Created
June 15, 2020 16:40
AppArmor profile for Bisq
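#include <tunables/global>

# Install locations covered by this profile: /opt/bisq and /opt/Bisq.
@{bisq_prefix} = /opt/[Bb]isq

# OpenJDK runtime that gets executed for Bisq (two-digit major version, any suffix).
@{bisq_java_prefix} = /usr/lib/jvm/java-[0-9][0-9]-openjdk-*

# Per-user data directory. Keep this pattern as narrow as possible: the profile
# grants read/write/lock on everything below it and executes the bundled tor
# binary from it. A character class such as [Bbisq]* would match every entry in
# ~/.local/share whose name starts with B, b, i, s or q, not just Bisq's own.
# NOTE(review): widen deliberately if a non-default data directory name is in use.
@{bisq_local_data_prefix} = @{HOME}/.local/share/[Bb]isq

# Tor runtime directory that Bisq keeps inside its data directory (mainnet).
@{bisq_tor_prefix} = @{bisq_local_data_prefix}/btc_mainnet/tor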
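# Confines the Bisq desktop client, whether started from the source-built
# launcher script or from the distributed binary. Helper programs either
# inherit this profile (ix) or run in one of the child profiles defined at the
# end of this block (Cx -> ps / sed / tor).
profile bisq-desktop /opt/{[Bb]isq/bisq-desktop,Bisq/Bisq} {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/dri-enumerate>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/mesa>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-helpers>

  # Main executable
  @{bisq_prefix}/bisq-desktop r, # launcher script (built from source)
  @{bisq_prefix}/Bisq rix, # launcher (distributed binary)
  /{,usr/}bin/{,ba,da}sh ix, # for launcher script

  # Additional executables
  # ix keeps the helper under this profile; Cx -> NAME moves it into the
  # child profile NAME defined further down.
  /{,usr/}bin/basename ix,
  /{,usr/}bin/dirname ix,
  /{,usr/}bin/ps Cx -> ps,
  /{,usr/}bin/sed Cx -> sed,
  /{,usr/}bin/uname ix,
  /{,usr/}bin/which rix,
  @{bisq_java_prefix}/bin/java ix,
  # The tor binary is executed from the user's data directory, which this
  # profile can also write to (see the rwk rule under "User files"). The policy
  # therefore does not protect the binary's integrity; it only bounds what the
  # process can do once it runs, through the tor child profile.
  owner @{bisq_tor_prefix}/tor Cx -> tor,

  #TODO: use xdg-open (and similar) abstractions when they are available
  # sanitized_helper is provided by abstractions/ubuntu-helpers.
  # NOTE(review): that helper profile is intentionally lenient, so whatever
  # xdg-open/kde-open launches is not held to the file rules of this profile.
  /usr/bin/kde-open Cx -> sanitized_helper,
  /usr/bin/xdg-open Cx -> sanitized_helper,

  # Additional libraries
  @{bisq_prefix}/**.so mr, # binary installation

  # deny ptrace
  deny ptrace (read) peer=bisq-desktop//sanitized_helper, # silence noise

  # ptrace
  # Every peer is one of this profile's own children or the profile itself;
  # no ptrace access to processes under other profiles is granted here.
  ptrace (read) peer=bisq-desktop//ps,
  ptrace (read,trace) peer=bisq-desktop//tor,
  ptrace (trace) peer=bisq-desktop,

  # Signals
  # Only SIGTERM, and only to the tor child; matched by the "signal receive"
  # rule inside the tor profile.
  signal send set=(term) peer=bisq-desktop//tor,

  # Denied files
  deny @{HOME}/.oracle_jre_usage/ w, # written by Java of binary installation
  deny @{HOME}/.oracle_jre_usage/*.timestamp w, # written by Java of binary installation

  # System files
  /etc/java-[0-9][0-9]-openjdk/** r,
  /etc/lsb-release r, # for crash handler
  /etc/ssl/certs/java/cacerts r,
  /etc/timezone r,
  /sys/fs/cgroup/cpu,cpuacct/cpu.{cfs_quota_us,cfs_period_us,shares} r,
  /sys/fs/cgroup/cpuset/{cpuset.cpus,cpuset.mems} r, # for crash handler
  /sys/fs/cgroup/memory/memory.limit_in_bytes r,
  /sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/session-[0-9]*{,[0-9]}.scope/memory.limit_in_bytes r,
  /sys/fs/cgroup/memory/user.slice/user-@{uid}.slice/user\@@{uid}.service/memory.{limit_in_bytes,max_usage_in_bytes,soft_limit_in_bytes,usage_in_bytes} r,
  /sys/fs/cgroup/memory/{memory.soft_limit_in_bytes,memory.usage_in_bytes,memory.max_usage_in_bytes} r, # for crash handler
  /usr/share/java/java-atk-wrapper.jar r,
  @{PROC}/@{pids}/net/if_inet6 r,
  @{PROC}/@{pids}/net/ipv6_route r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/loadavg r, # for crash handler
  @{PROC}/sys/kernel/{core_pattern,pid_max,threads-max} r, # for crash handler
  @{PROC}/sys/vm/max_map_count r, # for crash handler
  @{bisq_java_prefix}/lib/server/*.jsa mr,
  # The installation tree is read-only here, apart from the crash log below.
  @{bisq_prefix}/** r,
  @{bisq_prefix}/app/hs_err_pid[0-9]*.log rw, # for crash handler (binary installation)

  # User files
  owner /tmp/hsperfdata_*/{,*} rw,
  owner /tmp/xauth-@{uid}-_[0-9]*{,[0-9]} r, # TODO: move into X abstraction?
  owner /{,var/}run/user/@{uid}/dconf/user rw,
  owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/ w,
  owner @{HOME}/.java/fonts/[0-9]*.[0-9]*.[0-9]*/fcinfo*.{properties,tmp} rw,
  owner @{HOME}/.openjfx/ w,
  owner @{HOME}/.openjfx/cache/ w,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/ rw,
  # The native libraries in the OpenJFX cache are both writable (w) and
  # mappable as executable (m) by the confined process. The exposure is limited
  # to files owned by the user and to the fixed library names listed here; the
  # cache directory name itself only has to start with a digit.
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libdecora_sse.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglass.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libglassgtk3.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_freetype.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libjavafx_font_pango.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_es2.so mrw,
  owner @{HOME}/.openjfx/cache/[0-9]*{,[0-9]}/libprism_sw.so mrw,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/coredump_filter rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  # Read, write and lock on everything that @{bisq_local_data_prefix} expands
  # to. This is the broadest grant in the profile, so its reach is decided
  # entirely by how tightly that variable is defined.
  owner @{bisq_local_data_prefix}/{,**} rwk,

  ###
  # Backported dri-common abstraction from a5e74c3be31fd5ed179c621308847aedd93fcf63
  # TODO: remove in >=2.13.3 profile
  /usr/share/drirc.d/{,*.conf} r,
  ### End of backport

  # Child profile for ps: may list /proc and read cmdline/stat of any process,
  # plus the account and tty files listed; it has no write rules of its own.
  profile ps {
    #include <abstractions/base>

    # ptrace
    ptrace (read),

    # Main executable
    /{,usr/}bin/ps mr,

    # System files
    /dev/tty r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    @{PROC}/ r,
    @{PROC}/@{pids}/{cmdline,stat} r,
    @{PROC}/sys/kernel/{osrelease,pid_max} r,
    @{PROC}/tty/drivers r,
    @{PROC}/uptime r,
  }

  # Child profile for sed: nothing beyond the base abstraction and its own binary.
  profile sed {
    #include <abstractions/base>

    # Main executable
    /{,usr/}bin/sed mr,
  }

  # Child profile for the bundled tor. It gets network access and its own
  # state files; the wildcard rule over the tor directory is read-only, and
  # write access is given per file name (plus directory creation).
  profile tor {
    #include <abstractions/base>
    #include <abstractions/openssl>

    # Main executable
    owner @{bisq_tor_prefix}/tor mr,

    # Networking
    network netlink raw,
    network tcp,
    network udp,

    # Signals
    # Accept SIGTERM from the parent profile only.
    signal receive set=(term) peer=bisq-desktop,

    # System files
    @{PROC}/sys/kernel/random/uuid r,

    # User files
    owner @{bisq_tor_prefix}/** r,
    owner @{bisq_tor_prefix}/*{.tmp,.new} rw,
    owner @{bisq_tor_prefix}/.tor/*{.tmp,.new} rw,
    owner @{bisq_tor_prefix}/.tor/control_auth_cookie rw,
    owner @{bisq_tor_prefix}/cached-certs rw,
    owner @{bisq_tor_prefix}/cached-microdesc-consensus rw,
    owner @{bisq_tor_prefix}/cached-microdescs rw,
    owner @{bisq_tor_prefix}/lock rwk,
    owner @{bisq_tor_prefix}/pid rw,
    owner @{bisq_tor_prefix}/state rw,
    owner @{bisq_tor_prefix}/state.tmp rw,
    owner @{bisq_tor_prefix}/unverified-microdesc-consensus rw,
    owner @{bisq_tor_prefix}/{,**/} rw, # create subdirs
  }
}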