Update opt.zoom.ZoomLauncher #1

Open. Wants to merge 1 commit into master.

Conversation

drzraf (Author) commented Nov 4, 2020

Some /sbin => /usr/bin/ substitution (ubuntu)
Allowed some dbus calls

Note: apparmor rewrote my changes (automatically ordered lines, etc.), I didn't keep note of them... sorry for the diff.

The only remaining complaint is that every 10 minutes Zoom polls for processes running on the machine (opening all /proc/*/cmdline)
(AVC apparmor="DENIED" operation="ptrace" profile="/opt/zoom/ZoomLauncher" pid=31790 comm="pidof" requested_mask="read" denied_mask="read" peer="unconfined") which I don't know how to properly silence (and deny).

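Added example, not part of this PR or of the profile: a small Python parser for AppArmor DENIED audit lines in the format quoted above, grouping repeated denials per (profile, operation, mask, target) and printing the rule a reviewer would consider for each group, using the quiet `deny ptrace read peer=unconfined,` form for the pidof case. The log lines are constructed (the first reproduces the line from this description), and `candidate_rule` is a hypothetical helper, not an AppArmor tool.

```python
import re
from collections import Counter

# Constructed sample log: the ptrace denial quoted in the PR description (twice,
# since it recurs every 10 minutes) plus one invented file-open denial in the
# same audit format. Not captured from a real machine.
SAMPLE_LOG = """\
type=AVC msg=audit(1604500000.123:456): apparmor="DENIED" operation="ptrace" profile="/opt/zoom/ZoomLauncher" pid=31790 comm="pidof" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1604500600.321:470): apparmor="DENIED" operation="ptrace" profile="/opt/zoom/ZoomLauncher" pid=32011 comm="pidof" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1604500001.200:457): apparmor="DENIED" operation="open" profile="/opt/zoom/ZoomLauncher" name="/etc/timezone" pid=31790 comm="zoom" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the fields of one AppArmor DENIED audit line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def summarize(log_text):
    """Count denials by (profile, operation, denied_mask, target)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        target = f.get("name") or f.get("peer") or "?"  # file path, or ptrace/signal peer
        counts[(f["profile"], f["operation"], f["denied_mask"], target)] += 1
    return counts


def candidate_rule(key):
    """Hypothetical helper: the profile line a reviewer would consider for one group.
    ptrace denials get the quiet explicit deny discussed in the PR; file denials get
    the allow rule with the denied mask, for the reviewer to accept or turn into a deny."""
    _profile, op, mask, target = key
    if op == "ptrace":
        return f"deny ptrace {mask} peer={target},"
    return f"{target} {mask},"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {key[1]:<8} {key[3]:<40} -> {candidate_rule(key)}")
```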
drzraf (Author) commented Nov 5, 2020

I ran aa-cleanprof /opt/zoom/ZoomLauncher on your file to compare with mine:

diff --git a/opt.zoom.ZoomLauncher b/opt.zoom.ZoomLauncher.new
index 9e0652b..e445267 100644
--- a/opt.zoom.ZoomLauncher
+++ b/opt.zoom.ZoomLauncher.new
@@ -22,6 +22,18 @@
   dbus receive bus=system path=/org/freedesktop/NetworkManager,
   dbus send bus=session peer=(name=org.a11y.Bus),
   dbus send bus=system path=/org/freedesktop/NetworkManager member=state,
+  dbus (send)
+       bus=session
+       path=/org/gnome/GConf/Server
+       interface=org.gnome.GConf.Server
+       member=GetDefaultDatabase
+       peer=(label=unconfined),
+
+  dbus (send)
+       bus=session
+       path=/org/gnome/GConf/Database/*
+       member=LookupExtended
+       peer=(label=unconfined),
 
   signal send set=usr2 peer=/usr/bin/pacmd,
 
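Review bot: the second added dbus rule (path=/org/gnome/GConf/Database/* member=LookupExtended) carries no interface= qualifier, while the first one restricts itself to interface=org.gnome.GConf.Server; for consistency and least privilege, add the matching interface name for the database objects (confirm the exact name against the aa-logprof output rather than guessing). Both rules grant send to peer=(label=unconfined), which is unavoidable while gconfd itself runs unconfined, but worth a one-line comment in the profile so the next reader knows why the peer is not a labelled service.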
@@ -32,18 +44,20 @@
   deny @{HOME}/.Private mrwlk,
   deny @{PROC}/[0-9]*/cmdline mrwlk,
 
-  /bin/cat ix,
-  /bin/dash ix,
-  /bin/grep ix,
-  /bin/ps rUx,
-  /bin/readlink ix,
-  /bin/uname rUx,
+  /usr/bin/cat ix,
+  /usr/bin/dash ix,
+  /usr/bin/grep ix,
+  /usr/bin/ps rUx,
+  /usr/bin/readlink ix,
+  /usr/bin/uname rUx,
+  /usr/bin/gconftool-2 ix,
   /dev/dri/ r,
   /dev/tty rw,
   /dev/video[0-9] mrw,
   /etc/debian-version r,
   /etc/os-release r,
   /etc/passwd m,
+  /etc/timezone r,
   /opt/ r,
   /opt/zoom/ mr,
   /opt/zoom/** mr,
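Review bot: the /bin to /usr/bin rewrite of cat, dash, grep, ps, readlink and uname only works on merged-/usr systems; on a Debian install without usrmerge /bin/cat is a real file and the profile would now deny it. The profile already uses brace alternation for /{,var/}run/user/ further down, so the same form works here, e.g. `/{,usr/}bin/cat ix,`, keeping one rule per binary for both layouts. Also, `/usr/bin/gconftool-2 ix,` runs the tool inherited under the full ZoomLauncher profile; since the author notes it is only used to read proxy settings, a `Cx` transition to a small child profile (or an outright deny, as suggested below) would limit what it can write. Unrelated to the change but visible in the context: `/etc/debian-version r,` looks like a typo for /etc/debian_version.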
@@ -61,7 +75,8 @@
   /opt/zoom/xcbglintegrations/*.so mr,
   /opt/zoom/zoom ix,
   /opt/zoom/zopen ix,
-  /sbin/killall5 ix,
+  /usr/sbin/killall5 ix,
+  /usr/bin/pidof ix,
   /sys/bus/pci/devices/ r,
   /sys/devices/pci[0-9]*/**/{busnum,class,config,device,devnum,descriptors,irq,resource,revision,speed,subsystem_device,subsystem_vendor,uevent,vendor} r,
   /sys/devices/system/cpu/cpu*/cache/index*/{type,level,shared_cpu_map,size} r,
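Review bot: `/usr/sbin/killall5 ix,` has the same merged-/usr problem as the previous hunk; `/{,usr/}sbin/killall5 ix,` covers both layouts. `/usr/bin/pidof ix,` is what produces the periodic ptrace denials from the PR description: pidof runs inherited under this profile and is refused `ptrace read` against unconfined peers when it scans /proc. Since the profile already carries `deny @{PROC}/[0-9]*/cmdline mrwlk,`, the intent is clearly to block process enumeration, so add an explicit `deny ptrace read peer=unconfined,` (the option the author lists below as untried): explicit deny rules are quiet by default, so this both denies the access and silences the log noise.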
@@ -102,6 +117,7 @@
   owner "@{HOME}/.config/Unknown Organization/**" rwk,
   owner /dev/shm/.org.chromium.Chromium* mrw,
   owner /{,var/}run/user/*/dconf/user rw,
+  owner @{HOME}/.config/QtProject.conf r,
   owner @{HOME}/.cache/mesa_shader_cache/ rw,
   owner @{HOME}/.cache/mesa_shader_cache/** rwk,
   owner @{HOME}/.cache/mesa_shader_cache/index mrw,
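Review bot: `owner @{HOME}/.config/QtProject.conf r,` is inserted between the dconf rule and the mesa_shader_cache block, breaking the sorted order aa-cleanprof produces (and which this PR asks to standardise on); move it next to the other @{HOME}/.config rules. Read-only access is appropriately narrow, nothing else to flag.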
  • Syntax for signal (send) peer=/usr/bin/pacmd set=(usr2), must be changed to signal send set=usr2 peer=/usr/bin/pacmd, (not clearly visible in above diff).

  • From a quick look at strace, /usr/bin/gconftool-2 is used to fetch http/ftp proxy settings. Still, I hope apparmor could allow finer restriction there because gconftool is powerful. (Could simply just deny it.)

  • Blocking pidof may be complementary, to avoid process listing (deny ptrace read peer=unconfined [not tried yet])

  • NB: I think zoom-snap's ticket wasn't the right place you wanted to reply to.

drzraf (Author) commented Dec 10, 2020

Do you mind running aa-cleanprof /opt/zoom/ZoomLauncher on your file in master so that we have a common base for rule ordering?

detrout (Owner) commented Dec 11, 2020

That's a totally reasonable request, I just need a few spare minutes to get files in the right places for aa-cleanprof.

drzraf (Author) commented May 18, 2021

ping?

drzraf (Author) commented Apr 25, 2022

Ping, about aa-cleanprof

detrout (Owner) commented Apr 26, 2022

I did just push my last update after running aa-cleanprof, though I also had given up on the .deb version and switched to the flatpak version because it provides easier updates while still being somewhat contained.

drzraf (Author) commented Apr 26, 2022

I didn't notice that aa-cleanprof added flags=(complain) to the profile... which disables actual restrictions.
Could you remove that flags=(complain)?

drzraf (Author) commented Apr 26, 2022

> switched to the flatpak version because it provides easier updates while still being somewhat contained.

Do you know if this handles the latest Zoom 5.10.x? Those even require cap sys_admin to work...
