Description
Hi,
I've installed the latest package from debian sid:
```
$ apt-cache policy ricochet-im
ricochet-im:
  Installed: 1.1.4-2+b1
  Candidate: 1.1.4-2+b1
  Version table:
 *** 1.1.4-2+b1 500
        500 http://ftp.de.debian.org/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status
```
AppArmor chokes on this because the permissions for ~/.local, ~/.cache and ~/.config prevent ricochet from correctly setting up the config, directories and local user environment when launched for the first time. The effect is that ricochet starts and appears to be working at first sight, but is actually unable to maintain state (a unique ricochet id across application restarts).
Here is a working /etc/apparmor.d/usr.bin.ricochet config:

```
# Last Modified: Mon Jul 17 00:25:38 2017
#include <tunables/global>

# AppArmor Ricochet profile for Debian GNU/Linux
# This profile is Free Software and released under the same license as Ricochet
# itself.
#
# Copyleft 2015 Jacob Appelbaum <[email protected]>
#

/usr/bin/ricochet {
  #include <abstractions/audio>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/openssl>

  /usr/lib/** mr,

  # Allow TCP connections
  network inet stream,
  network inet6 stream,

  # Allow Ricochet to exec pulseaudio
  # This makes me very sad...
  # as it seems that you can't isolate playing and recording :(
  /usr/bin/pulseaudio rix,

  # Allow Ricochet to exec tor
  /usr/bin/tor rix,

  # Tor in turn needs various things
  /usr/share/tor/geoip r,
  /usr/share/tor/geoip6 r,
  /proc/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,

  # Allow Ricochet to read tor daemons auth cookie
  /run/tor/control.authcookie r,

  # Allow Ricochet to read itself
  /usr/bin/ricochet r,
  /proc/[0-9]*/cmdline r,
  /proc/[0-9]*/environ r,

  # Allow Ricochet to generate audio
  owner /{dev,run}/shm/pulse-shm* m,

  # Allow Ricochet to draw the UX
  /dev/dri/ r,
  /sys/devices/pci[0-9]*/**/config r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /run/udev/data/* r,

  # Allow Ricochet to load GTK themes
  /usr/share/themes/* r,
  /usr/share/themes/**/* r,
  owner @{HOME}/.gtkrc-2.0 r,

  # Allow Ricochet to look up all your machine's PII
  # Why does it need this stuff? BAD NEWS BEARS
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # changes required to make this work on Debian sid on Sun Jan 13 18:24:17 CET 2019
  # your device id might most likely not match your machine so adapt it for yourself
  # after checking the logs:
  /sys/devices/pci0000:00/0000:00:02.0/** r,
  /proc/sys/kernel/random/boot_id r,
  /usr/share/hwdata/* r,
  owner @{HOME}/.local/share/Ricochet/ rwl,
  owner @{HOME}/.local/share/Ricochet/** mrwkl,
  owner @{HOME}/.cache/Ricochet/ rw,
  owner @{HOME}/.cache/Ricochet/** rwkl,
  owner @{HOME}/.config/gtk-3.0/* r,
}
```
Note that this will still result in errors from fontconfig (which should be solved by including abstractions/fonts; I've not been able to track this down yet, though it doesn't seem to do any harm):
```
Jan 13 19:18:11 tinkerbell kernel: [125185.401432] audit: type=1400 audit(1547403491.578:2316): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/usr/share/fontconfig/conf.avail/" pid=13995 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
I'm aware that this should be reported to the Debian maintainers, however I've noticed some issues with AppArmor mentioned here, so I thought I'd also report this here.

Thanks for this piece of awesome software!!
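The reporter's comment "adapt it for yourself after checking the logs" is the usual workflow for profiles like this one: run the application, collect the `apparmor="DENIED"` audit records, and turn them into rules. The script below is an added example and is not part of the issue, of Ricochet, or of the Debian package; it is a small stand-in for what `aa-logprof` from apparmor-utils does. It parses audit records of the form quoted above into key=value fields, merges the denied masks per path, prefixes `owner` when `fsuid` equals `ouid`, rewrites `/home/<user>/` to `@{HOME}`, and goes one step beyond the single line on the page by also emitting a `network` rule for socket denials. Everything in `SAMPLE_LOG` after the first line is constructed for the example (the user `alice`, the `ricochet.json` file, the network record); the choice of `ix` for exec denials is an assumption you should revisit per binary.

```python
import re
from collections import defaultdict

# Constructed sample input. The first line is the fontconfig denial quoted in
# the issue; the remaining lines are made up to exercise owner/@{HOME}
# handling, mask merging, a network denial and a non-DENIED record.
SAMPLE_LOG = """\
Jan 13 19:18:11 tinkerbell kernel: [125185.401432] audit: type=1400 audit(1547403491.578:2316): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/usr/share/fontconfig/conf.avail/" pid=13995 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 13 19:18:12 tinkerbell kernel: [125186.000001] audit: type=1400 audit(1547403492.000:2317): apparmor="DENIED" operation="mkdir" profile="/usr/bin/ricochet" name="/home/alice/.local/share/Ricochet/" pid=13995 comm="ricochet" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 13 19:18:12 tinkerbell kernel: [125186.000002] audit: type=1400 audit(1547403492.001:2318): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/home/alice/.local/share/Ricochet/ricochet.json" pid=13995 comm="ricochet" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Jan 13 19:18:13 tinkerbell kernel: [125187.000003] audit: type=1400 audit(1547403493.000:2319): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/home/alice/.local/share/Ricochet/ricochet.json" pid=13995 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 13 19:18:14 tinkerbell kernel: [125188.000004] audit: type=1400 audit(1547403494.000:2320): apparmor="DENIED" operation="create" profile="/usr/bin/ricochet" pid=13995 comm="ricochet" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Jan 13 19:18:15 tinkerbell kernel: [125189.000005] audit: type=1400 audit(1547403495.000:2321): apparmor="ALLOWED" operation="open" profile="/usr/bin/ricochet" name="/etc/machine-id" pid=13995 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the audit subsystem
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
HOME_RE = re.compile(r'^/home/[^/]+/')

# audit mask letter -> permission letter in a profile rule; create and delete
# are covered by write permission in a rule
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                'm': 'm', 'k': 'k', 'l': 'l', 'x': 'x'}
PERM_ORDER = 'mrwalk'


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def perms_string(perms):
    """Render a set of permission letters in the order aa-logprof uses."""
    # 'w' already implies append, so drop a redundant 'a'
    s = ''.join(p for p in PERM_ORDER if p in perms and not (p == 'a' and 'w' in perms))
    if 'x' in perms:
        s += 'ix'  # assumption: inherit the profile on exec; use px/Px where appropriate
    return s


def normalize_path(path):
    """Replace a concrete home directory with the @{HOME} tunable."""
    return HOME_RE.sub('@{HOME}/', path)


def suggest_rules(log_text, profile=None):
    """Turn DENIED records into candidate profile rules, merged per path."""
    files = defaultdict(set)  # (owner_only, path) -> permission letters
    nets = set()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        if profile and ev.get('profile') != profile:
            continue
        if 'family' in ev and 'sock_type' in ev:
            nets.add(f"network {ev['family']} {ev['sock_type']},")
            continue
        if 'name' not in ev:
            continue  # capability/signal/dbus denials are out of scope here
        owner = 'fsuid' in ev and ev['fsuid'] == ev.get('ouid')
        perms = {MASK_TO_PERM[c] for c in ev.get('denied_mask', '') if c in MASK_TO_PERM}
        files[(owner, normalize_path(ev['name']))] |= perms
    rules = sorted(nets)
    for (owner, path), perms in sorted(files.items(), key=lambda kv: kv[0][1]):
        rules.append(f"{'owner ' if owner else ''}{path} {perms_string(perms)},")
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_LOG, profile='/usr/bin/ricochet'):
        print('  ' + rule)
```

Feed it `journalctl -k` or `dmesg` output and review every suggested line before pasting it into the profile: a denial tells you what the program tried to do, not whether it should be allowed, which is exactly the judgement the reporter is making about `/etc/machine-id` above.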