authorUlrike Uhlig <u@451f.org>2017-01-18 20:58:03 +0100
committerUlrike Uhlig <u@451f.org>2017-01-18 20:58:03 +0100
commit6cceac3b3eca9ce2cc13cde4d16f7291b565c720 (patch)
tree00b65a1f27f1d4e1a2c8f87ab3a94481e2a9569a /apparmor
parentebdc92bfa7ef629f1a0c2ece343bf6ee04a0c5b0 (diff)
Improve AppArmor profiles and enforce them.
Work from Tails Developers, main git repository, currently devel branch. Upstream commits: commit 6e7ad41ca9664246856fe9553c202f09a1d1066b Remove superfluous AppArmor rule. The pattern `[^.]*` matches a subset of `[^.]**`, so we only need to keep the latter. commit b3a827d8e3c3fee78ec18450dfaf38a3d4eaf270 Make onionshare-gui able to access folders beneath $HOME. Without this change e.g. ~/Documents is inaccessible. To be honest, this does not make sense to me, as my interpretation of the old patterns clearly should allow subfolders and files therein. commit db2b3a3f73aa01a54c9b7cb5ab83da1d083b7169 WIP: AppArmor profile improvements.
Diffstat (limited to 'apparmor')
-rw-r--r--apparmor/abstractions/onionshare18
-rw-r--r--apparmor/usr.bin.onionshare2
-rw-r--r--apparmor/usr.bin.onionshare-gui8
3 files changed, 14 insertions, 14 deletions
diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare
index d5c7c184..fa94e68d 100644
--- a/apparmor/abstractions/onionshare
+++ b/apparmor/abstractions/onionshare
@@ -1,5 +1,6 @@
#include <abstractions/base>
#include <abstractions/nameservice>
+#include <abstractions/private-files-strict>
#include <abstractions/python>
# Why are these not in abstractions/python?
@@ -16,16 +17,13 @@
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/bin/uname rix,
-/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
-/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
-/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/etc/mime.types r,
+/usr/share/onionshare/ r,
+/usr/share/onionshare/** r,
/tmp/ rw,
/tmp/** rw,
-# Allow all user data except .gnupg, .ssh and other potential
-# places for critically sensitive application data.
-audit deny @{HOME}/.* mrwkl,
-audit deny @{HOME}/.*/ mrwkl,
-audit deny @{HOME}/.*/** mrwkl,
-owner @{HOME}/ r,
-owner @{HOME}/** r,
+# Allow read on almost anything in @{HOME}. Lenient, but
+# private-files-strict is in effect.
+owner @{HOME}/ r,
+owner @{HOME}/[^.]** r,
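Review bot: The new `owner @{HOME}/[^.]** r,` rule excludes only names that begin with a dot directly under @{HOME}; because `**` also crosses `/`, dot-directories deeper in the tree (one inside ~/Documents, for instance) remain readable. With the three `audit deny @{HOME}/.*` lines removed, top-level dotfiles are protected only by the absence of an allow rule plus private-files-strict, whose denies, as shipped upstream, cover a fixed list of paths directly under @{HOME}. Any dotfile allow pulled in by another abstraction is therefore no longer overridden, and usr.bin.onionshare-gui includes gnome and ibus. The comment "Allow read on almost anything" understates this; I would write it as `# Read access to non-hidden top-level entries of @{HOME} and everything below them, including nested dot-directories.` and `# Top-level dotfiles get no allow here; private-files-strict adds explicit denies for its listed paths only.`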
diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare
index 225e5458..1c14ccc1 100644
--- a/apparmor/usr.bin.onionshare
+++ b/apparmor/usr.bin.onionshare
@@ -1,6 +1,6 @@
#include <tunables/global>
-/usr/bin/onionshare flags=(complain) {
+/usr/bin/onionshare {
#include <abstractions/onionshare>
/usr/bin/ r,
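Review bot: Dropping `flags=(complain)` here and in the usr.bin.onionshare-gui hunk puts both profiles into enforce mode, while the description still labels part of the upstream work "WIP" and the gui profile keeps an unanswered question in its comments. In enforce mode every path the rules miss becomes a hard failure for the user rather than a log entry, so the profile should say what it is meant to permit. A header comment such as `# Enforced profile; readable user files are defined in abstractions/onionshare.` would make that explicit. The profile body continues outside the hunk, so further rules are not visible here.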
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
index ed69e832..746dadc1 100644
--- a/apparmor/usr.bin.onionshare-gui
+++ b/apparmor/usr.bin.onionshare-gui
@@ -1,6 +1,6 @@
#include <tunables/global>
-/usr/bin/onionshare-gui flags=(complain) {
+/usr/bin/onionshare-gui {
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/onionshare>
@@ -8,14 +8,16 @@
/usr/bin/ r,
/usr/bin/onionshare-gui r,
/proc/*/cmdline r,
- /usr/share/icons/Adwaita/index.theme r,
+
+ # The freedesktop.org abstraction doesn't allow `k`
+ /usr/share/icons/*/index.theme k,
# Why do these still emit audit journal entries?
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
deny @{HOME}/.ICEauthority r,
- deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+ deny /etc/machine-id r,
deny /var/lib/dbus/machine-id.* rw,
# Accessibility support
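Review bot: The replacement rule `/usr/share/icons/*/index.theme k,` grants only the lock permission, so read access to these files now depends entirely on an included abstraction, and the added comment does not say so. It also does not explain why a lock is needed. I would expand it to `# Read comes from the freedesktop.org abstraction (pulled in via gnome, to be confirmed); it lacks k, which is requested on index.theme.` Separately, the context comment "Why do these still emit audit journal entries?" may be answered by this commit: the `audit deny @{HOME}/.*/** mrwkl` rule removed from abstractions/onionshare would have overridden the ibus `owner` rules and logged each access. If that is the cause, the question can be dropped or replaced with that explanation.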