author | Ulrike Uhlig <u@451f.org> | 2016-11-19 21:26:57 +0100 |
---|---|---|
committer | Ulrike Uhlig <u@451f.org> | 2016-11-19 21:26:57 +0100 |
commit | b5aa66c2393872337ac8f52b43c1904261bb4e27 (patch) | |
tree | 576f486cd8750ad2ebf03a90bdbc25e09c5b46db /apparmor | |
parent | 1d031739c562f92f86a17d49fa7ec7c2cb2ae179 (diff) | |
AppArmor profiles for Onionshare, written by Tails developers
Diffstat (limited to 'apparmor')
-rw-r--r-- | apparmor/abstractions/onionshare | 31 | ||||
-rw-r--r-- | apparmor/local/usr.bin.onionshare | 2 | ||||
-rw-r--r-- | apparmor/local/usr.bin.onionshare-gui | 2 | ||||
-rw-r--r-- | apparmor/usr.bin.onionshare | 10 | ||||
-rw-r--r-- | apparmor/usr.bin.onionshare-gui | 26 |
5 files changed, 71 insertions, 0 deletions
diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare
new file mode 100644
index 00000000..d5c7c184
--- /dev/null
+++ b/apparmor/abstractions/onionshare
@@ -0,0 +1,31 @@
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/python>
+
+# Why are these not in abstractions/python?
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+/bin/dash rix,
+/proc/*/mounts r,
+/proc/*/fd/ r,
+/sbin/ldconfig rix,
+/sbin/ldconfig.real rix,
+/bin/uname rix,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/tmp/ rw,
+/tmp/** rw,
+
+# Allow all user data except .gnupg, .ssh and other potential
+# places for critically sensitive application data.
+audit deny @{HOME}/.* mrwkl,
+audit deny @{HOME}/.*/ mrwkl,
+audit deny @{HOME}/.*/** mrwkl,
+owner @{HOME}/ r,
+owner @{HOME}/** r,
diff --git a/apparmor/local/usr.bin.onionshare b/apparmor/local/usr.bin.onionshare
new file mode 100644
index 00000000..6453771d
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/local/usr.bin.onionshare-gui b/apparmor/local/usr.bin.onionshare-gui
new file mode 100644
index 00000000..fa5ba3f0
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.
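Review bot: The `/tmp/ rw,` and `/tmp/** rw,` rules in abstractions/onionshare carry no `owner` qualifier, so the confined process may read and write temporary files belonging to any other user or process on the system, while the home-directory rules just below are correctly restricted with `owner`. Unless OnionShare is known to need files it does not own under /tmp, `owner /tmp/ rw,` and `owner /tmp/** rw,` express the same intent with a much smaller blast radius. The `rw` grants on the system-wide `__pycache__` directories deserve the same look: a read-only rule plus a comment stating why write access is wanted there would be clearer, since writes into /usr/lib python trees are normally an install-time operation and nothing in the hunk explains the need.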
diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare
new file mode 100644
index 00000000..225e5458
--- /dev/null
+++ b/apparmor/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+/usr/bin/onionshare flags=(complain) {
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare r,
+
+ #include <local/usr.bin.onionshare>
+}
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
new file mode 100644
index 00000000..f41e0cd0
--- /dev/null
+++ b/apparmor/usr.bin.onionshare-gui
@@ -0,0 +1,26 @@
+#include <tunables/global>
+
+/usr/bin/onionshare-gui flags=(complain) {
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare-gui r,
+ /proc/*/cmdline r,
+ /usr/share/icons/Adwaita/index.theme rwk,
+
+ # Why do these still emit audit journal entries?
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+ deny @{HOME}/.ICEauthority r,
+
+ deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+ deny /var/lib/dbus/machine-id.* rw,
+
+ # Accessibility support
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ #include <local/usr.bin.onionshare-gui>
+} |
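Review bot: Both profiles are declared with `flags=(complain)`, so as committed they only log policy violations and block nothing; the commit message describes them as profiles without saying that they are not yet enforcing. A one-line comment above the profile header would save the next reader from assuming the confinement is active, for example `# complain mode: violations are logged, not blocked; drop the flag once the rule set has been validated`. The same applies to the usr.bin.onionshare-gui profile in the next hunk.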
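Review bot: The `owner @{HOME}/.config/ibus/bus/ rw,` and `owner @{HOME}/.config/ibus/bus/* rw,` allow rules are shadowed by the included abstraction, which carries `audit deny @{HOME}/.*/ mrwkl,` and `audit deny @{HOME}/.*/** mrwkl,` matching the same paths; in AppArmor an explicit deny takes precedence over an allow in the same profile, which would account for the audit entries the comment above them asks about. If the ibus access is wanted, the abstraction's blanket dotfile deny has to be narrowed to the directories the comment there actually names (for instance `audit deny @{HOME}/.gnupg/** mrwkl,` and `audit deny @{HOME}/.ssh/** mrwkl,`) rather than adding allows here; if it is not, these two lines and the comment should go. The `rwk` on `/usr/share/icons/Adwaita/index.theme` also looks wider than a theme lookup needs; unless write access was observed in the logs, `r` is the safer default.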