From ec1266fb9ee65e1309b222847ff7661827b9104f Mon Sep 17 00:00:00 2001
From: Roman Beslik
Date: Fri, 4 Oct 2024 12:52:39 +0300
Subject: [PATCH] aMule, a file sharing program; not all executables

---
 apparmor.d/abstractions/app-open | 1 +
 apparmor.d/profiles-a-f/alc | 24 +++++++++++++++
 apparmor.d/profiles-a-f/alcc | 20 ++++++++++++
 apparmor.d/profiles-a-f/amule | 53 ++++++++++++++++++++++++++++++++
 apparmor.d/profiles-a-f/cas | 25 +++++++++++++++
 apparmor.d/profiles-a-f/ed2k | 22 +++++++++++++
 apparmor.d/profiles-a-f/fileview | 26 ++++++++++++++++
 7 files changed, 171 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/alc
 create mode 100644 apparmor.d/profiles-a-f/alcc
 create mode 100644 apparmor.d/profiles-a-f/amule
 create mode 100644 apparmor.d/profiles-a-f/cas
 create mode 100644 apparmor.d/profiles-a-f/ed2k
 create mode 100644 apparmor.d/profiles-a-f/fileview

diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index c47c7ca69..6752e46c1 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -26,6 +26,7 @@
   @{text_editors_path} rPUx,
 
   # Others
+  @{bin}/amule rPx,
   @{bin}/blueman-tray rPx,
   @{bin}/discord{,-ptb} rPx,
   @{bin}/draw.io rPUx,
diff --git a/apparmor.d/profiles-a-f/alc b/apparmor.d/profiles-a-f/alc
new file mode 100644
index 000000000..a7dcbba6c
--- /dev/null
+++ b/apparmor.d/profiles-a-f/alc
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/alc
+profile alc @{exec_path} {
+  include
+  include
+  include
+  include
+  include
+
+  @{exec_path} mr,
+
+  @{user_documents_dirs}/{,**} rw,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/alcc b/apparmor.d/profiles-a-f/alcc
new file mode 100644
index 000000000..71f34d550
--- /dev/null
+++ b/apparmor.d/profiles-a-f/alcc
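Review bot: In the alc profile, `@{user_documents_dirs}/{,**} rw,` carries no `owner` qualifier and grants write access to the whole documents tree, while every other home-directory rule in this patch (amule, cas, ed2k, fileview) is `owner`-scoped. If alc only reads the files it is pointed at (presumably to hash them into links), `owner @{user_documents_dirs}/{,**} r,` is the least-privilege form; keep `rw` only if alc is known to save something there, and say so in a comment above the rule. The abstraction names in the `include` lines are not visible on this page, so I cannot tell whether one of them already covers user files.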
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/alcc
+profile alcc @{exec_path} {
+  include
+  include
+  include
+
+  @{exec_path} mr,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule
new file mode 100644
index 000000000..166f7e89d
--- /dev/null
+++ b/apparmor.d/profiles-a-f/amule
@@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/amule
+profile amule @{exec_path} {
+  include
+  include
+  include
+  include
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
+  @{sh_path} Cx -> shell,
+
+  # Previewing files isn't allowed
+  # because aMule opens viewers directly instead of via `xdg-open`.
+  # If aMule uses `xdg-open` in your time,
+  # uncomment the following line to allow previewing files.
+  # @{open_path} rPx -> child-open,
+
+  @{exec_path} mr,
+  @{system_share_dirs}/amule/{,**} r,
+  owner @{HOME}/.aMule/{,**} rwk,
+
+  include if exists
+
+  profile shell flags=(attach_disconnected) {
+    include
+
+    network inet dgram,
+    network inet stream,
+    network inet6 dgram,
+    network inet6 stream,
+
+    @{bin}/uname rPx,
+
+    @{sh_path} mr,
+
+    deny /dev/tty rw,
+    deny @{HOME}/.aMule/{,**} rw, # file_inherit
+  }
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/cas b/apparmor.d/profiles-a-f/cas
new file mode 100644
index 000000000..d269870f6
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cas
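Review bot: The alcc profile grants no file access at all beyond `@{exec_path} mr,`, yet alcc, like alc in the same patch, presumably takes the files it should process as command-line arguments; unless one of its three (elided) includes is a user-files abstraction, the tool's main operation will be denied. Consider mirroring alc with `owner @{user_documents_dirs}/{,**} r,` and, as fileview does, a comment stating that the paths come from the command line so the rule's scope is understood. If the includes already cover this, a one-line comment saying which one does would save the next reader the same question.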
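Review bot: The `network inet ...` and `network inet6 ...` rules inside the `shell` child profile of amule have no stated reason, and a shell whose only permitted program is `@{bin}/uname rPx,` should not need network access of its own. If they exist only to silence denials for sockets the child inherits from aMule across the `Cx` transition, annotate them `# file_inherit` as the `deny @{HOME}/.aMule/{,**} rw,` line already is, so nobody later widens them into a real capability. It would also help to record above `@{sh_path} Cx -> shell,` what aMule spawns `sh` for, since the child's allow-list suggests it is a single `uname` invocation but the page does not show this. The child profile also has no `include if exists` local-override line of its own, unlike the parent; confirm against the repository's convention for child profiles.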
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/cas
+profile cas @{exec_path} {
+  include
+  include
+
+  @{exec_path} mr,
+
+  @{system_share_dirs}/cas/{,**} r,
+
+  owner @{HOME}/.aMule/aMule-online-sign.html w,
+  owner @{HOME}/.aMule/amulesig.dat r,
+  owner @{HOME}/.aMule/casrc rw,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/ed2k b/apparmor.d/profiles-a-f/ed2k
new file mode 100644
index 000000000..8da00da2a
--- /dev/null
+++ b/apparmor.d/profiles-a-f/ed2k
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ed2k
+profile ed2k @{exec_path} {
+  include
+  include
+
+  @{exec_path} mr,
+
+  owner @{HOME}/.aMule/ED2KLinks w,
+  owner @{HOME}/.aMule/ED2KLinks_lock wk,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/fileview b/apparmor.d/profiles-a-f/fileview
new file mode 100644
index 000000000..438528a5d
--- /dev/null
+++ b/apparmor.d/profiles-a-f/fileview
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/fileview
+profile fileview @{exec_path} {
+  include
+  include
+
+  @{exec_path} mr,
+
+  # This program parses aMule internal data files like "server.met".
+  # The paths to these files are given as arguments.
+  # The following directories are those that users likely want to read.
+  # However, this program is usable without the permissions below.
+  owner @{HOME}/.aMule/{,**} r,
+  @{user_documents_dirs}/{,**} r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
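Review bot: The ed2k profile carries no comment explaining its two rules, unlike fileview in the same patch, and since this helper is presumably handed an ed2k:// link originating from a browser or desktop handler, a reader should not have to guess why write-only access to `ED2KLinks` is enough. Suggest a comment above the `owner` rules such as `# Appends the link given on the command line to the queue file polled by the running aMule; no read access needed` — confirm the append-only behaviour against the tool before committing to that wording. The tight allow-list itself is the right shape for a handler that processes untrusted link strings.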
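Review bot: In fileview, `@{user_documents_dirs}/{,**} r,` has no `owner` qualifier while the rule directly above it, `owner @{HOME}/.aMule/{,**} r,`, does; both exist for the same reason the comment gives (user-chosen input paths), so the difference looks accidental rather than intended. Suggest `owner @{user_documents_dirs}/{,**} r,` for consistency and least privilege. If reading other users' documents is really wanted, a one-line comment saying so would stop the next reviewer from making the same change.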