aMule, a file sharing program; not all executables

2024-10-04 12:52:39 +03:00 · 2024-10-04 12:52:39 +03:00 · ec1266fb9e
commit ec1266fb9e
parent 91fc3adb63
7 changed files with 171 additions and 0 deletions
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -26,6 +26,7 @@
  @{text_editors_path}          rPUx,

  # Others
+  @{bin}/amule                  rPx,
  @{bin}/blueman-tray           rPx,
  @{bin}/discord{,-ptb}         rPx,
  @{bin}/draw.io                rPUx,
--- a/apparmor.d/profiles-a-f/alc
+++ b/apparmor.d/profiles-a-f/alc
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/alc
+profile alc @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/gnome-strict>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
+
+  @{exec_path} mr,
+
+  @{user_documents_dirs}/{,**} rw,
+
+  include if exists <local/alc>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/alcc
+++ b/apparmor.d/profiles-a-f/alcc
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/alcc
+profile alcc @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/user-download-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/alcc>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/amule
+++ b/apparmor.d/profiles-a-f/amule
@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/amule
+profile amule @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/gnome-strict>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
+  @{sh_path} Cx -> shell, 
+
+  # Previewing files isn't allowed
+  # because aMule opens viewers directly instead of via `xdg-open`.
+  # If aMule uses `xdg-open` in your time,
+  # uncomment the following line to allow previewing files.
+  # @{open_path} rPx -> child-open,
+
+  @{exec_path} mr,
+  @{system_share_dirs}/amule/{,**} r,
+  owner @{HOME}/.aMule/{,**} rwk,
+
+  include if exists <local/amule>
+
+  profile shell flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    network inet dgram,
+    network inet stream,
+    network inet6 dgram,
+    network inet6 stream,
+
+    @{bin}/uname rPx,
+
+    @{sh_path} mr,
+
+    deny /dev/tty rw,
+    deny @{HOME}/.aMule/{,**} rw, # file_inherit
+  }
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/cas
+++ b/apparmor.d/profiles-a-f/cas
@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/cas
+profile cas @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{system_share_dirs}/cas/{,**} r,
+
+  owner @{HOME}/.aMule/aMule-online-sign.html w,
+  owner @{HOME}/.aMule/amulesig.dat r,
+  owner @{HOME}/.aMule/casrc rw,
+
+  include if exists <local/cas>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/ed2k
+++ b/apparmor.d/profiles-a-f/ed2k
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ed2k
+profile ed2k @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  owner @{HOME}/.aMule/ED2KLinks w,
+  owner @{HOME}/.aMule/ED2KLinks_lock wk,
+
+  include if exists <local/ed2k>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/fileview
+++ b/apparmor.d/profiles-a-f/fileview
@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/fileview
+profile fileview @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  # This program parses aMule internal data files like "server.met".
+  # The paths to these files are given as arguments.
+  # The following directories are those that users likely want to read.
+  # However, this program is usable without the permissions below.
+  owner @{HOME}/.aMule/{,**} r,
+  @{user_documents_dirs}/{,**} r,
+
+  include if exists <local/fileview>
+}
+
+# vim:syntax=apparmor