From 3565292642d1a8b553053cd38fa60f374a683f75 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Tue, 23 Nov 2021 02:10:00 +0300
Subject: [PATCH] Resolves #1 and #7.
---
 abstractions/3rd/network-allow | 4 +
 tunables/3rd/exts-image | 136 +++++++++++++++++++++++++++++++++
 tunables/3rd/exts-video | 69 +++++++++++++++++
 usr.bin.ristretto | 74 ++++++++++++------
 4 files changed, 258 insertions(+), 25 deletions(-)
 create mode 100644 abstractions/3rd/network-allow
 create mode 100644 tunables/3rd/exts-image
 create mode 100644 tunables/3rd/exts-video
diff --git a/abstractions/3rd/network-allow b/abstractions/3rd/network-allow
new file mode 100644
index 0000000..72b9a97
--- /dev/null
+++ b/abstractions/3rd/network-allow
@@ -0,0 +1,4 @@
+# vim:syntax=apparmor
+
+ network tcp,
+ network udp,
diff --git a/tunables/3rd/exts-image b/tunables/3rd/exts-image
new file mode 100644
index 0000000..2dad5a9
--- /dev/null
+++ b/tunables/3rd/exts-image
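Review bot: The new abstraction carries no comment stating what it grants, and `network tcp,` / `network udp,` are unqualified, so any includer gets every address family, both connect and listen, to any peer. Because usr.bin.ristretto pulls this in only through an optional `#include if exists`, this file is the one place to state the trade-off; I would add `# Opt-in: unrestricted TCP/UDP (all families, connect and listen) for pictures on network shares; leave disabled unless needed.` after the modeline. If only client traffic to shares is expected, the narrower `network inet stream,` / `network inet6 stream,` (plus the dgram pair) would still cover that use without permitting listeners.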
@@ -0,0 +1,136 @@
+# vim:syntax=apparmor
+
+@{IMAGE_EXTS} = [wW][bB][mM][pP]
+@{IMAGE_EXTS} += 3[dD][sS]
+@{IMAGE_EXTS} += [qQ][iI][fF]
+@{IMAGE_EXTS} += [wW][mM][fF]
+@{IMAGE_EXTS} += [eE][rR][fF]
+@{IMAGE_EXTS} += [pP][bB][mM]
+@{IMAGE_EXTS} += [eE][pP][sS][iI]
+@{IMAGE_EXTS} += [dD][nN][gG]
+@{IMAGE_EXTS} += [kK][tT][xX]2
+@{IMAGE_EXTS} += [gG][iI][fF]
+@{IMAGE_EXTS} += [cC][uU][rR]
+@{IMAGE_EXTS} += [xX][cC][fF].[gG][zZ]
+@{IMAGE_EXTS} += [pP][sS][dD]
+@{IMAGE_EXTS} += [dD][dD][sS]
+@{IMAGE_EXTS} += [rR][aA][wW]
+@{IMAGE_EXTS} += [xX][cC][fF]
+@{IMAGE_EXTS} += [jJ][nN][gG]
+@{IMAGE_EXTS} += [aA][gG]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]2
+@{IMAGE_EXTS} += [lL][bB][mM]
+@{IMAGE_EXTS} += [iI][cC][nN][sS]
+@{IMAGE_EXTS} += [cC][rR][wW]
+@{IMAGE_EXTS} += [hH][eE][iI][cC]
+@{IMAGE_EXTS} += [sS][kK]
+@{IMAGE_EXTS} += [jJ][pP][eE]
+@{IMAGE_EXTS} += [sS][vV][gG]
+@{IMAGE_EXTS} += [pP][nN][tT][gG]
+@{IMAGE_EXTS} += [lL][wW][oO]
+@{IMAGE_EXTS} += [eE][mM][fF]
+@{IMAGE_EXTS} += [pP][iI][cC]
+@{IMAGE_EXTS} += [mM][oO][sS]
+@{IMAGE_EXTS} += [xX][cC][fF].[bB][zZ]2
+@{IMAGE_EXTS} += [fF][iI][tT][sS]
+@{IMAGE_EXTS} += [eE][pP][sS][iI].[gG][zZ]
+@{IMAGE_EXTS} += [fF][iI][gG]
+@{IMAGE_EXTS} += [jJ][pP][mM]
+@{IMAGE_EXTS} += [pP][aA][tT]
+@{IMAGE_EXTS} += [kK][tT][xX]
+@{IMAGE_EXTS} += [eE][pP][sS]
+@{IMAGE_EXTS} += [gG]3
+@{IMAGE_EXTS} += [rR][lL][eE]
+@{IMAGE_EXTS} += [lL][wW][sS]
+@{IMAGE_EXTS} += [vV][dD][aA]
+@{IMAGE_EXTS} += [aA][vV][iI][fF][sS]
+@{IMAGE_EXTS} += [bB][mM][qQ]
+@{IMAGE_EXTS} += [lL][wW][oO][bB]
+@{IMAGE_EXTS} += [dD][jJ][vV]
+@{IMAGE_EXTS} += [sS][rR]2
+@{IMAGE_EXTS} += [sS][gG][iI]
+@{IMAGE_EXTS} += [jJ]2[cC]
+@{IMAGE_EXTS} += [jJ][pP][fF]
+@{IMAGE_EXTS} += [iI][cC][oO]
+@{IMAGE_EXTS} += [eE][pP][sS][fF].[gG][zZ]
+@{IMAGE_EXTS} += [eE][xX][rR]
+@{IMAGE_EXTS} += [rR][aA][fF]
+@{IMAGE_EXTS} += [sS][rR][fF]
+@{IMAGE_EXTS} += [xX][bB][mM]
+@{IMAGE_EXTS} += [rR][gG][bB]
+@{IMAGE_EXTS} += [gG][bB][rR]
+@{IMAGE_EXTS} += [hH][dD][rR]
+@{IMAGE_EXTS} += [hH][rR][dD]
+@{IMAGE_EXTS} += [bB][mM][pP]
+@{IMAGE_EXTS} += [jJ][pP][gG]2
+@{IMAGE_EXTS} += [vV][sS][tT]
+@{IMAGE_EXTS} += [jJ][pP][cC]
+@{IMAGE_EXTS} += [kK]25
+@{IMAGE_EXTS} += [xX]3[fF]
+@{IMAGE_EXTS} += [iI][fF][fF]
+@{IMAGE_EXTS} += [sS][kK]1
+@{IMAGE_EXTS} += [sS][vV][gG][zZ]
+@{IMAGE_EXTS} += [iI][lL][bB][mM]
+@{IMAGE_EXTS} += [mM][dD][cC]
+@{IMAGE_EXTS} += [dD][iI][bB]
+@{IMAGE_EXTS} += [pP][eE][fF]
+@{IMAGE_EXTS} += [rR][aA][sS]
+@{IMAGE_EXTS} += [bB][aA][yY]
+@{IMAGE_EXTS} += [mM][dD][iI]
+@{IMAGE_EXTS} += [eE][pP][sS][fF].[bB][zZ]2
+@{IMAGE_EXTS} += [wW][eE][bB][pP]
+@{IMAGE_EXTS} += [aA][vV][iI][fF]
+@{IMAGE_EXTS} += [rR][pP]
+@{IMAGE_EXTS} += [cC][sS]2
+@{IMAGE_EXTS} += [eE][pP][sS][fF]
+@{IMAGE_EXTS} += [iI][eE][fF]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]1
+@{IMAGE_EXTS} += [kK][dD][cC]
+@{IMAGE_EXTS} += [pP][cC][dD]
+@{IMAGE_EXTS} += [pP][nN][mM]
+@{IMAGE_EXTS} += [pP][iI][cC][tT]
+@{IMAGE_EXTS} += [pP][nN][gG]
+@{IMAGE_EXTS} += [nN][eE][fF]
+@{IMAGE_EXTS} += [dD][cC][rR]
+@{IMAGE_EXTS} += [tT][pP][iI][cC]
+@{IMAGE_EXTS} += [tT][gG][aA]
+@{IMAGE_EXTS} += [eE][pP][sS][iI].[bB][zZ]2
+@{IMAGE_EXTS} += [pP][cC][xX]
+@{IMAGE_EXTS} += [cC][sS]1
+@{IMAGE_EXTS} += [rR][dD][cC]
+@{IMAGE_EXTS} += [dD][xX][fF]
+@{IMAGE_EXTS} += [gG][iI][hH]
+@{IMAGE_EXTS} += [jJ][pP][gG]
+@{IMAGE_EXTS} += [pP][gG][mM]
+@{IMAGE_EXTS} += [jJ][pP][xX]
+@{IMAGE_EXTS} += [pP][pP][mM]
+@{IMAGE_EXTS} += [pP][cC][tT]
+@{IMAGE_EXTS} += [jJ]2[kK]
+@{IMAGE_EXTS} += [dD][jJ][vV][uU]
+@{IMAGE_EXTS} += [sS][uU][nN]
+@{IMAGE_EXTS} += [eE][pP][sS].[bB][zZ]2
+@{IMAGE_EXTS} += [cC][gG][mM]
+@{IMAGE_EXTS} += [iI][cC][bB]
+@{IMAGE_EXTS} += [dD][wW][gG]
+@{IMAGE_EXTS} += [eE][pP][sS].[gG][zZ]
+@{IMAGE_EXTS} += [mM][sS][oO][dD]
+@{IMAGE_EXTS} += [oO][rR][aA]
+@{IMAGE_EXTS} += [tT][iI][fF][fF]
+@{IMAGE_EXTS} += [aA][rR][wW]
+@{IMAGE_EXTS} += [mM][rR][wW]
+@{IMAGE_EXTS} += [aA][sS][tT][cC]
+@{IMAGE_EXTS} += [qQ][tT][iI][fF]
+@{IMAGE_EXTS} += [tT][iI][fF]
+@{IMAGE_EXTS} += [fF][fF][fF]
+@{IMAGE_EXTS} += [xX][pP][mM]
+@{IMAGE_EXTS} += [jJ][pP][gG][mM]
+@{IMAGE_EXTS} += [hH][eE][iI][fF]
+@{IMAGE_EXTS} += [cC][rR]2
+@{IMAGE_EXTS} += [oO][rR][fF]
+@{IMAGE_EXTS} += [xX][wW][dD]
+@{IMAGE_EXTS} += [rR][wW]2
+@{IMAGE_EXTS} += [pP][nN][xX]
+@{IMAGE_EXTS} += [jJ][pP][eE][gG]
+@{IMAGE_EXTS} += [jJ][pP]2
+
+#include if exists
diff --git a/tunables/3rd/exts-video b/tunables/3rd/exts-video
new file mode 100644
index 0000000..d08f4bc
--- /dev/null
+++ b/tunables/3rd/exts-video
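Review bot: Several entries are short, generic suffixes — `[rR][aA][wW]`, `[pP][aA][tT]`, `[fF][iI][gG]`, `[sS][kK]`, `[aA][gG]`, `[rR][pP]`, `[dD][xX][fF]`, `[dD][wW][gG]`, `[gG]3` — and usr.bin.ristretto maps the whole list to `@{RISTRETTO_EXTS}` with `rwk` under `@{HOME}` and the RW dirs, so every file ending in one of them becomes deletable by the confined viewer whether or not it is an image. Either trim the list to what the viewer's loaders actually open, or state the trade-off at the top of the file, which currently has no comment at all. I would add `# Case-insensitive image suffixes; profiles use them as **.@{IMAGE_EXTS} path globs, so every entry must be a pure suffix (dotted ones like xcf.gz match as a whole).` after the modeline.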
@@ -0,0 +1,69 @@
+# vim:syntax=apparmor
+
+@{VIDEO_EXTS} = [aA][xX][vV]
+@{VIDEO_EXTS} += [mM][jJ]2
+@{VIDEO_EXTS} += [wW][mM][pP]
+@{VIDEO_EXTS} += [mM]2[tT][sS]
+@{VIDEO_EXTS} += [mM][oO][vV][iI][eE]
+@{VIDEO_EXTS} += [mM][xX][uU]
+@{VIDEO_EXTS} += [mM][pP][gG]
+@{VIDEO_EXTS} += [mM][lL][tT]
+@{VIDEO_EXTS} += [oO][gG][mM]
+@{VIDEO_EXTS} += [mM][pP]2
+@{VIDEO_EXTS} += [bB][dD][mM]
+@{VIDEO_EXTS} += [mM][pP][lL][sS]
+@{VIDEO_EXTS} += [aA][nN][iI][mM][1-9][jJ]
+@{VIDEO_EXTS} += [vV][iI][vV]
+@{VIDEO_EXTS} += [vV][iI][vV][oO]
+@{VIDEO_EXTS} += [rR][vV][xX]
+@{VIDEO_EXTS} += [fF][lL][iI]
+@{VIDEO_EXTS} += [dD][iI][fF]
+@{VIDEO_EXTS} += [fF][lL][vV]
+@{VIDEO_EXTS} += [mM][pP][lL]
+@{VIDEO_EXTS} += 3[gG][pP]
+@{VIDEO_EXTS} += [cC][pP][iI]
+@{VIDEO_EXTS} += [mM][jJ][pP][gG]
+@{VIDEO_EXTS} += [mM][oO][oO][vV]
+@{VIDEO_EXTS} += [mM][pP][eE][gG]
+@{VIDEO_EXTS} += [fF]4[vV]
+@{VIDEO_EXTS} += [mM]1[uU]
+@{VIDEO_EXTS} += [qQ][tT]
+@{VIDEO_EXTS} += [mM][jJ][pP]2
+@{VIDEO_EXTS} += [aA][vV][iI]
+@{VIDEO_EXTS} += [cC][lL][pP][iI]
+@{VIDEO_EXTS} += [bB][dD][mM][vV]
+@{VIDEO_EXTS} += [wW][eE][sS][tT][lL][eE][yY]
+@{VIDEO_EXTS} += [oO][gG][gG]
+@{VIDEO_EXTS} += [wW][eE][bB][mM]
+@{VIDEO_EXTS} += [mM][nN][gG]
+@{VIDEO_EXTS} += [wW][mM][vV]
+@{VIDEO_EXTS} += [0-9][0-9][0-9].[vV][dD][rR]
+@{VIDEO_EXTS} += [fF][xX][mM]
+@{VIDEO_EXTS} += [mM][jJ][pP][eE][gG]
+@{VIDEO_EXTS} += [mM]4[vV]
+@{VIDEO_EXTS} += [mM]4[uU]
+@{VIDEO_EXTS} += [mM][pP]4
+@{VIDEO_EXTS} += [mM]2[tT]
+@{VIDEO_EXTS} += [oO][gG][vV]
+@{VIDEO_EXTS} += [dD][iI][vV][xX]
+@{VIDEO_EXTS} += [qQ][tT][vV][rR]
+@{VIDEO_EXTS} += 3[gG][pP][pP]
+@{VIDEO_EXTS} += [tT][sS]
+@{VIDEO_EXTS} += [fF][lL][cC]
+@{VIDEO_EXTS} += [vV][oO][bB]
+@{VIDEO_EXTS} += [lL][rR][vV]
+@{VIDEO_EXTS} += [mM][kK]3[dD]
+@{VIDEO_EXTS} += [rR][vV]
+@{VIDEO_EXTS} += 3[gG][pP][pP]2
+@{VIDEO_EXTS} += [mM][tT][sS]
+@{VIDEO_EXTS} += 3[gG][pP]2
+@{VIDEO_EXTS} += 3[gG]2
+@{VIDEO_EXTS} += [mM][oO][vV]
+@{VIDEO_EXTS} += [mM][kK][vV]
+@{VIDEO_EXTS} += [dD][vV]
+@{VIDEO_EXTS} += [nN][sS][vV]
+@{VIDEO_EXTS} += [aA][vV][fF]
+@{VIDEO_EXTS} += [mM][pP][eE]
+@{VIDEO_EXTS} += 3[gG][aA]
+
+#include if exists
diff --git a/usr.bin.ristretto b/usr.bin.ristretto
index 3582fa5..8415e79 100644
--- a/usr.bin.ristretto
+++ b/usr.bin.ristretto
@@ -1,11 +1,17 @@
 # vim:syntax=apparmor
-abi ,
- #include
+#include
+
+#@{more_exts} = [xX][xX][xX]
-# changeme; /home already included except dotfiles
-@{PIC_DIRS}=/usr/share /var/local /media /mnt /tmp
+# adjust in local; /home already included except dotfiles
+@{RISTRETTO_DIRS_RO} = /usr/share
+@{RISTRETTO_DIRS_RW} = /var/local /media /mnt /tmp
+@{RISTRETTO_EXTS} = @{IMAGE_EXTS}
+@{RISTRETTO_EXTS_SILENCED} = [hH][tT][mM]
+@{RISTRETTO_EXTS_SILENCED} += [hH][tT][mM][lL]
+#include if exists
 profile ristretto /usr/bin/ristretto {
 /usr/bin/ristretto r,
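Review bot: The entry `[0-9][0-9][0-9].[vV][dD][rR]` is not a suffix in the sense the other entries are: the way usr.bin.ristretto consumes such lists is `**.@{...EXTS}`, which forces a dot before the three digits, so a bare `001.vdr` (the VDR recording layout, as far as I know) never matches and only `name.001.vdr` does. If the intent is to match those basenames, that needs a dedicated path rule in the consuming profile, not an extension entry. A header comment would make the constraint visible to whoever extends the list next: `# Case-insensitive video suffixes; profiles use them as **.@{VIDEO_EXTS} path globs, so every entry must be a pure suffix.`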
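Review bot: `@{RISTRETTO_EXTS} = @{IMAGE_EXTS}` references a variable this file never defines, and the only include that could supply it is the `#include if exists` line just above (its target is not visible in this rendering); if that tunables file is absent the parser aborts on an undefined variable rather than degrading gracefully, so the "if exists" is misleading and the include should be unconditional, e.g. `#include <tunables/3rd/exts-image>`. Dropping `abi <abi/3.0>,` also changes policy semantics, not just syntax: a profile without an abi rule is compiled against the parser's pinned compatibility ABI, which as far as I recall can leave newer mediation classes such as the `dbus` and `network` rules later in this profile unenforced on an AppArmor 3 host. If the removal is meant to keep older parsers happy, a comment saying so would stop someone re-adding it blindly.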
@@ -17,40 +23,62 @@ profile ristretto /usr/bin/ristretto {
 #include
 #include
 #include
-# #include
+# #include # relaxed with large footprint
+ #include if exists
+ #include if exists # pictures on smb shares, etc
+
+ @{RISTRETTO_DIRS_RO}/{,**/} r, # read dirs
+ @{RISTRETTO_DIRS_RO}/**.@{RISTRETTO_EXTS} r, # read files
+ @{RISTRETTO_DIRS_RW}/{,**/} r,
+ @{RISTRETTO_DIRS_RW}/**.@{RISTRETTO_EXTS} rwk, # write files (=delete)
+
+ owner @{HOME}/{,[^.]*,**/} r, # dirs, but not dotdirs
+ owner @{HOME}/[^.]{,**/}*.@{RISTRETTO_EXTS} rwk, # files, but not dotfiles
+ owner /{,var/}run/user/[0-9]*/gvfs/{,**/} r, # USB storage
+ owner /{,var/}run/user/[0-9]*/gvfs/**.@{RISTRETTO_EXTS} rwk,
+
+ owner @{HOME}/.cache/.fr-*/{,**/} r, # file roller
+ owner @{HOME}/.cache/.fr-*/**.@{RISTRETTO_EXTS} r,
+ owner @{HOME}/.cache/thumbnails/{,**} r,
+
+ deny /**.@{RISTRETTO_EXTS_SILENCED} r,
- owner @{HOME}/{,[^.]*}{,/**} rw, # home itself, not dotfiles, nested files
- @{PIC_DIRS}/{,**} r, # read
- @{PIC_DIRS}/{,**} w, # write (=delete)
+ # Trashing; dirs must exist
+ owner @{HOME}/.local/share/Trash/**.@{RISTRETTO_EXTS}{,.trashinfo}{,.??????} rwk,
+ owner @{HOME}/.local/share/gvfs-metadata/** r,
- deny /var/log/{,**} mrwkl, # protect the logs
+ owner @{HOME}/.config/ristretto/{,**} rwk,
+ owner @{HOME}/.local/share/ristretto/{,**} rwk,
- owner @{HOME}/.config/ristretto/{,**} rwk,
- owner @{HOME}/.local/share/ristretto/{,**} rwk,
- owner @{HOME}/.local/share/ r,
- owner @{HOME}/.cache/thumbnails/{,**} r,
+ deny @{HOME}/.local/share/ r,
+ deny @{HOME}/.xsession-errors r,
+ deny @{HOME}/.xfce4-session.verbose-log{,.last} r,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/{mountinfo,mounts} r,
 /{,var/}run/mount/utab r,
- /etc/xfce[0-9]/defaults.list r,
 /etc/magic r,
+ /usr/share/xfce[3-5]/applications/mimeinfo.cache r,
+ /etc/xfce[0-9]/defaults.list r,
+ /usr/share/*ubuntu/applications/defaults.list r,
+ /usr/share/themes/** r,
 /var/lib/snapd/desktop/icons/ r,
- owner /tmp/dbus-* w,
+ owner 
/tmp/dbus-* rw, # gnome-tiny
 /etc/gnome/defaults.list r,
 /etc/gtk-[0-9].[0-9]*/settings.ini r, # edit button; comment out for significantly less footprint
- /{,usr/}bin/dash rPx -> ristretto//dash,
- owner @{PROC}/@{pid}/fd/ r,
+ /{,usr/}bin/dash rPx -> ristretto_opener, # Ubuntu
+ /usr/lib/@{multiarch}/glib-[0-9].[0-9]*/gio-launch-desktop rPx -> ristretto_opener, # Debian
 dbus (send, receive) bus="session" path="/org/freedesktop/thumbnails/Thumbnailer1" interface="org.freedesktop.thumbnails.Thumbnailer1"
- member="{Started,Ready,Finished,Queue,Dequeue}"
+ member="{Started,Ready,Finished,Queue,Dequeue,Error}"
 peer=(name=:*),
 dbus send
@@ -137,14 +165,10 @@ profile ristretto /usr/bin/ristretto {
 member="ListMountableInfo"
 peer=(name=:*),
- # pictures on smb shares, etc
- network tcp,
- network udp,
-
- include if exists
+ #include if exists
 }
-profile ristretto//dash {
+profile ristretto_opener {
 /{,usr/}bin/dash r,
 #include
 #include
@@ -154,5 +178,5 @@ profile ristretto//dash {
 # sanitized, slightly less bad than Ux; "Use at your own risk."
 /usr/bin/gimp-[2-3].[0-9]{,[0-9]} Cx -> sanitized_helper,
- include if exists
+ #include if exists
 }
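Review bot: `owner @{HOME}/{,[^.]*,**/} r, # dirs, but not dotdirs` does not do what its comment says: AppArmor's `**` matches leading dots, so the `**/` alternative grants read (directory listing) on every directory under `@{HOME}` including `~/.ssh/` and `~/.gnupg/`, and the `[^.]*` alternative has no trailing slash, so it also grants read on any top-level non-dot file regardless of extension. A form that matches the comment is `owner @{HOME}/{,[^.]*/,[^.]*/**/} r, # dirs only; top-level dotdirs excluded`. Dot-directories nested inside a regular directory stay readable either way, which is probably acceptable for an image viewer but should be said in the comment rather than implied away. The profile body continues beyond this hunk.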