authorBryan Quigley <gquigs@gmail.com>2015-04-20 14:01:54 -0400
committerCaolán McNamara <caolanm@redhat.com>2015-04-21 13:05:28 +0000
commit2dc69b55f4d349cc851d1b31e5634819bed64339 (patch)
tree5cea758bba1a4e25685e716900dee4a4bab64efa /sysui
parenta497b913ba36ff52ad294223a1fda843c16ececf (diff)
Initial AppArmor profiles
Profiles and a script to help generate them for different environments. Not part of the build system, yet. Change-Id: I502705631494b124f26a71d57a2c9a9eae130fb4 Reviewed-on: https://gerrit.libreoffice.org/15452 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sysui')
-rw-r--r--sysui/desktop/apparmor/program.oosplash31
-rw-r--r--sysui/desktop/apparmor/program.open-url30
-rw-r--r--sysui/desktop/apparmor/program.senddoc35
-rw-r--r--sysui/desktop/apparmor/program.soffice.bin157
-rw-r--r--sysui/desktop/apparmor/program.xpdfimport25
-rwxr-xr-xsysui/desktop/share/apparmor.sh44
6 files changed, 322 insertions, 0 deletions
diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash
new file mode 100644
index 000000000000..80d6f588a82c
--- /dev/null
+++ b/sysui/desktop/apparmor/program.oosplash
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile libreoffice-oopslash INSTDIR-program/oosplash {
+ #include <abstractions/base>
+
+ /etc/libreoffice/ r,
+ /etc/libreoffice/** r,
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /run/nscd/passwd r,
+ /usr/lib{,32,64}/ure/bin/javaldx Cx,
+ /usr/share/libreoffice/program/* r,
+ INSTDIR-program/soffice.bin rmPUx,
+ INSTDIR-ure/bin/javaldx rmPUx,
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+ unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
+ unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
+}
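Review bot: The `rmPUx` rule on `INSTDIR-program/soffice.bin` falls back to unconfined execution when no profile for the target is loaded, so a soffice.bin profile that is missing or fails to parse silently removes confinement instead of producing a denial. Since this commit ships a profile for that binary, `INSTDIR-program/soffice.bin rmPx,` would make the failure visible. The same unconfined fallback is used for `javaldx` here, for `uri-encode` in program.senddoc, and for `bluetooth-sendto`, `lpr`, `gst-plugin-scanner` and `gnome-open-url` in program.soffice.bin; each of those deserves a deliberate choice between a dedicated profile and `ix`. Separately, the profile name `libreoffice-oopslash` looks like a typo for `libreoffice-oosplash`, and that name is what will appear in audit logs and `aa-status`.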
diff --git a/sysui/desktop/apparmor/program.open-url b/sysui/desktop/apparmor/program.open-url
new file mode 100644
index 000000000000..1d3d46638c65
--- /dev/null
+++ b/sysui/desktop/apparmor/program.open-url
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile libreoffice-open-url INSTDIR-program/open-url {
+ #include <abstractions/base>
+ #include <abstractions/ubuntu-helpers>
+
+ owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
+ #Note, usually it's lub or luc, don't know why.
+ /bin/sh rmix,
+ /bin/dash rmix,
+ /bin/bash rmix,
+ /bin/sed rmix,
+ /bin/grep rmix,
+ /usr/bin/xdg-open Cxr -> sanitized_helper,
+ /dev/null rw,
+ /usr/share/libreoffice/share/config/* r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+}
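Review bot: The rule `owner /tmp/lu** rw,` is wider than its comment describes, because `**` also matches `/` and so covers every owned path below any `/tmp` entry whose name begins with `lu`, not just the `luRRRRR.tmp` files. If the temp files are flat, `owner /tmp/lu*.tmp rw,` would cover the documented pattern; if they really sit in a `lu*.tmp/` directory, two explicit rules for the directory and its children would still be tighter. This should be confirmed against what the helper actually creates, which the hunk does not show. The same rule is repeated in program.senddoc and program.xpdfimport.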
diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/program.senddoc
new file mode 100644
index 000000000000..deb1fff5c892
--- /dev/null
+++ b/sysui/desktop/apparmor/program.senddoc
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile libreoffice-senddoc INSTDIR-/usr/lib{,32,64}/libreoffice/program/senddoc {
+ #include <abstractions/base>
+
+ owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
+ #Note, usually it's lub or luc, don't know why.
+ /bin/sh rmix,
+ /bin/dash rmix,
+ /bin/bash rmix,
+ /bin/sed rmix,
+ /usr/bin/dirname rmix,
+ /usr/bin/basename rmix,
+ /bin/grep rmix,
+ /bin/uname rmix,
+ /usr/bin/xdg-open Cxr -> sanitized_helper,
+ /usr/bin/gnome-open Cxr -> sanitized_helper,
+ /dev/null rw,
+ INSTDIR-program/uri-encode rmPUx,
+ /usr/share/libreoffice/share/config/* r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+}
+
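Review bot: The attachment path on the profile line, `INSTDIR-/usr/lib{,32,64}/libreoffice/program/senddoc`, mixes the placeholder with an absolute path, unlike the other four profiles, which use `INSTDIR-program/...`. apparmor.sh replaces `INSTDIR-` with the install root, so with the example root from the script this becomes `/usr/lib/libreoffice//usr/lib{,32,64}/libreoffice/program/senddoc`, which will not match the real binary. The profile would then never attach, and the `INSTDIR-program/senddoc rPx,` transition in program.soffice.bin would likely be denied for lack of a matching profile. The line should read `profile libreoffice-senddoc INSTDIR-program/senddoc {`.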
diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
new file mode 100644
index 000000000000..1ae2cc64d86c
--- /dev/null
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -0,0 +1,157 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Authors: Jonathan Davies <jonathan.davies@canonical.com>
+# Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+# This profile should enable the average LibreOffice user to get their
+# work done while blocking some advanced usage
+# Namely not tested and likely not working : embedded plugins,
+# Using the LibreOffice SDK and other development tasks
+# Everything else should be working
+
+#Defines all common supported file formats
+#Some obscure ones we're excluded (mostly input)
+
+#Generic
+@{libreoffice_ext} = [tT][xX][tT] #.txt
+@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF] #All the open document format
+@{libreoffice_ext} += [xX][mMsS][lL] #.xml and xsl
+@{libreoffice_ext} += [pP][dD][fF] #.pdf
+@{libreoffice_ext} += [uU][oO][fFtTsSpP] #Unified office format
+@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L} #(x)htm(l)
+
+#Images
+@{libreoffice_ext} += [jJ][pP][gG]
+@{libreoffice_ext} += [jJ][pP][eE][gG]
+@{libreoffice_ext} += [pP][nN][gG]
+@{libreoffice_ext} += [sS][vV][gG]
+@{libreoffice_ext} += [sS][vV][gG][zZ]
+@{libreoffice_ext} += [tT][iI][fF]
+@{libreoffice_ext} += [tT][iI][fF][fF]
+
+#Writer
+@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
+@{libreoffice_ext} += [rR][tT][fF]
+
+#Calc
+@{libreoffice_ext} += [xX][lL][sSwWtT]{,x,X}
+@{libreoffice_ext} += [dD][iIbB][fF] #.dif dbf
+@{libreoffice_ext} += [cCtT][sS][vV] #.tsv .csv
+@{libreoffice_ext} += [sS][lL][kK]
+
+#Impress/Draw
+@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
+@{libreoffice_ext} += [pP][oO][tT]{,m,M}
+@{libreoffice_ext} += [sS][wW][fF]
+@{libreoffice_ext} += [pP][sS][dD] #Photoshop
+
+#Math
+@{libreoffice_ext} += [mM][mM][lL]
+
+@{libo_user_dirs} = @{HOME} /mnt /media
+
+#include <tunables/global>
+
+profile libreoffice-soffice INSTDIR-program/soffice.bin {
+ #include <abstractions/private-files-strict>
+
+ #include <abstractions/audio>
+ #include <abstractions/bash>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus>
+ #include <abstractions/dbus-session>
+ #include <abstractions/dbus-accessibility>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/gnome>
+ #include <abstractions/python>
+ #include <abstractions/p11-kit>
+
+ #List directories for file browser
+ / r,
+ /**/ r,
+
+ owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
+ owner @{libo_user_dirs}/**~lock.* rw, #lock file support
+ owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
+
+ # Settings
+ /etc/libreoffice/ r,
+ /etc/libreoffice/** r,
+
+ /etc/cups/ppd/*.ppd r,
+ /proc/*/status r,
+
+ owner @{HOME}/.config/libreoffice{,dev}/** rwk,
+ owner @{HOME}/.cache/fontconfig/** rw,
+ owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
+ owner @{HOME}/.recently-used rwk,
+
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ # allow schema to be read
+ /usr/share/glib-*/schemas/ r,
+ /usr/share/glib-*/schemas/** r,
+
+ # bluetooth send to
+ network bluetooth,
+
+ /bin/sh rmix,
+ /bin/bash rmix,
+ /bin/dash rmix,
+ /usr/bin/bluetooth-sendto rmPUx,
+ /usr/bin/lpr rmPUx,
+ /usr/bin/paperconf rmix,
+
+ /dev/tty rw,
+
+ /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
+ owner @{HOME}/.cache/gstreamer-???/** rw,
+ unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
+
+ /usr/lib{,32,64}/jvm/ r,
+ /usr/lib{,32,64}/jvm/** r,
+ INSTDIR-** ra,
+ INSTDIR-**.so rm,
+ INSTDIR-program/gnome-open-url rmPUx, #This doesn't seem to be used on my install
+ INSTDIR-program/soffice.bin rmix,
+ INSTDIR-program/xpdfimport rPx,
+ INSTDIR-program/open-url rPx,
+ INSTDIR-program/senddoc rPx,
+ /usr/lib{,32,64}/ure/ r,
+ /usr/lib{,32,64}/ure/** rm,
+
+ /usr/share/java/**.jar r,
+ /usr/share/hunspell/ r,
+ /usr/share/hunspell/** r,
+ /usr/share/hyphen/ r,
+ /usr/share/hyphen/** r,
+ /usr/share/mythes/ r,
+ /usr/share/mythes/** r,
+ /usr/share/liblangtag/ r,
+ /usr/share/liblangtag/** r,
+ /usr/share/libreoffice/ r,
+ /usr/share/libreoffice/** r,
+ /usr/share/yelp-xsl/xslt/mallard/** r,
+ /usr/share/libexttextcat/* r,
+ /usr/share/icu/** r,
+ /usr/share/locale-bundle/* r,
+
+ /var/spool/libreoffice/ r,
+ /var/spool/libreoffice/** rw,
+ /var/cache/fontconfig/ rw,
+
+ #Likely moving to abstractions in the future
+ owner @{HOME}/.icons/*/cursors/* r,
+ /usr/share/*-fonts/conf.avail/*.conf r,
+ /usr/share/fonts-config/conf.avail/*.conf r,
+}
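Review bot: The rule `/proc/*/status r,` lets the office process read the status file of every process on the system, including other users', which is more than a document editor normally needs for its own bookkeeping. If only the process's own entry is required, `owner @{PROC}/@{pid}/status r,` grants that without exposing the rest of the process table. Whether LibreOffice actually inspects other PIDs is not visible in this hunk, so it is worth checking in complain mode before narrowing. A short comment on the rule saying why it is needed would also help, as most other rules in this profile have one.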
diff --git a/sysui/desktop/apparmor/program.xpdfimport b/sysui/desktop/apparmor/program.xpdfimport
new file mode 100644
index 000000000000..a83827fe3f07
--- /dev/null
+++ b/sysui/desktop/apparmor/program.xpdfimport
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+profile libreoffice-xpdfimport INSTDIR-program/xpdfimport {
+ #include <abstractions/base>
+
+ owner /tmp/* r, #Seems to need to read file created with pattern /tmp/RRRRRR
+ owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
+ #Note, usually it's lub or luc, don't know why.
+ /usr/share/poppler/** r,
+ /usr/share/libreoffice/share/config/* r,
+ owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
+}
+
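Review bot: The rule `owner /tmp/* r,` gives the PDF importer read access to every file the user owns directly in `/tmp`, while its comment says it only needs one file named like `/tmp/RRRRRR`. xpdfimport parses untrusted PDF input, so its read surface is worth keeping as small as the helper allows. If the six-character pattern in the comment holds, `owner /tmp/?????? r,` would match it without covering other applications' temp files. That should be confirmed against how soffice.bin names the file it hands over, which is not shown here.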
diff --git a/sysui/desktop/share/apparmor.sh b/sysui/desktop/share/apparmor.sh
new file mode 100755
index 000000000000..848c113f61f8
--- /dev/null
+++ b/sysui/desktop/share/apparmor.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# This file is part of the LibreOffice project.
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Canonical Ltd.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Author: Bryan Quigley <bryan.quigley@canonical.com>
+#
+# ------------------------------------------------------------------
+
+# This is a simple script to help get AppArmor working on different distros
+
+INST_ROOT=$1 #Where libreoffice program folder can be found
+PROFILESFROM=$2 #Where the profile files are
+INSTALLTO=$3 #Where should the apparmor profiles live (to be be linked to)
+INSTALL=$4 #True means try to run sudo to link (doesn't reload profiles)
+
+#For example to get this to work on Ubuntu 15.04 with stock LibreOffice:
+# ./sysui/desktop/share/apparmor.sh /usr/lib/libreoffice/ sysui/desktop/apparmor/ /mnt/store/git/libo/instdir/apparmor-testing/ true
+
+mkdir -p $INSTALLTO
+
+#Need to convert / to . for profile names
+INST_ROOT_FORMAT=${INST_ROOT/\//}
+INST_ROOT_FORMAT=${INST_ROOT_FORMAT////.}
+
+#Need to escale / for sed
+INST_ROOT_SED=${INST_ROOT////\\/}
+
+for filename in `ls $PROFILESFROM`
+do
+ tourl=$INSTALLTO$INST_ROOT_FORMAT$filename
+ cat $PROFILESFROM$filename | sed "s/INSTDIR-/$INST_ROOT_SED/g" > $tourl
+
+ if [ "$INSTALL" = true ] ; then
+ sudo rm /etc/apparmor.d/$INST_ROOT_FORMAT$filename
+ sudo ln -s $tourl /etc/apparmor.d/$INST_ROOT_FORMAT$filename
+ fi
+
+done
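Review bot: Every expansion in this script is unquoted and the three required arguments are never checked, yet the results feed `sudo rm` and `sudo ln -s` under `/etc/apparmor.d/`. With a missing argument or a path containing spaces or glob characters, the privileged commands act on paths the caller did not intend. The `for filename in` loop also parses `ls` output, and `sudo rm` without `-f` fails noisily on a first install. The sketch below validates the argument count, quotes the expansions, iterates with a glob, and replaces the link in one step. Two points are not fixed in code. The linked profiles are loaded by root from `$INSTALLTO`, so that directory should be an absolute path that only root can write. `$INST_ROOT` is still interpolated into the sed replacement, so a value containing `&` or `\` would need escaping.

```shell
# … unchanged: header and positional-argument assignments …
if [ "$#" -lt 3 ]; then
    echo "usage: $0 INST_ROOT PROFILESFROM INSTALLTO [true]" >&2
    exit 1
fi

mkdir -p -- "$INSTALLTO" || exit 1

# … unchanged: INST_ROOT_FORMAT / INST_ROOT_SED derivation …

for path in "${PROFILESFROM%/}"/*
do
    [ -f "$path" ] || continue
    filename=${path##*/}
    tourl=${INSTALLTO%/}/$INST_ROOT_FORMAT$filename
    sed "s/INSTDIR-/$INST_ROOT_SED/g" "$path" > "$tourl" || exit 1

    if [ "$INSTALL" = true ] ; then
        sudo ln -sfn -- "$tourl" "/etc/apparmor.d/$INST_ROOT_FORMAT$filename"
    fi
done
```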