Control: tag -1 moreinfo

Hi Patrick,

I realize only now that you probably haven't seen this email from Seth,
since he sent it only to the bug report and not also to the reporters.
Could you please revise your patch following their suggestions?

https://bugs.debian.org/951331#23

- Mattia

On Sat, Feb 29, 2020 at 04:30:59AM +0000, Seth Arnold wrote:
> Hello Mattia, Patrick,
>
> Thanks so much for proposing an AppArmor profile for HexChat.
>
> I've got a few comments; I'll paste in the entire 'main' block of the
> profile, and add my comments inline:
>
>
> ## Copyright (C) 2014 troubadour <troba...@riseup.net>
> ## Copyright (C) 2014 - 2019 ENCRYPTED SUPPORT LP <adrela...@riseup.net>
> ## See the file COPYING for copying conditions.
>
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/fonts>
> #include <abstractions/kde>
> #include <abstractions/gnome>
> #include <abstractions/X>
> #include <abstractions/audio>
>
> This should also #include <abstractions/nameservice>
>
> deny @{PROC}/** r,
>
> @{HOME}/ r,
> @{HOME}/.config/** rwk,
> @{HOME}/.xchat2/ r,
> @{HOME}/.xchat2/** rwixk,
> @{HOME}/.config/ r,
> @{HOME}/.config/hexchat/ r,
> @{HOME}/.config/hexchat/** rwixk,
> @{HOME}/.kde/share/config/gtkrc-2.0 r,
> @{HOME}/.kde/share/config/oxygenrc r,
> @{HOME}/.*/lib/python*/** r,
>
> /bin/grep rix,
> /bin/uname rix,
> /bin/mkdir rix,
> /bin/rm rix,
>
> /usr/bin/grep rix,
> /usr/bin/uname rix,
> /usr/bin/mkdir rix,
> /usr/bin/rm rix,
>
> /dev/tty rwix,
> /dev/null rw,
>
> /etc/passwd r,
> /etc/group r,
> /etc/host.conf r,
> /etc/hosts r,
> /etc/resolv.conf r,
> /etc/gai.conf r,
> /etc/nsswitch.conf r,
>
> The lines between /etc/passwd and /etc/nsswitch.conf could be removed with
> abstractions/nameservice added.
>
> /etc/ld.so.cache r,
> /etc/machine-id r,
> /etc/os-release r,
> /etc/xdg/xfce4/helpers.rc r,
> /etc/xfce4/defaults.list r,
> /etc/python*/sitecustomize.py r,
>
> /lib/*-linux-gnu/** mr,
>
> This line is very broad -- and overlaps with a lot of the libraries listed
> in abstractions/base -- if you found any libraries that are DENIED because
> they don't match a rule already in abstractions/base, it would be best to
> list them with a specific rule.
>
> /usr/bin/xchat rix,
> /usr/bin/xdg-open rix,
> /usr/bin/dbus-send rix,
> /usr/bin/xprop rix,
> /usr/bin/exo-open rix,
> /usr/bin/sensible-browser rix,
> /usr/bin/zenity rix,
> /usr/bin/torbrowser rix,
> /usr/bin/basename rix,
> /usr/bin/kde4-config rix,
> /usr/bin/aplay rix,
>
> I'm really worried about these. I can appreciate trying to provide a
> profile that lets people click on links as usual, but actually running
> these applications in hexchat's profile will lead to bugs.
>
> This also means the hexchat profile may need to be much wider, just to
> accommodate these other programs.
>
>
> /usr/lib/*-linux-gnu/** mrix,
>
> This line is also very broad -- and shouldn't be needed with
> abstractions/base.
>
> /usr/lib/xchat/plugins/* mr,
> /usr/lib/perl*/** mr,
> /var/lib/snapd/desktop/applications/ r,
>
> Granting permission to read this directory without permission to read the
> *.desktop files is a bit wasted. What happens if this is denied?
>
> ## The Ux permission is too dangerous to be enabled by default.
> #/usr/lib/firefox-esr/firefox* Ux,
>
> /usr/lib/python*/lib-dynload/*.so mr,
>
> /usr/local/lib/python*/dist-packages/ r,
> /usr/local/lib/python*/dist-packages/* r,
>
> /usr/share/icons/** r,
> /usr/share/enchant/* r,
> /usr/share/myspell/dicts/ r,
> /usr/share/hunspell/ r,
> /usr/share/hunspell/* r,
> /usr/share/ca-certificates/** r,
> /usr/share/xfce4/helpers/* r,
> /usr/share/xfce4/applications/ r,
> /usr/share/xfce4/applications/mimeinfo.cache r,
> /usr/share/zenity/* r,
> /usr/share/fontconfig/** r,
> /usr/share/poppler/cMap/ r,
> /usr/share/poppler/cMap/** r,
> /usr/share/perl*/** mr,
> /usr/share/tcltk/tcl8.5/* r,
> /usr/share/pyshared/* r,
> /usr/share/aspell/ r,
> /usr/share/aspell/** r,
>
> /var/lib/aspell/* r,
>
> /run/*/resolv.conf r,
>
> This shouldn't be needed with abstractions/nameservice added.
>
>
> I know that the helper applications are a difficult point here. The more
> secure option is to prevent them from being used. The friendliest option
> is to use PUx execution rules to either launch them confined, if the user
> has profiles for them, or unconfined, if the user doesn't have profiles.
>
> But having an unconfined way out of the profile drastically reduces the
> value of the profile.
>
> Desktop applications are difficult to confine because many users want to
> use them to do everything. Other users don't mind some restrictions for
> security gains. And it's very hard to provide one profile for both.
>
> It may not make sense to enable the profile by default. I'd rather have
> the tighter profile, without helper applications, but that may not reflect
> what most users would actually want.
>
> Thanks

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
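As an added example (not code from the bug report, the HexChat profile authors, or the AppArmor project), a POSIX shell script that does the triage Seth suggests: it reads AppArmor DENIED audit lines for the hexchat profile and prints one specific candidate rule per denied file, instead of a `/lib/*-linux-gnu/**` glob, and flags exec denials for a manual ix-vs-PUx decision rather than granting them. The audit lines, file paths and the `hexchat` profile name are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn AppArmor "DENIED" audit
# lines into specific candidate rules for the hexchat profile, so denied
# libraries get listed one by one instead of being covered by a broad
# /lib/*-linux-gnu/** glob. Audit lines, profile name and paths are constructed.

# Usage: deny_to_rules PROFILE_NAME < audit.log
deny_to_rules() {
    profile="$1"
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*"profile=\"$profile\""*) ;;  # only our profile
            *) continue ;;
        esac
        op=$(printf '%s\n' "$line" | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
        name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        mask=$(printf '%s\n' "$line" | sed -n 's/.*denied_mask="\([^"]*\)".*/\1/p')
        [ -n "$name" ] || continue
        case "$op" in
            exec)
                # Running a helper is a policy choice (ix inside this profile
                # vs PUx into its own), so flag it instead of granting it.
                printf '# exec denied: %s (decide ix vs PUx by hand)\n' "$name" ;;
            open|file_mmap|file_perm)
                # create/delete show up as c/d in the log; in a rule they are w.
                mask=$(printf '%s' "$mask" | tr 'cd' 'ww' | fold -w1 | LC_ALL=C sort -u | tr -d '\n')
                case "$name" in
                    *.so|*.so.*) printf '%s mr,\n' "$name" ;;   # shared object
                    *)           printf '%s %s,\n' "$name" "$mask" ;;
                esac ;;
            *) printf '# %s denied on %s (mask %s)\n' "$op" "$name" "$mask" ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed sample of what the audit log or dmesg would show for hexchat.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1582950000.100:71): apparmor="DENIED" operation="open" profile="hexchat" name="/usr/lib/x86_64-linux-gnu/libenchant.so.1.6.0" pid=2345 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1582950000.101:72): apparmor="DENIED" operation="exec" profile="hexchat" name="/usr/bin/xdg-open" pid=2345 comm="hexchat" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1582950000.102:73): apparmor="DENIED" operation="open" profile="hexchat" name="/home/user/.config/hexchat/servlist.conf" pid=2345 comm="hexchat" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1582950000.103:74): apparmor="DENIED" operation="open" profile="firefox" name="/etc/hosts" pid=2400 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
}

sample_audit | deny_to_rules hexchat
```

Lines for other profiles (the constructed firefox entry) are skipped, and anything that abstractions/base or abstractions/nameservice already covers should be dropped from the output before it goes into the profile.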