From dd72b5976bc4dccef37fcdb111f14d9627d6e8f3 Mon Sep 17 00:00:00 2001
From: robertmin2 <129261636+robertmin2@users.noreply.github.com>
Date: Fri, 12 Apr 2024 01:23:53 +0300
Subject: [PATCH] AppArmor Profiles for Electrum
AppArmor Profiles for Electrum
---
contrib/apparmor/README.md | 32 ++++++++++++++++++
contrib/apparmor/abstractions/electrum | 43 +++++++++++++++++++++++++
contrib/apparmor/electrum.appimage | 36 +++++++++++++++++++++
contrib/apparmor/usr.local.bin.electrum | 15 +++++++++
4 files changed, 126 insertions(+)
create mode 100644 contrib/apparmor/README.md
create mode 100644 contrib/apparmor/abstractions/electrum
create mode 100644 contrib/apparmor/electrum.appimage
create mode 100644 contrib/apparmor/usr.local.bin.electrum
diff --git a/contrib/apparmor/README.md b/contrib/apparmor/README.md
new file mode 100644
index 000000000..3cf582f79
--- /dev/null
+++ b/contrib/apparmor/README.md
@@ -0,0 +1,32 @@
+# Electrum AppArmor Profiles
+AppArmor is a Mandatory Access Control (MAC) system which confines programs to a limited set of resources.
+AppArmor confinement is provided via profiles loaded into the kernel.
+
+## Installation
+
+Copy the AppArmor profile from `contrib/apparmor/` to `/etc/apparmor.d/`:
+```
+sudo cp -R -L contrib/apparmor/* /etc/apparmor.d
+```
+Reload the AppArmor profiles to apply the changes:
+```
+sudo systemctl reload apparmor
+```
+Verify that the profile is loaded:
+```
+sudo apparmor_status
+```
+Look for the entry corresponding to `electrum`
+
+## Usage
+After installing the AppArmor profile, electrum will be restricted to the permissions specified in the profile.
+
+## Compatibility
+The help tab may not function as expected as browser permissions can be tricky (Tarball Binaries)
+
+These AppArmor profiles have been tested on the following operating systems:
+```
+Debian 12
+Ubuntu 23.10
+Kali Linux 6.6
+```
diff --git a/contrib/apparmor/abstractions/electrum b/contrib/apparmor/abstractions/electrum
new file mode 100644
index 000000000..299718752
--- /dev/null
+++ b/contrib/apparmor/abstractions/electrum
@@ -0,0 +1,43 @@
+include
+include
+include
+include
+include
+include
+include
+include
+include
+include
+include
+include if exists
+include if exists
+include if exists
+include if exists
+
+ owner @{PROC}/@{pid}/{mounts,fd/} r,
+
+ /{usr/,}sbin/ldconfig ix,
+ /{usr/,}bin/{file,dash,dirname,uname} rix,
+ /{usr/,}bin/@{multiarch}-gcc-8 ix,
+ /{usr/,}bin/@{multiarch}-ld.bfd ix,
+ /etc/mime.types r,
+ @{system_share_dirs}/{mime,icons}/{**,} r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** rw,
+ @{sys}/class/ r,
+ @{sys}/bus/ r,
+ /etc/udev/udev.conf r,
+ /etc/magic r,
+ @{sys}/devices/pci*/**/usb*/**{busnum,devnum,descriptors,speed,bConfigurationValue} r,
+ /dev/ r,
+ /{var/,}run/udev/data/* r,
+ @{sys}/bus/usb/devices/ r,
+ /{usr/,}/bin/uname rix,
+ owner @{user_share_dirs}/mime/** r,
+
+ /{,run/}user/**/dconf/* rw,
+ /{var/,}lib/dbus/** r,
+ /etc/apt/apt.conf.d/ r,
+ /etc/machine-id r,
+ /{usr/,}bin/xdg-open ix,
+ /{usr/,}bin/evince ix,
diff --git a/contrib/apparmor/electrum.appimage b/contrib/apparmor/electrum.appimage
new file mode 100644
index 000000000..53d0e3844
--- /dev/null
+++ b/contrib/apparmor/electrum.appimage
@@ -0,0 +1,36 @@
+# Credits : Mikhail Morfikov
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/fusermount{,3}
+profile fusermount @{exec_path} {
+ include
+ include
+
+ # To mount anything:
+ # fusermount: mount failed: Operation not permitted
+ capability sys_admin,
+
+ # For jmtpfs
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ # Where to mount ISO files
+ owner @{HOME}/*/ rw,
+ owner @{HOME}/*/*/ rw,
+ owner @{HOME}/.cache/**/ rw,
+
+ # Be able to mount ISO images
+ mount fstype={fuse,fuse.*},
+ unmount fstype={fuse,fuse.*},
+
+ /etc/fuse.conf r,
+
+ /dev/fuse rw,
+
+ @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
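Review bot: `/{usr/,}/bin/uname rix,` near the end of the first rule block has a doubled slash, so it expands to `//bin/uname` and `/usr//bin/uname` and will most likely never match the real binary; `uname` is already covered by `/{usr/,}bin/{file,dash,dirname,uname} rix,` earlier in the hunk, so the line can simply be dropped. The `xdg-open` and `evince` rules use `ix`, which runs the launched browser or viewer under Electrum's own confinement instead of its own profile — plausibly what the README's remark about the Help tab refers to — so a comment such as `# ix: the browser inherits this profile; switch to Px/Cx with a dedicated profile if xdg-open targets need more` would save the next reader the investigation. The `ldconfig`, `@{multiarch}-gcc-8` and `@{multiarch}-ld.bfd` execs look like a ctypes library lookup (inferred from the set of binaries, not shown here), and pinning `gcc-8` will not match the toolchain on the Debian 12 / Ubuntu 23.10 systems the README lists, so either widen the glob (`@{multiarch}-gcc-[0-9]*`) or comment why that exact version is wanted. The `<...>` targets of every `include` line — here and in the two profile files — are stripped in this rendering, so which abstractions are pulled in, and whether `/dev/bus/usb/** rw` is narrowed anywhere for hardware-wallet use, cannot be checked from this page.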
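Review bot: Despite its file name, this profile attaches to `/{usr/,}bin/fusermount{,3}` and therefore confines every FUSE mount helper invocation on the system, not the Electrum AppImage; nothing in the file names the AppImage binary, so the Electrum process started from it stays unconfined unless some other profile covers it. The only paths granted besides `/etc/fuse.conf` and `/dev/fuse` are `@{HOME}/*/`, `@{HOME}/*/*/` and `@{HOME}/.cache/**/`, so if the AppImage runtime mounts under `/tmp/.mount_*` as it does by default (not visible here — confirm against the runtime in use), fusermount will be denied its mount point and the AppImage will fail to start. A header comment such as `# Confines fusermount (used by the AppImage runtime to mount the image); it does NOT confine the Electrum AppImage itself` plus a rule like `owner /tmp/.mount_*/ rw,` would make the intent explicit and likely cover the default layout. The `# Where to mount ISO files` and `# For jmtpfs` comments are carried over from the generic upstream profile and should be reworded for this use, and `capability sys_admin` being granted system-wide to a setuid mount helper is worth stating in the README rather than presenting the file as an Electrum profile.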
diff --git a/contrib/apparmor/usr.local.bin.electrum b/contrib/apparmor/usr.local.bin.electrum
new file mode 100644
index 000000000..281c4c53a
--- /dev/null
+++ b/contrib/apparmor/usr.local.bin.electrum
@@ -0,0 +1,15 @@
+#Credits: Anton Nesterov
+abi ,
+
+include
+
+@{electrum_exec_path} = /{usr/,usr/local/,*/*/.local/,}bin/electrum
+
+profile electrum @{electrum_exec_path} {
+ include
+
+ @{electrum_exec_path} mr,
+ owner @{HOME}/.electrum/{**,} rw,
+ owner @{HOME}/.local/{**,} mrw,
+
+}
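Review bot: `owner @{HOME}/.local/{**,} mrw,` grants read, write and mmap-exec over the whole of `~/.local`, which includes `~/.local/bin/electrum` — one of the locations `@{electrum_exec_path}` attaches to — so the confined process is allowed to rewrite its own executable and everything else under `~/.local/bin` and `~/.local/share`, which defeats much of the point of the profile. If the rule exists for a `pip install --user` layout (inferred, not shown here), the usual split is `owner @{HOME}/.local/lib/python3*/site-packages/{**,} mr,` for the code plus a separate `rw` rule for the few data paths Electrum actually writes, so that nothing the profile maps executable is also writable. No `network` rule is visible in the profile; assuming the stripped `abi` target is `abi/3.0` or newer, socket access is mediated and will be denied unless the single (stripped) `include` supplies it, in which case the wallet cannot reach its servers and needs something like `network inet stream, network inet6 stream,`. A one-line header comment naming the three install locations the exec path covers would also help, since `*/*/.local/` is a non-obvious stand-in for `/home/<user>/.local/`.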