diff --git a/profiles/apparmor.d/abstractions/exo-open b/profiles/apparmor.d/abstractions/exo-open
new file mode 100644
index 000000000..0630ef17a
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/exo-open
@@ -0,0 +1,99 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via exo-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/exo-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/exo-open rPx -> foo//exo-open,
+# ...
+# } # end of main profile
+
+# # out-of-line child profile
+# profile foo//exo-open {
+# #include
+
+# # needed for ubuntu-* abstractions
+# #include
+
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+
+# # < add additional allowed applications here >
+# }
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/exo-open rix,
+ /usr/lib/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+
+ # Other executables
+
+ /{,usr/}bin/which rix,
+
+ # Deny DBus
+
+ # for GTK error message dialog? overkill?
+ deny dbus send
+ bus=session
+ path=/org/gtk/vfs/mounttracker,
+
+ # DBus
+
+ # for error message box
+ dbus send
+ bus=accessibility
+ path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus send
+ bus=accessibility
+ path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus send
+ bus=accessibility
+ path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetDeviceEventListeners,GetKeystrokeListeners}
+ peer=(name=org.a11y.atspi.Registry),
+
+ dbus receive
+ bus=accessibility
+ path=/org/a11y/atspi/accessible/root
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name=:[0-9]*.[0-9]*),
+
+ # end for errmor message box
+
+ # System files
+
+ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+ /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
+ /usr/share/xfce4/helpers/*.desktop r,
+ /usr/share/{xfce4,xubuntu}/applications/{,*.list} r,
+
+ # User files
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.config/xfce4/helpers.rc r,
+
diff --git a/profiles/apparmor.d/abstractions/gio-open b/profiles/apparmor.d/abstractions/gio-open
new file mode 100644
index 000000000..c73498f37
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/gio-open
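Review bot: The `dbus receive` rule under `# for error message box` names its peer as `name=:[0-9]*.[0-9]*`, which matches any unique connection name on the accessibility bus, so it is effectively an unrestricted receive of `org.freedesktop.DBus.Properties.Set` on the helper's accessible root; if that is intended (AT-SPI clients typically only hold unique names), a comment saying so would keep the next reader from tightening it by mistake, e.g. `# AT-SPI clients have no well-known name, so any peer may Set properties on our root`. The usage example in the header opens a fenced block with `# ``` ` but never closes it, unlike gvfs-open and kde-open5 in this series; gio-open has the same gap. `# end for errmor message box` should read `# end for error message box`, and the `# for GTK error message dialog? overkill?` comment on the mounttracker deny rule should state the reason for the deny rather than pose a question.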
@@ -0,0 +1,54 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+
+# # out-of-line child profile
+# profile foo//gio-open {
+# #include
+
+# # needed for ubuntu-* abstractions
+# #include
+
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+
+# # < add additional allowed applications here >
+# }
+
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/gio rix,
+ /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+ # System files
+
+ /etc/gnome/defaults.list r,
+ /usr/share/mime/* r,
+ /usr/share/{,*/}applications/{,**} r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+
+ # User files
+
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
diff --git a/profiles/apparmor.d/abstractions/gvfs-open b/profiles/apparmor.d/abstractions/gvfs-open
new file mode 100644
index 000000000..c0e20717c
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/gvfs-open
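Review bot: `/usr/bin/gio rix,` under `# Main executables` lets the confined application run every gio subcommand (`gio open` is one of many, alongside the file-manipulation and mount subcommands) inside the same child profile, so the read-only file rules in this abstraction are not what bounds the helper; the child profile's own rules are. A comment making that explicit would help whoever copies the usage example, e.g. `# gio is a multi-tool; only the child profile's own rules bound what 'gio <subcommand>' may touch`. `# for OpenSUSE` on the `gio-launch-desktop` line spells the distribution differently from kde-open5's `openSUSE` in this series.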
@@ -0,0 +1,43 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+
+# # out-of-line child profile
+# profile foo//gvfs-open {
+# #include
+
+# # needed for ubuntu-* abstractions
+# #include
+
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include
+
+ # gvfs-open is deprecated, it launches gio open
+ #include
+
+ # Main executables
+
+ /usr/bin/gvfs-open r,
+ /{,usr/}bin/dash mr,
+
diff --git a/profiles/apparmor.d/abstractions/kde-open5 b/profiles/apparmor.d/abstractions/kde-open5
new file mode 100644
index 000000000..32d434971
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/kde-open5
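Review bot: `/{,usr/}bin/dash mr,` under `# Main executables` only covers dash as the script interpreter, while the xdg-open abstraction in this series uses `/{,usr/}bin/{b,d}ash mr,`; if gvfs-open is a `#!/bin/sh` script (not verified here), it will be denied on distributions where /bin/sh is bash, a case the xdg-open hunk's `# for bash on openSUSE` comment shows the author has already met. Consider `/{,usr/}bin/{b,d}ash mr,` here as well, or a comment stating why dash alone is sufficient.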
@@ -0,0 +1,154 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via kde-open5 helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/kde-open5 directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/kde-open5 rPx -> foo//kde-open5,
+# ...
+# } # end of main profile
+
+# # out-of-line child profile
+# profile foo//kde-open5 {
+# #include
+
+# # needed for ubuntu-* abstractions
+# #include
+
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include # for alert messages
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+ #include
+ #include
+ #include
+ #include
+
+ # Main executables
+
+ /usr/bin/kde-open5 rix,
+ /usr/lib/@{multiarch}/libexec/kf5/kioslave ix,
+
+ # Other executables
+
+ /usr/lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner PUx, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+
+ # Additional libraries
+
+ owner /{,var/}run/user/[0-9]*/orcexec.* rwm, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+
+ # DBus
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member=ListConnections
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=session
+ peer=(name=org.a11y.Bus),
+
+ dbus
+ bus=session
+ interface=org.kde.KLauncher
+ member=start_service_by_desktop_path
+ peer=(name=org.kde.klauncher5),
+
+ # Denied system files
+
+ deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9]*[0-9] m,
+
+ # System files
+
+ /dev/ r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /dev/tty r,
+ /dev/video[0-9]* rw, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /etc/xdg/accept-languages.codes r,
+ /etc/xdg/menus/{,*/} r,
+ /run/udev/data/c* r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /sys/bus/ r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /sys/class/ r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /sys/class/video4linux/ r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /sys/devices/pci[0-9]*/**/uevent r, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+ /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
+ /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
+ /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
+ /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
+ /usr/share/mime/ r,
+ /usr/share/mime/generic-icons r,
+ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+ /usr/share/sounds/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # User files
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
+ owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
+ owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin{,.tmp*} rw, # for error message alert sound with gstreamer backend. TODO: use gstreamer abstraction ?
+
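Review bot: The link target in `owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*,` under `# User files` looks wrong in two ways: `/{,var/}/run` spells the path with a doubled slash (`//run/…`, `/var//run/…`), unlike every other `/{,var/}run/…` rule in this file, and `[0-9]` matches a single digit, so a uid such as 1000 never matches; the intended target is presumably `/{,var/}run/user/[0-9]*/#[0-9]*`, and the author's own `(not 100% sure)` suggests the rule was not exercised. Two least-privilege points in the same hunk: `/dev/video[0-9]* rw,` grants write access to camera devices to a URL-opening helper for the sake of an alert sound (read access may well suffice for device enumeration; the TODO's gstreamer abstraction is the better home either way), and `/usr/lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner PUx,` falls back to unconfined execution when no profile for the scanner is loaded, which deserves a comment explaining why `Px` or `ix` was not chosen. The `dbus bus=session interface=org.kde.KLauncher …` rule carries neither a `send`/`receive` qualifier nor a `path=`, so it permits both directions on every object path; if only sending is needed, `dbus send` would narrow it.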
diff --git a/profiles/apparmor.d/abstractions/xdg-open b/profiles/apparmor.d/abstractions/xdg-open
new file mode 100644
index 000000000..bf7d35375
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/xdg-open
@@ -0,0 +1,74 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+
+# # out-of-line child profile
+# profile foo//xdg-open {
+# #include
+
+# # needed for ubuntu-* abstractions
+# #include
+
+# # Only allow to handle http[s]: and mailto: links
+# #include
+# #include
+
+# # < add additional allowed applications here >
+# }
+# ```
+
+ #include
+
+ # for openin with `exo-open`
+ #include
+
+ # for opening with `gio open `
+ #include
+
+ # for opening with gvfs-open (deprecated)
+ #include
+
+ # for opening with kde-open5
+ #include
+
+ # Main executables
+
+ /{,usr/}bin/{b,d}ash mr,
+ /usr/bin/xdg-open r,
+
+ # Additional executables
+
+ /usr/bin/xdg-mime rix,
+ /{,usr/}bin/cut rix, # for xdg-mime
+ /{,usr/}bin/head rix, # for xdg-mime
+ /{,usr/}bin/sed rix, # for xdg-open
+ /{,usr/}bin/tr rix, # for xdg-mime
+ /{,usr/}bin/which rix, # for xdg-open
+ /{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+ # System files
+
+ /dev/pts/[0-9]* rw,
+ /dev/tty w,
+ /etc/gnome/defaults.list r, # for grep
+ /usr/share/applications/mimeinfo.cache r, # for grep
+ /usr/share/terminfo/s/screen r, # for bash on openSUSE
+ /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+ /var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+ # Usr files
+
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
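Review bot: The header's statement that this abstraction `will allow to use gio-open, kde-open5 and other helpers of the different desktop environments` overstates what the includes below provide: only exo-open, gio-open, gvfs-open and kde-open5 are pulled in, and, as far as I recall the script, xdg-open's generic fallback (the path that needs the `xdg-mime`, `grep`, `sed` and `cut` tool rules in this hunk) executes the resolved handler directly, which nothing here allows and which the child profile must add under `# < add additional allowed applications here >`; suggest saying so in the header, e.g. `# Handlers launched via xdg-open's generic fallback must be allowed by the child profile itself.`. Typos: `# for openin with ` should read `# for opening with `, and `# Usr files` should be `# User files` as in the other files of this series. `/dev/tty w,` next to `/dev/pts/[0-9]* rw,` under `# System files` is a write to the controlling terminal with no rationale, while every other rule in that section names the tool that needs it; a comment in the same style would make it reviewable.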