authorUlrike Uhlig <u@451f.org>2016-11-19 21:26:57 +0100
committerUlrike Uhlig <u@451f.org>2016-11-19 21:26:57 +0100
commitb5aa66c2393872337ac8f52b43c1904261bb4e27 (patch)
tree576f486cd8750ad2ebf03a90bdbc25e09c5b46db /apparmor
parent1d031739c562f92f86a17d49fa7ec7c2cb2ae179 (diff)
AppArmor profiles for Onionshare, written by Tails developers
Diffstat (limited to 'apparmor')
-rw-r--r--apparmor/abstractions/onionshare31
-rw-r--r--apparmor/local/usr.bin.onionshare2
-rw-r--r--apparmor/local/usr.bin.onionshare-gui2
-rw-r--r--apparmor/usr.bin.onionshare10
-rw-r--r--apparmor/usr.bin.onionshare-gui26
5 files changed, 71 insertions, 0 deletions
diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare
new file mode 100644
index 00000000..d5c7c184
--- /dev/null
+++ b/apparmor/abstractions/onionshare
@@ -0,0 +1,31 @@
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/python>
+
+# Why are these not in abstractions/python?
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+/bin/dash rix,
+/proc/*/mounts r,
+/proc/*/fd/ r,
+/sbin/ldconfig rix,
+/sbin/ldconfig.real rix,
+/bin/uname rix,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/tmp/ rw,
+/tmp/** rw,
+
+# Allow all user data except .gnupg, .ssh and other potential
+# places for critically sensitive application data.
+audit deny @{HOME}/.* mrwkl,
+audit deny @{HOME}/.*/ mrwkl,
+audit deny @{HOME}/.*/** mrwkl,
+owner @{HOME}/ r,
+owner @{HOME}/** r,
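Review bot: The `/tmp/** rw,` rule is not qualified with `owner`, so the confined process may read and modify any file under /tmp that DAC lets it reach, including other users' world-readable temp files and sockets; /tmp itself is root-owned so the directory rule must stay `/tmp/ rw,`, but the contents rule can be tightened to `owner /tmp/** rw,`. The `/proc/*/mounts r,` and `/proc/*/fd/ r,` rules likewise match every pid on the host; `owner /proc/*/fd/ r,` keeps the open-descriptor listing to the user's own processes, which is presumably all the application needs. The writable `__pycache__` rules under /usr/lib are presumably there to silence bytecode-cache denials, but `w` on a system library tree is a code-load path: an instance running as root could drop .pyc files that other interpreters would pick up. Unless a write denial was actually observed on those paths, `r` is the safer permission, and the `# Why are these not in abstractions/python?` comment should say what denial motivated them.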
diff --git a/apparmor/local/usr.bin.onionshare b/apparmor/local/usr.bin.onionshare
new file mode 100644
index 00000000..6453771d
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/local/usr.bin.onionshare-gui b/apparmor/local/usr.bin.onionshare-gui
new file mode 100644
index 00000000..fa5ba3f0
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare
new file mode 100644
index 00000000..225e5458
--- /dev/null
+++ b/apparmor/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+/usr/bin/onionshare flags=(complain) {
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare r,
+
+ #include <local/usr.bin.onionshare>
+}
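Review bot: The profile is declared with `flags=(complain)` on the `/usr/bin/onionshare` line, so as committed nothing here is enforced: accesses not listed are logged and permitted, and as far as I understand complain-mode semantics only the explicit `deny` rules pulled in from `abstractions/onionshare` still block (worth confirming on the target AppArmor release). Neither the commit message nor the profile says whether this is deliberate bring-up or the intended shipping state, and a packager reading the file cannot tell. I would add a comment above the profile header such as `# Complain mode for initial deployment; switch to enforce once logged denials have been reviewed.` so it is clear the profile is not yet a security boundary.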
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
new file mode 100644
index 00000000..f41e0cd0
--- /dev/null
+++ b/apparmor/usr.bin.onionshare-gui
@@ -0,0 +1,26 @@
+#include <tunables/global>
+
+/usr/bin/onionshare-gui flags=(complain) {
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare-gui r,
+ /proc/*/cmdline r,
+ /usr/share/icons/Adwaita/index.theme rwk,
+
+ # Why do these still emit audit journal entries?
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+ deny @{HOME}/.ICEauthority r,
+
+ deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+ deny /var/lib/dbus/machine-id.* rw,
+
+ # Accessibility support
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ #include <local/usr.bin.onionshare-gui>
+}
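Review bot: The question `# Why do these still emit audit journal entries?` above the ibus rules is answered by the included abstraction: `audit deny @{HOME}/.*/** mrwkl` in abstractions/onionshare matches `@{HOME}/.config/ibus/bus/*`, and in AppArmor an explicit deny takes precedence over any allow, so the two `owner @{HOME}/.config/ibus/bus/ ...` lines are dead and the accesses remain denied and audited. If ibus is meant to work, the deny in the abstraction has to be reshaped to exclude `.config/ibus` (for example by listing the sensitive dot-directories such as `.gnupg` and `.ssh` explicitly) rather than adding allows here; otherwise replace the question with a comment stating the denial is intentional. Separately, `/usr/share/icons/Adwaita/index.theme rwk,` grants write and lock on a system-wide theme file that a GUI only needs to read; unless a write denial was observed for that path, `r` suffices. `/proc/*/cmdline r,` matches every process on the host and command lines can carry secrets passed as arguments, so narrow it to `owner /proc/*/cmdline r,`.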