Diffstat (limited to 'config/chroot_local-includes/etc/apparmor.d')
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare29
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare2
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare-gui2
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits27
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare10
-rw-r--r--config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare-gui28
6 files changed, 98 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare b/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare
new file mode 100644
index 0000000..b90e243
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/abstractions/onionshare
@@ -0,0 +1,29 @@
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/private-files-strict>
+ #include <abstractions/python>
+
+ # Why are these not in abstractions/python?
+ /usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+ /usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+ /bin/dash rix,
+ /proc/*/mounts r,
+ /proc/*/fd/ r,
+ /sbin/ldconfig rix,
+ /sbin/ldconfig.real rix,
+ /bin/uname rix,
+ /etc/mime.types r,
+ /usr/share/onionshare/ r,
+ /usr/share/onionshare/** r,
+ /tmp/ rw,
+ /tmp/** rw,
+
+ # Allow read on almost anything in @{HOME}. Lenient, but
+ # private-files-strict is in effect.
+ owner @{HOME}/ r,
+ owner @{HOME}/[^.]** r,
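Review bot: `/tmp/ rw,` and `/tmp/** rw,` carry no `owner` qualifier, so the confined process may read and modify any world-accessible file another user or service has left in /tmp, which is wider than a file-sharing tool needs; `owner /tmp/** rw,` (keeping `/tmp/ rw,` so it can still create entries) limits it to its own files. The same applies to `/proc/*/mounts r,` and `/proc/*/fd/ r,`, which are presumably meant for the process's own entries and could take the `owner` prefix too. The `rw` grants on the system `__pycache__` directories answer the question in the comment above them in the wrong direction: the likely reason they are absent from abstractions/python is that a confined program should not be writing bytecode into /usr/lib, and if the goal is only to keep denials out of the log, a quiet `deny /usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/** w,` does that without granting the write.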
diff --git a/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare b/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare
new file mode 100644
index 0000000..6453771
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare-gui b/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare-gui
new file mode 100644
index 0000000..fa5ba3f
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits
new file mode 100644
index 0000000..61c0cb6
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onioncircuits
@@ -0,0 +1,27 @@
+#include <tunables/global>
+
+/usr/bin/onioncircuits {
+ #include <abstractions/base>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/python>
+
+ # Why are these not in abstractions/python?
+ /usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+ /usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+ /usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+ /usr/bin/ r,
+ /usr/bin/onioncircuits r,
+ /usr/share/xml/iso-codes/** r,
+
+ deny /etc/machine-id r,
+
+ # Accessibility support
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+}
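Review bot: Unlike usr.bin.onionshare and usr.bin.onionshare-gui, this profile closes without a `#include <local/usr.bin.onioncircuits>` line, so site-specific overrides cannot be dropped into /etc/apparmor.d/local for it; adding that include before the closing brace, with an empty stub file like the two added elsewhere in this commit, keeps the three profiles consistent. The `rw` grants on the system `__pycache__` directories repeat the rules in abstractions/onionshare and raise the same question of whether write access under /usr/lib is wanted at all, or whether a quiet `deny ... w,` is the better answer to the comment's "why".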
diff --git a/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare
new file mode 100644
index 0000000..1c14ccc
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+/usr/bin/onionshare {
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare r,
+
+ #include <local/usr.bin.onionshare>
+}
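Review bot: This profile does not deny `/etc/machine-id`, while usr.bin.onioncircuits and usr.bin.onionshare-gui both do; abstractions/onionshare pulls in the same base and nameservice abstractions here, so the identifier is presumably readable by the command-line tool unless the deny is repeated. If the deny exists to keep the machine identifier away from the application rather than from a GUI-only library, `deny /etc/machine-id r,` belongs in abstractions/onionshare so both onionshare profiles inherit it.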
diff --git a/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare-gui b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare-gui
new file mode 100644
index 0000000..746dadc
--- /dev/null
+++ b/config/chroot_local-includes/etc/apparmor.d/usr.bin.onionshare-gui
@@ -0,0 +1,28 @@
+#include <tunables/global>
+
+/usr/bin/onionshare-gui {
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/onionshare>
+
+ /usr/bin/ r,
+ /usr/bin/onionshare-gui r,
+ /proc/*/cmdline r,
+
+ # The freedesktop.org abstraction doesn't allow `k`
+ /usr/share/icons/*/index.theme k,
+
+ # Why do these still emit audit journal entries?
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+ deny @{HOME}/.ICEauthority r,
+
+ deny /etc/machine-id r,
+ deny /var/lib/dbus/machine-id.* rw,
+
+ # Accessibility support
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ #include <local/usr.bin.onionshare-gui>
+}
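Review bot: `deny /var/lib/dbus/machine-id.* rw,` does not match `/var/lib/dbus/machine-id` itself, because the `*` only expands after the literal dot, so the file that actually holds the identifier is left to whatever the included abstractions allow; if the intent is to block it as well as its temporary variants, `deny /var/lib/dbus/machine-id{,.*} rw,` covers both. `/proc/*/cmdline r,` is likewise unqualified and lets the process read the command line of every process the kernel exposes, which can include other users' arguments; `owner /proc/*/cmdline r,` suffices if it only inspects itself. On the "still emit audit journal entries" comment: explicit `deny` rules are quiet by default, so the entries are more likely for a mode these rules do not grant (a lock or create on the ibus bus directory, for instance), and the requested_mask field of the log line would show which.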