Merge branch 'apparmor' of https://github.com/u451f/onionshare into u451f-apparmor
commit
f2dbced33d
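--- a/apparmor/abstractions/onionshare
+++ b/apparmor/abstractions/onionshare
@@ -0,0 +1,31 @@
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/python>
+
+# Why are these not in abstractions/python?
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
+/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
+
+/bin/dash rix,
+/proc/*/mounts r,
+/proc/*/fd/ r,
+/sbin/ldconfig rix,
+/sbin/ldconfig.real rix,
+/bin/uname rix,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}etc/mime.types r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/ r,
+/{,lib/live/mount/rootfs/filesystem.squashfs/}usr/share/onionshare/** r,
+/tmp/ rw,
+/tmp/** rw,
+
+# Allow all user data except .gnupg, .ssh and other potential
+# places for critically sensitive application data.
+audit deny @{HOME}/.* mrwkl,
+audit deny @{HOME}/.*/ mrwkl,
+audit deny @{HOME}/.*/** mrwkl,
+owner @{HOME}/ r,
+owner @{HOME}/** r,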
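Review bot: The `/tmp/ rw,` and `/tmp/** rw,` rules have no `owner` qualifier, so under an enforced profile the process may still read and write any temp file that ordinary file permissions allow, including files created by other users or services; `owner /tmp/** rw,` would restrict it to its own files. The six `__pycache__` rules grant write access to bytecode caches under `/usr/lib`, which is presumably why the stock python abstraction leaves them out: a confined process, especially one started as root, should not be able to rewrite bytecode that other Python programs later load. Reducing those rules to read-only, for example `/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* r,`, answers the question in the comment without widening the profile.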
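--- a/apparmor/local/usr.bin.onionshare
+++ b/apparmor/local/usr.bin.onionshare
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare.
+# For more details, please see /etc/apparmor.d/local/README.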
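--- a/apparmor/local/usr.bin.onionshare-gui
+++ b/apparmor/local/usr.bin.onionshare-gui
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.bin.onionshare-gui.
+# For more details, please see /etc/apparmor.d/local/README.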
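--- a/apparmor/usr.bin.onionshare
+++ b/apparmor/usr.bin.onionshare
@@ -0,0 +1,10 @@
+#include <tunables/global>
+
+/usr/bin/onionshare flags=(complain) {
+#include <abstractions/onionshare>
+
+/usr/bin/ r,
+/usr/bin/onionshare r,
+
+#include <local/usr.bin.onionshare>
+}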
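Review bot: `flags=(complain)` on the profile line means the allow rules are not enforced: accesses outside the profile are logged and then permitted, and only the explicit `deny` rules pulled in from `abstractions/onionshare` still block. Nothing in the file says this is a tuning phase, so a packager could ship it believing OnionShare is confined. A comment above the profile line such as `# complain mode while the rule set is tuned; remove flags=(complain) to enforce` would make the status explicit. The same applies to `apparmor/usr.bin.onionshare-gui`.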
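--- a/apparmor/usr.bin.onionshare-gui
+++ b/apparmor/usr.bin.onionshare-gui
@@ -0,0 +1,26 @@
+#include <tunables/global>
+
+/usr/bin/onionshare-gui flags=(complain) {
+#include <abstractions/gnome>
+#include <abstractions/ibus>
+#include <abstractions/onionshare>
+
+/usr/bin/ r,
+/usr/bin/onionshare-gui r,
+/proc/*/cmdline r,
+/usr/share/icons/Adwaita/index.theme r,
+
+# Why do these still emit audit journal entries?
+owner @{HOME}/.config/ibus/bus/ rw,
+owner @{HOME}/.config/ibus/bus/* rw,
+deny @{HOME}/.ICEauthority r,
+
+deny /{,lib/live/mount/rootfs/filesystem.squashfs/}etc/machine-id r,
+deny /var/lib/dbus/machine-id.* rw,
+
+# Accessibility support
+owner /{,var/}run/user/*/at-spi2-*/ rw,
+owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+#include <local/usr.bin.onionshare-gui>
+}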
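Review bot: The two `owner @{HOME}/.config/ibus/bus/` allow rules cannot take effect, because `abstractions/onionshare` contains `audit deny @{HOME}/.*/** mrwkl,` and in AppArmor a deny rule always overrides an allow rule; the `audit` prefix on that deny is also what forces the journal entries the comment asks about. The same globs already cover `@{HOME}/.ICEauthority`, so `deny @{HOME}/.ICEauthority r,` is redundant and does not silence the logging. Permitting the ibus directory would require narrowing the abstraction's deny rules to the sensitive directories its comment names (`.gnupg`, `.ssh`) instead of every dotfile. Replacing the question with `# denied and audited by the @{HOME}/.* rules in abstractions/onionshare; deny overrides allow` would record the cause. Presumably any OnionShare settings stored in a dot-directory under the home are blocked the same way, which is worth confirming before the profile is enforced.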