
@Talkless
Created June 15, 2020 16:40
AppArmor profile for Bisq
#include <tunables/global>
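# Installation prefix; matches both /opt/Bisq and /opt/bisq.
@{bisq_prefix} = /opt/[Bb]isq
# OpenJDK runtime directory; matches any two-digit major version and any suffix.
@{bisq_java_prefix} = /usr/lib/jvm/java-[0-9][0-9]-openjdk-*
# Per-user data directory under ~/.local/share whose name starts with "Bisq" or "bisq".
# The bracket class must stay [Bb] followed by the literal "isq": a class such
# as [Bbisq] would match ANY entry starting with B, b, i, s or q, and every
# rule built on this variable (including the recursive rwk grant in the main
# profile) would then reach unrelated applications' data.
# Tighten to [Bb]isq (no trailing *) if only the default data directory is used.
@{bisq_local_data_prefix} = @{HOME}/.local/share/[Bb]isq*
# Location of the tor files inside the data directory. Only the btc_mainnet
# subdirectory is covered; NOTE(review): other network directories, if any
# are in use, would not be matched by the tor rules - confirm.
@{bisq_tor_prefix} = @{bisq_local_data_prefix}/btc_mainnet/tor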
# AppArmor policy for the Bisq desktop client. It attaches to either launcher
# path named on the profile line below. ps, sed and the tor binary kept in the
# data directory run in the child profiles declared at the end of this block.
profile bisq-desktop /opt/{[Bb]isq/bisq-desktop,Bisq/Bisq} {
# NOTE(review): there is no explicit "network" rule in the main profile, so any
# network access it has comes from the abstractions below (nameservice is the
# likely source) - verify against the abstraction files on the target system.
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session-strict>
#include <abstractions/dconf>
#include <abstractions/dri-enumerate>
#include <abstractions/fonts>
#include <abstractions/gnome>
#include <abstractions/kde>
#include <abstractions/mesa>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-helpers>
# Exec modes used below: "ix" keeps the child under this same profile,
# "Cx -> name" switches to the named child profile.
# Main executable
@{bisq_prefix}/bisq-desktop r, # launcher script (built from source)
@{bisq_prefix}/Bisq rix, # launcher (distributed binary)
/{,usr/}bin/{,ba,da}sh ix, # for launcher script
# Additional executables
/{,usr/}bin/basename ix,
/{,usr/}bin/dirname ix,
/{,usr/}bin/ps Cx -> ps,
/{,usr/}bin/sed Cx -> sed,
/{,usr/}bin/uname ix,
/{,usr/}bin/which rix,
@{bisq_java_prefix}/bin/java ix,
# The tor binary sits inside the data directory, which this profile may also
# write (see the rwk rule under "User files"). The main profile can therefore
# replace the file it later executes; the tor child profile is what bounds the
# result. Presumably Bisq unpacks its own tor here - confirm.
owner @{bisq_tor_prefix}/tor Cx -> tor,
#TODO: use xdg-open (and similar) abstractions when they are available
# sanitized_helper is supplied by abstractions/ubuntu-helpers. It is a lenient
# profile (environment scrubbing rather than a tight sandbox), so whatever
# xdg-open/kde-open launches is not meaningfully restricted by this policy.
/usr/bin/kde-open Cx -> sanitized_helper,
/usr/bin/xdg-open Cx -> sanitized_helper,
# Additional libraries
@{bisq_prefix}/**.so mr, # binary installation
# deny ptrace
# An explicit deny both blocks the access and keeps it out of the audit log.
deny ptrace (read) peer=bisq-desktop//sanitized_helper, # silence noise
# ptrace
# Each rule names a peer, so ptrace is limited to this profile and its children.
ptrace (read) peer=bisq-desktop//ps,
ptrace (read,trace) peer=bisq-desktop//tor,
# NOTE(review): allows processes in this profile to trace one another; the
# reason is not stated here - confirm it is still required.
ptrace (trace) peer=bisq-desktop,
# Signals
# Only SIGTERM, and only to the tor child; matched by the receive rule there.
signal send set=(term) peer=bisq-desktop//tor,
# Denied files
deny @{HOME}/.oracle_jre_usage/ w, # written by Java of binary installation
deny @{HOME}/.oracle_jre_usage/*.timestamp w, # written by Java of binary installation
# System files
/etc/java-[0-9][0-9]-openjdk/** r,
/etc/lsb-release r, # for crash handler
/etc/ssl/certs/java/cacerts r,
/etc/timezone r,
/sys/fs/cgroup/cpu,cpuacct/cpu.{cfs_quota_us,cfs_period_us,shares} r,
/sys/fs/cgroup/cpuset/{cpuset.cpus,cpuset.mems} r, # for crash handler
/sys/fs/cgroup/memory/memory.limit_in_bytes r,
/sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/session-[0-9]*{,[0-9]}.scope/memory.limit_in_bytes r,
/sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/user\@@{uid}.service/memory.{limit_in_bytes,max_usage_in_bytes,soft_limit_in_bytes,usage_in_bytes} r,
/sys/fs/cgroup/memory/{memory.soft_limit_in_bytes,memory.usage_in_bytes,memory.max_usage_in_bytes} r, # for crash handler
/usr/share/java/java-atk-wrapper.jar r,
@{PROC}/@{pids}/net/if_inet6 r,
@{PROC}/@{pids}/net/ipv6_route r,
# No "owner" qualifier: stat is readable for every PID, not only Bisq's own.
@{PROC}/@{pids}/stat r,
@{PROC}/loadavg r, # for crash handler
@{PROC}/sys/kernel/{core_pattern,pid_max,threads-max} r, # for crash handler
@{PROC}/sys/vm/max_map_count r, # for crash handler
@{bisq_java_prefix}/lib/server/*.jsa mr,
# The installation tree is read-only apart from the crash log on the next rule.
@{bisq_prefix}/** r,
@{bisq_prefix}/app/hs_err_pid[0-9]*.log rw, # for crash handler (binary installation)
# User files
owner /tmp/hsperfdata_*/{,*} rw,
owner /tmp/xauth-@{uid}-_[0-9]*{,[0-9]} r, # TODO: move into X abstraction?
owner /{,var/}run/user/@{uid}/dconf/user rw,
owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/ w,
owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/fcinfo*.{properties,tmp} rw,
owner @{HOME}/.openjfx/ w,
owner @{HOME}/.openjfx/cache/ w,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/ rw,
# These libraries are both writable and mappable as executable ("mrw"), which
# weakens write-xor-execute for this directory. Listing each file by name
# rather than *.so keeps the set of such files fixed. Presumably JavaFX
# extracts its native libraries here at startup - confirm.
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libdecora_sse.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglass.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglassgtk3.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_freetype.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_pango.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_es2.so mrw,
owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_sw.so mrw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/coredump_filter rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
# Read, write and lock on the whole data tree. How far this reaches depends
# entirely on the @{bisq_local_data_prefix} glob defined at the top of the
# file, so that pattern must match nothing but Bisq's own directory.
owner @{bisq_local_data_prefix}/{,**} rwk,
###
# Backported dri-common abstraction from a5e74c3be31fd5ed179c621308847aedd93fcf63
# TODO: remove in >=2.13.3 profile
/usr/share/drirc.d/{,*.conf} r,
### End of backport
# Child profile for ps: read-only process inspection, no write rules.
profile ps {
#include <abstractions/base>
# ptrace
# No peer given, so read-level ptrace applies to any process.
ptrace (read),
# Main executable
/{,usr/}bin/ps mr,
# System files
/dev/tty r,
/etc/nsswitch.conf r,
/etc/passwd r,
@{PROC}/ r,
# Not "owner"-restricted: command lines of all processes are readable.
@{PROC}/@{pids}/{cmdline,stat} r,
@{PROC}/sys/kernel/{osrelease,pid_max} r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
}
# Child profile for sed: only the base abstraction and its own binary; no
# other file access is granted here.
profile sed {
#include <abstractions/base>
# Main executable
/{,usr/}bin/sed mr,
}
# Child profile for the tor binary in the data directory. It is the only
# profile in this file with explicit network rules, and its write access is
# limited to the state files listed below.
profile tor {
#include <abstractions/base>
#include <abstractions/openssl>
# Main executable
# Read and map only; none of the write rules below match the binary itself.
owner @{bisq_tor_prefix}/tor mr,
# Networking
network netlink raw,
network tcp,
network udp,
# Signals
# Accepts SIGTERM from the parent profile only.
signal receive set=(term) peer=bisq-desktop,
# System files
@{PROC}/sys/kernel/random/uuid r,
# User files
# Everything under the tor directory is readable; writes are granted per file.
owner @{bisq_tor_prefix}/** r,
owner @{bisq_tor_prefix}/*{.tmp,.new} rw,
owner @{bisq_tor_prefix}/.tor/*{.tmp,.new} rw,
owner @{bisq_tor_prefix}/.tor/control_auth_cookie rw,
owner @{bisq_tor_prefix}/cached-certs rw,
owner @{bisq_tor_prefix}/cached-microdesc-consensus rw,
owner @{bisq_tor_prefix}/cached-microdescs rw,
owner @{bisq_tor_prefix}/lock rwk,
owner @{bisq_tor_prefix}/pid rw,
owner @{bisq_tor_prefix}/state rw,
owner @{bisq_tor_prefix}/state.tmp rw,
owner @{bisq_tor_prefix}/unverified-microdesc-consensus rw,
# Trailing slash: this pattern matches directories only, not files.
owner @{bisq_tor_prefix}/{,**/} rw, # create subdirs
}
}