phantom/onionshare
1
0
Fork 0
mirror of https://github.com/onionshare/onionshare.git synced 2025-01-10 11:47:27 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Improve AppArmor profiles and enforce them.

Browse source 
Work from Tails Developers, main git repository, currently devel branch.
Upstream commits:

commit 6e7ad41ca9664246856fe9553c202f09a1d1066b
Remove superfluous AppArmor rule.
The pattern `[^.]*` matches a subset of `[^.]**`, so we only need to
keep the latter.

commit b3a827d8e3c3fee78ec18450dfaf38a3d4eaf270
Make onionshare-gui able to access folders beneath $HOME.
Without this change e.g. ~/Documents is inaccessible. To be honest,
this does not makes sense to me, as my interpretation of the old
patterns clearly should allow subfolders and files therein.

commit db2b3a3f73aa01a54c9b7cb5ab83da1d083b7169
WIP: AppArmor profile improvements.
This commit is contained in:
Ulrike Uhlig 2017-01-18 20:58:03 +01:00
parent ebdc92bfa7
commit 6cceac3b3e
3 changed files with 14 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
apparmor/abstractions/onionshare
View file

@ -1,5 +1,6 @@
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/private-files-strict>
#include <abstractions/python> #include <abstractions/python>
# Why are these not in abstractions/python? # Why are these not in abstractions/python?
@ -16,16 +17,13 @@
/sbin/ldconfig rix, /sbin/ldconfig rix,
/sbin/ldconfig.real rix, /sbin/ldconfig.real rix,
/bin/uname rix, /bin/uname rix,
/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r, /etc/mime.types r,
/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r, /usr/share/onionshare/ r,
/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r, /usr/share/onionshare/** r,
/tmp/ rw, /tmp/ rw,
/tmp/** rw, /tmp/** rw,
# Allow all user data except .gnupg, .ssh and other potential # Allow read on almost anything in @{HOME}. Lenient, but
# places for critically sensitive application data. # private-files-strict is in effect.
audit deny @{HOME}/.* mrwkl, owner @{HOME}/ r,
audit deny @{HOME}/.*/ mrwkl, owner @{HOME}/[^.]** r,
audit deny @{HOME}/.*/** mrwkl,
owner @{HOME}/ r,
owner @{HOME}/** r,

2
apparmor/usr.bin.onionshare
View file

@ -1,6 +1,6 @@
#include <tunables/global> #include <tunables/global>
/usr/bin/onionshare flags=(complain) { /usr/bin/onionshare {
#include <abstractions/onionshare> #include <abstractions/onionshare>
/usr/bin/ r, /usr/bin/ r,

8
apparmor/usr.bin.onionshare-gui
View file

@ -1,6 +1,6 @@
#include <tunables/global> #include <tunables/global>
/usr/bin/onionshare-gui flags=(complain) { /usr/bin/onionshare-gui {
#include <abstractions/gnome> #include <abstractions/gnome>
#include <abstractions/ibus> #include <abstractions/ibus>
#include <abstractions/onionshare> #include <abstractions/onionshare>
@ -8,14 +8,16 @@
/usr/bin/ r, /usr/bin/ r,
/usr/bin/onionshare-gui r, /usr/bin/onionshare-gui r,
/proc/*/cmdline r, /proc/*/cmdline r,
/usr/share/icons/Adwaita/index.theme r,
# The freedesktop.org abstraction doesn't allow `k`
/usr/share/icons/*/index.theme k,
# Why do these still emit audit journal entries? # Why do these still emit audit journal entries?
owner @{HOME}/.config/ibus/bus/ rw, owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw, owner @{HOME}/.config/ibus/bus/* rw,
deny @{HOME}/.ICEauthority r, deny @{HOME}/.ICEauthority r,
deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r, deny /etc/machine-id r,
deny /var/lib/dbus/machine-id.* rw, deny /var/lib/dbus/machine-id.* rw,
# Accessibility support # Accessibility support