From 994445ccfda3db457d45abb2be17caf43a0f5e59 Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig
Date: Sun, 17 Apr 2016 20:53:17 +0200
Subject: [PATCH 1/3] Imported Upstream version 0.9
From b5aa66c2393872337ac8f52b43c1904261bb4e27 Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig
Date: Sat, 19 Nov 2016 21:26:57 +0100
Subject: [PATCH 2/3] AppArmor profiles for Onionshare, written by Tails developers
---
 apparmor/abstractions/onionshare | 31 +++++++++++++++++++++++++++
 apparmor/local/usr.bin.onionshare | 2 ++
 apparmor/local/usr.bin.onionshare-gui | 2 ++
 apparmor/usr.bin.onionshare | 10 +++++++++
 apparmor/usr.bin.onionshare-gui | 26 ++++++++++++++++++++++
 5 files changed, 71 insertions(+)
 create mode 100644 apparmor/abstractions/onionshare
 create mode 100644 apparmor/local/usr.bin.onionshare
 create mode 100644 apparmor/local/usr.bin.onionshare-gui
 create mode 100644 apparmor/usr.bin.onionshare
 create mode 100644 apparmor/usr.bin.onionshare-gui
diff --git a/apparmor/abstractions/onionshare b/apparmor/abstractions/onionshare
new file mode 100644
index 00000000..d5c7c184
--- /dev/null
+++ b/apparmor/abstractions/onionshare
@@ -0,0 +1,31 @@
+#include
+#include
+#include
+
+# Why are these not in abstractions/python?
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+/bin/dash rix,
+/proc/*/mounts r,
+/proc/*/fd/ r,
+/sbin/ldconfig rix,
+/sbin/ldconfig.real rix,
+/bin/uname rix,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/tmp/ rw,
+/tmp/** rw,
+
+# Allow all user data except .gnupg, .ssh and other potential
+# places for critically sensitive application data.
+audit deny @{HOME}/.* mrwkl,
+audit deny @{HOME}/.*/ mrwkl,
+audit deny @{HOME}/.*/** mrwkl,
+owner @{HOME}/ r,
+owner @{HOME}/** r,
diff --git a/apparmor/local/usr.bin.onionshare b/apparmor/local/usr.bin.onionshare
new file mode 100644
index 00000000..6453771d
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/local/usr.bin.onionshare-gui b/apparmor/local/usr.bin.onionshare-gui
new file mode 100644
index 00000000..fa5ba3f0
--- /dev/null
+++ b/apparmor/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor/usr.bin.onionshare b/apparmor/usr.bin.onionshare
new file mode 100644
index 00000000..225e5458
--- /dev/null
+++ b/apparmor/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include
+
+/usr/bin/onionshare flags=(complain) {
+ #include
+
+ /usr/bin/ r,
+ /usr/bin/onionshare r,
+
+ #include
+}
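Review bot: The `rw` on the six `/usr/lib{,32,64}/python*/**/__pycache__/` rules lets the confined process write compiled bytecode into system library directories, and any `.pyc` planted there is loaded by every other Python program on the host, so the write half of these grants is an avoidable code-injection path should the process ever run with write access to `/usr/lib` (for instance as root). Python silently skips writing the cache when the directory is not writable, so `r` is sufficient, and the "Why are these not in abstractions/python?" comment could be answered in place with `# read-only on purpose: writing to system __pycache__ would let us plant bytecode other programs load`. In the same hunk `/tmp/ rw,` and `/tmp/** rw,` carry no `owner` qualifier, so the profile also permits reading and overwriting other users' temporary files; `owner /tmp/** rw,` is the usual restriction. The `#include` targets are stripped in this rendering, so which abstractions this file pulls in cannot be checked here.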
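Review bot: `flags=(complain)` on the `/usr/bin/onionshare` profile header means nothing in this profile, nor in whatever the stripped `#include` lines pull in, is enforced: the `audit deny @{HOME}/.*` rules of the abstraction only log, and the process keeps full access, yet neither the file nor the commit message says this is a temporary testing setting. Either drop the flag so the profile is enforced, or record the intent above the header with `# complain mode: enforcement deferred until the rule set has been exercised on real installs`. A profile shipped in complain mode is easy to mistake for protection, so the choice should be visible in the file itself.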
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
new file mode 100644
index 00000000..f41e0cd0
--- /dev/null
+++ b/apparmor/usr.bin.onionshare-gui
@@ -0,0 +1,26 @@
+#include
+
+/usr/bin/onionshare-gui flags=(complain) {
+ #include
+ #include
+ #include
+
+ /usr/bin/ r,
+ /usr/bin/onionshare-gui r,
+ /proc/*/cmdline r,
+ /usr/share/icons/Adwaita/index.theme rwk,
+
+ # Why do these still emit audit journal entries?
+ owner @{HOME}/.config/ibus/bus/ rw,
+ owner @{HOME}/.config/ibus/bus/* rw,
+ deny @{HOME}/.ICEauthority r,
+
+ deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+ deny /var/lib/dbus/machine-id.* rw,
+
+ # Accessibility support
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ #include
+}
From 9bc87b2d1f4548c7a7a26ec0c8469f13a5e1ccc9 Mon Sep 17 00:00:00 2001
From: Ulrike Uhlig
Date: Sat, 19 Nov 2016 21:27:57 +0100
Subject: [PATCH 3/3] Icons should simply be readable
---
 apparmor/usr.bin.onionshare-gui | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor/usr.bin.onionshare-gui b/apparmor/usr.bin.onionshare-gui
index f41e0cd0..ed69e832 100644
--- a/apparmor/usr.bin.onionshare-gui
+++ b/apparmor/usr.bin.onionshare-gui
@@ -8,7 +8,7 @@
 /usr/bin/ r,
 /usr/bin/onionshare-gui r,
 /proc/*/cmdline r,
- /usr/share/icons/Adwaita/index.theme rwk,
+ /usr/share/icons/Adwaita/index.theme r,
 # Why do these still emit audit journal entries?
 owner @{HOME}/.config/ibus/bus/ rw,
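Review bot: `deny /var/lib/dbus/machine-id.* rw,` cannot match `/var/lib/dbus/machine-id` itself, because AppArmor globs are not regular expressions and `.*` requires a literal dot; if the intent, suggested by the neighbouring `deny .../etc/machine-id r,`, is to keep the machine identifier out of the application's reach, this rule is a no-op and the file stays readable whenever one of the (stripped) included abstractions grants it. `deny /var/lib/dbus/machine-id{,.*} rw,` covers both spellings. In the same hunk `/proc/*/cmdline r,` is not `owner`-qualified, so the confined process may read the command line of every process on the system, which commonly carries credentials passed as arguments; `owner /proc/*/cmdline r,` is the usual form unless a wider read is genuinely needed. The `#include` targets are not visible in this rendering, so the baseline grants supplied by the abstractions cannot be confirmed here.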