author | Ulrike Uhlig <u@451f.org> | 2017-01-18 20:58:03 +0100 |
---|---|---|
committer | Ulrike Uhlig <u@451f.org> | 2017-01-18 20:58:03 +0100 |
commit | 6cceac3b3eca9ce2cc13cde4d16f7291b565c720 (patch) | |
tree | 00b65a1f27f1d4e1a2c8f87ab3a94481e2a9569a /apparmor | |
parent | ebdc92bfa7ef629f1a0c2ece343bf6ee04a0c5b0 (diff) | |
Improve AppArmor profiles and enforce them.
Work from Tails Developers, main git repository, currently devel branch.
Upstream commits:
commit 6e7ad41ca9664246856fe9553c202f09a1d1066b
Remove superfluous AppArmor rule.
The pattern `[^.]*` matches a subset of `[^.]**`, so we only need to
keep the latter.
commit b3a827d8e3c3fee78ec18450dfaf38a3d4eaf270
Make onionshare-gui able to access folders beneath $HOME.
Without this change e.g. ~/Documents is inaccessible. To be honest,
this does not make sense to me, as my interpretation of the old
patterns clearly should allow subfolders and files therein.
commit db2b3a3f73aa01a54c9b7cb5ab83da1d083b7169
WIP: AppArmor profile improvements.
Diffstat (limited to 'apparmor')
-rw-r--r-- | apparmor/abstractions/onionshare | 18 |
-rw-r--r-- | apparmor/usr.bin.onionshare | 2 |
-rw-r--r-- | apparmor/usr.bin.onionshare-gui | 8 |
3 files changed, 14 insertions, 14 deletions
diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare index d5c7c184..fa94e68d 100644 --- a/apparmor/abstractions/onionshare +++ b/apparmor/abstractions/onionshare @@ -1,5 +1,6 @@ #include <abstractions/base> #include <abstractions/nameservice> +#include <abstractions/private-files-strict> #include <abstractions/python> # Why are these not in abstractions/python? @@ -16,16 +17,13 @@ /sbin/ldconfig rix, /sbin/ldconfig.real rix, /bin/uname rix, -/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r, -/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r, -/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r, +/etc/mime.types r, +/usr/share/onionshare/ r, +/usr/share/onionshare/** r, /tmp/ rw, /tmp/** rw, -# Allow all user data except .gnupg, .ssh and other potential -# places for critically sensitive application data. -audit deny @{HOME}/.* mrwkl, -audit deny @{HOME}/.*/ mrwkl, -audit deny @{HOME}/.*/** mrwkl, -owner @{HOME}/ r, -owner @{HOME}/** r, +# Allow read on almost anything in @{HOME}. Lenient, but +# private-files-strict is in effect. +owner @{HOME}/ r, +owner @{HOME}/[^.]** r, diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare index 225e5458..1c14ccc1 100644 --- a/apparmor/usr.bin.onionshare +++ b/apparmor/usr.bin.onionshare @@ -1,6 +1,6 @@ #include <tunables/global> -/usr/bin/onionshare flags=(complain) { +/usr/bin/onionshare { #include <abstractions/onionshare> /usr/bin/ r, diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui index ed69e832..746dadc1 100644 --- a/apparmor/usr.bin.onionshare-gui +++ b/apparmor/usr.bin.onionshare-gui @@ -1,6 +1,6 @@ #include <tunables/global> -/usr/bin/onionshare-gui flags=(complain) { +/usr/bin/onionshare-gui { #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/onionshare> 
@@ -8,14 +8,16 @@ /usr/bin/ r, /usr/bin/onionshare-gui r, /proc/*/cmdline r, - /usr/share/icons/Adwaita/index.theme r, + + # The freedesktop.org abstraction doesn't allow `k` + /usr/share/icons/*/index.theme k, # Why do these still emit audit journal entries? owner @{HOME}/.config/ibus/bus/ rw, owner @{HOME}/.config/ibus/bus/* rw, deny @{HOME}/.ICEauthority r, - deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, + deny /etc/machine-id r, deny /var/lib/dbus/machine-id.* rw, # Accessibility support |
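Review bot: In apparmor/abstractions/onionshare (second hunk), dropping the three `audit deny @{HOME}/.*` rules turns hidden-path protection from an explicit deny into the mere absence of an allow rule, and the new comment does not say so. An explicit deny overrides any allow, so the old rules also overrode the `owner @{HOME}/.config/ibus/bus/` allows in usr.bin.onionshare-gui and audited each attempt. After this change those allows take effect, and any profile that includes this abstraction can open up a dot-directory that private-files-strict does not list. Please state in the comment that top-level dotfiles are blocked only because `[^.]**` does not match them, and re-check whether the "Why do these still emit audit journal entries?" comment in the gui profile is still accurate. The removal of the `{,lib/live/mount/rootfs/filesystem.squashfs/}` alternation in the same hunk is not explained in the commit message either.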
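Review bot: Removing `flags=(complain)` from /usr/bin/onionshare (and, in the first hunk of usr.bin.onionshare-gui, from /usr/bin/onionshare-gui) puts both profiles into enforce mode in the same commit that rewrites the @{HOME} rules and drops the squashfs path alternations, so any path the new rules miss becomes a hard denial rather than a log entry. The commit message lists one upstream commit as WIP and mentions that ~/Documents was inaccessible at one point. It would help to record what was exercised under the enforced profiles (CLI and GUI, sharing a file from a subfolder of $HOME), or to split the mode switch into its own commit so it can be reverted independently of the rule changes.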
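Review bot: In the second hunk of usr.bin.onionshare-gui, `/usr/share/icons/*/index.theme k,` grants only the lock permission, while the line it replaces granted `r` for Adwaita. Read access now has to come from an include, and the comment names "the freedesktop.org abstraction", which is not among the includes visible in this profile. Either write the rule as `rk` or extend the comment to say which included abstraction supplies `r`, so the rule does not silently break if the include list changes. The `*` also widens the rule from Adwaita to every theme directory, which is worth a word in the comment.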