[Pkg-privacy-commits] [onionshare] 09/256: AppArmor profiles for Onionshare, written by Tails developers

Ulrike Uhlig ulrike at moszumanska.debian.org
Fri May 26 12:53:02 UTC 2017



ulrike pushed a commit to branch master
in repository onionshare.

commit b5aa66c2393872337ac8f52b43c1904261bb4e27
Author: Ulrike Uhlig <u at 451f.org>
Date:   Sat Nov 19 21:26:57 2016 +0100

    AppArmor profiles for Onionshare, written by Tails developers
---
 apparmor/abstractions/onionshare      | 31 +++++++++++++++++++++++++++++++
 apparmor/local/usr.bin.onionshare     |  2 ++
 apparmor/local/usr.bin.onionshare-gui |  2 ++
 apparmor/usr.bin.onionshare           | 10 ++++++++++
 apparmor/usr.bin.onionshare-gui       | 26 ++++++++++++++++++++++++++
 5 files changed, 71 insertions(+)

diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare
new file mode 100644
index 0000000..d5c7c18
--- /dev/null
+++ b/apparmor/abstractions/onionshare
@@ -0,0 +1,31 @@
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/python>
+
+# Why are these not in abstractions/python?
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+/bin/dash rix,
+/proc/*/mounts r,
+/proc/*/fd/ r,
+/sbin/ldconfig rix,
+/sbin/ldconfig.real rix,
+/bin/uname rix,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/tmp/ rw,
+/tmp/** rw,
+
+# Allow all user data except .gnupg, .ssh and other potential
+# places for critically sensitive application data.
+audit deny @{HOME}/.* mrwkl,
+audit deny @{HOME}/.*/ mrwkl,
+audit deny @{HOME}/.*/** mrwkl,
+owner @{HOME}/ r,
+owner @{HOME}/** r,
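Review bot: `/tmp/** rw,` is not qualified with `owner`, so the confined process may read and overwrite any other user's or process's files under /tmp; `owner /tmp/** rw,` (keeping `/tmp/ rw,` for the directory itself) limits it to files it created. The same applies to `/proc/*/mounts r,` and `/proc/*/fd/ r,`, which expose other processes' state and could be written as `owner /proc/*/fd/ r,` if only the process's own entries are needed. The `rw` rules on `__pycache__` under /usr/lib grant write access to system Python directories; if the package runs the interpreter with bytecode writing disabled these could be `r` only, which is presumably what the "Why are these not in abstractions/python?" question is about. The comment "except .gnupg, .ssh and other potential places" understates what follows, since the three `audit deny @{HOME}/.*` rules block every dotfile and dot-directory in the home; a wording such as `# Deny all dotfiles/dot-directories in $HOME (.gnupg, .ssh, browser profiles, ...)` would match the rules.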
diff --git a/apparmor/local/usr.bin.onionshare b/apparmor/local/usr.bin.onionshare
new file mode 100644
index 0000000..6453771
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/local/usr.bin.onionshare-gui b/apparmor/local/usr.bin.onionshare-gui
new file mode 100644
index 0000000..fa5ba3f
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare
new file mode 100644
index 0000000..225e545
--- /dev/null
+++ b/apparmor/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+/usr/bin/onionshare flags=(complain) {
+  #include <abstractions/onionshare>
+
+  /usr/bin/ r,
+  /usr/bin/onionshare r,
+
+  #include <local/usr.bin.onionshare>
+}
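Review bot: `flags=(complain)` on the profile header means violations are only logged, never blocked, so this profile does not actually confine onionshare until the flag is removed; the onionshare-gui profile in the last hunk has the same flag. If complain mode is deliberate while the rule set is being validated, say so next to the header, e.g. `# complain mode until the rule set has been validated; drop the flag to enforce`, so the switch to enforce mode is not forgotten in packaging. The profile grants only read access to the script itself and relies on the included abstractions for everything else, so whether the local connection to the Tor control port is covered should be confirmed on a real run before enforcing.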
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
new file mode 100644
index 0000000..f41e0cd
--- /dev/null
+++ b/apparmor/usr.bin.onionshare-gui
@@ -0,0 +1,26 @@
+#include <tunables/global>
+
+/usr/bin/onionshare-gui flags=(complain) {
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/onionshare>
+
+  /usr/bin/ r,
+  /usr/bin/onionshare-gui r,
+  /proc/*/cmdline r,
+  /usr/share/icons/Adwaita/index.theme rwk,
+
+  # Why do these still emit audit journal entries?
+  owner @{HOME}/.config/ibus/bus/ rw,
+  owner @{HOME}/.config/ibus/bus/* rw,
+  deny @{HOME}/.ICEauthority r,
+
+  deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+  deny /var/lib/dbus/machine-id.* rw,
+
+  # Accessibility support
+  owner /{,var/}run/user/*/at-spi2-*/ rw,
+  owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+  #include <local/usr.bin.onionshare-gui>
+}
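Review bot: `/proc/*/cmdline r,` without `owner` lets the GUI read the command-line arguments of every process on the system, including other users'; if it only needs its own, `owner /proc/*/cmdline r,` is the narrower rule. `/usr/share/icons/Adwaita/index.theme rwk,` grants write and lock on a system file that the application should only read; unless the audit log showed a write request, `r` (or `rk`) is enough. The "Why do these still emit audit journal entries?" comment leaves an open question in a shipped profile; either resolve it or reword it as a known limitation, e.g. `# ibus and .ICEauthority access is still reported in the audit log; cause not yet identified`.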



