# Copyright © 2019 by The qTox Project Contributors
#
# This file is part of qTox, a Qt-based graphical interface for Tox.
# qTox is libre software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# qTox is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with qTox. If not, see <http://www.gnu.org/licenses/>

# AppArmor profile confining the qTox executable.
#
# Reading notes for reviewers:
#  * This is AppArmor profile syntax, not a shell script: "#include" lines are
#    directives that splice another file in; everything else starting with
#    "#" is a comment.
#  * Rules are unioned (order does not matter), EXCEPT that "deny" rules always
#    win over any allow rule, including rules pulled in from abstractions.
#  * Every abstraction included below, and anything placed in
#    local/usr.bin.qtox, widens this profile exactly as much as a rule written
#    here would. Treat those files as part of the trust boundary.

# Global tunables (@{HOME}, @{PROC}, @{multiarch}, ...) and the qTox-specific
# ones (expected to define @{qtox_prefix} and @{qtox_additional_rw_dirs},
# which are used below).
#include <tunables/global>
#include <tunables/usr.bin.qtox>

# using variables in profile name is not yet recommended due to issues with
# AppArmor tools
# TODO: use this alternative in the future when available
#profile qtox @{qtox_prefix}/bin/qtox {
# NOTE: the attachment path below is spelled out literally and must be kept in
# sync with @{qtox_prefix}; a binary installed elsewhere runs unconfined.
profile qtox /usr{,/local}/bin/qtox {
  # Desktop-integration abstractions. Several of these (gnome, kde, kde-*-write,
  # qt5-*-write, recent-documents-write) grant writes under $HOME beyond the
  # explicit rules further down; review them when auditing what qTox may touch.
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dri-enumerate>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde-globals-write>
  #include <abstractions/kde-icon-cache-write>
  #include <abstractions/kde>
  #include <abstractions/mesa>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/qt5-compose-cache-write>
  #include <abstractions/qt5-settings-write>
  #include <abstractions/recent-documents-write>
  #include <abstractions/video>

  # Site-specific additions and overrides. See local/README for details.
  # Anything added there is merged with full profile authority.
  #include if exists <local/usr.bin.qtox>

  # Main executable

  # m = may be mmap()ed executable, r = read. No "w": the binary must not be
  # writable by the confined process.
  @{qtox_prefix}/bin/qtox mr,

  # Other executables

  # SECURITY NOTE on the two PUx rules below:
  #   P = if a profile for the child exists it is used, otherwise
  #   U = the child runs UNCONFINED; x = execute; the capital letters mean the
  #   environment is scrubbed before the transition.
  # Whatever qTox hands to these helpers (URLs/files passed to xdg-open, KIO
  # worker requests) therefore leaves this sandbox entirely unless the
  # distribution ships a profile for the helper. This is the weakest point of
  # the profile; shipping dedicated child profiles would close it.
  #TODO: use xdg-open abstraction when it's available
  /usr/bin/xdg-open PUx,
  #TODO: use named profile or abstraction when it's available
  /usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,

  # Additional libraries

  # Allow /usr/local/lib/libtoxcore.so...
  # Any shared object under the prefix's lib dir may be mapped executable; this
  # relies on that directory being writable by root only.
  @{qtox_prefix}/lib/*.so* mr,

  # Networking

  # Only IPv4/IPv6 TCP and UDP sockets are granted here (Tox DHT/transport).
  # No raw, packet or netlink sockets.
  network inet udp,
  network inet6 udp,
  network inet tcp,
  network inet6 tcp,

  # DBus

  # All D-Bus rules are pinned to peer=(label=unconfined): they only match when
  # the other end of the call is NOT under an AppArmor profile. If a distro
  # confines a peer service (NetworkManager, UPower, UDisks2, the tray host),
  # the corresponding call is denied and the peer label must be added here.
  # System-bus rules are limited to read-only query members
  # (Get/GetAll/Introspect/GetDevices/ListConnections/GetSettings) and
  # PropertiesChanged signals.

  # Accessibility bus discovery.
  dbus send
       bus=session
       path=/org/a11y/bus
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(label=unconfined),

  dbus receive
       bus=session
       path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(label=unconfined),

  # StatusNotifier (system tray) protocol.
  dbus send
       bus=session
       path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(label=unconfined),

  dbus (send,receive)
       bus=session
       path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(label=unconfined),

  dbus receive
       bus=session
       path=/StatusNotifierItem
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(label=unconfined),

  # NetworkManager: read-only queries of devices/connections plus change
  # signals (presumably for Qt's network-state monitoring — confirm against
  # QNetworkConfigurationManager usage).
  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
       member=GetDevices
       peer=(label=unconfined),

  dbus receive
       bus=system
       path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
       member=PropertiesChanged
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager/Settings
       interface=org.freedesktop.NetworkManager.Settings
       member=ListConnections
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager/Settings/[0-9]*
       interface=org.freedesktop.NetworkManager.Settings.Connection
       member=GetSettings
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(label=unconfined),

  dbus receive
       bus=system
       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
       interface=org.freedesktop.NetworkManager.Connection.Active
       member=PropertiesChanged
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/NetworkManager/Devices/[0-9]*
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(label=unconfined),

  # Tray icon registration and interaction.
  dbus send
       bus=session
       path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher
       member=RegisterStatusNotifierItem
       peer=(label=unconfined),

  dbus receive
       bus=session
       path=/StatusNotifierItem
       interface=org.kde.StatusNotifierItem
       member=Activate
       peer=(label=unconfined),

  # Exported tray menu (dbusmenu).
  dbus (send,receive)
       bus=session
       path=/MenuBar
       interface=com.canonical.dbusmenu
       member=GetLayout
       peer=(label=unconfined),

  dbus (send,receive)
       bus=session
       path=/MenuBar
       interface=com.canonical.dbusmenu
       member={AboutToShow,Event}
       peer=(label=unconfined),

  dbus send
       bus=session
       path=/StatusNotifierItem
       interface=org.kde.StatusNotifierItem
       member={NewIcon,NewToolTip}
       peer=(label=unconfined),

  # UPower / UDisks2: introspection and property reads only (used by the KDE
  # file dialog's device/places listing — TODO confirm).
  dbus send
       bus=system
       path=/org/freedesktop/UPower
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(label=unconfined),

  dbus send
       bus=system
       path=/org/freedesktop/UDisks2/{block_devices,drives}/*
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(label=unconfined),

  dbus send
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
       peer=(label=unconfined),

  # KIO directory-change notifications and worker (kioslave) launching for the
  # KDE file dialog; the worker itself is spawned via the PUx rule above.
  dbus send
       bus=session
       path=/
       interface=org.kde.KDirNotify
       member={enteredDirectory,leftDirectory}
       peer=(label=unconfined),

  dbus receive
       bus=session
       path=/
       interface=org.kde.KDirNotify
       member=FilesAdded
       peer=(label=unconfined),

  dbus send
       bus=session
       path=/KLauncher
       interface=org.kde.KSlaveLauncher
       member=requestSlave
       peer=(label=unconfined),

  # Denied files
  # "deny" rules override every allow rule in this profile and its abstractions,
  # and denials from them are not logged.

  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
  # AppArmor does not allow to distinguish "real" file vs shared memory one,
  # so we deny this path to protect from loading exploits from /tmp.
  # ("#NNNNN" is how the kernel names anonymous/unlinked files under a
  # directory; "m" is the executable-mapping permission being refused.)
  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,

  # libfontconfig bug? Should not write to root-owned dirs.
  # These only silence log noise: nothing here ever grants those writes.
  deny /usr/share/fonts/** w,
  deny /var/cache/fontconfig/ w,

  # System files

  /usr/share/hunspell/* r,
  # SECURITY NOTE: no "owner" qualifier — everything under the directories
  # listed in @{qtox_additional_rw_dirs} is readable AND writable regardless of
  # who owns it. Keep that tunable as narrow as possible (never "/" or $HOME).
  @{qtox_additional_rw_dirs}/ r,
  @{qtox_additional_rw_dirs}/** rw,

  # Sensitive directory access!!!
  # Allow navigating directories with file dialog, to access directory you
  # can write (read) file to, for most convenience (though against maximum
  # security). Note: this allows reading only directory contents (list),
  # not the files itself.
  # Both expansions ("/" and "/**/") end in a slash, so this matches directory
  # entries only — file contents still need their own rule.
  /{,**/} r,

  /dev/ r,
  /dev/dri/ r,
  /dev/video[0-9]* rw, # webcam
  /etc/fstab r, # file dialog
  /etc/xdg/menus/ r, # file dialog
  /proc/sys/kernel/core_pattern r, # for KCrash::initialize()
  /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), move to qt5 abstraction?
  /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
  /sys/bus/ r, # file dialog
  /sys/bus/usb/devices/ r, # file dialog
  /sys/class/ r, # file dialog
  /sys/devices/**/uevent r, # file dialog
  /sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
  /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
  /usr/share/emoticons/{,**} r,
  /usr/share/hspell/* r, # for spellchecking
  /usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
  /usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
  /usr/share/kf5/sonnet/* r, # for spellchecking
  /usr/share/kservices5/{,**} r, # file dialog
  /usr/share/mime/ r, # file dialog
  /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
  /usr/share/sounds/ r, # file dialog (alert)
  /var/lib/aspell/* r, # for spellchecking
  /{,var/}run/udev/data/* r, # file dialog

  # User files

  # Sensitive file access!!!
  # Allow reading & writing into $HOME, EXCEPT for dot files and directories,
  # for most convenience (though against maximum security).
  # Precisely: "[^.]*" only excludes entries whose name starts with "." directly
  # under $HOME (~/.ssh, ~/.gnupg, ~/.config, ...). Inside any non-dot
  # directory "**" matches dot entries too (e.g. ~/project/.git), and non-dot
  # directories that other software trusts (~/bin if it is on PATH, ~/Desktop
  # launchers) are writable — a compromised qTox could plant files there.
  owner @{HOME}/ r,
  owner @{HOME}/[^.]* rw,
  owner @{HOME}/[^.]*/{,**} rw,
  # QSaveFile writes to an anonymous temp file ("#NNN", covered by the [^.]*
  # rule above) and then hard-links it to the final name; these "l ->" rules
  # allow that link with the anonymous file as target. Seen while saving the
  # chat log file.
  owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
  owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],

  owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
  owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
  owner @{HOME}/.aspell.??.{pws,prepl} rk, # for spellchecking
  owner @{HOME}/.cache/Tox/ w,
  owner @{HOME}/.cache/Tox/qTox/{,**} rw,
  owner @{HOME}/.cache/fontconfig/** rwk,
  owner @{HOME}/.cache/qTox/{,**} rw,
  owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
  owner @{HOME}/.config/menus/ r, # file dialog
  owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
  owner @{HOME}/.config/qToxrc rw,
  owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
  owner @{HOME}/.config/qToxrc.lock rwk,
  # Tox data directory (presumably the Tox save/profile files — the most
  # sensitive user data this profile exposes; keep it to "owner" rules only).
  owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
  owner @{HOME}/.config/tox/{,**} rwk,
  owner @{HOME}/.fonts/.uuid* rw,
  owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
  owner @{HOME}/.fonts/.uuid.*/ rw,
  owner @{HOME}/.local/share/Tox/{,**} rw,
  owner @{HOME}/.local/share/qTox/{,**} rw,
  owner @{HOME}/.local/share/user-places.xbel r, # file dialog
  owner @{PROC}/@{pid}/cmdline r,

  # Backport from more recent qt5-compose-cache-write abstraction
  # commit 1250402471d9d83134b0faa90239a733a37f23f0
  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)

  # Backport kde abstraction
  # commit aae838faca57905d2dbc27db7bffd595c09d26f0
  # commit dc3b73daf9f648336a6f9ab90103acc962c0bf40
  /etc/xdg/kdeglobals r,
  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
  /usr/share/kubuntu-default-settings/kf5-settings/* r,
  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
  owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
  owner @{HOME}/.config/trashrc r, # Used by KFileWidget

  # Backport dri-common abstraction
  # commit 2d8d2f06d5697d9692330686bb5ddb0095621144
  /usr/share/drirc.d/{,*.conf} r,

}