From a7b1aaa07aa1a95149db21c7d7abbdc5c9040f9c Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 30 Jul 2014 12:50:56 +0200 Subject: [PATCH 01/11] AppArmor profile for qutebrowser --- contrib/apparmor/usr.local.bin.qutebrowser | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 contrib/apparmor/usr.local.bin.qutebrowser diff --git a/contrib/apparmor/usr.local.bin.qutebrowser b/contrib/apparmor/usr.local.bin.qutebrowser new file mode 100644 index 000000000..df3b86ea8 --- /dev/null +++ b/contrib/apparmor/usr.local.bin.qutebrowser @@ -0,0 +1,62 @@ +# AppArmor profile for qutebrowser +# Tested on Debian jessie + +#include + +/usr/local/bin/qutebrowser { + + #include + capability dac_override, + + /etc/localtime r, + /etc/ld.so.cache r, + /etc/locale.alias r, + /etc/fonts/fonts.conf r, + /etc/fonts/conf.d/ r, + /etc/fonts/conf.d/* r, + /etc/fonts/conf.avail/* r, + /etc/ssl/openssl.cnf r, + /etc/nsswitch.conf r, + /etc/resolv.conf r, + /etc/host.conf r, + /etc/gai.conf r, + /etc/hosts r, + /etc/passwd r, + /etc/ssl/certs/ r, + + /usr/local/bin/ r, + /usr/local/bin/qutebrowser rix, + /usr/local/lib/python3.4/** r, + /usr/local/share/fonts/ r, + /usr/share/fonts/ r, + /usr/share/fonts/** r, + /usr/share/fontconfig/** r, + /usr/share/poppler/** r, + /usr/share/mime/** r, + /usr/share/ca-certificates/** r, + /usr/lib/x86_64-linux-gnu/** mr, + /usr/lib/mozilla/plugins/ r, + /usr/lib/gstreamer-0.10/ r, + /usr/lib/flashplugin-nonfree/libflashplayer.so mr, + /usr/lib/locale/locale-archive r, + /lib/x86_64-linux-gnu/* mr, + /var/cache/fontconfig/** r, + /proc/meminfo r, + /proc/** r, + /dev/urandom r, + /sys/devices/system/cpu/online r, + + /usr/lib/python3/ mr, + /usr/lib/python3/** mr, + /usr/lib/python3.4/ r, + /usr/lib/python3.4/** mr, + /usr/bin/python3.4 r, + + @{HOME}/.Xauthority r, + @{HOME}/.config/** krw, + @{HOME}/.local/** krw, + @{HOME}/.cache/** krw, + @{HOME}/.gstreamer-0.10/* krw, + +} + 
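Review bot: `capability dac_override,` near the top of the new profile lets the confined browser bypass file mode bits on every path the profile otherwise grants, which a user-level browser should not need; combined with the `krw` rules on `@{HOME}/.config/**`, `@{HOME}/.local/**` and `@{HOME}/.cache/**` at the end of the hunk, none of which carry the `owner` qualifier, that reaches into other users' home directories as well, since `@{HOME}` expands to every home directory the tunable covers. Drop the capability line and, if a denial then shows up in the audit log, add the specific path that needs it instead. Qualify the home rules, e.g. `owner @{HOME}/.config/** krw,`; the narrowed `@{HOME}/.config/qutebrowser/**` rules in the second hunk of "[PATCH 03/11]" have the same gap. The `#include` directives appear without a target in this rendering, so which abstractions are pulled in cannot be checked here.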
From c7da703af539b177d6f49da1304f804ca7a0ee11 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 11:37:24 +0200 Subject: [PATCH 02/11] mv --- .../apparmor/{usr.local.bin.qutebrowser => usr.bin.qutebrowser} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename contrib/apparmor/{usr.local.bin.qutebrowser => usr.bin.qutebrowser} (100%) diff --git a/contrib/apparmor/usr.local.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser similarity index 100% rename from contrib/apparmor/usr.local.bin.qutebrowser rename to contrib/apparmor/usr.bin.qutebrowser From 182d9cf33cfff25f159e6110491731cbb867bb40 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:10:35 +0200 Subject: [PATCH 03/11] improved AppArmor profile --- contrib/apparmor/usr.bin.qutebrowser | 50 ++++++++++------------------ 1 file changed, 17 insertions(+), 33 deletions(-) mode change 100644 => 100755 contrib/apparmor/usr.bin.qutebrowser diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser old mode 100644 new mode 100755 index df3b86ea8..7abd3ee76 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser 
@@ -3,48 +3,33 @@ #include -/usr/local/bin/qutebrowser { +/usr/bin/qutebrowser { + #include + #include + #include + #include + #include #include + capability dac_override, - /etc/localtime r, - /etc/ld.so.cache r, - /etc/locale.alias r, - /etc/fonts/fonts.conf r, - /etc/fonts/conf.d/ r, - /etc/fonts/conf.d/* r, - /etc/fonts/conf.avail/* r, - /etc/ssl/openssl.cnf r, /etc/nsswitch.conf r, /etc/resolv.conf r, /etc/host.conf r, - /etc/gai.conf r, /etc/hosts r, /etc/passwd r, + /etc/gai.conf r, + /etc/ssl/openssl.cnf r, /etc/ssl/certs/ r, - /usr/local/bin/ r, - /usr/local/bin/qutebrowser rix, + /usr/bin/ r, + /usr/bin/qutebrowser rix, + /usr/lib/python3.4/** r, /usr/local/lib/python3.4/** r, - /usr/local/share/fonts/ r, - /usr/share/fonts/ r, - /usr/share/fonts/** r, - /usr/share/fontconfig/** r, - /usr/share/poppler/** r, - /usr/share/mime/** r, /usr/share/ca-certificates/** r, - /usr/lib/x86_64-linux-gnu/** mr, - /usr/lib/mozilla/plugins/ r, - /usr/lib/gstreamer-0.10/ r, - /usr/lib/flashplugin-nonfree/libflashplayer.so mr, - /usr/lib/locale/locale-archive r, - /lib/x86_64-linux-gnu/* mr, - /var/cache/fontconfig/** r, - /proc/meminfo r, + /proc/** r, - /dev/urandom r, - /sys/devices/system/cpu/online r, /usr/lib/python3/ mr, /usr/lib/python3/** mr, @@ -52,11 +37,10 @@ /usr/lib/python3.4/** mr, /usr/bin/python3.4 r, - @{HOME}/.Xauthority r, - @{HOME}/.config/** krw, - @{HOME}/.local/** krw, - @{HOME}/.cache/** krw, - @{HOME}/.gstreamer-0.10/* krw, + @{HOME}/.config/qutebrowser/** krw, + @{HOME}/.local/share/qutebrowser/** krw, + @{HOME}/.cache/qutebrowser/** krw, + @{HOME}/.gstreamer-0.10/* r, } From eb1af05a7787cd1f92ef640ad1263fe80c135bd4 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:10:49 +0200 Subject: [PATCH 04/11] -x --- contrib/apparmor/usr.bin.qutebrowser | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 contrib/apparmor/usr.bin.qutebrowser 
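Review bot: `/proc/** r,` survives the rewrite on the new side while nearly every other broad read rule is replaced by an abstraction, yet it still grants read access to every process's procfs entries rather than only the browser's own. If the need is the browser's own status or mount information, `owner /proc/*/** r,` or the specific files would be the tighter grant. The hunk's `#include` lines have lost their targets in this rendering, so whether the removed `/etc/fonts/*` and library paths are actually covered by the new abstractions cannot be confirmed here; running the profile in complain mode and checking the audit log for denials would settle it. The profile block opened by `/usr/bin/qutebrowser {` closes outside this hunk.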
diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser old mode 100755 new mode 100644 From 2c0c4a5b6a9171bfd9c41ac61bd859d58368dae8 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:16:57 +0200 Subject: [PATCH 05/11] make python matching version independent --- contrib/apparmor/usr.bin.qutebrowser | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 7abd3ee76..3c42df56a 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -33,9 +33,9 @@ /usr/lib/python3/ mr, /usr/lib/python3/** mr, - /usr/lib/python3.4/ r, - /usr/lib/python3.4/** mr, - /usr/bin/python3.4 r, + /usr/lib/python3.?/ r, + /usr/lib/python3.?/** mr, + /usr/bin/python3.? r, @{HOME}/.config/qutebrowser/** krw, @{HOME}/.local/share/qutebrowser/** krw, From bfddd162d996d42229139cb83e3936895c187027 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:20:48 +0200 Subject: [PATCH 06/11] make it better and better --- contrib/apparmor/usr.bin.qutebrowser | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 3c42df56a..740b36196 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -25,9 +25,7 @@ /usr/bin/ r, /usr/bin/qutebrowser rix, - /usr/lib/python3.4/** r, - /usr/local/lib/python3.4/** r, - /usr/share/ca-certificates/** r, + /usr/bin/python3.? r, /proc/** r, @@ -35,7 +33,8 @@ /usr/lib/python3/** mr, /usr/lib/python3.?/ r, /usr/lib/python3.?/** mr, - /usr/bin/python3.? r, + /usr/local/lib/python3.?/** r, + /usr/share/ca-certificates/** r, @{HOME}/.config/qutebrowser/** krw, @{HOME}/.local/share/qutebrowser/** krw, From 9e205c88c2c25ac04b069a9e223dc64e8053e5ce Mon Sep 17 00:00:00 2001 
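Review bot: The `?` in `/usr/lib/python3.?/ r,`, `/usr/lib/python3.?/** mr,` and `/usr/bin/python3.? r,` matches exactly one character, so these rules stop matching as soon as the interpreter's minor version has two digits, and the same pattern is carried into "[PATCH 06/11]", "[PATCH 08/11]" and "[PATCH 11/11]". A character-class glob such as `/usr/lib/python3.[0-9]*/** mr,` covers both cases without widening the match to other directories, since a single `*` does not cross a `/`. Whichever form is kept, a short comment above the block saying why the version is globbed would help the next maintainer. The enclosing profile block starts and ends outside this hunk.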
From: Claude Date: Wed, 27 Aug 2014 12:29:03 +0200 Subject: [PATCH 07/11] and even bettererer --- contrib/apparmor/usr.bin.qutebrowser | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 740b36196..1315f7b4c 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -6,6 +6,7 @@ /usr/bin/qutebrowser { #include + #include #include #include #include @@ -14,12 +15,6 @@ capability dac_override, - /etc/nsswitch.conf r, - /etc/resolv.conf r, - /etc/host.conf r, - /etc/hosts r, - /etc/passwd r, - /etc/gai.conf r, /etc/ssl/openssl.cnf r, /etc/ssl/certs/ r, From 425fd1ea6bcd6c82c2e0ea73dcbbd84fa487dd35 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:45:07 +0200 Subject: [PATCH 08/11] +ssl-abstractions, -proc +tmp --- contrib/apparmor/usr.bin.qutebrowser | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 1315f7b4c..ab5abcdcc 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -7,6 +7,8 @@ #include #include + #include + #include #include #include #include @@ -15,21 +17,17 @@ capability dac_override, - /etc/ssl/openssl.cnf r, - /etc/ssl/certs/ r, - /usr/bin/ r, /usr/bin/qutebrowser rix, /usr/bin/python3.? r, - /proc/** r, - /usr/lib/python3/ mr, /usr/lib/python3/** mr, /usr/lib/python3.?/ r, /usr/lib/python3.?/** mr, /usr/local/lib/python3.?/** r, - /usr/share/ca-certificates/** r, + + /tmp/* krw, @{HOME}/.config/qutebrowser/** krw, @{HOME}/.local/share/qutebrowser/** krw, From 1da249f85bdc74cb13661c647281e6d46aea494e Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 12:50:33 +0200 Subject: [PATCH 09/11] allow detection of /tmp --- contrib/apparmor/usr.bin.qutebrowser | 1 + 1 file changed, 1 insertion(+) 
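Review bot: The six `/etc/*` reads removed in the second hunk (`nsswitch.conf`, `resolv.conf`, `host.conf`, `hosts`, `passwd`, `gai.conf`) are presumably now covered by the `#include` added in the first hunk, whose target is lost in this rendering; if that target is `abstractions/nameservice`, be aware it grants more than the removed lines, including the network rules the resolver needs, so the browser's network access would now come from an abstraction rather than an explicit rule. A one-line comment next to the include, e.g. `# nameservice: resolver config plus the inet/inet6 network rules`, would make that visible to whoever audits the profile later. The enclosing profile block starts and ends outside both hunks.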
diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index ab5abcdcc..9e9e76d87 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -27,6 +27,7 @@ /usr/lib/python3.?/** mr, /usr/local/lib/python3.?/** r, + /proc/*/mounts r, /tmp/* krw, @{HOME}/.config/qutebrowser/** krw, From 93040e0f30723724e13b98abaa6b626f7ef1bb9a Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 13:01:13 +0200 Subject: [PATCH 10/11] allow only to read/write own files --- contrib/apparmor/usr.bin.qutebrowser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 9e9e76d87..5b33f9bb2 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -28,7 +28,7 @@ /usr/local/lib/python3.?/** r, /proc/*/mounts r, - /tmp/* krw, + owner /tmp/** rwkl, @{HOME}/.config/qutebrowser/** krw, @{HOME}/.local/share/qutebrowser/** krw, From b683a643f0edbe33a603b2aacd5daff939fa3818 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 Aug 2014 13:10:06 +0200 Subject: [PATCH 11/11] allow for local and systemwide installations --- contrib/apparmor/usr.bin.qutebrowser | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/apparmor/usr.bin.qutebrowser b/contrib/apparmor/usr.bin.qutebrowser index 5b33f9bb2..2dc5398fe 100644 --- a/contrib/apparmor/usr.bin.qutebrowser +++ b/contrib/apparmor/usr.bin.qutebrowser @@ -3,7 +3,7 @@ #include -/usr/bin/qutebrowser { +profile qutebrowser /usr/{local/,}bin/qutebrowser { #include #include @@ -17,8 +17,8 @@ capability dac_override, - /usr/bin/ r, - /usr/bin/qutebrowser rix, + /usr/{local/,}bin/ r, + /usr/{local/,}bin/qutebrowser rix, /usr/bin/python3.? r, /usr/lib/python3/ mr,
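Review bot: `/proc/*/mounts r,` reads the mount table of any process, not only the browser's own; `owner /proc/*/mounts r,` keeps the grant to processes running as the same user. A rule on `/proc/self/mounts` would not help, because AppArmor matches the resolved path and `/proc/self` is a symlink, which is presumably why the wildcard form was chosen; a comment saying so (`# /proc/self resolves to /proc/<pid>, hence the wildcard`) would stop a later cleanup from "fixing" it. The enclosing profile block starts and ends outside this hunk.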
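Review bot: `owner /tmp/** rwkl,` does more than the subject "allow only to read/write own files" says: besides adding `owner`, it widens `/tmp/*` to the recursive `/tmp/**` and adds the `l` (link) permission, neither of which the message explains. If link creation is needed by some temp-file code path, a comment on the line naming it would justify the grant; otherwise `owner /tmp/** rwk,` is the smaller rule. The enclosing profile block starts and ends outside this hunk.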