Talkless/gist:261218250f45f125f8ac541e714ffcce

## gistfile1.txt
#include <tunables/global>

@{bisq_prefix} = /opt/[Bb]isq
@{bisq_java_prefix} = /usr/lib/jvm/java-[0-9][0-9]-openjdk-*
@{bisq_local_data_prefix} = @{HOME}/.local/share/[Bbisq]*
@{bisq_tor_prefix} = @{bisq_local_data_prefix}/btc_mainnet/tor

profile bisq-desktop /opt/{[Bb]isq/bisq-desktop,Bisq/Bisq} {
    #include <abstractions/X>
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/dbus-accessibility>
    #include <abstractions/dbus-session-strict>
    #include <abstractions/dconf>
    #include <abstractions/dri-enumerate>
    #include <abstractions/fonts>
    #include <abstractions/gnome>
    #include <abstractions/kde>
    #include <abstractions/mesa>
    #include <abstractions/nameservice>
    #include <abstractions/ubuntu-helpers>

    # Main executable

    @{bisq_prefix}/bisq-desktop r, # launcher script (built from source)
    @{bisq_prefix}/Bisq rix, # launcher (distributed binary)
    /{,usr/}bin/{,ba,da}sh ix, # for launcher script

    # Additioanl executables

    /{,usr/}bin/basename ix,
    /{,usr/}bin/dirname ix,
    /{,usr/}bin/ps Cx -> ps,
    /{,usr/}bin/sed Cx -> sed,
    /{,usr/}bin/uname ix,
    /{,usr/}bin/which rix,
    @{bisq_java_prefix}/bin/java ix,
    owner @{bisq_tor_prefix}/tor Cx -> tor,
    #TODO: use xdg-open (and similar) abstractions when they are available
    /usr/bin/kde-open Cx -> sanitized_helper,
    /usr/bin/xdg-open Cx -> sanitized_helper,

    # Additional libaries

    @{bisq_prefix}/**.so mr, # binary installation

    # deny ptrace

    deny ptrace (read) peer=bisq-desktop//sanitized_helper, # silence noise

    # ptrace

    ptrace (read) peer=bisq-desktop//ps,
    ptrace (read,trace) peer=bisq-desktop//tor,
    ptrace (trace) peer=bisq-desktop,

    # Signals

    signal send set=(term) peer=bisq-desktop//tor,

    # Denied files

    deny @{HOME}/.oracle_jre_usage/ w, # written by Java of binary installation
    deny @{HOME}/.oracle_jre_usage/*.timestamp w, # written by Java of binary installation

    # System files

    /etc/java-[0-9][0-9]-openjdk/** r,
    /etc/lsb-release r, # for crash handler
    /etc/ssl/certs/java/cacerts r,
    /etc/timezone r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.{cfs_quota_us,cfs_period_us,shares} r,
    /sys/fs/cgroup/cpuset/{cpuset.cpus,cpuset.mems} r, # for crash handler
    /sys/fs/cgroup/memory/memory.limit_in_bytes r,
    /sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/session-[0-9]*{,[0-9]}.scope/memory.limit_in_bytes r,
    /sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/user\@@{uid}.service/memory.{limit_in_bytes,max_usage_in_bytes,soft_limit_in_bytes,usage_in_bytes} r,
    /sys/fs/cgroup/memory/{memory.soft_limit_in_bytes,memory.usage_in_bytes,memory.max_usage_in_bytes} r, # for crash handler
    /usr/share/java/java-atk-wrapper.jar r,
    @{PROC}/@{pids}/net/if_inet6 r,
    @{PROC}/@{pids}/net/ipv6_route r,
    @{PROC}/@{pids}/stat r,
    @{PROC}/loadavg r, # for crash handler
    @{PROC}/sys/kernel/{core_pattern,pid_max,threads-max} r, # for crash handler
    @{PROC}/sys/vm/max_map_count r, # for crash handler
    @{bisq_java_prefix}/lib/server/*.jsa mr,
    @{bisq_prefix}/** r,
    @{bisq_prefix}/app/hs_err_pid[0-9]*.log rw, # for crash handler (binary installation)

    # User files

    owner /tmp/hsperfdata_*/{,*} rw,
    owner /tmp/xauth-@{uid}-_[0-9]*{,[0-9]} r, # TODO: move into X abstraction?
    owner /{,var/}run/user/@{uid}/dconf/user rw,
    owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/ w,
    owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/fcinfo*.{properties,tmp} rw,
    owner @{HOME}/.openjfx/ w,
    owner @{HOME}/.openjfx/cache/ w,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/ rw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libdecora_sse.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglass.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglassgtk3.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_freetype.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_pango.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_es2.so mrw,
    owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_sw.so mrw,
    owner @{PROC}/@{pid}/cgroup r,
    owner @{PROC}/@{pid}/cmdline r,
    owner @{PROC}/@{pid}/coredump_filter rw,
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/mountinfo r,
    owner @{bisq_local_data_prefix}/{,**} rwk,

    ###
    # Backported dri-common abstraction from a5e74c3be31fd5ed179c621308847aedd93fcf63
    # TODO: remove in >=2.13.3 profile
    /usr/share/drirc.d/{,*.conf}    r,
    ### End of backport

    profile ps {
        #include <abstractions/base>

        # ptrace

        ptrace (read),

        # Main executable

        /{,usr/}bin/ps mr,

        # System files

        /dev/tty r,
        /etc/nsswitch.conf r,
        /etc/passwd r,
        @{PROC}/ r,
        @{PROC}/@{pids}/{cmdline,stat} r,
        @{PROC}/sys/kernel/{osrelease,pid_max} r,
        @{PROC}/tty/drivers r,
        @{PROC}/uptime r,

    }

    profile sed {
        #include <abstractions/base>

        # Main executable

        /{,usr/}bin/sed mr,

    }

    profile tor {
        #include <abstractions/base>
        #include <abstractions/openssl>

        # Main executable

        owner @{bisq_tor_prefix}/tor mr,

        # Networking

        network netlink raw,
        network tcp,
        network udp,

        # Signals

        signal receive set=(term) peer=bisq-desktop,

        # System files

        @{PROC}/sys/kernel/random/uuid r,

        # User files

        owner @{bisq_tor_prefix}/** r,
        owner @{bisq_tor_prefix}/*{.tmp,.new} rw,
        owner @{bisq_tor_prefix}/.tor/*{.tmp,.new} rw,
        owner @{bisq_tor_prefix}/.tor/control_auth_cookie rw,
        owner @{bisq_tor_prefix}/cached-certs rw,
        owner @{bisq_tor_prefix}/cached-microdesc-consensus rw,
        owner @{bisq_tor_prefix}/cached-microdescs rw,
        owner @{bisq_tor_prefix}/lock rwk,
        owner @{bisq_tor_prefix}/pid rw,
        owner @{bisq_tor_prefix}/state rw,
        owner @{bisq_tor_prefix}/state.tmp rw,
        owner @{bisq_tor_prefix}/unverified-microdesc-consensus rw,
        owner @{bisq_tor_prefix}/{,**/} rw, # create subdirs
    }

}
	#include <tunables/global>

	@{bisq_prefix} = /opt/[Bb]isq
	@{bisq_java_prefix} = /usr/lib/jvm/java-[0-9][0-9]-openjdk-*
	@{bisq_local_data_prefix} = @{HOME}/.local/share/[Bbisq]*
	@{bisq_tor_prefix} = @{bisq_local_data_prefix}/btc_mainnet/tor

	profile bisq-desktop /opt/{[Bb]isq/bisq-desktop,Bisq/Bisq} {
	#include <abstractions/X>
	#include <abstractions/audio>
	#include <abstractions/base>
	#include <abstractions/dbus-accessibility>
	#include <abstractions/dbus-session-strict>
	#include <abstractions/dconf>
	#include <abstractions/dri-enumerate>
	#include <abstractions/fonts>
	#include <abstractions/gnome>
	#include <abstractions/kde>
	#include <abstractions/mesa>
	#include <abstractions/nameservice>
	#include <abstractions/ubuntu-helpers>

	# Main executable

	@{bisq_prefix}/bisq-desktop r, # launcher script (built from source)
	@{bisq_prefix}/Bisq rix, # launcher (distributed binary)
	/{,usr/}bin/{,ba,da}sh ix, # for launcher script

	# Additioanl executables

	/{,usr/}bin/basename ix,
	/{,usr/}bin/dirname ix,
	/{,usr/}bin/ps Cx -> ps,
	/{,usr/}bin/sed Cx -> sed,
	/{,usr/}bin/uname ix,
	/{,usr/}bin/which rix,
	@{bisq_java_prefix}/bin/java ix,
	owner @{bisq_tor_prefix}/tor Cx -> tor,
	#TODO: use xdg-open (and similar) abstractions when they are available
	/usr/bin/kde-open Cx -> sanitized_helper,
	/usr/bin/xdg-open Cx -> sanitized_helper,

	# Additional libaries

	@{bisq_prefix}/**.so mr, # binary installation

	# deny ptrace

	deny ptrace (read) peer=bisq-desktop//sanitized_helper, # silence noise

	# ptrace

	ptrace (read) peer=bisq-desktop//ps,
	ptrace (read,trace) peer=bisq-desktop//tor,
	ptrace (trace) peer=bisq-desktop,

	# Signals

	signal send set=(term) peer=bisq-desktop//tor,

	# Denied files

	deny @{HOME}/.oracle_jre_usage/ w, # written by Java of binary installation
	deny @{HOME}/.oracle_jre_usage/*.timestamp w, # written by Java of binary installation

	# System files

	/etc/java-[0-9][0-9]-openjdk/** r,
	/etc/lsb-release r, # for crash handler
	/etc/ssl/certs/java/cacerts r,
	/etc/timezone r,
	/sys/fs/cgroup/cpu,cpuacct/cpu.{cfs_quota_us,cfs_period_us,shares} r,
	/sys/fs/cgroup/cpuset/{cpuset.cpus,cpuset.mems} r, # for crash handler
	/sys/fs/cgroup/memory/memory.limit_in_bytes r,
	/sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/session-[0-9]*{,[0-9]}.scope/memory.limit_in_bytes r,
	/sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/user\@@{uid}.service/memory.{limit_in_bytes,max_usage_in_bytes,soft_limit_in_bytes,usage_in_bytes} r,
	/sys/fs/cgroup/memory/{memory.soft_limit_in_bytes,memory.usage_in_bytes,memory.max_usage_in_bytes} r, # for crash handler
	/usr/share/java/java-atk-wrapper.jar r,
	@{PROC}/@{pids}/net/if_inet6 r,
	@{PROC}/@{pids}/net/ipv6_route r,
	@{PROC}/@{pids}/stat r,
	@{PROC}/loadavg r, # for crash handler
	@{PROC}/sys/kernel/{core_pattern,pid_max,threads-max} r, # for crash handler
	@{PROC}/sys/vm/max_map_count r, # for crash handler
	@{bisq_java_prefix}/lib/server/*.jsa mr,
	@{bisq_prefix}/** r,
	@{bisq_prefix}/app/hs_err_pid[0-9]*.log rw, # for crash handler (binary installation)

	# User files

	owner /tmp/hsperfdata_/{,} rw,
	owner /tmp/xauth-@{uid}-_[0-9]*{,[0-9]} r, # TODO: move into X abstraction?
	owner /{,var/}run/user/@{uid}/dconf/user rw,
	owner @{HOME}/.java/fonts/[0-9].[0-9].[0-9]*/ w,
	owner @{HOME}/.java/fonts/[0-9].[0-9].[0-9]/fcinfo.{properties,tmp} rw,
	owner @{HOME}/.openjfx/ w,
	owner @{HOME}/.openjfx/cache/ w,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/ rw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libdecora_sse.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglass.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglassgtk3.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_freetype.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_pango.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_es2.so mrw,
	owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_sw.so mrw,
	owner @{PROC}/@{pid}/cgroup r,
	owner @{PROC}/@{pid}/cmdline r,
	owner @{PROC}/@{pid}/coredump_filter rw,
	owner @{PROC}/@{pid}/fd/ r,
	owner @{PROC}/@{pid}/mountinfo r,
	owner @{bisq_local_data_prefix}/{,**} rwk,

	###
	# Backported dri-common abstraction from a5e74c3be31fd5ed179c621308847aedd93fcf63
	# TODO: remove in >=2.13.3 profile
	/usr/share/drirc.d/{,*.conf} r,
	### End of backport

	profile ps {
	#include <abstractions/base>

	# ptrace

	ptrace (read),

	# Main executable

	/{,usr/}bin/ps mr,

	# System files

	/dev/tty r,
	/etc/nsswitch.conf r,
	/etc/passwd r,
	@{PROC}/ r,
	@{PROC}/@{pids}/{cmdline,stat} r,
	@{PROC}/sys/kernel/{osrelease,pid_max} r,
	@{PROC}/tty/drivers r,
	@{PROC}/uptime r,

	}

	profile sed {
	#include <abstractions/base>

	# Main executable

	/{,usr/}bin/sed mr,

	}

	profile tor {
	#include <abstractions/base>
	#include <abstractions/openssl>

	# Main executable

	owner @{bisq_tor_prefix}/tor mr,

	# Networking

	network netlink raw,
	network tcp,
	network udp,

	# Signals

	signal receive set=(term) peer=bisq-desktop,

	# System files

	@{PROC}/sys/kernel/random/uuid r,

	# User files

	owner @{bisq_tor_prefix}/** r,
	owner @{bisq_tor_prefix}/*{.tmp,.new} rw,
	owner @{bisq_tor_prefix}/.tor/*{.tmp,.new} rw,
	owner @{bisq_tor_prefix}/.tor/control_auth_cookie rw,
	owner @{bisq_tor_prefix}/cached-certs rw,
	owner @{bisq_tor_prefix}/cached-microdesc-consensus rw,
	owner @{bisq_tor_prefix}/cached-microdescs rw,
	owner @{bisq_tor_prefix}/lock rwk,
	owner @{bisq_tor_prefix}/pid rw,
	owner @{bisq_tor_prefix}/state rw,
	owner @{bisq_tor_prefix}/state.tmp rw,
	owner @{bisq_tor_prefix}/unverified-microdesc-consensus rw,
	owner @{bisq_tor_prefix}/{,**/} rw, # create subdirs
	}

	}