From 122a26ac790c56a124397966293ddf110f768db8 Mon Sep 17 00:00:00 2001
From: Cameron Norman <camerontnorman@gmail.com>
Date: Tue, 10 Oct 2017 23:18:22 -0700
Subject: Add AppArmor profile

---
 .gitignore                        |  1 +
 Makefile.am                       | 20 +++++++++++++++++--
 configure.ac                      | 16 +++++++++++++++
 data/apparmor/usr.bin.redshift.in | 42 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 data/apparmor/usr.bin.redshift.in

diff --git a/.gitignore b/.gitignore
index 76659d4..077bca2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,6 +56,7 @@ src/redshift-gtk/__pycache__/
 /data/appdata/redshift-gtk.appdata.xml
 /data/applications/redshift.desktop
 /data/applications/redshift-gtk.desktop
+/data/apparmor/usr.bin.redshift
 
 *.su
 *.gch
diff --git a/Makefile.am b/Makefile.am
index 3f941d6..7e58f08 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -39,6 +39,9 @@ SYSTEMD_USER_UNIT_IN_FILES = \
 APPDATA_IN_FILES = \
 	data/appdata/redshift-gtk.appdata.xml.in
 
+APPARMOR_IN_FILES = \
+	data/apparmor/usr.bin.redshift.in
+
 
 # Icons
 if ENABLE_GUI
@@ -103,6 +106,17 @@ appdata_DATA = $(APPDATA_IN_FILES:.xml.in=.xml)
 endif
 
 
+# AppArmor profile
+if ENABLE_APPARMOR
+apparmordir = @sysconfdir@/apparmor.d
+apparmor_DATA = $(APPARMOR_IN_FILES:.in=)
+
+$(apparmor_DATA): $(APPARMOR_IN_FILES) Makefile
+	$(AM_V_GEN)$(MKDIR_P) $(@D) && \
+		sed -e "s|\@bindir\@|$(bindir)|g" "$(srcdir)/$(@:=.in)" > $@
+endif
+
+
 
 EXTRA_DIST = \
 	$(EXTRA_ROOTDOC_FILES) \
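Review bot: `apparmordir = @sysconfdir@/apparmor.d` follows the configured prefix, so with the default prefix the profile would land in `/usr/local/etc/apparmor.d`. AppArmor's loader normally reads `/etc/apparmor.d`, so `--enable-apparmor` without `--sysconfdir=/etc` probably installs a profile that is never loaded, leaving the binary unconfined with no warning. A comment above the assignment would help, e.g. `# Only picked up by AppArmor when sysconfdir is /etc (configure with --sysconfdir=/etc)`, or a configure-time warning. The recipe also redirects straight into `$@`, so a failing `sed` leaves a truncated profile that looks up to date. Writing to a temporary file first avoids that: `sed -e "s|\@bindir\@|$(bindir)|g" "$(srcdir)/$(@:=.in)" > $@.tmp && mv -f $@.tmp $@`.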
@@ -111,12 +125,14 @@ EXTRA_DIST = \
 	$(_UBUNTU_MONO_LIGHT_FILES) \
 	$(DESKTOP_IN_FILES) \
 	$(SYSTEMD_USER_UNIT_IN_FILES) \
-	$(APPDATA_IN_FILES)
+	$(APPDATA_IN_FILES) \
+	$(APPARMOR_IN_FILES)
 
 CLEANFILES = \
 	$(desktop_DATA) \
 	$(systemduserunit_DATA) \
-	$(appdata_DATA)
+	$(appdata_DATA) \
+	$(apparmor_DATA)
 
 
 # Update PO translations
diff --git a/configure.ac b/configure.ac
index 14663e2..be0b51a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -331,6 +331,21 @@ AS_IF([test -n "$with_systemduserunitdir" -a "x$with_systemduserunitdir" != xno]
 AM_CONDITIONAL([ENABLE_SYSTEMD], [test "x$enable_systemd" != xno])
 
 
+# Check for AppArmor
+AC_MSG_CHECKING([whether to enable AppArmor profile])
+AC_ARG_ENABLE([apparmor], [AC_HELP_STRING([--enable-apparmor],
+	[enable AppArmor profile])],
+        [enable_apparmor=$enableval],[enable_apparmor=no])
+AS_IF([test "x$enable_apparmor" != xno], [
+        AC_MSG_RESULT([yes])
+	enable_apparmor=yes
+], [
+        AC_MSG_RESULT([no])
+	enable_apparmor=no
+])
+AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" != xno])
+
+
 # Checks for header files.
 AC_CHECK_HEADERS([locale.h stdint.h stdlib.h string.h unistd.h signal.h])
 
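Review bot: `AC_HELP_STRING` in the new `AC_ARG_ENABLE` call is the obsolete spelling; Autoconf's documented replacement is `AS_HELP_STRING`. Prefer `[AS_HELP_STRING([--enable-apparmor], [enable AppArmor profile])]`, unless the rest of configure.ac deliberately keeps the old macro for consistency. The added lines also mix tabs with eight-space indentation. Since the option only toggles installation and probes nothing, a comment saying so would help packagers, e.g. `# Installs the profile only; does not check that AppArmor is present or that sysconfdir is /etc`.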
@@ -373,4 +388,5 @@ echo "
     GUI:		${enable_gui}
     Ubuntu icons:	${enable_ubuntu}
     systemd units:	${enable_systemd} ${systemduserunitdir}
+    AppArmor profile:   ${enable_apparmor}
 "
diff --git a/data/apparmor/usr.bin.redshift.in b/data/apparmor/usr.bin.redshift.in
new file mode 100644
index 0000000..d6696db
--- /dev/null
+++ b/data/apparmor/usr.bin.redshift.in
@@ -0,0 +1,42 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+@bindir@/redshift {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/X>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/GeoClue2/Client/[0-9]*,
+
+  dbus receive
+       bus=system
+       path=/org/freedesktop/GeoClue2/Manager,
+
+  # Allow but log any other dbus activity
+  audit dbus bus=system,
+
+  owner @{HOME}/.config/redshift.conf r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.redshift>
+}
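Review bot: `audit dbus bus=system,` is an allow rule, not only a logging rule. As far as I can tell it grants every D-Bus permission (send, receive, bind, eavesdrop) on the system bus to any peer, which makes the two GeoClue2 rules above it redundant and leaves system-bus access effectively unconfined. If it is meant as a temporary discovery aid, the comment should say so, e.g. `# TEMPORARY: permits all system-bus access while auditing; remove once the required rules are known`. Otherwise drop it and restrict the GeoClue2 rules to the service, for instance with `peer=(name=org.freedesktop.GeoClue2)`. Separately, `#include <local/usr.bin.redshift>` needs that file to exist and nothing in this commit installs it; on AppArmor versions where a missing include is an error, the whole profile would fail to load.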
-- 
cgit v1.2.3-70-g09d2