├── LICENSE
├── README.md
├── apparmor.d
│   ├── abstractions
│   │   ├── block-networking
│   │   ├── chromium-base
│   │   ├── chromium-base-sandbox
│   │   ├── chromium-base-xdgsettings
│   │   ├── confidential-deny
│   │   ├── flatpak-snap
│   │   ├── general-security
│   │   ├── kde-dialog
│   │   ├── kde-plasma5
│   │   ├── kde-user
│   │   ├── networkmanager-strict
│   │   ├── open-browser
│   │   ├── open-email
│   │   ├── open-messaging
│   │   ├── open-some-applications
│   │   ├── ubuntu-browsers.d
│   │   │   ├── chromium-browser
│   │   │   └── user-files
│   │   └── udisk-strict
│   ├── default-abstractions
│   │   └── wayland
│   ├── opt.brave
│   ├── opt.vivaldi-stable
│   ├── tunables
│   │   ├── confidential
│   │   └── media-extensions
│   ├── usr.bin.chromium-browser
│   ├── usr.bin.firefox
│   ├── usr.bin.gwenview
│   ├── usr.bin.ktorrent
│   ├── usr.bin.mpv
│   ├── usr.bin.okular
│   ├── usr.bin.opera
│   ├── usr.bin.qbittorrent
│   ├── usr.bin.thunderbird
│   └── usr.lib.bluetooth.bluetoothd
├── extra
│   ├── usr.bin.baloo_file
│   ├── usr.bin.bluedevil
│   └── usr.bin.youtube-dl
└── unmaintained
    ├── home.telegram
    ├── usr.bin.baka-mplayer
    ├── usr.bin.bomi
    ├── usr.bin.kget
    ├── usr.bin.konversation
    ├── usr.bin.ktorrent4
    └── usr.bin.vlc-2.2
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | <one line to give the program's name and a brief idea of what it does.>
635 | Copyright (C) <year>  <name of author>
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | <program>  Copyright (C) <year>  <name of author>
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # AppArmor Security Profiles for some applications
3 |
4 | **Author:** Nibaldo González ()
5 |
6 | ## Description:
7 |
8 | AppArmor profiles for:
9 |
10 | * Bluetooth Daemon
11 | * Brave
12 | * Chromium
13 | * Firefox
14 | * Gwenview
15 | * KTorrent (not tested in latest versions!)
16 | * mpv
17 | * Okular
18 | * Opera (not tested in latest versions!)
19 | * qBittorrent
20 | * Thunderbird
21 | * Vivaldi
22 | * youtube-dl (extra)
23 |
24 | **NOTE:** The profiles in the *extra* folder are not tested frequently!
25 |
26 | These are designed to work on KDE Plasma 5.
27 | All profiles have been tested on Ubuntu 18.04 & 16.04, with KDE Plasma 5.
28 |
29 | If you use Ubuntu, please install the `apparmor-utils` package.
30 |
31 | ## Important:
32 |
33 | * Some profiles hard-code the locations of the downloads and desktop directories, so review them before enabling the profile. The defaults are:
34 | * Downloads Directory: `@{HOME}/Descargas/`
35 | * Desktop Directory: `@{HOME}/Escritorio/`
36 |
37 | * The KTorrent and qBittorrent profiles save downloads under `@{HOME}/Descargas/Torrents/`. Change this to match your configuration.
38 |
39 | * Check the location of the Telegram executable. The profile uses `/home/*/.app/Telegram/{Telegram,Updater}`. **NOTE:** The Telegram profile is unmaintained; for sandboxing, use the Flatpak or Snap package instead.
40 |
41 | ## Installation:
42 |
43 | 1. Copy the files into `/etc/apparmor.d/`.
44 |
45 | Please do so with great caution: some of the files, such as those under `abstractions/ubuntu-browsers.d/`, replace files shipped by the distribution's apparmor package, so back up the originals first.
46 |
47 | 2. To enable a profile in enforce mode, run:
48 | ```bash
49 | sudo aa-enforce /etc/apparmor.d/usr.bin.profile
50 | ```
51 |
52 | * For example, you can use:
53 | ```bash
54 | sudo aa-enforce /etc/apparmor.d/usr.bin.*
55 | sudo aa-enforce /etc/apparmor.d/home.*
56 | sudo aa-enforce /etc/apparmor.d/usr.lib.bluetooth.bluetoothd
57 | ```
58 |
59 | * If you need to reload a profile:
60 | ```bash
61 | sudo apparmor_parser -r /etc/apparmor.d/usr.bin.profile
62 | ```
63 |
64 | * To put a profile in complain mode (violations are logged but not blocked):
65 | ```bash
66 | sudo aa-complain /etc/apparmor.d/usr.bin.profile
67 | ```
68 |
69 | * **NOTE:**
70 | * In Ubuntu, you need to install the `apparmor-utils` package to use the `aa-enforce` and `aa-complain` commands.
71 |
72 | * Rebooting also loads every profile present in `/etc/apparmor.d/`.
73 |
74 | 3. View the profile status:
75 | ```bash
76 | sudo apparmor_status
77 | ```
78 |
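The installation steps above leave out the two checks a practitioner wants around them: compiling a profile before it lands in `/etc/apparmor.d/`, and reading what the kernel logged while the profile ran in complain mode. The script below is an added example, not part of this repository. It assumes Ubuntu with the `apparmor` and `apparmor-utils` packages and that the repository's `abstractions/` and `tunables/` directories are already in `/etc/apparmor.d/`; the log lines in `sample_denials` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of this repository: compile a profile from the
# checkout before it touches /etc/apparmor.d, load it in complain mode, then
# summarise what the kernel logged while the application was exercised.
# Assumes Ubuntu with the apparmor and apparmor-utils packages and that the
# repository's abstractions/ and tunables/ directories are already in
# /etc/apparmor.d. The log lines in sample_denials are constructed.

# Compile only (-Q), bypass the cache (-K), and resolve includes against the
# checkout too (-I); refuse to install a profile that does not parse.
install_profile_complain() {
    repo="$1"; profile="$2"
    apparmor_parser -Q -K -I "$repo/apparmor.d" "$profile" || return 1
    cp "$profile" /etc/apparmor.d/ || return 1
    aa-complain "/etc/apparmor.d/$(basename "$profile")"
}

# Collapse AppArmor audit lines into "count status profile operation object mask".
# In complain mode the kernel logs would-be denials as apparmor="ALLOWED", so
# both statuses are kept; "name" (files) and "family" (sockets) share a column.
# Paths containing spaces split across awk fields and are not handled.
summarize_denials() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' | awk '
    {
        status = ""; prof = ""; op = ""; obj = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            gsub(/"/, "", kv[2])
            if (kv[1] == "apparmor") status = kv[2]
            else if (kv[1] == "profile") prof = kv[2]
            else if (kv[1] == "operation") op = kv[2]
            else if (kv[1] == "name" || kv[1] == "family") obj = kv[2]
            else if (kv[1] == "requested_mask") mask = kv[2]
        }
        count[status " " prof " " op " " obj " " mask]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what "journalctl -k" shows for a confined mpv and okular.
sample_denials() {
    cat <<'EOF'
audit: type=1400 audit(1571000000.101:40): apparmor="DENIED" operation="open" profile="/usr/bin/mpv" name="/home/user/.bash_history" pid=1234 comm="mpv" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1571000000.102:41): apparmor="DENIED" operation="open" profile="/usr/bin/mpv" name="/home/user/.bash_history" pid=1234 comm="mpv" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1571000000.103:42): apparmor="ALLOWED" operation="open" profile="/usr/bin/mpv" name="/etc/fstab" pid=1234 comm="mpv" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1571000000.104:43): apparmor="DENIED" operation="create" profile="/usr/bin/okular" pid=1300 comm="okular" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
EOF
}

# Stand-alone run: summarise the constructed sample. On a real system use
#   sudo journalctl -k -b | summarize_denials
sample_denials | summarize_denials
```

Run the application under the complain-mode profile, exercise the features you care about, then feed `journalctl -k -b` (or `/var/log/audit/audit.log` when auditd is running) through `summarize_denials`. Each output line is one rule you either need to add or deliberately keep denied; `aa-logprof` offers the same loop interactively, but the one-line summary is easier to keep in a ticket or diff against the next run.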
--------------------------------------------------------------------------------
/apparmor.d/abstractions/block-networking:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Last change: March 25, 2017
5 | # Block networking
6 |
7 | deny network inet,
8 | deny network inet6,
9 | deny network netlink raw,
10 |
11 | deny @{PROC}/[0-9]*/net/if_inet6 rw,
12 | deny @{PROC}/[0-9]*/net/ipv6_route rw,
13 | deny @{PROC}/[0-9]*/net/dev rw,
14 | deny @{PROC}/[0-9]*/net/wireless rw,
15 | deny @{PROC}/[0-9]*/net/route rw,
16 |
17 | # on systems using resolvconf, /etc/resolv.conf is a symlink to
18 | # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
19 | # /etc/resolvconf/run/resolv.conf. Similarly, if NetworkManager is used
20 | # without resolvconf, /etc/resolv.conf is a symlink to its own resolv.conf.
21 | # Finally, on systems using systemd's networkd, /etc/resolv.conf is
22 | # a symlink to /run/systemd/resolve/resolv.conf
23 | deny /etc/resolv.conf rw,
24 | deny /{,var/}run/{resolvconf,NetworkManager,systemd/resolve}/resolv.conf rw,
25 | deny /etc/resolvconf/run/resolv.conf rw,
26 |
27 | deny /etc/host.conf rw,
28 | deny /etc/hosts rw,
29 | deny /etc/protocols rw,
30 |
31 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/chromium-base:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
2 | # vim: syntax=apparmor
3 |
4 | # Rules for Web browsers based on Chromium.
5 | # ---------------------------------------------------
6 | # This abstraction is based on the Chromium profile,
7 | # created by Jamie Strandboge
8 | # Author: Nibaldo Gonzalez
9 | # Last change: March 23, 2019
10 |
11 | # IMPORTANT: In the main profile, also include the
12 | # abstraction "ubuntu-helpers" to use the transition
13 | # to "sanitized_helper". This is not included here to
14 | # avoid possible errors of duplicate profiles.
15 |
16 | # include
17 |
18 | include
19 | include
20 | include
21 | include
22 | include
23 | include
24 | include
25 | include
26 |
27 | include
28 |
29 | # Networking
30 | network inet stream,
31 | network inet6 stream,
32 | @{PROC}/[0-9]*/net/if_inet6 r,
33 | @{PROC}/[0-9]*/net/ipv6_route r,
34 | @{PROC}/sys/net/ipv4/tcp_fastopen r,
35 |
36 | capability sys_admin,
37 | capability sys_chroot,
38 | # capability net_bind_service, # Investigate
39 | capability sys_ptrace,
40 |
41 | owner @{PROC}/[0-9]*/setgroups w,
42 | owner @{PROC}/[0-9]*/gid_map w,
43 | owner @{PROC}/[0-9]*/uid_map w,
44 |
45 | /etc/mime.types r,
46 | /etc/mailcap r,
47 | /etc/mtab r,
48 | /etc/xdg/*ubuntu/applications/defaults.list r,
49 | /etc/xfce4/defaults.list r,
50 | owner @{HOME}/.local/share/applications/defaults.list r,
51 | owner @{HOME}/.local/share/applications/mimeinfo.cache r,
52 |
53 | @{PROC}/ r,
54 | @{PROC}/filesystems r,
55 | @{PROC}/vmstat r,
56 | @{PROC}/[0-9]*/fd/ r,
57 | @{PROC}/[0-9]*/environ r,
58 | @{PROC}/[0-9]*/smaps r,
59 | @{PROC}/[0-9]*/stat r,
60 | @{PROC}/[0-9]*/statm r,
61 | @{PROC}/[0-9]*/task/[0-9]*/stat r,
62 | @{PROC}/[0-9]*/task/[0-9]*/status r,
63 | owner @{PROC}/[0-9]*/cmdline r,
64 | owner @{PROC}/[0-9]*/io r,
65 | owner @{PROC}/[0-9]*/stat r,
66 | owner @{PROC}/[0-9]*/status r,
67 | deny @{PROC}/[0-9]*/oom_{,score_}adj w,
68 | @{PROC}/sys/kernel/yama/ptrace_scope r,
69 |
70 | /etc/lsb-release r,
71 | /etc/ssl/openssl.cnf r,
72 | /etc/udev/udev.conf r,
73 | /dev/video[0-9]* r,
74 |
75 | /sys/devices/system/cpu/cpu*/{cpufreq,policy[0-9]*}/cpuinfo_max_freq r,
76 | /sys/devices/pci[0-9]*/**/{config,revision,busnum} r,
77 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
78 | /sys/devices/pci[0-9]*/**/id{Product,Vendor} r,
79 | /sys/devices/pci[0-9]*/**/class r,
80 | /sys/devices/pci[0-9]*/**/irq r,
81 | /sys/devices/pci[0-9]*/**/resource r,
82 | /sys/devices/pci[0-9]*/**/removable r,
83 | /sys/devices/pci[0-9]*/**/block/**/size r,
84 | /sys/devices/pci[0-9]*/**/usb[0-9]*/[0-9]**/{descriptors,interface,manufacturer,serial,bConfigurationValue} r,
85 | /sys/devices/virtual/block/**/removable r,
86 | /sys/devices/virtual/block/**/size r,
87 | /sys/devices/virtual/tty/tty[0-9]/active r,
88 | /sys/devices/**/uevent r,
89 |
90 | # This is requested, but doesn't seem to actually be needed so deny for now
91 | deny /run/udev/data/** r,
92 |
93 | # Needed for the crash reporter
94 | owner @{PROC}/[0-9]*/auxv r,
95 |
96 | # mmaps all kinds of things for speed.
97 | /etc/passwd m,
98 | /usr/share/fonts/truetype/**/*.tt[cf] m,
99 | /usr/share/fonts/**/*.pfb m,
100 | /usr/share/mime/mime.cache m,
101 | /usr/share/icons/**/*.cache m,
102 | owner /{dev,run}/shm/pulse-shm* m,
103 | owner @{HOME}/.local/share/mime/mime.cache m,
104 | owner /tmp/** m,
105 |
106 | @{PROC}/sys/kernel/shmmax r,
107 | # owner /{dev,run}/shm/{,.}org.chromium.* mrw,
108 | owner /{var/run,run,dev}/shm/shmfd-* mrw,
109 |
110 | # Chromium Policies
111 | /etc/chromium-browser/policies/** r,
112 | /etc/chromium/** r,
113 |
114 | # Make browsing directories work
115 | /{,**/} r,
116 |
117 | # Allow access to documentation and other files the user
118 | # may want to look at in /usr
119 | /usr/{include,share,src}** r,
120 |
121 | deny /usr/share/{fonts,poppler,texmf}/{,**/}.* w,
122 | deny /usr/local/share/{fonts,texmf}/{,**/}.* w,
123 |
124 | /bin/ps Uxr,
125 | /usr/bin/xdg-settings Cxr -> xdgsettings,
126 | /usr/bin/lsb_release Cxr -> lsb_release,
127 |
128 | # Helpers
129 | /usr/bin/{exo,gnome,gvfs,xdg}-open ixr,
130 | /usr/bin/kde-open{,5} ixr,
131 | /usr/bin/kdialog ixr,
132 | # xfce/Xubuntu
133 | /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
134 | /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
135 | /etc/xdg/xfce4/helpers.rc r,
136 |
137 | /usr/bin/chrome-gnome-shell ixr,
138 |
139 | # GSettings
140 | owner /{,var/}run/user/*/dconf/ rw,
141 | owner /{,var/}run/user/*/dconf/user rw,
142 | owner @{HOME}/.config/dconf/user r,
143 |
144 | # Allow ptracing ourselves
145 | ptrace (trace) peer=@{profile_name},
146 | ptrace (trace read) peer=@{profile_name}//lsb_release,
147 | ptrace (trace read) peer=@{profile_name}//xdgsettings,
148 |
149 | # For migration
150 | # owner @{HOME}/.mozilla/firefox/profiles.ini r,
151 | # owner @{HOME}/.mozilla/firefox/*/prefs.js r,
152 |
153 | # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
154 | # which is provided by abstractions/ubuntu-browsers.d/user-files).
155 | # /etc/firefox/profile/bookmarks.html r,
156 | # owner @{HOME}/.mozilla/** k,
157 |
158 | # Block binary execution and mapping of compiled libraries
159 | audit deny /{data,media,mnt,srv,net}/** mx,
160 | audit deny @{HOME}/{*,[^.]**} mx,
161 | audit deny /tmp/** x,
162 | # audit deny owner /**/* x,
163 |
164 | deny @{HOME}/.local/share/applications/** w,
165 | audit deny @{HOME}/.local/share/flatpak/** w,
166 | audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
167 | deny /usr/lib/vlc/plugins/plugins.dat.* w,
168 | deny @{HOME}/.* w,
169 | deny @{HOME}/.bash* r,
170 | deny @{HOME}/.sudo_as_admin_* r,
171 |
172 | owner @{HOME}/.pki/nssdb/* rwk,
173 | owner @{HOME}/.config/gtk-3.0/* r,
174 | # owner @{HOME}/.local/share/.org.chromium.Chromium{,.[a-zA-Z0-9]*} rw,
175 |
176 | owner @{HOME}/.cache/fontconfig/*.cache-* rw,
177 | deny /var/cache/fontconfig/ w,
178 |
179 | owner @{HOME}/.cache/mesa_shader_cache/** rw,
180 | owner @{HOME}/.cache/mesa_shader_cache/**.tmp k,
181 |
182 |
183 | # For KDE Plasma 5 (used by kdialog & kde-open5).
184 | # This could live in a child profile for the kdialog and kde-open5
185 | # binaries, but most of the parent profile's rules would have to be repeated there.
186 |
187 | include
188 |
189 | owner @{HOME}/.config/kio* r,
190 | owner @{HOME}/.config/kdialogrc rw,
191 | owner @{HOME}/.config/kdialogrc.[a-zA-Z0-9]* rwk,
192 | link @{HOME}/.config/kdialogrc.[a-zA-Z0-9]* -> "/home/*/.config/#[0-9]*",
193 | owner @{HOME}/.local/share/qt_temp.* rwk,
194 | deny @{HOME}/.local/share/RecentDocuments/* w,
195 | owner @{PROC}/[0-9]*/mounts r,
196 | /usr/lib{,64,/@{multiarch}}/qt5/plugins/{imageformats,platformthemes,styles}/*.so m,
197 | /etc/fstab r,
198 | /etc/rpc r,
199 | /dev/tty r,
200 |
201 | # FIXME: chromium-browser has problems opening dialogs to open or save files
202 | # with kdialog (info: Failed name lookup - deleted entry).
203 | # The problem is not reproduced in Opera, Vivaldi and Brave.
204 | owner /run/user/[0-9]*/kdialog*.slave-socket rwk,
205 | owner /run/user/[0-9]*/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rwk,
206 | link /run/user/[0-9]*/kdialog*.slave-socket -> "/run/user/[0-9]*/#[0-9]*",
207 | owner /run/user/[0-9]*/kdeinit5* rwk,
208 | link /run/user/[0-9]*/kdeinit5* -> "/run/user/[0-9]*/#[0-9]*",
209 | /usr/lib{,64,/@{multiarch}}/libexec/drkonqi ixr,
210 |
211 | @{PROC}/sys/kernel/core_pattern r,
212 |
213 | # Plasma browser integration support (temporary solution)
214 | # NOTE: "sanitized_helper" is provided by the "ubuntu-helpers" abstraction.
215 | /usr/bin/plasma-browser-integration-host Cxr -> sanitized_helper,
216 | /etc/opt/chrome/native-messaging-hosts/org.kde.plasma.browser_integration.json r,
217 | # ptrace (read) peer=@{profile_name}//sanitized_helper,
218 |
219 | signal (send) set=(term) peer=unconfined,
220 |
221 |
222 | profile lsb_release flags=(attach_disconnected) {
223 | include
224 | include
225 | /usr/bin/lsb_release r,
226 | /bin/dash ixr,
227 | /usr/bin/dpkg-query ixr,
228 | /usr/include/python2.[4567]/pyconfig.h r,
229 | /etc/lsb-release r,
230 | /etc/debian_version r,
231 | /usr/share/distro-info/*.csv r,
232 | /var/lib/dpkg/** r,
233 |
234 | /usr/local/lib{,64}/python3.[0-6]/dist-packages/ r,
235 | /usr/bin/ r,
236 | /usr/bin/python3.[0-6] mr,
237 |
238 | # file_inherit
239 | deny /tmp/gtalkplugin.log w,
240 | }
241 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/chromium-base-sandbox:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
2 | # vim: syntax=apparmor
3 |
4 | # Chromium sandbox binary:
5 | # Rules for Web browsers based on Chromium.
6 | # ---------------------------------------------------
7 | # This abstraction is based on the Chromium profile,
8 | # created by Jamie Strandboge
9 | # Author: Nibaldo Gonzalez
10 | # Last change: September 29, 2018
11 |
12 | # Be fanatical since it is setuid root and don't use an abstraction
13 | /lib{,64}/libgcc_s.so* mr,
14 | /lib{,64,/@{multiarch}}/libgcc_s.so* mr,
15 | /lib{,64}/libm-*.so* mr,
16 | /lib{,64,/@{multiarch}}/libm-*.so* mr,
17 | /lib{,64}/libpthread-*.so* mr,
18 | /lib{,64,/@{multiarch}}/libpthread-*.so* mr,
19 | /lib{,64}/libc-*.so* mr,
20 | /lib{,64,/@{multiarch}}/libc-*.so* mr,
21 | /lib{,64}/libld-*.so* mr,
22 | /lib{,64,/@{multiarch}}/libld-*.so* mr,
23 | /lib{,64}/ld-*.so* mr,
24 | /lib{,64,/@{multiarch}}/ld-*.so* mr,
25 | /lib{,64}/tls/*/{cmov,nosegneg}/libm-*.so* mr,
26 | /lib{,64}/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
27 | /lib{,64}/tls/*/{cmov,nosegneg}/libc-*.so* mr,
28 | /usr/lib{,64}/libstdc++.so* mr,
29 | /usr/lib{,64,/@{multiarch}}/libstdc++.so* mr,
30 | /lib{,64,/@{multiarch}}/librt-*.so* mr,
31 | /etc/ld.so.cache r,
32 |
33 | # Required for dropping into PID namespace. Keep in mind that until the
34 | # process drops this capability it can escape confinement, but once it
35 | # drops CAP_SYS_ADMIN we are ok.
36 | capability sys_admin,
37 |
38 | # All of these are for sanely dropping from root and chrooting
39 | capability chown,
40 | capability fsetid,
41 | capability setgid,
42 | capability setuid,
43 | capability dac_override,
44 | capability sys_chroot,
45 |
46 | capability sys_ptrace,
47 | ptrace (read, readby),
48 |
49 | signal (receive) peer=unconfined,
50 | signal peer=@{profile_name},
51 | signal (receive, send) set=("exists"),
52 |
53 | unix (create),
54 | unix peer=(label=@{profile_name}),
55 | unix (getattr, getopt, setopt, shutdown) addr=none,
56 |
57 | @{PROC}/ r,
58 | @{PROC}/[0-9]*/ r,
59 | @{PROC}/[0-9]*/fd/ r,
60 | deny @{PROC}/[0-9]*/oom_{,score_}adj w,
61 | @{PROC}/[0-9]*/status r,
62 | @{PROC}/[0-9]*/task/[0-9]*/stat r,
63 |
64 | /dev/null rw,
65 |
66 | owner /tmp/** rw,
67 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/chromium-base-xdgsettings:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
2 | # vim: syntax=apparmor
3 |
4 | # Chromium xdg-settings binary:
5 | # Rules for Web browsers based on Chromium.
6 | # ---------------------------------------------------
7 | # This abstraction is based on the Chromium profile,
8 | # created by Jamie Strandboge
9 | # Author: Nibaldo Gonzalez
10 | # Last change: November 22, 2017
11 |
12 | include
13 | include
14 |
15 | # For KDE Plasma 5
16 | owner @{HOME}/.config/kdeglobals rk,
17 | owner @{HOME}/.cache/ksycoca5_* r,
18 | /usr/share/qt5/translations/qt_*.qm r,
19 |
20 | /usr/bin/kreadconfig5 ixr,
21 | /usr/bin/ktraderclient5 ixr,
22 | /usr/bin/head ixr,
23 |
24 | /bin/dash ixr,
25 |
26 | /etc/ld.so.cache r,
27 | /usr/bin/xdg-settings r,
28 | # /{opt,usr/lib,usr/lib64,usr/lib/*-linux-gnu}/*/xdg-settings r,
29 | /usr/share/applications/*.desktop r,
30 |
31 | # Checking default browser
32 | /bin/grep ixr,
33 | /bin/readlink ixr,
34 | /bin/sed ixr,
35 | /bin/which ixr,
36 | /usr/bin/basename ixr,
37 | /usr/bin/cut ixr,
38 |
39 | # Setting the default browser
40 | /bin/mkdir ixr,
41 | /bin/mv ixr,
42 | /bin/touch ixr,
43 | /usr/bin/dirname ixr,
44 | /usr/bin/gconftool-2 ix,
45 | /usr/bin/[gm]awk ixr,
46 | /usr/bin/xdg-mime ixr,
47 | owner @{HOME}/.local/share/applications/ w,
48 | owner @{HOME}/.local/share/applications/mimeapps.list* rw,
49 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/confidential-deny:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Block all access to sensitive data, such as passwords, keys and some system directories.
5 | # See tunables/confidential for the @{CONFIDENTIAL} definition.
6 | deny @{CONFIDENTIAL} rwklmx,
7 |
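Abstractions such as block-networking above and confidential-deny here are rule fragments, so `apparmor_parser` cannot check them on their own, and confidential-deny additionally needs `@{CONFIDENTIAL}` from tunables/confidential to be defined before it will compile. The script below is an added example, not part of this repository: it wraps one abstraction in a throwaway profile, compiles that without loading it, or prints the expanded rule set the abstraction contributes. It assumes a repository checkout path, a system `/etc/apparmor.d` that provides tunables/global, and an installed `apparmor_parser`; the profile name `abstraction-check` is a placeholder that is never loaded.

```shell
#!/bin/sh
# Added example, not part of this repository: an abstraction such as
# block-networking or confidential-deny is a rule fragment, so apparmor_parser
# cannot check it on its own. Wrap it in a throwaway profile, compile that
# without loading it, or print the expanded rule set it contributes.
# Assumes a repository checkout path, a system /etc/apparmor.d that provides
# tunables/global, and an installed apparmor_parser. The profile name
# "abstraction-check" is a placeholder that is never loaded.

# Print a minimal profile including one abstraction from the checkout.
# Abstractions that use a variable need its tunable as well: confidential-deny
# expands @{CONFIDENTIAL}, defined in tunables/confidential.
wrapper_profile() {
    name="$1"; tunable="${2:-}"
    echo 'include <tunables/global>'
    [ -n "$tunable" ] && echo "include <tunables/$tunable>"
    echo 'profile abstraction-check {'
    echo "  include <abstractions/$name>"
    echo '}'
}

# check:  compile only (-Q), no cache (-K); exit status is apparmor_parser's.
# expand: dump the preprocessed profile (-p), i.e. every rule the abstraction
#         and its includes bring in, which is what the kernel would enforce.
# -I makes "include <abstractions/...>" resolve against the checkout as well
# as /etc/apparmor.d.
run_parser() {
    mode="$1"; repo="$2"; name="$3"; tunable="${4:-}"
    tmp=$(mktemp) || return 1
    wrapper_profile "$name" "$tunable" > "$tmp"
    case "$mode" in
        check)  apparmor_parser -Q -K -I "$repo/apparmor.d" "$tmp" ;;
        expand) apparmor_parser -p -I "$repo/apparmor.d" "$tmp" ;;
        *)      echo "usage: run_parser check|expand REPO ABSTRACTION [TUNABLE]" >&2
                rm -f "$tmp"; return 2 ;;
    esac
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone run prints the wrapper that would be compiled for, e.g.:
#   run_parser check ~/src/apparmor-profiles confidential-deny confidential
#   run_parser expand ~/src/apparmor-profiles block-networking
wrapper_profile confidential-deny confidential
```

The `expand` mode is the useful one when reviewing a change: the preprocessed output shows every rule a profile inherits through its includes, which is where surprises such as a `deny` in block-networking overriding a `network inet stream` allow from another abstraction become visible, since AppArmor deny rules win over allow rules regardless of order.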
--------------------------------------------------------------------------------
/apparmor.d/abstractions/flatpak-snap:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 07, 2018
6 |
7 | # Flatpak
8 | /var/lib/flatpak/exports/share/** r,
9 | /var/lib/flatpak/app/**/export/share/applications/*.desktop r,
10 | /var/lib/flatpak/app/**/export/share/applications/ r,
11 | owner @{HOME}/.local/share/flatpak/exports/share/** r,
12 | owner @{HOME}/.local/share/flatpak/app/**.desktop r,
13 | owner @{HOME}/.local/share/flatpak/app/ r,
14 | deny @{HOME}/.local/share/flatpak/** w,
15 |
16 | # Snap
17 | /var/lib/snapd/desktop/applications/mimeinfo.cache r,
18 | /var/lib/snapd/desktop/applications/*.desktop r,
19 | /var/lib/snapd/desktop/applications/ r,
20 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/general-security:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 07, 2018
6 |
7 | # Block binary execution & mapping of compiled libraries from untrusted sources
8 | audit deny owner /**/* mx,
9 | audit deny @{HOME}/** mx,
10 | audit deny /{data,media,mnt,srv,net,cdrom,var,run,tmp}/** mx,
11 |
12 | # Block Python imports from untrusted sources
13 | deny owner /**/**.py* r,
14 | deny @{HOME}/**.py* r,
15 | deny /{data,media,mnt,srv,net,cdrom,var,run,tmp}/**.py* r,
16 |
17 | audit deny /dev/{video,audio}* rwlkmx,
18 |
19 | # For Windows partition
20 | deny /media/*/[Ww]indows/{Program*,Windows}/{,**} w,
21 | deny /media/*/[Ww]indows/Users/ w,
22 | deny /media/*/[Ww]indows/Users/*/ w,
23 |
24 | # Avoid modifications
25 | audit deny @{HOME}/.local/share/applications/** w,
26 | audit deny @{HOME}/.local/share/flatpak/** w,
27 | audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
28 | audit deny @{HOME}/.app/** w,
29 |
30 | audit deny @{HOME}/.* w,
31 | deny @{HOME}/.bash_history r,
32 |
33 | # Others
34 | deny /run/udev/data/** rwklmx,
35 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/kde-dialog:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 27, 2018
6 |
7 | #/usr/bin/kde-open{,5} Cx -> kde-dialog,
8 | #/usr/bin/kdeinit5 Cx -> kde-dialog,
9 | #/usr/bin/kdialog Cx -> kde-dialog,
10 |
11 | profile kde-dialog {
12 | include
13 | include
14 | include
15 | include
16 |
17 | /{,**/} r,
18 | /{data,home,media,mnt,srv,net,cdrom}/** r,
19 |
20 | owner @{HOME}/.config/kdialogrc rw,
21 | owner @{HOME}/.config/kdialogrc.[a-zA-Z0-9]* rwk,
22 | deny @{HOME}/.local/share/RecentDocuments/* w,
23 |
24 | owner /run/user/[0-9]*/kdialog*.slave-socket rwk,
25 | owner /run/user/[0-9]*/\#[0-9]* rwk,
26 |
27 | link @{HOME}/.config/kdialogrc.[a-zA-Z0-9]* -> "/home/*/.config/#[0-9]*",
28 | link /run/user/[0-9]*/kdialog*.slave-socket -> "/run/user/[0-9]*/#[0-9]*",
29 |
30 | #/usr/lib{,64,/*-linux-gnu}/qt5/plugins/{imageformats,platformthemes,styles}/*.so m,
31 | /etc/fstab r,
32 | /etc/rpc r,
33 | /dev/tty r,
34 |
35 | /sys/devices/**/uevent r,
36 | /sys/devices/pci[0-9]*/**/{busnum,config,revision} r,
37 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
38 | /sys/devices/pci[0-9]*/**/id{Product,Vendor} r,
39 | owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
40 | owner @{PROC}/@{pid}/task/[0-9]*/stat r,
41 | }
42 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/kde-plasma5:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 07, 2018
6 |
7 | # KDE Plasma 5
8 |
9 | include
10 | include
11 | include
12 | include
13 | include
14 | include
15 |
16 | include
17 | include
18 |
19 | owner @{HOME}/.config/kde.org/** r,
20 | owner @{HOME}/.config/kdebugrc rw,
21 | owner @{HOME}/.config/libaccounts-glib/ rw,
22 | owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
23 | owner @{HOME}/.config/Trolltech.conf rk,
24 |
25 | owner @{HOME}/.local/share/icons/** rw,
26 | /usr/share/icons/** r,
27 |
28 | /usr/share/color-schemes/** r,
29 | /usr/share/knotifications5/** r,
30 | /usr/share/kservices5/** r,
31 | /usr/share/kxmlgui5/** r,
32 | /usr/share/plasma/** r,
33 | /usr/share/qt5/** r,
34 | /usr/share/sounds/** r,
35 | /usr/share/mime/** r,
36 | /usr/share/templates/** r,
37 |
38 | /etc/xdg/** r,
39 | /etc/xdg/Trolltech.conf k,
40 | deny /etc/xdg/{autostart,systemd}/** rw,
41 |
42 | # Qt5
43 | /usr/lib{,64,32,x32,/@{multiarch}}/qt5/** r,
44 | /usr/lib{,64,32,x32,/@{multiarch}}/qt5/plugins/{,**/}*.so m,
45 | /usr/lib{,64,32,x32,/@{multiarch}}/qt5/qml/{,**/}*.{so,jsc,qmlc} m,
46 | /usr/lib{,64,32,x32,/@{multiarch}}/qt5/{bin,libexec}/** ix,
47 |
48 | /usr/lib/@{multiarch}/libexec/kf5/** ix,
49 | deny /usr/lib{,64,32,x32,/@{multiarch}}/vlc/plugins/plugins.dat* w,
50 |
51 | # Temporary files
52 | owner @{HOME}/.local/share/qt_temp.* rwk,
53 | owner @{HOME}/.kde/tmp-* rwk,
54 |
55 | owner /tmp/** rwlk,
56 | owner /{,var/}tmp/kde{,cache}-*/ rwl,
57 | owner /{,var/}tmp/kde{,cache}-*/** rwlk,
58 | owner /{,var/}run/user/[0-9]*/kdeinit5* rwlk,
59 | owner /{,var/}run/user/[0-9]*/ksocket-*/ rwl,
60 | owner /{,var/}run/user/[0-9]*/ksocket-*/** rwlk,
61 | owner /{,var/}run/user/[0-9]*/kioclient*-socket rwlk,
62 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/kde-user:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 27, 2018
6 |
7 | # Local Configuration Files in KDE Plasma 5
8 |
9 | owner @{HOME}/.config/.[a-zA-Z0-9]* rwk,
10 | owner @{HOME}/.config/kdeglobals rw,
11 | owner @{HOME}/.config/kdeglobals.[a-zA-Z0-9]* rwk,
12 | owner @{HOME}/.config/QtProject.conf rw,
13 | owner @{HOME}/.config/QtProject.conf.[a-zA-Z0-9]* rwk,
14 | owner @{HOME}/.config/QtProject/{,**} rw,
15 |
16 | owner "@{HOME}/.config/#[0-9]*" rwk,
17 | link @{HOME}/.config/QtProject.conf.[a-zA-Z0-9]* -> "/home/*/.config/#[0-9]*",
18 | link @{HOME}/.config/kdeglobals.[a-zA-Z0-9]* -> "/home/*/.config/#[0-9]*",
19 | #link @{HOME}/.config/?*.[a-zA-Z0-9]* -> "/home/*/.config/#[0-9]*",
20 | #link @{HOME}/.config/**/?*.[a-zA-Z0-9]* -> "/home/*/.config/**/#[0-9]*",
21 |
22 | owner @{HOME}/.config/baloofilerc r,
23 | owner @{HOME}/.config/breezerc r,
24 | owner @{HOME}/.config/kioslaverc r,
25 | owner @{HOME}/.config/klanguageoverridesrc r,
26 | owner @{HOME}/.config/trashrc rw,
27 |
28 | # owner @{HOME}/.config/kdebugrc rw,
29 | # owner @{HOME}/.config/kdialogrc rw,
30 | # owner @{HOME}/.config/kdialogrc.[a-zA-Z0-9]* rwk,
31 | # owner @{HOME}/.config/kde.org/libphonon.conf r,
32 |
33 | owner @{HOME}/.cache/icon-cache.kcache rw,
34 | owner @{HOME}/.cache/ksycoca5_* r,
35 | owner @{HOME}/.cache/qt_compose_cache_* rw,
36 |
37 | owner @{HOME}/.local/share/user-places.xbel{,.[a-zA-Z0-9]*} rw,
38 | owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl,
39 | owner @{HOME}/.local/share/RecentDocuments/{,*.desktop}.[a-zA-Z0-9]* rwk,
40 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/networkmanager-strict:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: September 07, 2017
6 |
7 | dbus (send)
8 | bus=system
9 | path=/org/freedesktop/NetworkManager
10 | interface=org.freedesktop.DBus.Properties
11 | member={GetAll,GetDevices}
12 | peer=(name=org.freedesktop.NetworkManager label=unconfined),
13 | dbus (send)
14 | bus=system
15 | path=/org/freedesktop/NetworkManager
16 | interface=org.freedesktop.NetworkManager
17 | member=GetDevices
18 | peer=(name=org.freedesktop.NetworkManager label=unconfined),
19 |
20 | dbus (send)
21 | bus=system
22 | path=/org/freedesktop/NetworkManager/Settings
23 | interface=org.freedesktop.NetworkManager.Settings
24 | member=ListConnections
25 | peer=(name=org.freedesktop.NetworkManager label=unconfined),
26 | dbus (send)
27 | bus=system
28 | path=/org/freedesktop/NetworkManager/Settings/[0-9]*
29 | interface=org.freedesktop.NetworkManager.Settings.Connection
30 | member=GetSettings
31 | peer=(name=org.freedesktop.NetworkManager label=unconfined),
32 |
33 | dbus (send)
34 | bus=system
35 | path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*}
36 | interface=org.freedesktop.DBus.Properties
37 | member=GetAll
38 | peer=(name=org.freedesktop.NetworkManager label=unconfined),
39 | dbus (receive)
40 | bus=system
41 | path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
42 | interface=org.freedesktop.NetworkManager.Connection.Active
43 | member=PropertiesChanged,
44 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/open-browser:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: October 13, 2019
6 |
7 | # Open Web browsers, needed to open links.
8 | # Only for Firefox, Opera, Chromium, Chrome, Vivaldi, Brave, Falkon & Pale Moon.
9 | # To support more browsers, you can also use (in the top-level profile):
10 | # #include
11 | # #include
12 |
13 | # Firefox
14 | # "/usr/bin/firefox" is a link to: "/usr/lib{,64}/firefox/firefox.sh"
15 | # This is a script that executes: "/usr/lib{,64}/firefox/firefox"
16 | /usr/bin/{,_*.}firefox ixr,
17 | /usr/lib{,64}/firefox/firefox.sh ixr,
18 | /usr/lib{,64}/firefox/firefox PUx,
19 |
20 | # Opera
21 | # "/usr/bin/opera" is a link to: "/usr/lib{*,/*}/opera/opera"
22 | /usr/lib{,64,/x86_64-linux-gnu,/i386-linux-gnu}/opera/opera PUx,
23 |
24 | # Chromium
25 | # "/usr/bin/chromium-browser" is a script that executes: "/usr/lib{,64}/chromium-browser/chromium-browser"
26 | /usr/bin/chromium-browser ixr,
27 | /usr/lib{,64}/chromium-browser/chromium-browser PUx,
28 |
29 | # Chrome
30 | # "/usr/bin/google-chrome-stable" is a link to: "/opt/google/chrome/google-chrome"
31 | # This is a script that executes: "/opt/google/chrome/chrome"
32 | /opt/google/chrome/google-chrome ixr,
33 | /opt/google/chrome/chrome PUx,
34 |
35 | # Vivaldi
36 | # "/usr/bin/vivaldi" is a link to: "/opt/vivaldi/vivaldi"
37 | # This is a script that executes: "/opt/vivaldi/vivaldi-bin"
38 | /opt/vivaldi/vivaldi ixr,
39 | /opt/vivaldi/vivaldi-bin PUx,
40 |
41 | # Brave
42 | # "/usr/bin/brave-browser" is a link to: "/opt/brave.com/brave/brave-browser"
43 | # This is a script that executes: "/opt/brave.com/brave/brave"
44 | /opt/brave.com/brave/brave-browser ixr,
45 | /opt/brave.com/brave/brave PUx,
46 |
47 | # Falkon
48 | /usr/bin/falkon PUx,
49 |
50 | # Pale Moon
51 | /usr/lib{,64}/palemoon/palemoon PUx,
52 |
53 | /bin/which ixr,
54 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/open-email:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: May 12, 2017
6 |
7 | # Open e-mail clients.
8 | # Only for Thunderbird.
9 | # To support more e-mail clients, you can also use (in the top-level profile):
10 | # #include
11 | # #include
12 |
13 | # Thunderbird
14 | # "/usr/bin/thunderbird" is a link to: "/usr/lib{,64}/thunderbird/thunderbird.sh"
15 | # This is a script that executes: "/usr/lib{,64}/thunderbird/thunderbird"
16 | /usr/lib{,64}/thunderbird/thunderbird.sh ix,
17 | /usr/lib{,64}/thunderbird/thunderbird PUx,
18 |
19 | /bin/which ix,
20 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/open-messaging:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | /usr/bin/konversation Pxr,
5 | /usr/bin/Telegram Pxr,
6 | /home/*/.TelegramDesktop/bin/Telegram Pxr,
7 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/open-some-applications:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 07, 2018
6 |
7 | # Applications with an AppArmor profile:
8 |
9 | # Document and image viewers
10 | /usr/bin/gwenview Px,
11 | /usr/bin/okular Px,
12 |
13 | # Media players
14 | /usr/bin/baka-mplayer Px,
15 | /usr/bin/bomi Px,
16 | /usr/bin/mpv Px,
17 | /usr/bin/vlc Px,
18 |
19 | # Messenger
20 | /usr/bin/konversation Px,
21 | /home/*/.TelegramDesktop/bin/Telegram Px,
22 |
23 | # Download clients and torrents
24 | /usr/bin/kget Px,
25 | /usr/bin/ktorrent Px,
26 | /usr/bin/qbittorrent Px,
27 |
28 | # Other applications:
29 |
30 | # File manager
31 | /usr/bin/dolphin PUx,
32 |
33 | # Archivers
34 | /usr/bin/ark Cx -> sanitized_helper,
35 | /usr/bin/file-roller Cx -> sanitized_helper,
36 | /usr/bin/xarchiver Cx -> sanitized_helper,
37 |
38 | # Office
39 | /usr/bin/libreoffice Cx -> sanitized_helper,
40 | /usr/bin/lo{calc,draw,impress,writer} Cx -> sanitized_helper,
41 | /usr/lib{,64}/libreoffice/program/s{office,calc,draw,impress,writer} PUx,
42 | /usr/bin/calligra{sheets,stage,words} Cx -> sanitized_helper,
43 |
44 | # PDF viewers
45 | /usr/bin/evince Cx -> sanitized_helper,
46 |
47 | # Image and scanners
48 | /usr/bin/eog Cx -> sanitized_helper,
49 | /usr/bin/shotwell Cx -> sanitized_helper,
50 | /usr/bin/digikam Cx -> sanitized_helper,
51 | /usr/bin/f-spot Cx -> sanitized_helper,
52 | /usr/bin/gimp* Cx -> sanitized_helper,
53 | /usr/bin/inkscape Cx -> sanitized_helper,
54 | /usr/bin/krita Cx -> sanitized_helper,
55 | /usr/bin/clamscan Cx -> sanitized_helper,
56 | /usr/bin/skanlite Cx -> sanitized_helper,
57 | /usr/bin/darktable* Cx -> sanitized_helper,
58 | /usr/bin/mirage Cx -> sanitized_helper,
59 |
60 | # Multimedia
61 | /usr/bin/amarok Cx -> sanitized_helper,
62 | /usr/bin/clementine Cx -> sanitized_helper,
63 | /usr/bin/subtitleeditor Cx -> sanitized_helper,
64 |
65 | # Text editors
66 | include
67 | /usr/bin/kile Cx -> sanitized_helper,
68 |
69 | # Feed readers
70 | ## include
71 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile;
2 | # vim: syntax=apparmor
3 |
4 | # NOTE: This file is part of the "apparmor-profiles" package of Ubuntu 16.04 & 18.04.
5 |
6 | # This file is currently not managed by the package but in the future
7 | # will be overwritten on upgrades.
8 | #
9 | # For site-specific adjustments, please see:
10 | # /etc/apparmor.d/local/usr.bin.chromium-browser
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/ubuntu-browsers.d/user-files:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile;
2 | # vim:syntax=apparmor
3 |
4 | # NOTE: This file is part of the AppArmor provided policy in Ubuntu 16.04 & 18.04.
5 |
6 | # Allow read to all files the user has DAC access to; the rule granting
7 | # write access to files owned by the user in $HOME is kept commented out below.
8 | @{HOME}/ r,
9 | @{HOME}/** r,
10 | # owner @{HOME}/** w,
11 |
12 | # Do not allow read and/or write to particularly sensitive/problematic files
13 | #include
14 | audit deny @{HOME}/.ssh/{,**} mrwkl,
15 | audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
16 | audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
17 | audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
18 |
19 | # Comment this out if using gpg plugin/addons
20 | audit deny @{HOME}/.gnupg/{,**} mrwkl,
21 |
22 | # Allow read to all files the user has DAC access to on removable media and
23 | # other filesystems; the write rules for files the user owns are kept commented out below.
24 | /media/** r,
25 | /mnt/** r,
26 | /srv/** r,
27 | /net/** r,
28 | # owner /media/** w,
29 | # owner /mnt/** w,
30 | # owner /srv/** w,
31 | # owner /net/** w,
32 |
--------------------------------------------------------------------------------
/apparmor.d/abstractions/udisk-strict:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: September 04, 2017
6 |
7 | dbus (send)
8 | bus=system
9 | path=/org/freedesktop/UPower
10 | interface=org.freedesktop.DBus.Introspectable
11 | member=Introspect
12 | peer=(name=org.freedesktop.UPower label=unconfined),
13 |
14 | dbus (send)
15 | bus=system
16 | path=/org/freedesktop/UDisks2/{block_devices,drives}{,/*}
17 | interface=org.freedesktop.DBus.Introspectable
18 | member=Introspect
19 | peer=(name=org.freedesktop.UDisks2),
20 |
21 | dbus (send)
22 | bus=system
23 | path=/org/freedesktop/UDisks2/{block_devices,drives}/*
24 | interface=org.freedesktop.DBus.Properties
25 | member={Get,GetAll}
26 | peer=(name=org.freedesktop.UDisks2),
27 |
28 | dbus (send receive)
29 | bus=system
30 | path=/org/freedesktop/UDisks2/drives/*
31 | interface=org.freedesktop.DBus.Properties
32 | member=PropertiesChanged,
33 |
--------------------------------------------------------------------------------
/apparmor.d/default-abstractions/wayland:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile;
2 | # vim:syntax=apparmor
3 | # ------------------------------------------------------------------
4 | #
5 | # Copyright (C) 2016 intrigeri
6 | #
7 | # This program is free software; you can redistribute it and/or
8 | # modify it under the terms of version 2 of the GNU General Public
9 | # License published by the Free Software Foundation.
10 | #
11 | # ------------------------------------------------------------------
12 |
13 | # NOTE: this profile belongs to the AppArmor provided policy
14 |
15 | owner /var/run/user/*/weston-shared-* rw,
16 | owner /run/user/*/wayland-[0-9]* rw,
17 | owner /run/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
18 |
--------------------------------------------------------------------------------
/apparmor.d/opt.brave:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Brave Web browser
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: March 19, 2019
5 | # This AppArmor profile is based on the Chromium profile
6 | # by Jamie Strandboge
7 |
8 | # NOTE:
9 | # - Important: Check & change the user download & desktop directory.
10 | # - By default, there is only write access to the download & desktop directory.
11 | # - This profile is tested on Ubuntu 18.04 & KDE Plasma 5.
12 |
13 | # Requirements:
14 | # apparmor.d/tunables/confidential
15 | # apparmor.d/abstractions/chromium-base
16 | # apparmor.d/abstractions/chromium-base-xdgsettings
17 | # apparmor.d/abstractions/chromium-base-sandbox
18 | # apparmor.d/abstractions/kde-user
19 | # apparmor.d/abstractions/flatpak-snap
20 | # apparmor.d/abstractions/open-some-applications
21 |
22 | include
23 | include
24 |
25 | # Brave directory:
26 | @{BRAVE_LIBDIR} = /opt/brave.com/brave
27 |
28 | # User directories, with write access
29 | # (downloads and desktop directories):
30 | @{USER_DIR} = @{HOME}/Descargas
31 | @{USER_DIR} += @{HOME}/Escritorio
32 |
33 | profile brave-browser /opt/brave.com/brave/brave flags=(attach_disconnected) {
34 | # Base rules for Web browsers based on Chromium.
35 | include
36 | include
37 |
38 | # Required to open downloaded files.
39 | include
40 |
41 | # This include specifies which ubuntu-browsers.d abstractions to use. E.g., if you
42 | # want access to productivity applications, adjust the following file accordingly.
43 | ## include
44 |
45 | # Block full access to sensitive data, such as passwords and keys.
46 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
47 | deny @{CONFIDENTIAL_EXCEPT_BRAVE} rwklmx,
48 |
49 | owner /{dev,run}/shm/{,.}org.chromium.* mrw,
50 | deny /etc/opt/chrome/ w,
51 |
52 | # For the file download dialog
53 | owner @{PROC}/@{pid}/mountinfo r,
54 | /run/mount/utab r,
55 |
56 | # Access to Home, removable media & other folders
57 | @{HOME}/{,*,[^.]**} r,
58 | /{data,media,mnt,srv,net}/** r,
59 |
60 | # User folders
61 | owner @{HOME}/ r,
62 | owner @{USER_DIR}/ r,
63 | owner @{USER_DIR}/** rw,
64 |
65 | # Brave configuration
66 | owner @{HOME}/.{config,cache}/BraveSoftware/{,Brave-Browser/} rw,
67 | owner @{HOME}/.config/BraveSoftware/Brave-Browser/** rwk,
68 | owner @{HOME}/.config/BraveSoftware/Brave-Browser/{,**/}Dictionaries/*.bdic mr,
69 | owner @{HOME}/.config/BraveSoftware/Brave-Browser/**/Cache/* mr,
70 | owner @{HOME}/.cache/BraveSoftware/Brave-Browser/** rw,
71 | owner "@{HOME}/.cache/BraveSoftware/Brave-Browser/{Default,Tor Profile}/Cache/*" mr,
72 |
73 | # Tor
74 | # TODO: create a child profile for Tor
75 | owner @{HOME}/.config/BraveSoftware/Brave-Browser/*/[0-9]*/tor-[0-9]*-linux-brave-[0-9] ix,
76 | @{PROC}/sys/kernel/random/uuid r,
77 |
78 | # Access to Brave directory
79 | deny @{BRAVE_LIBDIR}/** w, # Noisy
80 | @{BRAVE_LIBDIR}/** r,
81 | @{BRAVE_LIBDIR}/*.pak mr,
82 | @{BRAVE_LIBDIR}/locales/* mr,
83 | @{BRAVE_LIBDIR}/xdg-settings Cxr -> xdgsettings,
84 |
85 | # Allow transitions to ourself and our sandbox
86 | @{BRAVE_LIBDIR}/brave ix,
87 | @{BRAVE_LIBDIR}/brave-sandbox cx -> brave_sandbox,
88 |
89 | # Allow communicating with sandbox
90 | unix (receive, send) peer=(label=@{BRAVE_LIBDIR}/brave//brave_sandbox),
91 |
92 | # Noisy
93 | audit deny @{HOME}/.[^c]** x,
94 |
95 | profile xdgsettings flags=(attach_disconnected) {
96 | # Base rules for xdg-settings binary.
97 | include
98 |
99 | deny @{CONFIDENTIAL_EXCEPT_BRAVE} rwklmx,
100 | }
101 |
102 | profile brave_sandbox flags=(attach_disconnected) {
103 | # Base rules for brave-sandbox binary.
104 | include
105 |
106 | signal (receive) peer=@{BRAVE_LIBDIR}/brave,
107 | unix (receive, send) peer=(label=@{BRAVE_LIBDIR}/brave),
108 |
109 | @{BRAVE_LIBDIR}/brave-browser r,
110 | @{BRAVE_LIBDIR}/brave Px,
111 | @{BRAVE_LIBDIR}/brave-sandbox r,
112 | }
113 |
114 | # Site-specific additions and overrides. See local/README for details.
115 | # include
116 | }
117 |
118 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
119 | # vim: syntax=apparmor
120 |
--------------------------------------------------------------------------------
/apparmor.d/opt.vivaldi-stable:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Vivaldi Web browser
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: March 24, 2020
5 | # This AppArmor profile is based on the Chromium profile
6 | # by Jamie Strandboge
7 |
8 | # NOTE:
9 | # - Important: Check & change the user download & desktop directory.
10 | # - By default, there is only write access to the download & desktop directory.
11 | # - This profile is only tested on Ubuntu 18.04 & 16.04, with KDE Plasma 5.
12 |
13 | # Requirements:
14 | # apparmor.d/tunables/confidential
15 | # apparmor.d/abstractions/chromium-base
16 | # apparmor.d/abstractions/chromium-base-xdgsettings
17 | # apparmor.d/abstractions/chromium-base-sandbox
18 | # apparmor.d/abstractions/kde-user
19 | # apparmor.d/abstractions/flatpak-snap
20 | # apparmor.d/abstractions/open-some-applications
21 |
22 | include
23 | include
24 |
25 | # Vivaldi directory:
26 | @{VIVALDI_LIBDIR} = /opt/vivaldi
27 |
28 | # User directories, with write access
29 | # (downloads and desktop directories):
30 | @{USER_DIR} = @{HOME}/Descargas
31 | @{USER_DIR} += @{HOME}/Escritorio
32 |
33 | profile vivaldi-stable /opt/vivaldi/vivaldi-bin flags=(attach_disconnected) {
34 | # Base rules for Web browsers based on Chromium.
35 | include
36 | include
37 |
38 | # Required to open downloaded files.
39 | include
40 |
41 | # This include specifies which ubuntu-browsers.d abstractions to use. E.g., if you
42 | # want access to productivity applications, adjust the following file accordingly.
43 | ## include
44 |
45 | # Block full access to sensitive data, such as passwords and keys.
46 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
47 | deny @{CONFIDENTIAL_EXCEPT_VIVALDI} rwklmx,
48 |
49 | owner /{dev,run}/shm/{,.}com.vivaldi.* mrw,
50 |
51 | # Access to Home, removable media & other folders
52 | @{HOME}/{,*,[^.]**} r,
53 | /{data,media,mnt,srv,net}/** r,
54 |
55 | # User folders
56 | owner @{HOME}/ r,
57 | owner @{USER_DIR}/ r,
58 | owner @{USER_DIR}/** rw,
59 |
60 | # Vivaldi configuration.
61 | # For Vivaldi-snapshot, use the "vivaldi-snapshot" directory instead of "vivaldi".
62 | owner @{HOME}/.config/vivaldi/ rw,
63 | owner @{HOME}/.config/vivaldi/** rwk,
64 | owner @{HOME}/.config/vivaldi/{,**/}Dictionaries/*.bdic mr,
65 | owner @{HOME}/.config/vivaldi/**/Cache/* mr,
66 | owner @{HOME}/.cache/vivaldi/{,**} rw,
67 | owner @{HOME}/.cache/vivaldi/Default/Cache/* mr,
68 | owner @{HOME}/.local/share/.vivaldi_user_id{,.[a-zA-Z0-9]*} rw,
69 | owner @{HOME}/.local/share/.com.vivaldi.Vivaldi{,.[a-zA-Z0-9]*} rw,
70 | owner @{HOME}/.local/share/.vivaldi_reporting_data{,.[a-zA-Z0-9]*} rwk,
71 | owner @{HOME}/.local/lib/{,vivaldi/} rw,
72 | owner @{HOME}/.local/lib/vivaldi/libffmpeg.so{,.*} mr,
73 |
74 | deny /usr/local/share/fonts/** w,
75 | deny /usr/share/fonts/** w,
76 | deny /usr/share/texmf/fonts/** w,
77 | deny /usr/share/poppler/** w,
78 |
79 | # Access to Vivaldi directory
80 | deny @{VIVALDI_LIBDIR}/** w, # Noisy
81 | @{VIVALDI_LIBDIR}/** r,
82 | @{VIVALDI_LIBDIR}/*.pak mr,
83 | @{VIVALDI_LIBDIR}/locales/* mr,
84 | @{VIVALDI_LIBDIR}/xdg-settings Cxr -> xdgsettings,
85 | @{VIVALDI_LIBDIR}/lib/libffmpeg.so mr,
86 | @{VIVALDI_LIBDIR}/libwidevinecdm.so mr,
87 |
88 | /var/opt/vivaldi/** r,
89 | /var/opt/vivaldi/libwidevinecdm.so mr,
90 | /var/opt/vivaldi/media-codecs-*/libffmpeg.so mr,
91 |
92 | @{PROC}/sys/fs/inotify/max_user_watches r,
93 | @{PROC}/devices/virtual/dmi/id/sys_vendor r,
94 | /sys/devices/virtual/dmi/id/{sys_vendor,product_name} r,
95 | owner @{PROC}/[0-9]*/clear_refs rw,
96 |
97 | # Allow transitions to ourself and our sandbox
98 | @{VIVALDI_LIBDIR}/vivaldi-bin ix,
99 | @{VIVALDI_LIBDIR}/vivaldi-sandbox cx -> vivaldi_sandbox,
100 |
101 | # Allow communicating with sandbox
102 | unix (receive, send) peer=(label=@{VIVALDI_LIBDIR}/vivaldi-bin//vivaldi_sandbox),
103 |
104 | /usr/bin/xdg-desktop-menu ixr,
105 |
106 | #ptrace (read) peer=@{profile_name}//sanitized_helper,
107 |
108 | # Noisy
109 | audit deny @{HOME}/** x,
110 | audit deny owner /**/* x,
111 |
112 | profile xdgsettings flags=(attach_disconnected) {
113 | # Base rules for xdg-settings binary.
114 | include
115 |
116 | deny @{CONFIDENTIAL_EXCEPT_VIVALDI} rwklmx,
117 |
118 | @{VIVALDI_LIBDIR}/xdg-settings r,
119 | /dev/tty r,
120 | }
121 |
122 | profile vivaldi_sandbox flags=(attach_disconnected) {
123 | # Base rules for vivaldi-sandbox binary.
124 | include
125 |
126 | signal (receive) peer=@{VIVALDI_LIBDIR}/vivaldi-bin,
127 | unix (receive, send) peer=(label=@{VIVALDI_LIBDIR}/vivaldi-bin),
128 |
129 | @{VIVALDI_LIBDIR}/vivaldi r, # vivaldi{,-snapshot}
130 | @{VIVALDI_LIBDIR}/vivaldi-bin Px,
131 | @{VIVALDI_LIBDIR}/vivaldi-sandbox r,
132 | }
133 |
134 | # Site-specific additions and overrides. See local/README for details.
135 | include
136 | }
137 |
138 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
139 | # vim: syntax=apparmor
140 |
--------------------------------------------------------------------------------
/apparmor.d/tunables/confidential:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Last change: March 13, 2019
5 |
6 | # Files and directories with sensitive data,
7 | # such as keys, passwords, settings or others:
8 |
9 | @{SSHKEYS} = @{HOME}/.ssh/{,**}
10 | @{PGPKEYS} = @{HOME}/.gnupg/{,**}
11 | @{ANDROIDKEYS} = @{HOME}/.android-keys/{,**}
12 | @{KWALLET} = @{HOME}/.kde{,4}/share/apps/kwallet/{,**} @{HOME}/.local/share/kwalletd/{,**}
13 |
14 | @{MUTT} = @{HOME}/.mutt/** @{HOME}/.muttrc
15 | @{THUNDERBIRD} = @{HOME}/.thunderbird/{,**} @{HOME}/.cache/thunderbird/**
16 | @{THUNDERBIRD_SPECIFIC} = @{HOME}/.thunderbird/ @{HOME}/.thunderbird/profiles.ini @{HOME}/.thunderbird/*/{,**} @{HOME}/.cache/thunderbird/**
17 | @{MOZILLA} = @{HOME}/.mozilla/*/{,**} @{HOME}/.cache/mozilla/firefox/*/{,**}
18 | @{OPERA} = @{HOME}/.config/opera/{,**} @{HOME}/.cache/opera/**
19 | @{VIVALDI} = @{HOME}/.config/vivaldi/{,**} @{HOME}/.cache/vivaldi/**
20 | @{CHROME} = @{HOME}/.config/chromium/{,**} @{HOME}/.config/google-chrome/{,**} @{HOME}/.cache/{chromium,google-chrome}/**
21 | @{CHROME} += @{HOME}/.encrypted-volume/chromium/{,**} @{HOME}/.encrypted-volume/google-chrome/{,**}
22 | @{BRAVE} = @{HOME}/.config/BraveSoftware/{,**} @{HOME}/.cache/BraveSoftware/**
23 | @{TELEGRAM} = @{HOME}/.TelegramDesktop/{,**} @{HOME}/.var/app/org.telegram.desktop/{,**}
24 |
25 | @{USER_HISTORY} = @{HOME}/.local/share/recently-used.xbel @{HOME}/.kde/share/apps/RecentDocuments/** @{HOME}/.cache/thumbnails/**
26 | #@{FLATPAK} = @{HOME}/.var/app/** @{HOME}/.local/share/flatpak/{app,db,repo,runtime,system-cache}/**
27 |
28 | # System
29 | @{SYSTEM_SEC} = /boot/** /var/log/**
30 | @{SYSTEM_SEC} += @{HOME}/.config/autostart{,-scripts}/** /etc/xdg/autostart/**
31 | @{SYSTEM_SEC} += /etc/init.d/** /etc/cron.*/** /etc/initramfs-tools/** /etc/systemd/** /etc/xdg/systemd/**
32 | @{SYSTEM_SEC} += /etc/apparmor.d/** /etc/apparmor/** /var/lib/apparmor/**
33 |
34 | # The following variables allow blocking access to confidential data
35 | # or data from other applications.
36 | # For example, for Mozilla Firefox, use:
37 | # deny @{CONFIDENTIAL_EXCEPT_MOZILLA} rwklmx,
38 | # Also, you can use abstraction:
39 | # include
40 |
41 | @{CONFIDENTIAL} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
42 | @{CONFIDENTIAL} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
43 |
44 | @{CONFIDENTIAL_EXCEPT_SSHKEYS} = @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
45 | @{CONFIDENTIAL_EXCEPT_SSHKEYS} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
46 |
47 | @{CONFIDENTIAL_EXCEPT_PGPKEYS} = @{SSHKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
48 | @{CONFIDENTIAL_EXCEPT_PGPKEYS} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
49 |
50 | @{CONFIDENTIAL_EXCEPT_KWALLET} = @{SSHKEYS} @{PGPKEYS} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
51 | @{CONFIDENTIAL_EXCEPT_KWALLET} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
52 |
53 | @{CONFIDENTIAL_EXCEPT_MOZILLA} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
54 | @{CONFIDENTIAL_EXCEPT_MOZILLA} += @{MUTT} @{THUNDERBIRD} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
55 |
56 | @{CONFIDENTIAL_EXCEPT_CHROME} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
57 | @{CONFIDENTIAL_EXCEPT_CHROME} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{VIVALDI} @{BRAVE} @{TELEGRAM}
58 |
59 | @{CONFIDENTIAL_EXCEPT_OPERA} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
60 | @{CONFIDENTIAL_EXCEPT_OPERA} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
61 |
62 | @{CONFIDENTIAL_EXCEPT_MUTT} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
63 | @{CONFIDENTIAL_EXCEPT_MUTT} += @{THUNDERBIRD} @{OPERA} @{MOZILLA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
64 |
65 | @{CONFIDENTIAL_EXCEPT_THUNDERBIRD} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
66 | @{CONFIDENTIAL_EXCEPT_THUNDERBIRD} += @{MUTT} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
67 |
68 | @{CONFIDENTIAL_EXCEPT_TELEGRAM} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
69 | @{CONFIDENTIAL_EXCEPT_TELEGRAM} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE}
70 |
71 | @{CONFIDENTIAL_EXCEPT_VIVALDI} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
72 | @{CONFIDENTIAL_EXCEPT_VIVALDI} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{BRAVE} @{TELEGRAM}
73 |
74 | @{CONFIDENTIAL_EXCEPT_BRAVE} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
75 | @{CONFIDENTIAL_EXCEPT_BRAVE} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{TELEGRAM}
76 |
77 | @{CONFIDENTIAL_VIEWER} = @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{SYSTEM_SEC}
78 | @{CONFIDENTIAL_VIEWER} += @{MUTT} @{THUNDERBIRD_SPECIFIC} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
79 |
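The comment above shows how a profile denies `@{CONFIDENTIAL_EXCEPT_<APP>}`; that pattern is only as safe as each `_EXCEPT_` list being exactly the full `@{CONFIDENTIAL}` list minus the application's own data, and the lists are maintained by hand. The following Python check is an added example (not part of this repository) that parses such tunable assignments and reports every `_EXCEPT_` variable that differs from the expected difference; the excerpt it runs on is constructed, with one variable deliberately broken.

```python
"""Consistency check for the @{CONFIDENTIAL_EXCEPT_*} tunables.

Added example, not part of this repository: it parses AppArmor variable
assignments ("@{VAR} = ..." and "@{VAR} += ...") and verifies that every
@{CONFIDENTIAL_EXCEPT_X} equals @{CONFIDENTIAL} minus @{X}. A profile that
uses 'deny @{CONFIDENTIAL_EXCEPT_X} rwklmx,' relies on that property: one
forgotten token silently re-opens access to another application's secrets.
"""
import re

ASSIGN_RE = re.compile(r'^\s*@\{(\w+)\}\s*(\+?=)\s*(.*?)\s*$')

# Constructed excerpt in the style of tunables/confidential (not the full file);
# the last variable is deliberately broken to show what the check reports.
SAMPLE_TUNABLES = """\
@{SSHKEYS} = @{HOME}/.ssh/{,**}
@{PGPKEYS} = @{HOME}/.gnupg/{,**}
@{MOZILLA} = @{HOME}/.mozilla/*/{,**} @{HOME}/.cache/mozilla/firefox/*/{,**}
@{CHROME} = @{HOME}/.config/chromium/{,**} @{HOME}/.cache/{chromium,google-chrome}/**
@{CHROME} += @{HOME}/.encrypted-volume/chromium/{,**}

@{CONFIDENTIAL} = @{SSHKEYS} @{PGPKEYS}
@{CONFIDENTIAL} += @{MOZILLA} @{CHROME}

# Correct: everything except Firefox's own data
@{CONFIDENTIAL_EXCEPT_MOZILLA} = @{SSHKEYS} @{PGPKEYS}
@{CONFIDENTIAL_EXCEPT_MOZILLA} += @{CHROME}

# Constructed mistake: @{PGPKEYS} was dropped, so a profile denying
# @{CONFIDENTIAL_EXCEPT_CHROME} would no longer block ~/.gnupg
@{CONFIDENTIAL_EXCEPT_CHROME} = @{SSHKEYS}
@{CONFIDENTIAL_EXCEPT_CHROME} += @{MOZILLA}
"""


def parse_tunables(text):
    """Return {name: [tokens]} from '@{NAME} = a b' / '@{NAME} += c' lines.

    Blank lines, comment lines and trailing ' # ...' comments are ignored.
    '+=' on a name that has not been defined is an error, as it is for the
    AppArmor parser itself.
    """
    variables = {}
    for raw in text.splitlines():
        line = re.sub(r'\s#.*$', '', raw)
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # not a variable assignment (e.g. an include line)
        name, op, value = m.groups()
        tokens = value.split()
        if op == '=':
            variables[name] = tokens
        elif name not in variables:
            raise ValueError('@{%s} += used before @{%s} = ...' % (name, name))
        else:
            variables[name].extend(tokens)
    return variables


def expand(variables, name, _stack=()):
    """Flatten @{name} into the set of path globs it denotes.

    A token that is exactly '@{OTHER}' with OTHER defined in `variables` is
    expanded recursively; any other token (e.g. '@{HOME}/.ssh/{,**}', where
    @{HOME} comes from tunables/global) is kept verbatim as one path glob.
    """
    if name in _stack:
        raise ValueError('cyclic definition of @{%s}' % name)
    paths = set()
    for token in variables.get(name, []):
        m = re.fullmatch(r'@\{(\w+)\}', token)
        if m and m.group(1) in variables:
            paths |= expand(variables, m.group(1), _stack + (name,))
        else:
            paths.add(token)
    return paths


def check_except_variables(variables, base='CONFIDENTIAL'):
    """Compare each @{<base>_EXCEPT_X} with @{<base>} minus @{X}.

    Returns {name: (missing, extra)} for the inconsistent variables only:
    `missing` are globs that should still be denied but are absent, `extra`
    are globs of the excepted application that were left in by mistake.
    """
    full = expand(variables, base)
    prefix = base + '_EXCEPT_'
    problems = {}
    for name in variables:
        if not name.startswith(prefix):
            continue
        expected = full - expand(variables, name[len(prefix):])
        actual = expand(variables, name)
        missing, extra = expected - actual, actual - expected
        if missing or extra:
            problems[name] = (sorted(missing), sorted(extra))
    return problems


if __name__ == '__main__':
    found = check_except_variables(parse_tunables(SAMPLE_TUNABLES))
    for var, (missing, extra) in found.items():
        print('@{%s}: missing %s, extra %s' % (var, missing, extra))
```

Run it against the real file with `parse_tunables(open('/etc/apparmor.d/tunables/confidential').read())`; an empty result means every `_EXCEPT_` variable is consistent.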
--------------------------------------------------------------------------------
/apparmor.d/tunables/media-extensions:
--------------------------------------------------------------------------------
1 | # kate: syntax AppArmor Security Profile
2 | # vim: syntax=apparmor
3 |
4 | # Author: Nibaldo Gonzalez
5 | # Last change: February 12, 2018
6 | # ------------------------------------------------------
7 |
8 | # Audio/video extensions supported by VLC.
9 | # Not included: iso, zip, rar
10 |
11 | # Usage:
12 | # /**.@{MEDIA_EXT} r,
13 | # /{data,home,media,mnt,srv,net}/**.@{MEDIA_EXT} rw,
14 | # owner /**.@{VIDEO_EXT} rw,
15 |
16 | # All VLC media extensions
17 | @{MEDIA_EXT} = @{AUDIO_EXT} @{VIDEO_EXT} @{OTHER_MEDIA_EXT}
18 |
19 |
20 | # Audio:
21 |
22 | # 3ga
23 | @{AUDIO_EXT} = 3[gG][aA]
24 | # 669
25 | @{AUDIO_EXT} += 669
26 | # a52, aac, ac3
27 | @{AUDIO_EXT} += [aA]{52,[aA][cC],[cC]3}
28 | # adt, adts
29 | @{AUDIO_EXT} += [aA][dD][tT]{,[sS]}
30 | # aif, aifc, aiff
31 | @{AUDIO_EXT} += [aA][iI][fF]{,[cCfF]}
32 | # au
33 | @{AUDIO_EXT} += [aA][uU]
34 | # amr
35 | @{AUDIO_EXT} += [aA][mM][rR]
36 | # aob
37 | @{AUDIO_EXT} += [aA][oO][bB]
38 | # ape
39 | @{AUDIO_EXT} += [aA][pP][eE]
40 | # caf
41 | @{AUDIO_EXT} += [cC][aA][fF]
42 | # cda
43 | @{AUDIO_EXT} += [cC][dD][aA]
44 | # dts
45 | @{AUDIO_EXT} += [dD][tT][sS]
46 | # flac
47 | @{AUDIO_EXT} += [fF][lL][aA][cC]
48 | # it
49 | @{AUDIO_EXT} += [iI][tT]
50 | # m4a, m4p
51 | @{AUDIO_EXT} += [mM]4[aApP]
52 | # mid, mod
53 | @{AUDIO_EXT} += [mM][iIoO][dD]
54 | # mka
55 | @{AUDIO_EXT} += [mM][kK][aA]
56 | # mlp
57 | @{AUDIO_EXT} += [mM][lL][pP]
58 | # mp1, mp2, mp3, mpc
59 | @{AUDIO_EXT} += [mM][pP][123cC]
60 | # mpga
61 | @{AUDIO_EXT} += [mM][pP][gG][aA]
62 | # oga, oma
63 | @{AUDIO_EXT} += [oO][gGmM][aA]
64 | # opus
65 | @{AUDIO_EXT} += [oO][pP][uU][sS]
66 | # qcp
67 | @{AUDIO_EXT} += [qQ][cC][pP]
68 | # ra
69 | @{AUDIO_EXT} += [rR][aA]
70 | # rmi
71 | @{AUDIO_EXT} += [rR][mM][iI]
72 | # snd
73 | @{AUDIO_EXT} += [sS][nN][dD]
74 | # s3m
75 | @{AUDIO_EXT} += [sS]3[mM]
76 | # spx
77 | @{AUDIO_EXT} += [sS][pP][xX]
78 | # tta
79 | @{AUDIO_EXT} += [tT][tT][aA]
80 | # voc, vqf
81 | @{AUDIO_EXT} += [vV]{[oO][cC],[qQ][fF]}
82 | # w64
83 | @{AUDIO_EXT} += [wW]64
84 | # wav, wv
85 | @{AUDIO_EXT} += [wW]{,[aA]}[vV]
86 | # wm, wma
87 | @{AUDIO_EXT} += [wW][mM]{,[aA]}
88 | # xa, xm
89 | @{AUDIO_EXT} += [xX][aAmM]
90 |
91 |
92 | # Video:
93 |
94 | # 3g2, 3gp, 3gp2, 3gpp
95 | @{VIDEO_EXT} = 3[gG]{[2pP],[pP][2pP]}
96 | # amv
97 | @{VIDEO_EXT} += [aA][mM][vV]
98 | # asf
99 | @{VIDEO_EXT} += [aA][sS][fF]
100 | # avi
101 | @{VIDEO_EXT} += [aA][vV][iI]
102 | # bik
103 | @{VIDEO_EXT} += [bB][iI][kK]
104 | # divx
105 | @{VIDEO_EXT} += [dD][iI][vV][xX]
106 | # drc
107 | @{VIDEO_EXT} += [dD][rR][cC]
108 | # dv, dvr-ms
109 | @{VIDEO_EXT} += [dD][vV]{,[rR]-[mM][sS]}
110 | # evo
111 | @{VIDEO_EXT} += [eE][vV][oO]
112 | # f4v, flv
113 | @{VIDEO_EXT} += [fF][4lL][vV]
114 | # gvi
115 | @{VIDEO_EXT} += [gG][vV][iI]
116 | # gxf
117 | @{VIDEO_EXT} += [gG][xX][fF]
118 | # m1v, m2v, m4v
119 | @{VIDEO_EXT} += [mM][124][vV]
120 | # m2t, m2ts
121 | @{VIDEO_EXT} += [mM]2[tT]{,[sS]}
122 | # mkv, mov
123 | @{VIDEO_EXT} += [mM][kKoO][vV]
124 | # mp2v, mp4v
125 | @{VIDEO_EXT} += [mM][pP][24][vV]
126 | # mp4, mpa, mpe, mpg
127 | @{VIDEO_EXT} += [mM][pP][4aAeEgG]
128 | # mpeg, mpeg1, mpeg2, mpeg4
129 | @{VIDEO_EXT} += [mM][pP][eE][gG]{,[124]}
130 | # mpv2
131 | @{VIDEO_EXT} += [mM][pP][vV]2
132 | # mts, mtv
133 | @{VIDEO_EXT} += [mM][tT][sSvV]
134 | # mxf
135 | @{VIDEO_EXT} += [mM][xX][fF]
136 | # nsv, nuv
137 | @{VIDEO_EXT} += [nN][sSuU][vV]
138 | # ogg, ogm, ogx, ogv
139 | @{VIDEO_EXT} += [oO][gG][gGmMxXvV]
140 | # rec
141 | @{VIDEO_EXT} += [rR][eE][cC]
142 | # rm, rmvb
143 | @{VIDEO_EXT} += [rR][mM]{,[vV][bB]}
144 | # rpl
145 | @{VIDEO_EXT} += [rR][pP][lL]
146 | # thp, tp
147 | @{VIDEO_EXT} += [tT]{,[hH]}[pP]
148 | # tod
149 | @{VIDEO_EXT} += [tT][oO][dD]
150 | # ts, tts
151 | @{VIDEO_EXT} += [tT]{,[tT]}[sS]
152 | # vob
153 | @{VIDEO_EXT} += [vV][oO][bB]
154 | # vro
155 | @{VIDEO_EXT} += [vV][rR][oO]
156 | # webm
157 | @{VIDEO_EXT} += [wW][eE][bB][mM]
158 | # wmv, wtv
159 | @{VIDEO_EXT} += [wW][mMtT][vV]
160 | # xesc
161 | @{VIDEO_EXT} += [xX][eE][sS][cC]
162 |
163 |
164 | # Others:
165 |
166 | # asx
167 | @{OTHER_MEDIA_EXT} = [aA][sS][xX]
168 | # b4s
169 | @{OTHER_MEDIA_EXT} += [bB]4[sS]
170 | # cue
171 | @{OTHER_MEDIA_EXT} += [cC][uU][eE]
172 | # ifo
173 | @{OTHER_MEDIA_EXT} += [iI][fF][oO]
174 | # m3u, m3u8
175 | @{OTHER_MEDIA_EXT} += [mM]3[uU]{,8}
176 | # pls
177 | @{OTHER_MEDIA_EXT} += [pP][lL][sS]
178 | # ram
179 | @{OTHER_MEDIA_EXT} += [rR][aA][mM]
180 | # sdp
181 | @{OTHER_MEDIA_EXT} += [sS][dD][pP]
182 | # srt
183 | @{OTHER_MEDIA_EXT} += [sS][rR][tT]
184 | # vlc, vlt
185 | @{OTHER_MEDIA_EXT} += [vV][lL][cCtT]
186 | # wvx
187 | @{OTHER_MEDIA_EXT} += [wW][vV][xX]
188 | # xspf
189 | @{OTHER_MEDIA_EXT} += [xX][sS][pP][fF]
190 | # wsz
191 | @{OTHER_MEDIA_EXT} += [wW][sS][zZ]
192 |
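Each `[aA]`-style pattern above is meant to match one or more extensions case-insensitively, and a single dropped or unbracketed character silently changes what it matches. The following Python script is an added example (not from this repository) that enumerates the finite set of strings such a glob accepts and compares it with the extensions named in its comment; the table it checks is constructed, copying five of the patterns above and adding two deliberately mis-typed ones.

```python
"""Finite-language check for the case-insensitive extension globs in
tunables/media-extensions (added example, not part of this repository).

Patterns such as '[mM][pP][123cC]' or '[wW]{,[aA]}[vV]' are built only from
literals, '[...]' classes and '{a,b}' alternations, so the set of strings each
one matches is finite: enumerate it and compare it with the comment.
"""


def _class_chars(body):
    """Characters denoted by a '[...]' body such as 'aA' or 'a-zA-Z0-9'."""
    if body.startswith('^'):
        raise ValueError('negated class [^%s] has no finite expansion' % body[1:])
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == '-':
            chars.extend(chr(o) for o in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def _split_alternation(glob):
    """For a glob starting with '{', return (alternatives, index of its '}').
    Nested braces are honoured; an empty alternative ('{,8}') is allowed."""
    depth, start, alternatives = 0, 1, []
    for j, ch in enumerate(glob):
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                alternatives.append(glob[start:j])
                return alternatives, j
        elif ch == ',' and depth == 1:
            alternatives.append(glob[start:j])
            start = j + 1
    raise ValueError('unbalanced { in %r' % glob)


def _expand(glob):
    """All strings matched by `glob`, by recursion on its first element."""
    if glob == '':
        return ['']
    c = glob[0]
    if c in '*?':
        raise ValueError('%r matches infinitely many strings' % glob)
    if c == '[':
        end = glob.find(']', 1)
        if end < 0:
            raise ValueError('unbalanced [ in %r' % glob)
        heads, tail = _class_chars(glob[1:end]), glob[end + 1:]
    elif c == '{':
        alternatives, end = _split_alternation(glob)
        heads, tail = [s for alt in alternatives for s in _expand(alt)], glob[end + 1:]
    else:
        heads, tail = [c], glob[1:]
    rest = _expand(tail)
    return [h + r for h in heads for r in rest]


def expand_glob(glob):
    """Sorted list of every string an AppArmor glob made of literals, '[...]'
    classes and '{a,b}' alternations can match. ValueError for '*', '?' and
    negated classes, whose languages are infinite."""
    return sorted(set(_expand(glob)))


def check_extension_table(table):
    """`table` maps each glob to the comma-separated extensions its comment
    promises. Returns {glob: (missing, unexpected, case_gaps)} for the globs
    that break that promise: extensions never matched, matched strings not on
    the list, and matched strings whose all-upper or all-lower spelling is not
    matched (the glob is not case-insensitive after all)."""
    problems = {}
    for glob, comment in table.items():
        intended = {e.strip().lower() for e in comment.split(',')}
        produced = set(expand_glob(glob))
        folded = {s.lower() for s in produced}
        case_gaps = {s for s in produced
                     if s.upper() not in produced or s.lower() not in produced}
        missing, unexpected = intended - folded, folded - intended
        if missing or unexpected or case_gaps:
            problems[glob] = (sorted(missing), sorted(unexpected), sorted(case_gaps))
    return problems


# Constructed table: the first five rows follow the tunable's own style,
# the last two are deliberate typos of the kind the check is meant to catch.
SAMPLE_TABLE = {
    '[aA]{52,[aA][cC],[cC]3}': 'a52, aac, ac3',
    '3[gG]{[2pP],[pP][2pP]}': '3g2, 3gp, 3gp2, 3gpp',
    '[mM][pP][eE][gG]{,[124]}': 'mpeg, mpeg1, mpeg2, mpeg4',
    '[dD][vV]{,[rR]-[mM][sS]}': 'dv, dvr-ms',
    '[mM]3[uU]{,8}': 'm3u, m3u8',
    '[vV][rR]': 'vro',      # third character dropped: 'vro' is never matched
    '[wW]m[aA]': 'wma',     # bare 'm': 'WMA' is never matched
}
```

Pairing each `@{..._EXT} +=` line of the tunable with the `# ext1, ext2` comment directly above it produces the table for the whole file.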
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.chromium-browser:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Chromium Web browser
2 | # --------------------------------------------
3 | # This AppArmor profile is a modification of the original Chromium profile
4 | # created by Jamie Strandboge
5 |
6 | # Modifications: Nibaldo Gonzalez
7 | # Last change: March 19, 2018
8 |
9 | # NOTE:
10 | # - This profile is only tested on Ubuntu 16.04 & 18.04, with KDE Plasma 5.
11 | # - By default, full write access is granted to the owner of the
12 | # directories: /home, /media, /mnt, /srv, /net.
13 | # View in: /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
14 |
15 | # Requirements:
16 | # apparmor.d/tunables/confidential
17 | # apparmor.d/abstractions/chromium-base
18 | # apparmor.d/abstractions/chromium-base-xdgsettings
19 | # apparmor.d/abstractions/chromium-base-sandbox
20 | # apparmor.d/abstractions/kde-user
21 | # apparmor.d/abstractions/flatpak-snap
22 | # apparmor.d/abstractions/open-messaging
23 |
24 | include
25 | include
26 |
27 | # Chromium directory:
28 | @{CHROM_LIBDIR} = /usr/lib{,64}/chromium-browser
29 |
30 | # User directories, with write access
31 | # (downloads and desktop directories):
32 | @{USER_DIR} = @{HOME}/Descargas
33 | @{USER_DIR} += @{HOME}/Escritorio
34 |
35 | profile chromium-browser /usr/lib{,64}/chromium-browser/chromium-browser flags=(attach_disconnected) {
36 | # Base rules for Web browsers based on Chromium.
37 | include
38 |
39 | # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
40 | # you want access to productivity applications, adjust the following file
41 | # accordingly.
42 | # include
43 | # include
44 |
45 | # Required to open downloaded files.
46 | include
47 |
48 | # Block full access to sensitive data, such as passwords and keys.
49 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
50 | deny @{CONFIDENTIAL_EXCEPT_CHROME} rwklmx,
51 |
52 | owner /{dev,run}/shm/{,.}org.chromium.* mrw,
53 |
54 | # User folders
55 | owner @{HOME}/ r,
56 | owner @{USER_DIR}/ r,
57 | owner @{USER_DIR}/** rw,
58 |
59 | # Chromium configuration
60 | owner @{HOME}/.config/chromium/ rw,
61 | owner @{HOME}/.config/chromium/** rwk,
62 | owner @{HOME}/.config/chromium/**/Cache/* mr,
63 | owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
64 | owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
65 | owner @{HOME}/.cache/chromium/{,**} rw,
66 | owner @{HOME}/.cache/chromium/Cache/* mr,
67 | owner @{HOME}/.local/share/.org.chromium.Chromium{,.[a-zA-Z0-9]*} rw,
68 |
69 | owner @{HOME}/.config/menus/ rw,
70 | owner @{HOME}/.config/menus/applications-merged/ rw,
71 | # owner @{HOME}/.config/menus/applications-merged/** rw,
72 | owner @{HOME}/.local/share/icons/ rw,
73 | owner @{HOME}/.local/share/icons/hicolor/ rw,
74 | # owner @{HOME}/.local/share/icons/hicolor/** rw,
75 |
76 | # Access to Chromium directory
77 | deny @{CHROM_LIBDIR}/** w, # Noisy
78 | @{CHROM_LIBDIR}/*.pak mr,
79 | @{CHROM_LIBDIR}/locales/* mr,
80 | @{CHROM_LIBDIR}/xdg-settings Cxr -> xdgsettings,
81 |
82 | # Allow transitions to ourself and our sandbox
83 | @{CHROM_LIBDIR}/chromium-browser ix,
84 | @{CHROM_LIBDIR}/chromium-browser-sandbox cx -> chromium_browser_sandbox,
85 | @{CHROM_LIBDIR}/chrome-sandbox cx -> chromium_browser_sandbox,
86 |
87 | # Allow communicating with sandbox
88 | unix (receive, send) peer=(label=@{CHROM_LIBDIR}/chromium-browser//chromium_browser_sandbox),
89 |
90 | # for CRX extensions
91 | owner /tmp/scoped_dir_*/ rw,
92 | owner /tmp/scoped_dir_*/.org.chromium.Chromium.* rw,
93 | owner /tmp/scoped_dir_*/CRX_INSTALL/ rw,
94 | owner /tmp/scoped_dir_*/CRX_INSTALL/** rw,
95 | owner /tmp/scoped_dir*/DECODED* rw,
96 | owner /tmp/scoped_dir_*/mccea*_[0-9]*.crx rw,
97 |
98 | # Binaries
99 | /usr/bin/xdg-desktop-menu ixr,
100 | /usr/bin/xdg-icon-resource ixr,
101 |
102 | /usr/bin/basename ixr,
103 | /usr/bin/cut ixr,
104 | /bin/mkdir ixr,
105 | /bin/readlink ixr,
106 | /bin/rm ixr,
107 | /bin/touch ixr,
108 | /bin/cp ixr,
109 | /bin/cat ixr,
110 | /bin/mktemp ixr,
111 |
112 | # Noisy
113 | audit deny @{HOME}/** x,
114 | audit deny owner /**/* x,
115 |
116 | profile xdgsettings flags=(attach_disconnected) {
117 | # Base rules for xdg-settings binary.
118 | include
119 |
120 | deny @{CONFIDENTIAL_EXCEPT_CHROME} rwklmx,
121 |
122 | @{CHROM_LIBDIR}/xdg-settings r,
123 |
124 | /dev/tty r,
125 | owner @{HOME}/.local/share/RecentDocuments/*.desktop wl,
126 | owner @{HOME}/.local/share/RecentDocuments/{,*.desktop}.[a-zA-Z0-9]* wk,
127 | }
128 |
129 | profile chromium_browser_sandbox flags=(attach_disconnected) {
130 | # Base rules for chromium-browser-sandbox binary.
131 | include
132 |
133 | signal (receive) peer=@{CHROM_LIBDIR}/chromium-browser,
134 | unix (receive, send) peer=(label=@{CHROM_LIBDIR}/chromium-browser),
135 |
136 | /usr/bin/chromium-browser r,
137 | @{CHROM_LIBDIR}/chromium-browser Px,
138 | @{CHROM_LIBDIR}/chromium-browser-sandbox r,
139 | @{CHROM_LIBDIR}/chrome-sandbox r,
140 | }
141 |
142 | # Site-specific additions and overrides. See local/README for details.
143 | include
144 | }
145 |
146 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
147 | # vim: syntax=apparmor
148 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.firefox:
--------------------------------------------------------------------------------
1 | # Author: Jamie Strandboge
2 | # Modifications: Nibaldo Gonzalez
3 | # Last change: Oct 23, 2019
4 |
5 | # Declare an apparmor variable to help with overrides
6 | @{MOZ_LIBDIR}=/usr/lib/firefox
7 |
8 | # NOTE: By default, full write access is granted to the owner of the
9 | # directories: /home, /media, /mnt, /srv, /net.
10 | # See in: /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
11 |
12 | # User directories, with write access
13 | # (downloads and desktop directories):
14 | @{USER_DIR} = @{HOME}/Descargas
15 | @{USER_DIR} += @{HOME}/Escritorio
16 |
17 | #include
18 | #include
19 |
20 | # We want to confine the binaries that match:
21 | # /usr/lib/firefox/firefox
22 | # /usr/lib/firefox/firefox
23 | # but not:
24 | # /usr/lib/firefox/firefox.sh
25 | /usr/lib/firefox/firefox{,*[^s][^h]} {
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 |
39 | #include
40 | #include
41 |
42 | #include
43 | dbus (send)
44 | bus=session
45 | peer=(name=org.a11y.Bus),
46 | dbus (receive)
47 | bus=session
48 | interface=org.a11y.atspi**,
49 | dbus (receive, send)
50 | bus=accessibility,
51 |
52 | # Block full access to sensitive data, such as passwords and keys.
53 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. See in: tunables/confidential.
54 | deny @{CONFIDENTIAL_EXCEPT_MOZILLA} rwklmx,
55 |
56 | # Plasma browser integration support (temporary solution)
57 | /usr/bin/plasma-browser-integration-host Cxr -> sanitized_helper,
58 | unix (send, receive) type=(seqpacket) peer=(label=@{profile_name}//sanitized_helper, addr=none),
59 | unix (send, receive) type=(stream) peer=(label=@{profile_name}//sanitized_helper, addr=none),
60 |
61 | ptrace (trace) peer=@{profile_name},
62 | capability sys_admin,
63 | capability sys_chroot,
64 | capability sys_ptrace,
65 | network netlink raw,
66 | unix (send, receive) type=(stream),
67 | unix (send, receive) type=(seqpacket),
68 | unix (send, receive) type=(raw),
69 | /run/mount/utab r,
70 | owner @{PROC}/[0-9]*/{uid_map,gid_map,setgroups} rw,
71 |
72 | dbus (send)
73 | bus=system
74 | interface=org.freedesktop.DBus.Properties
75 | path=/org/freedesktop/hostname[0-9]*
76 | member=GetAll,
77 |
78 | # for networking
79 | network inet stream,
80 | network inet6 stream,
81 | @{PROC}/[0-9]*/net/arp r,
82 | @{PROC}/[0-9]*/net/if_inet6 r,
83 | @{PROC}/[0-9]*/net/ipv6_route r,
84 | @{PROC}/[0-9]*/net/dev r,
85 | @{PROC}/[0-9]*/net/wireless r,
86 | dbus (send)
87 | bus=system
88 | path=/org/freedesktop/NetworkManager
89 | member=state,
90 | dbus (receive)
91 | bus=system
92 | path=/org/freedesktop/NetworkManager,
93 |
94 | # should maybe be in abstractions
95 | /etc/ r,
96 | /etc/mime.types r,
97 | /etc/mailcap r,
98 | /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
99 | /etc/xfce4/defaults.list r,
100 | /usr/share/xubuntu/applications/defaults.list r,
101 | owner @{HOME}/.local/share/applications/defaults.list r,
102 | owner @{HOME}/.local/share/applications/mimeapps.list r,
103 | owner @{HOME}/.local/share/applications/mimeinfo.cache r,
104 | /var/lib/snapd/desktop/applications/mimeinfo.cache r,
105 | /var/lib/snapd/desktop/applications/*.desktop r,
106 | owner /tmp/** m,
107 | owner /var/tmp/** m,
108 | owner /{,var/}run/shm/shmfd-* rw,
109 | owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
110 | /tmp/.X[0-9]*-lock r,
111 | /etc/udev/udev.conf r,
112 | # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
113 | # Possibly move to an abstraction if anything else needs it.
114 | deny /run/udev/data/** r,
115 | # let the shell know we launched something
116 | dbus (send)
117 | bus=session
118 | interface=org.gtk.gio.DesktopAppInfo
119 | member=Launched,
120 |
121 | /etc/timezone r,
122 | /etc/wildmidi/wildmidi.cfg r,
123 |
124 | # firefox specific
125 | /etc/firefox*/ r,
126 | /etc/firefox*/** r,
127 | /etc/xul-ext/** r,
128 | /etc/xulrunner-2.0*/ r,
129 | /etc/xulrunner-2.0*/** r,
130 | /etc/gre.d/ r,
131 | /etc/gre.d/* r,
132 |
133 | # noisy
134 | deny @{MOZ_LIBDIR}/** w,
135 | deny /usr/lib/firefox-addons/** w,
136 | deny /usr/lib/xulrunner-addons/** w,
137 | deny /usr/lib/xulrunner-*/components/*.tmp w,
138 | deny /.suspended r,
139 | deny /boot/initrd.img* r,
140 | deny /boot/vmlinuz* r,
141 | deny /var/cache/fontconfig/ w,
142 | deny @{HOME}/.local/share/recently-used.xbel r,
143 |
144 | # TODO: investigate
145 | deny /usr/bin/gconftool-2 x,
146 |
147 | # These are needed when a new user starts firefox and firefox.sh is used
148 | @{MOZ_LIBDIR}/** ixr,
149 | /usr/bin/basename ixr,
150 | /usr/bin/dirname ixr,
151 | /usr/bin/pwd ixr,
152 | /sbin/killall5 ixr,
153 | /bin/which ixr,
154 | /usr/bin/tr ixr,
155 | @{PROC}/ r,
156 | @{PROC}/[0-9]*/cmdline r,
157 | @{PROC}/[0-9]*/mountinfo r,
158 | @{PROC}/[0-9]*/stat r,
159 | owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
160 | @{PROC}/[0-9]*/status r,
161 | @{PROC}/filesystems r,
162 | @{PROC}/sys/vm/overcommit_memory r,
163 | /sys/devices/pci[0-9]*/**/uevent r,
164 | /sys/devices/platform/**/uevent r,
165 | /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
166 | /sys/devices/pci*/**/{,subsystem_}device r,
167 | /sys/devices/pci*/**/{,subsystem_}vendor r,
168 | /sys/devices/system/node/node[0-9]*/meminfo r,
169 | # /sys/devices/pci[0-9]*/**/{config,revision} r,
170 | owner @{HOME}/.cache/thumbnails/** w,
171 |
172 |
173 | /etc/mtab r,
174 | /etc/fstab r,
175 |
176 | # Needed for the crash reporter
177 | owner @{PROC}/[0-9]*/environ r,
178 | owner @{PROC}/[0-9]*/auxv r,
179 | /etc/lsb-release r,
180 | /usr/bin/expr ix,
181 | /sys/devices/system/cpu/ r,
182 | /sys/devices/system/cpu/** r,
183 |
184 | # about:memory
185 | owner @{PROC}/[0-9]*/statm r,
186 | owner @{PROC}/[0-9]*/smaps r,
187 |
188 | # Needed for container to work in xul builds
189 | /usr/lib/xulrunner-*/plugin-container ixr,
190 |
191 | # allow access to documentation and other files the user may want to look
192 | # at in /usr and /opt
193 | /usr/ r,
194 | /usr/** r,
195 | /opt/ r,
196 | /opt/** r,
197 |
198 | # so browsing directories works
199 | / r,
200 | /**/ r,
201 |
202 | # Downloads and Desktop folders
203 | owner @{HOME}/ r,
204 | owner @{USER_DIR}/ r,
205 | owner @{USER_DIR}/** rw,
206 |
207 | owner @{HOME}/{*,[^.]*/**}.{[jJ][sS][oO][nN],[hH][tT][mM][lL]} rw, # To backup bookmarks
208 | owner @{HOME}/dwhelper/{,**} rw,
209 | owner @{HOME}/mozilla.pdf rw,
210 |
211 | # Noisy
212 | audit deny /{data,media,mnt,srv,net}/** mx,
213 | audit deny /{,var/}tmp/** mx,
214 | audit deny @{HOME}/{*,[^.]**} mx,
215 | audit deny @{HOME}/.[^amf]*/** m,
216 | audit deny @{HOME}/.[^a]*/** x,
217 | # audit deny @{HOME}/** x,
218 | # audit deny owner /**/* x,
219 |
220 | owner @{HOME}/.app/net.downloadhelper.coapp-*/** r,
221 | owner @{HOME}/.app/net.downloadhelper.coapp-*/bin/{net.downloadhelper.coapp-linux-*,xdg-open} ix,
222 | owner @{HOME}/.app/net.downloadhelper.coapp-*/converter/build/linux/[0-9]*/ff{mpeg,play,probe} ix,
223 | owner @{HOME}/.app/net.downloadhelper.coapp-*/converter/build/linux/[0-9]*/*.so{,.*} m,
224 | deny @{PROC}/version r,
225 |
226 | deny @{HOME}/.local/share/{applications,flatpak}/** w,
227 | audit deny @{HOME}/.* w,
228 | audit deny @{HOME}/.bash_history r,
229 |
230 | # Noisy: included in abstractions/base
231 | /etc/ld.so.conf r,
232 | /etc/ld.so.conf.d/*.conf r,
233 | # Noisy: included in abstractions/gnome -> abstractions/fonts
234 | owner @{HOME}/.cache/fontconfig/*.cache-* rw,
235 |
236 | owner @{HOME}/.cache/mesa_shader_cache/** rw,
237 | # owner @{HOME}/.cache/mesa_shader_cache/**.tmp k,
238 |
239 | # per-user firefox configuration
240 | owner @{HOME}/.{firefox,mozilla}/ rw,
241 | owner @{HOME}/.{firefox,mozilla}/** rw,
242 | owner @{HOME}/.{firefox,mozilla}/**/*.{mdb,db,parentlock,sqlite}* k,
243 | owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
244 | owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
245 | owner @{HOME}/.gnome2/firefox* rwk,
246 | owner @{HOME}/.cache/mozilla/{,firefox/} rw,
247 | owner @{HOME}/.cache/mozilla/firefox/** rw,
248 | owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
249 | owner @{HOME}/.config/gtk-3.0/bookmarks r,
250 | owner @{HOME}/.config/dconf/user w,
251 | # To set the browser as the default
252 | owner /{,var/}run/user/*/dconf/user w,
253 | owner @{HOME}/.config/mimeapps.list{,.[a-zA-Z0-9]*} rwk,
254 | owner @{HOME}/.local/share/mime/packages/*-extension-{,?}html.xml{,.[a-zA-Z0-9]*} rwk,
255 | dbus (send)
256 | bus=session
257 | path=/org/gnome/GConf/Server
258 | member=GetDefaultDatabase
259 | peer=(label=unconfined),
260 | dbus (send)
261 | bus=session
262 | path=/org/gnome/GConf/Database/*
263 | member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
264 | peer=(label=unconfined),
265 | dbus (send)
266 | bus=session
267 | path=/org/gtk/vfs/mounttracker
268 | interface=org.gtk.vfs.MountTracker
269 | member=ListMountableInfo
270 | peer=(label=unconfined),
271 |
272 | # gnome-session
273 | dbus (send)
274 | bus=session
275 | path=/org/gnome/SessionManager
276 | interface=org.gnome.SessionManager
277 | member={Inhibit,Uninhibit}
278 | peer=(label=unconfined),
279 |
280 | # unity screen API
281 | dbus (send)
282 | bus=system
283 | interface="org.freedesktop.DBus.Introspectable"
284 | path="/com/canonical/Unity/Screen"
285 | member="Introspect"
286 | peer=(label=unconfined),
287 | dbus (send)
288 | bus=system
289 | interface="com.canonical.Unity.Screen"
290 | path="/com/canonical/Unity/Screen"
291 | member={keepDisplayOn,removeDisplayOnRequest}
292 | peer=(label=unconfined),
293 |
294 | # freedesktop.org ScreenSaver
295 | dbus (send)
296 | bus=session
297 | path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
298 | interface=org.freedesktop.ScreenSaver
299 | member={Inhibit,UnInhibit,SimulateUserActivity}
300 | peer=(label=unconfined),
301 |
302 | # gnome, kde and cinnamon screensaver
303 | dbus (send)
304 | bus=session
305 | path=/{,ScreenSaver}
306 | interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
307 | member=SimulateUserActivity
308 | peer=(label=unconfined),
309 |
310 | # UPower
311 | dbus (send)
312 | bus=system
313 | path=/org/freedesktop/UPower
314 | interface=org.freedesktop.UPower
315 | member=EnumerateDevices
316 | peer=(label=unconfined),
317 |
318 | #
319 | # Extensions
320 | # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
321 | # Allow 'x' for downloaded extensions, but inherit policy for safety
322 | owner @{HOME}/.mozilla/**/extensions/** mixr,
323 |
324 | deny @{MOZ_LIBDIR}/update.test w,
325 | deny /usr/lib/mozilla/extensions/**/ w,
326 | deny /usr/lib/xulrunner-addons/extensions/**/ w,
327 | deny /usr/share/mozilla/extensions/**/ w,
328 | deny /usr/share/mozilla/ w,
329 |
330 | # Miscellaneous (to be abstracted)
331 | # Ideally these would use a child profile. They are all ELF executables
332 | # so running with 'Ux', while not ideal, is ok because we will at least
333 | # benefit from glibc's secure execute.
334 | /usr/bin/mkfifo Uxr, # investigate
335 | /bin/ps Uxr,
336 | /bin/uname Uxr,
337 |
338 | /usr/bin/lsb_release Cxr -> lsb_release,
339 | profile lsb_release {
340 | #include
341 | #include
342 | /usr/bin/lsb_release r,
343 | /bin/dash ixr,
344 | /usr/bin/dpkg-query ixr,
345 | /usr/include/python2.[4567]/pyconfig.h r,
346 | /etc/lsb-release r,
347 | /etc/debian_version r,
348 | /usr/share/distro-info/*.csv r,
349 | /var/lib/dpkg/** r,
350 |
351 | /usr/local/lib/python3.[0-6]/dist-packages/ r,
352 | /usr/bin/ r,
353 | /usr/bin/python3.[0-6] mr,
354 |
355 | # file_inherit
356 | deny /tmp/gtalkplugin.log w,
357 | }
358 |
359 | # Addons
360 | #include
361 |
362 | # Site-specific additions and overrides. See local/README for details.
363 | #include
364 | }
365 |
366 | # kate: syntax AppArmor Security Profile; replace-tabs on; tab-width 2; indent-width 2; remove-trailing-spaces mod;
367 | # vim: syntax=apparmor
368 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.gwenview:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Gwenview
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: March 12, 2019
5 |
6 | # Requirements:
7 | # apparmor.d/tunables/confidential
8 | # apparmor.d/abstractions/kde-user
9 | # apparmor.d/abstractions/flatpak-snap
10 | # apparmor.d/abstractions/general-security
11 | # apparmor.d/abstractions/block-networking
12 | # apparmor.d/abstractions/open-browser
13 | # apparmor.d/abstractions/open-email
14 |
15 | include
16 | include
17 |
18 | # Some files supported:
19 | # bmp
20 | @{IMG_EXT} = [bB][mM][pP]
21 | # jp2
22 | @{IMG_EXT} += [jJ][pP]2
23 | # jpg, jpeg
24 | @{IMG_EXT} += [jJ][pP]{,[eE]}[gG]
25 | # tif, tiff
26 | @{IMG_EXT} += [tT][iI][fF]{,[fF]}
27 | # ico, icb
28 | @{IMG_EXT} += [iI][cC][oObB]
29 | # wbmp
30 | @{IMG_EXT} += [wW][bB][mM][pP]
31 | # webp
32 | @{IMG_EXT} += [wW][eE][bB][pP]
33 | # dds
34 | @{IMG_EXT} += [dD][dD][sS]
35 | # eps
36 | @{IMG_EXT} += [eE][pP][sS]
37 | # icns
38 | @{IMG_EXT} += [iI][cC][nN][sS]
39 | # pcx
40 | @{IMG_EXT} += [pP][cC][xX]
41 | # png
42 | @{IMG_EXT} += [pP][nN][gG]
43 | # pbm, pgm, ppm
44 | @{IMG_EXT} += [pP][bBgGpP][mM]
45 | # rgb
46 | @{IMG_EXT} += [rR][gG][bB]
47 | # xbm, xpm
48 | @{IMG_EXT} += [xX][bBpP][mM]
49 |
50 | @{TMP_FILE} = \#[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
51 |
52 | profile gwenview /usr/bin/gwenview {
53 | include
54 | include
55 | include
56 | include
57 | include
58 | include
59 | include
60 | include
61 | include
62 | include
63 |
64 | include
65 | include
66 |
67 | # Blocks binaries, precompiled libraries, etc.
68 | include
69 |
70 | # Block network connection
71 | include
72 |
73 | # Needed to open links (only for some Web browsers/e-mail clients).
74 | include
75 | include
76 |
77 | # Block full access to sensitive data, such as passwords and keys.
78 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
79 | deny @{CONFIDENTIAL_VIEWER} rwklmx,
80 |
81 | # Full reading access
82 | /{,**/,**} r,
83 |
84 | # Write access in Home directory and mounted drives
85 | owner @{HOME}/** rw,
86 | owner /{data,media,mnt,srv,net}/** rw,
87 |
88 | owner /**/@{TMP_FILE} rwk,
89 | link subset /{home,data,media,mnt,srv,net}/**.[a-zA-Z0-9]* -> "/{home,data,media,mnt,srv,net}/{,**/}@{TMP_FILE}",
90 |
91 | owner /**/*.@{IMG_EXT} rw,
92 | owner /**/*.@{IMG_EXT}.[a-zA-Z0-9]* rwk,
93 | link /**/*.@{IMG_EXT}.[a-zA-Z0-9]* -> "/**/@{TMP_FILE}",
94 |
95 | deny owner @{HOME}/@{TMP_FILE} m,
96 | deny owner /tmp/@{TMP_FILE} m,
97 | deny owner /**/@{TMP_FILE} m,
98 |
99 | # Gwenview configuration
100 | owner @{HOME}/.local/share/{,org.kde.}gwenview/** rwk,
101 | owner @{HOME}/.config/{,org.kde.}gwenviewrc rw,
102 | owner @{HOME}/.config/{,org.kde.}gwenviewrc.[a-zA-Z0-9]* rwk,
103 | owner @{HOME}/.config/session/ rw,
104 | owner @{HOME}/.config/session/.* rwk,
105 | owner @{HOME}/.config/session/{,org.kde.}gwenview* rwk,
106 | owner @{HOME}/.cache/thumbnails/** rw,
107 | owner @{HOME}/.cache/thumbnails/*/*.[a-zA-Z0-9]* rwk,
108 | owner @{HOME}/.cache/mesa_shader_cache/**.tmp rwk,
109 |
110 | include
111 | owner @{HOME}/.local/share/baloo/index-lock rwk,
112 | owner @{HOME}/.config/session/@{TMP_FILE} rwk,
113 | owner @{HOME}/.cache/thumbnails/*/@{TMP_FILE} rwk,
114 |
115 | link @{HOME}/.config/{,org.kde.}gwenviewrc.[a-zA-Z0-9]* -> "/home/*/.config/@{TMP_FILE}",
116 | link @{HOME}/.local/share/{,org.kde.}gwenview/** -> "/home/*/.local/share/{,org.kde.}gwenview/{,**/}@{TMP_FILE}",
117 | link @{HOME}/.config/session/{,org.kde.}gwenview* -> "/home/*/.config/session/@{TMP_FILE}",
118 | link @{HOME}/.cache/thumbnails/*/*.[a-zA-Z0-9]* -> "/home/*/.cache/thumbnails/*/*",
119 |
120 | allow owner @{HOME}/.local/share/flatpak/exports/share/icons/** rw,
121 |
122 | # Libraries and binaries
123 | /usr/bin/gwenview ixr,
124 | /usr/bin/dolphin PUx,
125 | /usr/bin/plasma-discover PUx,
126 | /usr/bin/khelpcenter Cxr -> sanitized_helper,
127 |
128 | /usr/bin/digikam PUx,
129 | /usr/bin/gimp PUx,
130 | /usr/bin/gimp-2.8 PUx,
131 | /usr/bin/inkscape PUx,
132 | /usr/bin/krita PUx,
133 | /usr/bin/skanlite PUx,
134 | /usr/bin/darktable PUx,
135 | /usr/bin/mirage PUx,
136 | /usr/bin/kate PUx,
137 | /usr/bin/* Pixr, # Broad: any binary in /usr/bin may run, under its own profile if it has one, otherwise inheriting this one
138 |
139 | /usr/lib/gamin/gam_server Pixr,
140 | /usr/lib{,64,/@{multiarch}}/qt5/** r,
141 | /usr/lib{,64,/@{multiarch}}/qt5/plugins/{,**/}*.so m,
142 | /usr/lib{,64,/@{multiarch}}/qt5/{bin,libexec}/** ix,
143 | deny /usr/lib{,64,/@{multiarch}}/vlc/plugins/plugins.dat{,.*} w,
144 |
145 | # Temporary files
146 | owner /tmp/** rwkl,
147 | owner /var/tmp/kdecache-*/* rwkl,
148 | owner /run/user/[0-9]*/ksocket-*/** rwk,
149 | owner /run/user/[0-9]*/bus rwk,
150 | owner /run/user/[0-9]*/*-socket rwk,
151 | owner /run/user/[0-9]*/kdeinit5* rwk,
152 | owner /run/user/[0-9]*/@{TMP_FILE} rwk,
153 | link /run/user/[0-9]*/* -> "/run/user/[0-9]*/@{TMP_FILE}",
154 |
155 | signal (send) set=(term) peer=unconfined,
156 | unix (send receive connect) type=stream addr=none peer=(label=unconfined),
157 | }
158 |
159 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
160 | # vim: syntax=apparmor
161 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.ktorrent:
--------------------------------------------------------------------------------
1 | # Author: Nibaldo Gonzalez
2 | # Last change: February 27, 2018
3 |
4 | # NOTE:
5 | # - This profile is made for KTorrent 5. It does not work
6 | # in older versions (with Qt 4).
7 | # - This profile is more restrictive than the one provided
8 | # in .
9 | # - This profile is only tested on Ubuntu 16.04 & KDE Plasma 5.
10 |
11 | include
12 | include
13 |
14 | # IMPORTANT: Modify according to KTorrent configuration:
15 | # Download directory
16 | @{DOWNLOAD_DIR} = @{HOME}/Descargas/Torrents
17 | # Torrents information directory
18 | @{TORRENT_INF_DIR} = @{HOME}/.local/share/ktorrent
19 |
20 | /usr/bin/ktorrent {
21 | include
22 | include
23 | include
24 | include
25 | include
26 | include
27 | include
28 | include
29 | include
30 |
31 | include
32 | include
33 | include
34 | include
35 |
36 | # Blocks binaries, precompiled libraries, etc.
37 | include
38 |
39 | # Block full access to sensitive data, such as passwords and keys.
40 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
41 | include
42 |
43 | # Needed to open links (only for some Web browsers/e-mail clients).
44 | include
45 | include
46 |
47 | # Required to open downloaded files.
48 | include
49 |
50 | # Access to Home
51 | owner @{DOWNLOAD_DIR}/{,**} rw, # Just read/write in the download directory
52 | owner @{HOME}/**.[tT][oO][rR][rR][eE][nN][tT] r, # Only read .torrent files
53 | owner @{HOME}/{,**/} r, # Only read directories
54 | deny @{HOME}/**/.directory r,
55 |
56 | # KTorrent configuration
57 | owner @{TORRENT_INF_DIR}/{,**} rwk,
58 | owner @{HOME}/.cache/ktorrent/{,**} rwk,
59 | owner @{HOME}/.config/ktorrent* rwk,
60 | owner @{HOME}/.kde/share/apps/ktorrent/{,**} rwk,
61 | owner @{HOME}/.local/share/kxmlgui5/ktorrent/{,**} rw,
62 | owner @{HOME}/.local/share/kxmlgui5/ rw,
63 |
64 | owner @{HOME}/.config/session/ktorrent_* rwk,
65 | owner @{HOME}/.config/session/.[a-zA-Z0-9]* rwk,
66 | owner @{HOME}/.config/session/\#[0-9]* rwk,
67 | link @{HOME}/.config/session/ktorrent_* -> "/home/*/.config/session/#[0-9]*",
68 |
69 | # Local configuration
70 | include
71 | owner @{HOME}/.config/kde.org/libphonon.conf r,
72 |
73 | deny /{media,mnt,srv,net}/** rwklmx, # Block access to mounted drives & other directories
74 |
75 | # Binaries
76 | /usr/bin/ktorrent r,
77 | /usr/bin/kdialog ixr,
78 | /usr/bin/kdeinit5 ixr,
79 | /usr/bin/kde-open{,5} ixr,
80 | /usr/bin/{gnome,gvfs,xdg}-open ixr,
81 | /usr/bin/khelpcenter Cxr -> sanitized_helper,
82 | /usr/bin/pulseaudio Pixr,
83 |
84 | # Libraries
85 | /usr/lib{,64}/ r,
86 | /usr/lib{,64}/libktorrent.so.* mr,
87 | /usr/lib{64,/@{multiarch}}/qt5/plugins/{,**/} r,
88 | /usr/lib{64,/@{multiarch}}/qt5/plugins/**.so mr,
89 | deny /usr/lib{,64,/@{multiarch}}/vlc/plugins/plugins.dat* w,
90 |
91 | /usr/share/alsa/{,*.conf} r,
92 | /usr/share/color-schemes/{,**} r,
93 | /usr/share/GeoIP/{,*} r,
94 | /usr/share/icons/{,**} r,
95 | /usr/share/knotifications5/{,*} r,
96 | /usr/share/kservices5/{,**/,**.protocol} r,
97 | /usr/share/kxmlgui5/ktorrent/{,**} r,
98 | /usr/share/plasma/{,**} r,
99 | /usr/share/qt5/{,**} r,
100 | /usr/share/sounds/{,**} r,
101 | /usr/share/mime/ r,
102 | /usr/share/templates/ r,
103 |
104 | /etc/xdg/{,**} r,
105 | /etc/xdg/Trolltech.conf k,
106 | /etc/pulse/client.conf r,
107 | /etc/machine-id r,
108 | /etc/timezone r,
109 | /etc/udev/udev.conf r,
110 | deny /etc/fstab r,
111 |
112 | /dev/**/ r,
113 | /dev/tty r,
114 | /dev/snd/controlC[0-9]* r,
115 | owner /{dev,run,var/run}/shm/pulse-shm-* rwk,
116 |
117 | /sys/**/ r,
118 | /sys/devices/**/uevent r,
119 | /sys/devices/pci[0-9]*/**/{config,revision} r,
120 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
121 | @{PROC}/sys/kernel/core_pattern r,
122 | owner @{PROC}/@{pid}/mounts r,
123 |
124 | # Temp files
125 | owner /run/user/[0-9]*/kioclient*.slave-socket rwk,
126 | owner /run/user/[0-9]*/ktorrent*.slave-socket rwk,
127 | owner /run/user/[0-9]*/pulse/native rwk,
128 | owner /run/user/[0-9]*/\#[0-9]* rwk,
129 | link /run/user/[0-9]*/{ktorrent,kioclient}*.slave-socket -> "/run/user/[0-9]*/#[0-9]*",
130 |
131 | signal (send) set=(term) peer=unconfined,
132 | unix (send, receive) type=(stream) peer=(label=@{profile_name}//sanitized_helper addr=none),
133 | }
134 |
135 | # kate: syntax AppArmor Security Profile
136 | # vim: syntax=apparmor
137 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.mpv:
--------------------------------------------------------------------------------
1 | # AppArmor profile for mpv media player
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: October 29, 2020
5 |
6 | # NOTE: By default, the internet connection is blocked.
7 | # To allow video streaming, uncomment the include rule:
8 | # and remove:
9 |
10 | # Requirements:
11 | # apparmor.d/tunables/confidential
12 | # apparmor.d/tunables/media-extensions
13 | # apparmor.d/abstractions/confidential-deny
14 | # apparmor.d/abstractions/block-networking
15 |
16 | include
17 | include
18 | include
19 |
20 | # Directories where videos and data are stored
21 | @{DATA_DIR} = /{data,home,media,mnt,srv,net,cdrom}
22 |
23 | profile mpv /usr/bin/mpv {
24 | include
25 | include
26 | include
27 | include
28 | include
29 | include
30 | include
31 |
32 | # Block network connection:
33 | include
34 | # Allow network connection (uncomment this line):
35 | # include
36 |
37 | # Block full access to sensitive data, such as passwords and keys.
38 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
39 | include
40 |
41 | # Read-only access to the home directory, mounted drives and the other data directories
42 | @{DATA_DIR}/** r,
43 |
44 | # Supported files
45 | /**?.@{MEDIA_EXT} r,
46 |
47 | # Configuration
48 | owner @{HOME}/.config/ rw,
49 | owner @{HOME}/.config/mpv/ rw,
50 | owner @{HOME}/.config/mpv/** rwk,
51 |
52 | owner @{HOME}/mpv-shot[0-9]*.jpg rw,
53 |
54 | /etc/mpv/{,**} r,
55 | /etc/nsswitch.conf r,
56 | deny /etc/passwd r,
57 | /etc/udev/udev.conf r,
58 | /etc/vdpau_wrapper.cfg r,
59 | /etc/glvnd/{,**} r,
60 | /usr/share/{glvnd,drirc.d}/{,**} r,
61 |
62 | /sys/**/ r,
63 | /sys/devices/**/uevent r,
64 | /sys/devices/system/**/meminfo r,
65 | /sys/devices/pci[0-9]*/**/{config,revision} r,
66 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
67 |
68 | # Device access
69 | /dev/ati/{,**} r,
70 | /dev/dri/{,**} r,
71 | /dev/tty rw,
72 | audit deny /dev/{video,audio}* rwlkmx,
73 |
74 | # Binaries and libraries
75 | /usr/bin/mpv ixr,
76 | /usr{,/local}/bin/youtube-dl Pxr,
77 | /usr/bin/{dbus-send,xdg-screensaver,xset} Pixr,
78 | /bin/{grep,hostname,mv,sed,which} Pixr,
79 | deny /usr/lib{,64,/@{multiarch}}/vlc/plugins/plugins.dat{,.*} w,
80 |
81 | # Block compiled libraries & executables
82 | audit deny @{DATA_DIR}/** mx,
83 | audit deny owner /**/* mx,
84 |
85 | deny /run/udev/data/** rwklmx,
86 | deny owner /**/*.py* r,
87 | deny @{DATA_DIR}/**.py* r,
88 | deny owner @{HOME}/.recently-used.xbel* rw,
89 | deny owner @{HOME}/.local/share/recently-used.xbel* rw,
90 |
91 | # Temp files
92 | owner /tmp/xauth-* r,
93 |
94 | /run/systemd/userdb/{,**} r,
95 | /run/systemd/userdb/io.systemd.DynamicUser w,
96 | @{PROC}/sys/kernel/random/boot_id r,
97 |
98 | #unix (send, receive) type=(stream) protocol=0 peer=(addr=none),
99 | }
100 |
101 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
102 | # vim: syntax=apparmor
103 |
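The extension tunables (`tunables/media-extensions`, and the `@{IMG_EXT}` list in the Gwenview profile) encode case-insensitivity as character classes, mpv's `/**?.@{MEDIA_EXT} r,` rule and the Firefox attachment glob `/usr/lib/firefox/firefox{,*[^s][^h]}` lean on `**`, `?` and `{a,b}` alternation, and Gwenview's `@{TMP_FILE}` uses a backslash escape. A one-character slip in any of these (a class missing a letter, a `{,x}` that should be `{x,y}`) silently widens or narrows the rule. The checker below is an added example written for this page; it is not part of the repository and not AppArmor's own matcher. It reimplements only the glob features these profiles use so that patterns can be exercised offline, and reports tunable entries whose pattern does not match the extension its comment names. The sample patterns, variable values and paths are constructed for the example; the `vro` entry is deliberately truncated to show what a mismatch report looks like. It does not model `owner`, link rules or deny precedence, so treat its answers as a pre-check and confirm on a real system with `apparmor_parser -p` and `aa-logprof`.

```python
"""Offline checker for the AppArmor path-glob features used in these profiles.

Added example for review purposes, not part of the profile set and not
AppArmor's own matcher. Covers *, **, ?, [..], {a,b}, backslash escapes and
@{VAR} expansion; apparmor_parser and the kernel remain the authority.
"""
import re


def glob_to_regex(glob, variables=None):
    """Translate an AppArmor path glob into a Python regex string.

    variables maps a variable name (e.g. "VIDEO_EXT") to its list of values;
    each value is itself a glob and the list becomes an alternation, which
    is how a multi-valued @{VAR} behaves once the profile is loaded.
    """
    variables = variables or {}
    out = []
    i, n, depth = 0, len(glob), 0  # depth: nesting inside {a,b} groups
    while i < n:
        c = glob[i]
        if c == "\\" and i + 1 < n:            # \# and similar: literal char
            out.append(re.escape(glob[i + 1])); i += 2
        elif glob.startswith("@{", i):         # @{VAR} -> (?:v1|v2|...)
            j = glob.index("}", i)
            name = glob[i + 2:j]
            if name not in variables:
                raise KeyError("undefined variable @{%s}" % name)
            alts = "|".join(glob_to_regex(v, variables) for v in variables[name])
            out.append("(?:%s)" % alts); i = j + 1
        elif glob.startswith("**", i):         # ** may cross '/'
            out.append(".*"); i += 2
        elif c == "*":                         # * stays inside one component
            out.append("[^/]*"); i += 1
        elif c == "?":                         # exactly one non-'/' char
            out.append("[^/]"); i += 1
        elif c == "[":                         # [abc], [a-z], [^x]: same syntax
            j = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:j] + "]"); i = j + 1
        elif c == "{":
            depth += 1; out.append("(?:"); i += 1
        elif c == "}" and depth:
            depth -= 1; out.append(")"); i += 1
        elif c == "," and depth:               # ',' separates alternatives
            out.append("|"); i += 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)


def path_matches(rule_glob, path, variables=None):
    """True if `path` would be matched by a rule written as `rule_glob`."""
    return re.fullmatch(glob_to_regex(rule_glob, variables), path) is not None


def check_extension_patterns(patterns):
    """patterns: extension name (as in a tunable's comment) -> glob meant to
    match it. Returns the entries whose glob fails to match that extension in
    lower, upper or capitalised spelling, i.e. comment and pattern disagree."""
    bad = {}
    for ext, glob in patterns.items():
        rx = re.compile(glob_to_regex(glob))
        if not all(rx.fullmatch(v) for v in (ext.lower(), ext.upper(), ext.capitalize())):
            bad[ext] = glob
    return bad


# Constructed sample in the shape of tunables/media-extensions. The "vro"
# entry is deliberately truncated to show what a mismatch report looks like.
SAMPLE_PATTERNS = {
    "webm": "[wW][eE][bB][mM]",
    "wmv": "[wW][mMtT][vV]",
    "wtv": "[wW][mMtT][vV]",
    "m3u": "[mM]3[uU]{,8}",
    "m3u8": "[mM]3[uU]{,8}",
    "vro": "[vV][rR]",  # wrong on purpose: matches ".vr", never ".vro"
}
# Constructed variable values (assumed, not read from the repository).
VARS = {
    "VIDEO_EXT": ["[wW][eE][bB][mM]", "[wW][mMtT][vV]", "[vV][oO][bB]"],
    "DATA_DIR": ["/{data,home,media,mnt,srv,net,cdrom}"],
    # Gwenview-style temp-file name: '#' followed by one to eight digits
    "TMP_FILE": ["\\#[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"],
}

if __name__ == "__main__":
    print("mismatched patterns:", check_extension_patterns(SAMPLE_PATTERNS))
    for rule, path in [
        ("/**?.@{VIDEO_EXT}", "/home/u/Videos/clip.WebM"),  # mpv-style media rule
        ("/**?.@{VIDEO_EXT}", "/home/u/Videos/.webm"),      # '?' rejects an empty stem
        ("@{DATA_DIR}/**", "/tmp/clip.webm"),               # outside the data dirs
        ("/usr/lib/firefox/firefox{,*[^s][^h]}", "/usr/lib/firefox/firefox.sh"),
        ("/**/@{TMP_FILE}", "/home/u/Pictures/#1234"),
    ]:
        print("%-40s %-35s %s" % (rule, path, path_matches(rule, path, VARS)))
```

Running it prints the `vro` mismatch and the match results for the five constructed paths. The `?` in mpv's rule is what keeps a bare `.webm` dotfile from matching, and the Firefox glob's `[^s][^h]` tail is what excludes `firefox.sh` while still admitting `firefox` and `firefox-bin`; both are easy to break when copying rules between profiles, which is why a check like this is worth running before `apparmor_parser -r`.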
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.okular:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Okular
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: October 13, 2019
5 |
6 | # Requirements:
7 | # apparmor.d/tunables/confidential
8 | # apparmor.d/abstractions/kde-user
9 | # apparmor.d/abstractions/confidential-deny
10 | # apparmor.d/abstractions/flatpak-snap
11 | # apparmor.d/abstractions/general-security
12 | # apparmor.d/abstractions/block-networking
13 | # apparmor.d/abstractions/open-browser
14 | # apparmor.d/abstractions/open-email
15 |
16 | include
17 | include
18 |
19 | profile okular /usr/bin/okular {
20 | include
21 | include
22 | include
23 | include
24 | include
25 | include
26 | include
27 | include
28 | include
29 | include
30 | include
31 |
32 | include
33 | include
34 |
35 | # Block full access to sensitive data, such as passwords and keys.
36 | # View in: tunables/confidential.
37 | include
38 |
39 | # Needed to open links (only for some Web browsers/e-mail clients).
40 | include
41 | include
42 | # include
43 | # include
44 | # include
45 | # include
46 | # include
47 |
48 | /{,**/} r, # Read only directories
49 |
50 | # Write access in Home directory and mounted drives
51 | owner @{HOME}/** rw,
52 | owner /{data,media,mnt,srv,net}/** rw,
53 | /{data,home,media,mnt,srv,net}/** r,
54 |
55 | # Files supported:
56 | /**.[pP][dD][fF] rw, # pdf
57 | /**.[oO][kK][uU][lL][aA][rR] rw, # okular
58 | /**.[tT][xX][tT] rw, # txt
59 |
60 | /**.[bB][mM][pP] r, # bmp
61 | /**.[bBgGxX][zZ] r, # bz, gz, xz
62 | /**.[fF][bB][23]{,.[zZ][iI][pP]} r, # fb2, fb3
63 | /**.[cC][bB][rRzZtTaA7] r, # cbr, cbz, cbt, cba, cb7
64 | /**.[cC][hH][mM] r, # chm
65 | /**.[dD][dD][sS] r, # dds
66 | /**.[dD][jJ][vV][uU] r, # djvu
67 | /**.[dD][vV][iI] r, # dvi
68 | /**.[eE][pP][uU][bB] r, # epub
69 | /**.[fF][aA][xX] r, # fax
70 | /**.[fF][dD][fF] r, # fdf
71 | /**.[gG][iI][fF] r, # gif
72 | /**.[hH][tT][mM][lL] r, # html
73 | /**.[iI][cC][oObB] r, # ico, icb
74 | /**.[iI][cC][nN][sS] r, # icns
75 | /**.[jJ][pP]{,[eE]}[gG] r, # jpg, jpeg
76 | /**.[mM][oO][bB][iI] r, # mobi
77 | /**.[oO][dD][tT] r, # odt
78 | /**.[pP][cC][xX] r, # pcx
79 | /**.[pP][iI][cC] r, # pic
80 | /**.[pP][bBgGpP][mM] r, # pbm, pgm, ppm
81 | /**.[pP][nN][gGmM] r, # png, pnm
82 | /**.{,[eE]}[pP][sS] r, # ps, eps
83 | /**.[rR][dD][fF] r, # rdf
84 | /**.[rR][sS][sS] r, # rss
85 | /**.[sS][vV][gG]{,[zZ]} r, # svg, svgz
86 | /**.[tT][iI][fF]{,[fF]} r, # tif, tiff
87 | /**.[wW][bB][mM][pP] r, # wbmp
88 | /**.[wW][eE][bB][pP] r, # webp
89 | /**.[xX][bBpP][sSmM] r, # xbm, xps, xpm
90 |
91 | # Okular configuration
92 | owner @{HOME}/.local/share/okular/** rw,
93 | owner @{HOME}/.config/okular{,part}rc rw,
94 | owner @{HOME}/.config/okular{,part}rc.[a-zA-Z0-9]* rwk,
95 | owner @{HOME}/.config/session/ rw,
96 | owner @{HOME}/.config/session/.* rwk,
97 | owner @{HOME}/.config/session/okular* rwk,
98 | owner @{HOME}/.cache/okular/** rw,
99 | owner @{HOME}/.cache/okular/qmlcache/{,**/}*.qmlc m,
100 | # For old versions
101 | owner @{HOME}/.kde/share/apps/okular/** rw,
102 | owner @{HOME}/.kde/share/config/okular{,part}rc rw,
103 | owner @{HOME}/.kde/share/config/okular{,part}rc.[a-zA-Z0-9]* rwk,
104 |
105 | include
106 | owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
107 |
108 | owner @{HOME}/.config/session/#[0-9]{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]} rwk,
109 | link @{HOME}/.config/session/okular* -> "/home/*/.config/session/#[0-9]*",
110 | link @{HOME}/.config/okular{,part}rc{,.[a-zA-Z0-9]*} -> "/home/*/.config/#[0-9]*",
111 | link @{HOME}/.local/share/okular/** -> "/home/*/.local/share/okular/**",
112 |
113 | /usr/share/** r,
114 |
115 | /etc/fstab r,
116 | /etc/nsswitch.conf r,
117 | /etc/passwd r,
118 | /etc/rpc r,
119 | /etc/udev/udev.conf r,
120 | /etc/xdg/** r,
121 |
122 | /sys/devices/**/uevent r,
123 | /sys/devices/pci[0-9]*/**/{busnum,config,revision} r,
124 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
125 | /sys/devices/pci[0-9]*/**/id{Product,Vendor} r,
126 | @{PROC}/sys/kernel/random/boot_id r,
127 | @{PROC}/sys/kernel/core_pattern r,
128 | owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
129 | owner @{PROC}/@{pid}/task/[0-9]*/stat r,
130 |
131 | # Binaries
132 | /usr/bin/okular ixr,
133 | /usr/bin/plasma-discover PUx,
134 | /usr/bin/khelpcenter Cxr -> sanitized_helper,
135 | # File managers
136 | /usr/bin/dolphin Cx -> sanitized_helper, # Plasma
137 | /usr/bin/krusader Cx -> sanitized_helper,
138 | /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
139 | /usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
140 | /usr/bin/thunar Cx -> sanitized_helper, # XFCE
141 | # Helpers
142 | /usr/bin/{exo,gnome,gvfs,xdg}-open ix,
143 | /usr/bin/kde-open{,5} ix,
144 | /usr/bin/kdeinit{4,5} ix,
145 | /usr/bin/kdialog ix,
146 |
147 | # Qt5
148 | /usr/lib{,64,/@{multiarch}}/qt5/** r,
149 | /usr/lib{,64,/@{multiarch}}/qt5/plugins/{,**/}*.so m,
150 | /usr/lib{,64,/@{multiarch}}/qt5/qml/{,**/}*.{so,jsc,qmlc} m,
151 | /usr/lib{,64,/@{multiarch}}/qt5/{bin,libexec}/** ix,
152 | deny /usr/lib{,64,/@{multiarch}}/vlc/plugins/plugins.dat* w,
153 |
154 | /usr/lib/@{multiarch}/libexec/kf5/** ix,
155 |
156 | # Temporary files and sockets
157 | owner /tmp/** rwlk,
158 | owner /{,var/}tmp/kde{,cache}-*/ rw,
159 | owner /{,var/}tmp/kde{,cache}-*/** rwk,
160 | owner /{,var/}run/user/[0-9]*/*-socket rwk,
161 | owner /{,var/}run/user/[0-9]*/bus rw,
162 | owner /{,var/}run/user/[0-9]*/kdeinit5* rwk,
163 | owner /{,var/}run/user/[0-9]*/ksocket-*/ rw,
164 | owner /{,var/}run/user/[0-9]*/ksocket-*/** rwk,
165 | /run/dbus/system_bus_socket w,
166 |
167 | owner /run/user/[0-9]*/#[0-9]{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]}{,[0-9]} rwk,
168 | link /run/user/[0-9]*/*-socket -> "/run/user/[0-9]*/#[0-9]*",
169 |
170 | # PulseAudio
171 | /etc/pulse/{client,daemon}.conf r,
172 | owner /{dev,run,var/run}/shm/pulse-shm-* rwk,
173 | owner /{,var/}run/user/[0-9]*/pulse/ rw,
174 | owner /{,var/}run/user/[0-9]*/pulse/{native,pid,*lock} rwk,
175 |
176 | /dev/tty r,
177 | /dev/snd/controlC[0-9]* r,
178 |
179 | signal (send) set=(term) peer=unconfined,
180 |
181 | audit deny @{HOME}/.local/share/applications/** w,
182 | audit deny @{HOME}/.local/share/flatpak/** w,
183 | audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
184 | audit deny @{HOME}/.app/** w,
185 | audit deny @{HOME}/.* w,
186 | deny @{HOME}/.bash_history r,
187 |
188 | audit deny /dev/{video,audio}* rwlkmx,
189 | deny /run/udev/data/** rwklmx,
190 |
191 | # Noisy
192 | audit deny owner /**/* x,
193 | audit deny @{HOME}/** x,
194 | audit deny @{HOME}/{*,[^.]**,.[^c]**} m,
195 | audit deny /{data,media,mnt,srv,net,cdrom,var,run,tmp}/** mx,
196 | }
197 |
198 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
199 | # vim: syntax=apparmor
200 |
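The file rules above rely on AppArmor globbing (`*` stops at `/`, `**` crosses directories, `{,part}` alternation, `[pP][dD][fF]` for case-insensitive extensions, the `owner` qualifier) and on the fact that a `deny` rule always beats an `allow` rule, whatever its position in the profile. The following Python matcher is an added example, not part of this repository: it parses a constructed subset of the Okular rules above and reports the decision for sample paths, so the effect of the "Noisy" `audit deny` block on `@{HOME}` can be checked without loading the profile. It assumes `@{HOME}` expands to `/home/<user>` and covers plain file rules only (no exec transitions, links or dbus rules).

```python
import re

RULE_RE = re.compile(r"^(audit\s+)?(deny\s+)?(owner\s+)?(\S+)\s+([rwlkmx]+),\s*(#.*)?$")  # [audit] [deny] [owner] <glob> <perms>,


def glob_to_regex(glob: str) -> str:
    """AppArmor glob -> anchored regex: * stops at '/', ** crosses it, {a,b} alternates."""
    # Assumption: @{HOME} is /home/<user>; AppArmor's default @{HOMEDIRS}/*/ yields the same paths.
    glob = glob.replace("@{HOME}", "/home/*")
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*":
            out.append("[^/]*")
        elif c == "[":                              # character class, copied verbatim
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1]); i = j + 1; continue
        elif c == "{":
            depth += 1; out.append("(?:")
        elif c == "}":
            depth -= 1; out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_rules(text: str) -> list:
    """(regex, perms, deny, owner) per file rule; include/link/dbus lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((re.compile(glob_to_regex(m[4])), m[5], bool(m[2]), bool(m[3])))
    return rules


def decide(rules, path: str, perm: str, is_owner: bool = True) -> str:
    """'deny' if any deny rule covers the access (deny beats allow whatever the order), 'allow' if an allow rule covers it, else 'no-rule' (also rejected)."""
    verdict = "no-rule"
    for regex, perms, deny, owner in rules:
        if perm not in perms or (owner and not is_owner) or not regex.match(path):
            continue
        if deny:
            return "deny"
        verdict = "allow"
    return verdict


# Constructed subset of the Okular profile's file rules (copied from the profile above).
OKULAR_RULES = parse_rules("""
/{,**/} r,
owner @{HOME}/** rw,
/**.[pP][dD][fF] rw,   # pdf
owner @{HOME}/.config/okular{,part}rc rw,
audit deny @{HOME}/.* w,
deny @{HOME}/.bash_history r,
audit deny @{HOME}/** x,
""")
```

Directories are passed with a trailing slash, which is why `/{,**/} r` matches them and nothing else.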
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.opera:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Opera Web browser
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: January 05, 2018
5 | # This AppArmor profile is based on the Chromium profile
6 | # by Jamie Strandboge
7 |
8 | # NOTE:
9 | # - Important: Check & change the user download & desktop directory.
10 | # - By default, there is only write access to the download & desktop directory.
11 | # - This profile is only tested on Ubuntu 16.04 & KDE Plasma 5.
12 |
13 | # Requirements:
14 | # apparmor.d/tunables/confidential
15 | # apparmor.d/abstractions/chromium-base
16 | # apparmor.d/abstractions/chromium-base-xdgsettings
17 | # apparmor.d/abstractions/chromium-base-sandbox
18 | # apparmor.d/abstractions/kde-user
19 | # apparmor.d/abstractions/flatpak-snap
20 | # apparmor.d/abstractions/open-some-applications
21 |
22 | include
23 | include
24 |
25 | # The Opera directory can be:
26 | # /usr/lib/x86_64-linux-gnu/opera/ [Ubuntu, Debian] [64 bits]
27 | # /usr/lib/i386-linux-gnu/opera/ [Ubuntu, Debian] [32 bits]
28 | # /usr/lib/opera/ [Arch Linux]
29 | # /usr/lib64/opera/ [OpenSUSE, Fedora] [64 bits]
30 | # For general use: /usr/lib{,64,/x86_64-linux-gnu,/i386-linux-gnu}/opera/opera
31 | # This directory is used for Ubuntu, Debian and OpenSUSE (64 bits):
32 | @{OPERA_LIBDIR} = /usr/lib{64,/x86_64-linux-gnu}/opera
33 |
34 | # User directories, with write access
35 | # (downloads and desktop directories):
36 | @{USER_DIR} = @{HOME}/Descargas
37 | @{USER_DIR} += @{HOME}/Escritorio
38 |
39 | /usr/lib{64,/x86_64-linux-gnu}/opera/opera flags=(attach_disconnected) {
40 | # Base rules for Web browsers based on Chromium.
41 | include
42 | include
43 |
44 | # Required to open downloaded files.
45 | include
46 |
47 | # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if you
48 | # want access to productivity applications, adjust the following file accordingly.
49 | ## include
50 |
51 | # Block full access to sensitive data, such as passwords and keys.
52 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
53 | deny @{CONFIDENTIAL_EXCEPT_OPERA} rwklmx,
54 |
55 | /sys/devices/pci[0-9]*/**/{bConfigurationValue,descriptors,manufacturer,product,serial} r,
56 | owner /{dev,run}/shm/{,.}org.chromium.* mrw,
57 | owner /{dev,run}/shm/{,.}com.opera.* mrw,
58 |
59 | # Access to Home, removable media & other folders
60 | @{HOME}/{,*,[^.]**} r,
61 | /{data,media,mnt,srv,net}/** r,
62 |
63 | # User folders
64 | owner @{HOME}/ r,
65 | owner @{USER_DIR}/ r,
66 | owner @{USER_DIR}/** rw,
67 |
68 | # Opera configuration
69 | owner @{HOME}/.config/opera/ rw,
70 | owner @{HOME}/.config/opera/** rwk,
71 | owner @{HOME}/.config/opera/**/Cache/* mr,
72 | owner @{HOME}/.cache/opera/{,**} rw,
73 | owner @{HOME}/.cache/opera/Cache/* mr,
74 | owner @{HOME}/.local/share/.org.chromium.Chromium{,.[a-zA-Z0-9]*} rw,
75 |
76 | # Access to Opera directory
77 | deny @{OPERA_LIBDIR}/** w, # Noisy
78 | @{OPERA_LIBDIR}/*.pak mr,
79 | @{OPERA_LIBDIR}/locales/* mr,
80 |
81 | @{OPERA_LIBDIR}/opera ix,
82 | @{OPERA_LIBDIR}/opera_sandbox cx -> opera_sandbox,
83 | @{OPERA_LIBDIR}/opera_autoupdate ixrk,
84 | @{OPERA_LIBDIR}/opera_crashreporter ixr,
85 | @{OPERA_LIBDIR}/xdg-settings Cxr -> xdgsettings,
86 |
87 | # Allow communicating with sandbox
88 | unix (receive, send) peer=(label=@{OPERA_LIBDIR}/opera//opera_sandbox),
89 |
90 | /bin/which ixr,
91 |
92 | # Noisy
93 | audit deny @{HOME}/** x,
94 | audit deny owner /**/* x,
95 |
96 | profile xdgsettings flags=(attach_disconnected) {
97 | # Base rules for xdg-settings binary.
98 | include
99 |
100 | deny @{CONFIDENTIAL_EXCEPT_OPERA} rwklmx,
101 |
102 | @{OPERA_LIBDIR}/xdg-settings r,
103 | }
104 |
105 | profile opera_sandbox flags=(attach_disconnected) {
106 | # Base rules for opera_sandbox binary.
107 | include
108 |
109 | signal (receive) peer=@{OPERA_LIBDIR}/opera,
110 | unix (receive, send) peer=(label=@{OPERA_LIBDIR}/opera),
111 |
112 | /usr/bin/opera r,
113 | @{OPERA_LIBDIR}/opera Px,
114 | @{OPERA_LIBDIR}/opera_sandbox r,
115 | @{OPERA_LIBDIR}/opera_autoupdate ixrk,
116 | @{OPERA_LIBDIR}/opera_crashreporter ixr,
117 | }
118 |
119 | # Site-specific additions and overrides. See local/README for details.
120 | include
121 | }
122 |
123 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
124 | # vim: syntax=apparmor
125 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.qbittorrent:
--------------------------------------------------------------------------------
1 | # AppArmor profile for qBittorrent
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: July 15, 2019
5 |
6 | # NOTE:
7 | # - This profile is more restrictive than the one provided
8 | # in .
9 | # - This profile is only tested on Ubuntu 18.04 & 16.04 with KDE Plasma 5.
10 |
11 | # Requirements:
12 | # apparmor.d/tunables/confidential
13 | # apparmor.d/abstractions/networkmanager-strict
14 | # apparmor.d/abstractions/udisk-strict
15 | # apparmor.d/abstractions/flatpak-snap
16 | # apparmor.d/abstractions/general-security
17 | # apparmor.d/abstractions/confidential-deny
18 | # apparmor.d/abstractions/open-browser
19 | # apparmor.d/abstractions/open-email
20 | # apparmor.d/abstractions/open-some-applications
21 | # apparmor.d/abstractions/kde-user
22 |
23 | include
24 | include
25 |
26 | # - Important: Check & change the torrents directory
27 | # according to qBittorrent configuration.
28 | # - By default, there is only write access to the torrent directory.
29 |
30 | # Torrents directory. Modify according to qBittorrent configuration.
31 | @{TORRENTS_DIR} = @{HOME}/Descargas/Torrents
32 |
33 | profile qbittorrent /usr/bin/qbittorrent {
34 | include
35 | include
36 | include
37 | include
38 | include
39 | include
40 | include
41 |
42 | include
43 | include
44 | include
45 | include
46 |
47 | # Blocks binaries, precompiled libraries, etc.
48 | include
49 |
50 | # Block full access to sensitive data, such as passwords and keys.
51 | # Includes /boot/**, /var/log/** & /etc/apparmor.d/** directories. View in: tunables/confidential.
52 | include
53 |
54 | # Needed to open links (only for some Web browsers/e-mail clients).
55 | include
56 | include
57 |
58 | # Required to open downloaded files.
59 | include
60 |
61 | network netlink dgram,
62 |
63 | ## include
64 | # NOTE: The application does not start with bus=system
65 | dbus (send)
66 | bus=*
67 | path=/org/freedesktop/DBus
68 | interface=org.freedesktop.DBus
69 | member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
70 | peer=(name=org.freedesktop.DBus),
71 | # member={Hello,AddMatch,RemoveMatch,GetNameOwner}
72 | # peer=(name=org.freedesktop.DBus label=unconfined)
73 | dbus (receive)
74 | bus=system
75 | path=/org/freedesktop/NetworkManager
76 | interface=org.freedesktop.NetworkManager
77 | member=PropertiesChanged,
78 |
79 | # Access to Home
80 | owner @{TORRENTS_DIR}/{,**} rw, # Just read/write in the Torrents directory
81 | owner @{HOME}/**.[tT][oO][rR][rR][eE][nN][tT] r, # Only read .torrent files
82 | owner @{HOME}/{,[^.]**/} r, # Only read directories
83 | deny @{HOME}/{,**/}.directory r,
84 |
85 | # qBittorrent configuration
86 | owner @{HOME}/.config/qBittorrent/{,**} rwk,
87 | owner @{HOME}/.config/qBittorrentrc* rwk,
88 | owner @{HOME}/.local/share/data/qBittorrent/{,**} rwk,
89 | owner @{HOME}/.local/share/data/ rw,
90 | owner @{HOME}/.cache/qBittorrent/{,**} rw,
91 |
92 | # Local configuration
93 | include
94 | owner @{HOME}/.config/kio* r,
95 | owner @{HOME}/.config/kdebugrc rw,
96 | owner @{HOME}/.config/kde.org/libphonon.conf r,
97 | owner @{HOME}/.kde/share/config/{kde,kio}* r,
98 | owner @{HOME}/.kde/share/config/ktinfowidgetpluginrc rw,
99 | owner @{HOME}/.kde/share/config/kcookiejarrc r,
100 | owner @{HOME}/.kde/share/config/breezerc r,
101 | owner @{HOME}/.kde/share/config/ktimezonedrc r,
102 | owner @{HOME}/.kde/share/config/*.new rwk,
103 | owner @{HOME}/.local/share/qt_temp.* rwk,
104 | owner @{HOME}/.local/share/kservices5/{,**} r,
105 | owner @{HOME}/.cache/mesa_shader_cache/** rw,
106 |
107 | link @{HOME}/.config/qBittorrentrc* -> "/home/*/.config/#[0-9]*",
108 | link @{HOME}/.config/qBittorrent/* -> "/home/*/.config/qBittorrent/#[0-9]*",
109 | link @{HOME}/.config/qBittorrent/**/* -> "/home/*/.config/qBittorrent/**/#[0-9]*",
110 | link @{HOME}/.config/qBittorrent/qBittorrent.conf -> "/home/*/.config/qBittorrent/qBittorrent_new.conf",
111 |
112 | #link @{HOME}/.local/share/data/qBittorrent/BT_backup/* -> "/home/*/.local/share/data/qBittorrent/BT_backup/#[0-9]*",
113 | link @{HOME}/.local/share/data/qBittorrent/* -> "/home/*/.local/share/data/qBittorrent/#[0-9]*",
114 | link @{HOME}/.local/share/data/qBittorrent/**/* -> "/home/*/.local/share/data/qBittorrent/**/#[0-9]*",
115 |
116 | deny /{media,mnt,srv,net}/** rwklmx, # Block access to mounted drives & other directories
117 |
118 | # Binaries
119 | /usr/bin/qbittorrent r,
120 | /usr/bin/kdeinit{4,5} ixr,
121 | /usr/bin/{gnome,gvfs,xdg}-open ixr,
122 | /usr/bin/kde-open{,5} ixr,
123 | /usr/bin/kdialog ixr,
124 |
125 | # Libraries
126 | /usr/lib{,64,/@{multiarch}}/qt5/plugins/{,**/} r,
127 | /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
128 | #/usr/lib{,64,/@{multiarch}}/libQt5*.so{,.[0-9]*} m,
129 |
130 | /usr/share/color-schemes/{,**} r,
131 | /usr/share/GeoIP/{,*} r,
132 | /usr/share/knotifications5/{,*} r,
133 | /usr/share/kservices5/{,**/,**.protocol} r,
134 | /usr/share/plasma/{,**} r,
135 | /usr/share/qt5/{,**} r,
136 | /usr/share/sounds/{,**} r,
137 | /usr/share/mime/ r,
138 | /usr/share/templates/ r,
139 | /usr/share/hwdata/pnp.ids r,
140 | /usr/share/drirc.d/{,**} r,
141 |
142 | /etc/xdg/{,**} r,
143 | /etc/machine-id r,
144 | /etc/pulse/client.conf r,
145 | /etc/ssl/openssl.cnf r,
146 | /etc/udev/udev.conf r,
147 | deny /etc/fstab r,
148 |
149 | /dev/**/ r,
150 | /dev/tty r,
151 | owner /{dev,run,var/run}/shm/pulse-shm-* rwk,
152 |
153 | /sys/**/ r,
154 | /sys/devices/**/uevent r,
155 | /sys/devices/pci[0-9]*/**/{busnum,config,revision} r,
156 | /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
157 | /sys/devices/pci[0-9]*/**/id{Product,Vendor} r,
158 | owner @{PROC}/@{pid}/mounts r,
159 | @{PROC}/sys/kernel/random/boot_id r,
160 | @{PROC}/sys/kernel/core_pattern r, # investigate
161 | #owner @{PROC}/@{pid}/mountinfo r, # investigate
162 |
163 | # Temporary files & sockets
164 | owner /tmp/xauth-[0-9]* r,
165 | owner /tmp/*-qBitto* rwk,
166 | owner /tmp/qt_temp.* rwk,
167 | owner /tmp/qtsingleapp-qBitto-* rwk,
168 | owner /tmp/[0-9]*/ rw,
169 | owner /tmp/.[a-zA-Z0-9]*/{,*} rw,
170 | owner /{,var/}tmp/{,.}qBitto** rwk,
171 | owner /var/tmp/kdecache-*/{,*} rwk,
172 | owner /run/user/[0-9]*/ksocket-*/{,qBitto*} rwk,
173 | owner /run/user/[0-9]*/kioclient*-socket rwk,
174 | owner /run/user/[0-9]*/qBitto*-socket rwk,
175 | owner /run/user/[0-9]*/#[0-9]* rwk,
176 |
177 | link /run/user/[0-9]*/qBittorrent*.slave-socket -> "/run/user/[0-9]*/#[0-9]*",
178 | link /tmp/.qBittorrent/* -> "/tmp/.qBittorrent/#[0-9]*",
179 |
180 | owner /run/user/[0-9]*/bus rwk,
181 | /{,var/}run/dbus/system_bus_socket rw,
182 |
183 | signal (send) set=(term) peer=unconfined,
184 | }
185 |
186 | # kate: syntax AppArmor Security Profile; replace-tabs off; remove-trailing-spaces mod;
187 | # vim: syntax=apparmor
188 |
--------------------------------------------------------------------------------
/apparmor.d/usr.bin.thunderbird:
--------------------------------------------------------------------------------
1 | # AppArmor profile for Thunderbird
2 | # ---------------------------------------------
3 | # Author: Nibaldo Gonzalez
4 | # Last change: October 15, 2018
5 | # This AppArmor profile is based on the Firefox profile
6 | # by Jamie Strandboge
7 | # And on the Thunderbird profile
8 | # by Simon Deziel
9 |
10 | # NOTE:
11 | # - Important: Check & change the user download & desktop directories.
12 | # - By default, there is only write access to the download & desktop directories.
13 | # - This profile was designed with the intention of working
14 | # correctly in the KDE Plasma 5 desktop environment.
15 |
16 | # Requirements:
17 | # apparmor.d/tunables/confidential
18 | # apparmor.d/abstractions/flatpak-snap
19 | # apparmor.d/abstractions/open-browser
20 | # apparmor.d/abstractions/open-some-applications
21 |
22 | include
23 | include
24 |
25 | # Thunderbird directory:
26 | @{THUNB_LIBDIR} = /usr/lib{,64}/thunderbird
27 |
28 | # User directories, with write access
29 | # (downloads and desktop directories):
30 | @{USER_DIR} = @{HOME}/Descargas
31 | @{USER_DIR} += @{HOME}/Escritorio
32 |
33 | profile thunderbird /usr/lib{,64}/thunderbird/thunderbird{,*[^s][^h]} {
34 | include
35 | include
36 | include
37 | include
38 | include
39 | include
40 | include