mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

profiles: Fix remmina profile

Browse Source 
Two fixes for the remmina profile so we can merge this
1. mknod is not currently an allowed permission. It has to be
   downgraded to w
   Do that with a note about how this needs to change in the future

2. The original fix adds direct references to peer=(label=unconfined)
   Fix this to use a variable. So it will be easier to refactor and
   update.
   While doing it for the PMR also fixup the other direct unconfined
   references.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2025-04-04 14:29:46 -07:00
parent ee3dfb4a5d
commit 3740f78c11
1 changed files with 24 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
profiles/apparmor.d/remmina
View File

@ -13,6 +13,17 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
#TODO: need to make these part of a proper desktop policy API, some may merge
#keep them separate for now
@{StatusNotifierWatcher}=unconfined
@{MountTracker}=unconfined
@{secrets}=unconfined
@{DBus}=unconfined
@{collection}=unconfined
@{NetworkManager}=unconfined
@{a11y}=unconfined
@{Settings}=unconfined
profile remmina /usr/bin/remmina { profile remmina /usr/bin/remmina {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/fonts>
@ -27,15 +38,15 @@ profile remmina /usr/bin/remmina {
include <abstractions/dconf> include <abstractions/dconf>
dbus (bind) bus=session name="org.remmina.Remmina", dbus (bind) bus=session name="org.remmina.Remmina",
dbus (send) bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member={ListMountableInfo,LookupMount} peer=(label=unconfined), dbus (send) bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member={ListMountableInfo,LookupMount} peer=(label=@{MountTracker}),
dbus (send) bus=session path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=unconfined), dbus (send) bus=session path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{secrets}),
dbus (send) bus=session path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member={RequestName,ReleaseName,DescribeAll} peer=(label=unconfined), dbus (send) bus=session path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member={RequestName,ReleaseName,DescribeAll} peer=(label=@{DBus}),
dbus (send) bus=session path="/org/freedesktop/secrets/collection/{login,session}" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=unconfined), dbus (send) bus=session path="/org/freedesktop/secrets/collection/{login,session}" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{collection}),
dbus (send) bus=system path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=unconfined), dbus (send) bus=system path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{NetworkManager}),
dbus (send) bus=system path="/org/a11y/bus" interface="org.a11y.Bus" member=GetAddress peer=(label=unconfined), dbus (send) bus=system path="/org/a11y/bus" interface="org.a11y.Bus" member=GetAddress peer=(label=@{a11y}),
dbus (send) bus=system path="/org/gtk/Settings" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=unconfined), dbus (send) bus=system path="/org/gtk/Settings" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{Settings}),
dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member=Introspect peer=(label=unconfined), dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member=Introspect peer=(label=@{StatusNotifierWatcher}),
dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=unconfined), dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=@{StatusNotifierWatcher}),
@{etc_ro}/fstab r, @{etc_ro}/fstab r,
/usr/bin/remmina mr, /usr/bin/remmina mr,
@ -48,7 +59,10 @@ profile remmina /usr/bin/remmina {
owner @{HOME}/.cache/org.remmina.Remmina/{,**} rw, owner @{HOME}/.cache/org.remmina.Remmina/{,**} rw,
owner @{HOME}/.cache/remmina/{,**} rw, owner @{HOME}/.cache/remmina/{,**} rw,
owner @{HOME}/.cache/thumbnails/{,**} r, owner @{HOME}/.cache/thumbnails/{,**} r,
owner @{HOME}/.config/autostart/remmina-applet.desktop{,.*} mknod, owner @{HOME}/.config/autostart/remmina-applet.desktop{,**} r,
# TODO: This should be mknod instead of w, and this should be behind prompt
# hence why the rule is split.
owner @{HOME}/.config/autostart/remmina-applet.desktop{,**} w,
owner @{HOME}/.config/freerdp/known_hosts2 rwk, owner @{HOME}/.config/freerdp/known_hosts2 rwk,
owner @{HOME}/.config/glib-2.0/settings/keyfile rw, owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
owner @{HOME}/.config/remmina/{,**} rw, owner @{HOME}/.config/remmina/{,**} rw,