# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only
#
# AppArmor profile for the RustDesk remote-desktop binary plus the child
# profiles it transitions into (sudo, python/pynput helper, shell helper).
#
# NOTE(review): every `abi` / `include` / `include if exists` directive below
# has lost its `<...>` argument (most likely the angle-bracketed targets were
# stripped as markup when this page was extracted). The profile will not parse
# until those targets are restored from upstream; they are left untouched here
# rather than guessed.

abi ,

include 

# Path of the RustDesk binary. This variable is reused by the
# rustdesk_pynput_service profile further down (see the note there).
@{exec_path} = /{,usr/}{,local/}bin/rustdesk
profile rustdesk @{exec_path} {
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include
  include

  # Bypass DAC ownership/mode checks. These are broad; combined with the
  # non-`owner` file rules below they are what let the root-run service and
  # the per-user GUI instance share one profile.
  capability dac_read_search,
  capability dac_override,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # discovery
  # Accessibility (AT-SPI) bus: restricted to the Registry peer except for the
  # inbound Properties.Set, which is accepted from any peer name (`:*`).
  dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry),
  dbus (send) bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents peer=(name=org.a11y.atspi.Registry),
  dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} peer=(name=org.a11y.atspi.Registry),
  dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set peer=(name=:*),

  @{exec_path} mrix,

  # Helpers that run under their own profiles (Px = profile transition,
  # environment scrubbed).
  /{,usr/}bin/w rPx,
  /{,usr/}bin/ps rPx,
  /{,usr/}bin/whoami rPx,
  /{,usr/}bin/loginctl rPx,
  # curl and ls inherit THIS profile (ix), i.e. they run with the same
  # capabilities, network and /proc access granted here.
  /{,usr/}bin/curl rix,
  /{,usr/}bin/ls rix,
  # Interpreters are sent to dedicated child profiles rather than inheriting.
  /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,
  /{,usr/}bin/{,ba,da}sh rPx -> rustdesk_shell,

  /etc/gdm{,3}/custom.conf r,

  owner @{HOME}/.local/ w,
  owner @{user_share_dirs}/ w,
  owner @{user_share_dirs}/logs/ w,
  owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
  owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,

  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,

  @{PROC}/uptime r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,

  # grep ps
  # Process enumeration: no `owner` qualifier, plus sys_ptrace + ptrace(read),
  # so every process's stat/cmdline/environ/io is readable, not just the
  # caller's own. `environ` in particular can expose secrets of other users'
  # processes. NOTE(review): presumably needed to locate session variables of
  # other users' processes -- confirm, and narrow to `owner` if it is not.
  @{PROC} r,
  capability sys_ptrace,
  ptrace (read),
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/environ r,
  @{PROC}/@{pid}/io r,
  @{PROC}/@{pid}/task/ r,
  @{PROC}/@{pid}/task/@{tid}/stat r,
  @{PROC}/@{pid}/task/@{tid}/io r,
  @{PROC}/@{pid}/task/@{tid}/status r,

  # service and GUI intercommunication
  # X authority cookies of several display managers are readable; the
  # /tmp/rustdesk tree is deliberately not `owner`-restricted because the
  # root service and the user GUI both use it (see the sudo child profile).
  @{HOME}/.Xauthority r,
  @{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r,
  @{run}/user/@{uid}/gdm{,3}/Xauthority r,
  /tmp/[rR]ust[dD]esk/{,**} rw,
  /tmp/.X11-unix/ r,
  /var/lib/lightdm/.Xauthority r,

  # pulse
  /dev/shm/ r,
  /etc/pulse/client.conf r,
  /etc/pulse/client.conf.d/{,*} r,
  owner @{run}/user/@{uid}/pulse/ r,
  owner @{run}/user/@{uid}/pulse/native rw,
  owner @{user_config_dirs}/pulse/ rw,
  owner @{user_config_dirs}/pulse/cookie rwk,
  owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw,
  owner /tmp/pulse-*/ rw,

  # gtk-tiny
  /usr/share/themes/{,**} r,
  /etc/gtk-3.0/settings.ini r,
  /usr/share/themes/*/gtk-3.0/gtk.css r,

  # file transfer
  # Only the user's own ~/RustDesk tree is writable; read on @{HOME}/ itself
  # is required for the directory listing.
  owner @{HOME}/ r, # fails otherwise
  owner @{HOME}/[rR]ust[dD]esk/{,**} rw,

  # file_inherit, X-tiny
  owner @{HOME}/.xsession-errors w,

  # Do not reveal username (pop-up only)
  # Left disabled: enabling it blocks the username lookup used by a pop-up.
  # deny /etc/passwd r,

  # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary.
  # In that client-only setup the `deny` below can replace the sudo child
  # profile entirely, removing the privilege-escalation path from this profile.
  # deny /{,usr/}bin/sudo x,
  /{,usr/}bin/sudo rCx -> sudo,
  # Child profile for sudo. It is the only path by which this profile reaches
  # root; note that it transitions straight back into the `rustdesk` profile
  # (rPx below), so the root-run instance is confined by the same rules as the
  # user GUI, not by a tighter dedicated profile.
  profile sudo {
    include
    include
    include
    include
    include

    capability sys_resource,
    capability setuid,
    capability setgid,
    capability audit_write,

    network netlink raw,

    /{,usr/}bin/sudo r,

    /etc/sudo.conf r,
    /etc/sudoers r,
    /etc/pam.d/* r,
    /etc/login.defs r,
    # NOTE(review): presumably required by PAM password authentication inside
    # sudo -- confirm; this is the most sensitive read in the file.
    /etc/shadow r,
    /etc/security/capability.conf r,
    /etc/security/limits.conf r,
    /etc/security/limits.d/{,*} r,
    /etc/security/pam_env.conf r,
    /etc/sudoers.d/{,*} r,
    /etc/environment r,
    /etc/default/locale r,

    @{lib}/sudo/libsudo_util.so* mr,
    @{lib}/sudo/sudoers.so mr,

    @{PROC}/1/limits r,
    owner @{PROC}/@{pid}/stat r,
    owner @{PROC}/@{pid}/fd/ r,

    # Targets sudo is allowed to launch as root; anything else is denied.
    /{,usr/}{,local/}bin/rustdesk rPx,
    /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,

    include if exists
  }

  include if exists
}

# Profile attached to the pynput helper script itself (reached via rPx from
# rustdesk_python).
# NOTE(review): `@{exec_path}` still expands to the rustdesk *binary* here, not
# to pynput_service.py -- that looks unintended; confirm whether the script /
# interpreter access is meant to come from the include or from this rule.
# Nothing here grants the /tmp/rustdesk socket that rustdesk_python opens, so
# if the service needs it, it must be provided by the (stripped) include.
profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py {
  include

  @{exec_path} r,

  include if exists
}

# Python helper launched by rustdesk (as the user) or by sudo (as root).
profile rustdesk_python {
  include
  include
  include

  # Same DAC bypass as the parent profile; inherited by the shell and chmod
  # below (ix), since this profile does NOT route shells to rustdesk_shell the
  # way the main profile does.
  capability dac_read_search,
  capability dac_override,

  /{,usr/}bin/python3.[0-9]* r,
  /{,usr/}bin/{,ba,da}sh rix,
  # chmod is mediated by the `w` file rules below, so only /tmp/rustdesk/ is
  # actually modifiable.
  /{,usr/}bin/chmod rix,
  /{,usr/}bin/uname rPx,
  /usr/share/rustdesk/files/pynput_service.py rPx,

  /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
  /usr/share/[rR]ust[dD]esk/files/{,**} r,

  # Shared (non-owner) IPC socket between the root service and the user side.
  /tmp/[rR]ust[dD]esk/ w,
  /tmp/[rR]ust[dD]esk/pynput_service rw,

  @{run}/user/@{uid}/gdm{,3}/Xauthority r,

  owner @{PROC}/@{pid}/fd/ r,

  # X-tiny
  # rw on every X socket (no `owner`), together with the Xauthority reads,
  # allows connecting to any local display, which is the point of an input
  # helper but worth keeping in mind for the root-launched instance.
  /tmp/.X11-unix/* rw,
  owner @{HOME}/.xsession-errors w,
  owner @{HOME}/.Xauthority r,

  include if exists
}

# Shell helper: a restricted pipeline of text tools, explicitly without
# dac_override (contrast with rustdesk_python above).
profile rustdesk_shell {
  include

  capability sys_ptrace,
  capability dac_read_search,
  deny capability dac_override,

  ptrace (read),

  /{,usr/}bin/{,ba,da}sh r,
  /{,usr/}bin/tr rix,
  /{,usr/}bin/{,e}grep rix,
  /{,usr/}bin/tail rix,
  /{,usr/}bin/xargs rix,
  /{,usr/}bin/sed rix,
  /{,usr/}bin/cat rix,
  /{,usr/}bin/ps rPx,

  owner @{PROC}/@{pid}/fd/ r,
  # Non-owner environ read: with sys_ptrace this exposes other processes'
  # environment (may contain credentials). NOTE(review): confirm it is needed
  # for processes not owned by the caller.
  @{PROC}/@{pid}/environ r,

  include if exists
}