/random/uuid r,
  @{run}/systemd/notify w,
  /etc/transmission-daemon/** r,
  owner /etc/transmission-daemon/settings.json{,.tmp.*} rw,
  owner /tmp/tr_session_id_* rwk,
  /usr/share/transmission/web/** r,
  owner /var/lib/transmission-daemon/.config/transmission-daemon/** rw,
  owner /var/lib/transmission-daemon/downloads/** rw,
  owner /var/lib/transmission-daemon/info/**      rw,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-daemon>
 }
 profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
  include <abstractions/transmission-common>
  include <abstractions/consoles>
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-cli>
 }
 profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
  include <abstractions/transmission-common>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf>
  include <abstractions/gnome>
  owner @{run}/user/*/dconf/user w,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-gtk>
 }
 profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
  include <abstractions/transmission-common>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/fonts>
  include <abstractions/X>
  include <abstractions/qt5>
  include <abstractions/qt5-settings-write>
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-qt>
 }