#951331 merge HexChat AppArmor profile

Package:
hexchat
Source:
hexchat
Description:
IRC client for X based on X-Chat 2
Submitter:
Patrick Schleizer
Date:
2026-04-10 09:39:01 UTC
Severity:
wishlist
Tags:
#951331#5
Date:
2020-02-14 15:05:47 UTC
From:
To:
Dear maintainer,

could you please review and merge the following AppArmor profile?

Called "XChat" but the package name was just not renamed to "HexChat".
The profile is tested with HexChat.

https://github.com/Whonix/apparmor-profile-xchat

Direct links to relevant files:

https://github.com/Whonix/apparmor-profile-xchat/blob/master/etc/apparmor.d/usr.bin.hexchat

https://github.com/Whonix/apparmor-profile-xchat/blob/master/etc/apparmor.d/abstractions/xchat-based

Cheers,
Patrick

#951331#8
Date:
2020-02-15 09:38:54 UTC
From:
To:
Hi Patrick,

Thank you for your contribution!

However, I don't use AppArmor (or any other LSM for what it's worth…),
so I would be somewhat hard pressed to properly review this.

What would you think of properly integrating it into the upstream
package at https://github.com/hexchat/hexchat? That would include
adding a new meson option and related build system changes.

#951331#15
Date:
2020-02-15 10:46:31 UTC
From:
To:
Mattia Rizzolo:


That would be better indeed but I was sent here. :)

https://github.com/hexchat/hexchat/issues/1577

#951331#18
Date:
2020-02-15 10:49:46 UTC
From:
To:
ahem :s

Alright, let me see if I can find somebody to have a look at those 2
files…

#951331#23
Date:
2020-02-29 04:30:59 UTC
From:
To:
Hello Mattia, Patrick,

Thanks so much for proposing an AppArmor profile for HexChat.

I've got a few comments; I'll paste in the entire 'main' block of the
profile, and add my comments inline:


## Copyright (C) 2014 troubadour <trobador@riseup.net>
## Copyright (C) 2014 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/fonts>
   #include <abstractions/kde>
   #include <abstractions/gnome>
   #include <abstractions/X>
   #include <abstractions/audio>

This should also #include <abstractions/nameservice>

   deny @{PROC}/** r,

   @{HOME}/ r,
   @{HOME}/.config/** rwk,
   @{HOME}/.xchat2/ r,
   @{HOME}/.xchat2/** rwixk,
   @{HOME}/.config/ r,
   @{HOME}/.config/hexchat/ r,
   @{HOME}/.config/hexchat/** rwixk,
   @{HOME}/.kde/share/config/gtkrc-2.0 r,
   @{HOME}/.kde/share/config/oxygenrc r,
   @{HOME}/.*/lib/python*/** r,

   /bin/grep rix,
   /bin/uname rix,
   /bin/mkdir rix,
   /bin/rm rix,

   /usr/bin/grep rix,
   /usr/bin/uname rix,
   /usr/bin/mkdir rix,
   /usr/bin/rm rix,

   /dev/tty rwix,
   /dev/null rw,

   /etc/passwd r,
   /etc/group r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/resolv.conf r,
   /etc/gai.conf r,
   /etc/nsswitch.conf r,

The lines between /etc/passwd and /etc/nsswitch.conf could be removed with
abstractions/nameservice added.

   /etc/ld.so.cache r,
   /etc/machine-id r,
   /etc/os-release r,
   /etc/xdg/xfce4/helpers.rc r,
   /etc/xfce4/defaults.list r,
   /etc/python*/sitecustomize.py r,

   /lib/*-linux-gnu/** mr,

This line is very broad -- and overlaps with a lot of the libraries listed
in abstractions/base -- if you found any libraries that are DENIED because
they don't match a rule already in abstractions/base, it would be best to
list them with a specific rule.

   /usr/bin/xchat rix,
   /usr/bin/xdg-open rix,
   /usr/bin/dbus-send rix,
   /usr/bin/xprop  rix,
   /usr/bin/exo-open rix,
   /usr/bin/sensible-browser rix,
   /usr/bin/zenity rix,
   /usr/bin/torbrowser rix,
   /usr/bin/basename rix,
   /usr/bin/kde4-config rix,
   /usr/bin/aplay rix,

I'm really worried about these. I can appreciate trying to provide a
profile that lets people click on links as usual, but actually running
these applications in hexchat's profile will lead to bugs.

This also means the hexchat profile may need to be much wider, just to
accommodate these other programs.


   /usr/lib/*-linux-gnu/** mrix,

This line is also very broad -- and shouldn't be needed with
abstractions/base.

   /usr/lib/xchat/plugins/* mr,
   /usr/lib/perl*/** mr,
   /var/lib/snapd/desktop/applications/ r,

Granting permission to read this directory without permission to read the
*.desktop files is a bit wasted. What happens if this is denied?

   ## The Ux permission is too dangerous to be enabled by default.
   #/usr/lib/firefox-esr/firefox* Ux,

   /usr/lib/python*/lib-dynload/*.so mr,

   /usr/local/lib/python*/dist-packages/ r,
   /usr/local/lib/python*/dist-packages/* r,

   /usr/share/icons/** r,
   /usr/share/enchant/* r,
   /usr/share/myspell/dicts/ r,
   /usr/share/hunspell/ r,
   /usr/share/hunspell/* r,
   /usr/share/ca-certificates/** r,
   /usr/share/xfce4/helpers/* r,
   /usr/share/xfce4/applications/ r,
   /usr/share/xfce4/applications/mimeinfo.cache r,
   /usr/share/zenity/* r,
   /usr/share/fontconfig/** r,
   /usr/share/poppler/cMap/ r,
   /usr/share/poppler/cMap/** r,
   /usr/share/perl*/** mr,
   /usr/share/tcltk/tcl8.5/* r,
   /usr/share/pyshared/* r,
   /usr/share/aspell/ r,
   /usr/share/aspell/** r,

   /var/lib/aspell/* r,

   /run/*/resolv.conf r,

This shouldn't be needed with abstractions/nameservice added.


I know that the helper applications are a difficult point here. The more
secure option is to prevent them from being used. The friendliest option
is to use PUx execution rules to either launch them confined, if the user
has profiles for them, or unconfined, if the user doesn't have profiles.

But having an unconfined way out of the profile drastically reduces the
value of the profile.

Desktop applications are difficult to confine because many users want to
use them to do everything. Other users don't mind some restrictions for
security gains. And it's very hard to provide one profile for both.

It may not make sense to enable the profile by default. I'd rather have
the tighter profile, without helper applications, but that may not reflect
what most users would actually want.

Thanks

#951331#26
Date:
2021-10-04 11:23:29 UTC
From:
To:
Hi Patrick,

I realize only now that you probably haven't seen this email from Seth,
since he sent it only to the bug report and not also to the reporters.

Could you please revise your patch following their suggestions?

https://bugs.debian.org/951331#23


- Mattia

#951331#33
Date:
2022-01-15 18:05:14 UTC
From:
To:
Mattia Rizzolo:


This has been done. Please check. Also pull requests welcome.

Kind regards,
Patrick

#951331#36
Date:
2022-01-16 08:30:16 UTC
From:
To:
Hello,

Bug #951331 in hexchat reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/hexchat/-/commit/16083bcf2486f33f0020f332e0d30bf8fa363f4b
------------------------------------------------------------------------
Include an apparmor profile.

Closes: #951331
Thanks: Patrick Schleizer <adrelanos@whonix.org> for the contribution
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/951331

#951331#41
Date:
2022-01-16 08:40:12 UTC
From:
To:
I'm asking friends for testing (since I don't use it).


I already committed to a separate branch, though I expect to just merge
it soon and upload.

I hope further improvements get sent our way too ^^

#951331#44
Date:
2022-01-17 16:27:14 UTC
From:
To:
Control: tag -1 -pending

Unfortunately, that testing showed some issues.

[329190.993264] audit: type=1400 audit(1642420765.354:126): apparmor="DENIED" operation="connect" profile="/usr/bin/hexchat" pid=967103 comm="hexchat" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-0fDmto1XGK" peer="unconfined"
[329191.029276] audit: type=1400 audit(1642420765.390:127): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/usr/share/enchant-2/enchant.ordering" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.033456] audit: type=1400 audit(1642420765.394:128): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/etc/machine-id" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.033463] audit: type=1400 audit(1642420765.394:129): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/etc/machine-id" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.034635] audit: type=1400 audit(1642420765.394:130): apparmor="DENIED" operation="connect" profile="/usr/bin/hexchat" name="/run/user/1000/bus" pid=967103 comm="hexchat" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[329191.035041] audit: type=1400 audit(1642420765.398:131): apparmor="DENIED" operation="connect" profile="/usr/bin/hexchat" name="/run/user/1000/bus" pid=967103 comm="pool-hexchat" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[329191.090387] audit: type=1400 audit(1642420765.450:132): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/usr/share/enchant-2/enchant.ordering" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.248574] audit: type=1400 audit(1642420765.610:133): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/home/user/.local/lib/python3.8/site-packages/" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[329191.248637] audit: type=1400 audit(1642420765.610:134): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/usr/local/lib/python3.8/dist-packages/" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.260383] audit: type=1400 audit(1642420765.622:135): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/home/user/.local/lib/python3.8/site-packages/" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


So, in particular, it seems that:

* file transfer is not working anymore
* loading of plugins seems to have some issues

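A small triage helper for kernel audit lines like the ones in the report above, added here as an example and not part of the bug report, the Whonix profile or the hexchat package. It parses apparmor="DENIED" events, drops the repeats (the /etc/machine-id and enchant.ordering denials appear several times) and turns each into a candidate rule for a reviewer to compare against the profile; the path widening (@{HOME}, /run/user/[0-9]*, python3*), the owner prefix and the unix rule shape are my heuristics in the spirit of aa-logprof, not its output.

```python
import re

# Four audit lines copied from the test report above (not constructed).
SAMPLE_LOG = """\
[329190.993264] audit: type=1400 audit(1642420765.354:126): apparmor="DENIED" operation="connect" profile="/usr/bin/hexchat" pid=967103 comm="hexchat" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-0fDmto1XGK" peer="unconfined"
[329191.029276] audit: type=1400 audit(1642420765.390:127): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/usr/share/enchant-2/enchant.ordering" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[329191.034635] audit: type=1400 audit(1642420765.394:130): apparmor="DENIED" operation="connect" profile="/usr/bin/hexchat" name="/run/user/1000/bus" pid=967103 comm="hexchat" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[329191.248574] audit: type=1400 audit(1642420765.610:133): apparmor="DENIED" operation="open" profile="/usr/bin/hexchat" name="/home/user/.local/lib/python3.8/site-packages/" pid=967103 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_ORDER = "rwklmx"  # AppArmor file permission letters in conventional order


def parse_event(line):
    """Split one audit line into key=value fields; return None unless it is an AppArmor DENIED event."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def generalize(path):
    """Heuristic widening (my assumption, not aa-logprof's) so one denial yields a reusable rule."""
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
    path = re.sub(r"^/run/user/\d+/", "/run/user/[0-9]*/", path)
    return re.sub(r"python3\.\d+", "python3*", path)


def suggest_rule(ev):
    """Map a denial to a candidate profile line for a human to review, not to apply blindly."""
    if ev.get("family") == "unix":
        access = ", ".join(ev["denied_mask"].split())
        addr = re.sub(r"@/tmp/dbus-\S+", "@/tmp/dbus-*", ev.get("peer_addr", ""))
        return f'unix ({access}) type={ev["sock_type"]} peer=(addr="{addr}"),'
    perms = "".join(p for p in PERM_ORDER if p in ev["denied_mask"])
    # fsuid == ouid means the process touched its own file: restrict with "owner"
    owner = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
    return f'{owner}{generalize(ev["name"])} {perms},'


def triage(log_text):
    """Return the unique candidate rules for a log, in first-seen order (repeats collapsed)."""
    rules = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and (rule := suggest_rule(ev)) not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in triage(SAMPLE_LOG):
        print(rule)
```

Each suggested line still needs a judgement call: the unix/bus denials point at the dbus session abstractions rather than ad-hoc rules, and the denied paths for enchant-2 should be checked against the profile as committed.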
#951331#51
Date:
2026-04-05 15:24:39 UTC
From:
To:
Hi,

I am working on the package for the new HexChat fork, ZoiteChat. You can
see the ITP at https://bugs.debian.org/1128236 .

I would like to include an AppArmor profile if that makes sense. I see
this was still a work in progress at the last update, have there been
any improvements since 2022?

sney

#951331#54
Date:
2026-04-10 09:31:12 UTC
From:
To:
Thank you!

I've been kind of MIA in the past months/years, but I am around. Feel
free to holler if you need help.

Haven't heard anything from anybody nope.