Hello,

On Tuesday, 11 February 2014, Seth Arnold wrote:
> Author: Jamie Strandboge <ja...@canonical.com>
> Description: chromium-browser profile
> Forwarded: yes
>
> ---
> profiles/apparmor.d/usr.bin.chromium-browser | 221

Just to make sure I understand this correctly - you propose to add this
profile to bzr trunk, to the set of default profiles, right?

Short summary: The profile contains some restrictions that will result in
quite some annoyed users (especially the restriction to ~/Public and
~/Downloads). Therefore I'm not sure if it should be in the set of profiles
that are enabled by default. I've been thinking for some time about
introducing an "apparmor-profiles-paranoid" package (with a big warning that
it _will_ break what a typical user often does) - maybe this profile would be
a reason to finally do it ;-)

See below for more details.

> Index: b/profiles/apparmor.d/usr.bin.chromium-browser
> ===================================================================
> --- /dev/null
> +++ b/profiles/apparmor.d/usr.bin.chromium-browser
> @@ -0,0 +1,221 @@
> +# Author: Jamie Strandboge <ja...@canonical.com>
> +#include <tunables/global>
> +
> +# We need 'flags=(attach_disconnected)' in newer chromium versions
> +/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
> + #include <abstractions/audio>
> + #include <abstractions/cups-client>
> + #include <abstractions/dbus-session>

Just curious - would dbus-session-strict be enough?

> + #include <abstractions/gnome>
> + #include <abstractions/ibus>
> + #include <abstractions/nameservice>
> + #include <abstractions/user-tmp>
> +
> + # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
> + # you want access to productivity applications, adjust the following file
> + # accordingly.
> + #include <abstractions/ubuntu-browsers.d/chromium-browser>

Users of other distributions will *love* ubuntu-browsers.d ;-)
I know that it's only a name, nevertheless it would be a good idea to rename
it (not the most urgent problem, but... ;-)

[...]

> + # Default profile allows downloads to ~/Downloads and uploads from ~/Public

This comment is wrong - uploads are allowed from ~/Public/ and ~/Downloads/ ;-)

That said: yes, I know this setup is very secure, but I'm also sure it will
cause some ;-) bug reports like "I can't download files to ~/coolstuff"

The perfect solution would be to wait for the content helper - what's the
current status there?

> + owner @{HOME}/ r,
> + owner @{HOME}/Public/ r,
> + owner @{HOME}/Public/* r,
> + owner @{HOME}/Downloads/ r,
> + owner @{HOME}/Downloads/* rw,
> +
> + # Helpers
> + /usr/bin/xdg-open ixr,
> + /usr/bin/gnome-open ixr,
> + /usr/bin/gvfs-open ixr,
> + # TODO: kde, xfce

Oh nice - this TODO will result in the next flood of bug reports (according to
a survey, > 70% of the openSUSE users use KDE as their desktop - guess how many
annoyed users and bug reports that means...)

Hint: For KDE, it is probably /usr/bin/kde-open

> + profile xdgsettings {
[...]
> + # Setting the default browser
[...]
> + owner @{HOME}/.local/share/applications/ w,

Hmm, why write permissions for the directory?

> + owner @{HOME}/.local/share/applications/mimeapps.list* rw,

Personally, I'd say a browser should never be allowed to change the default
browser (and I'd even forbid checking if it is the current default browser -
I'm not the biggest fan of the "hey, I'm not your default browser" warnings ;-)

Additionally, there's a chance that malicious code changes the default
application for a file the user just downloaded, which could in theory cause
some delayed remote code execution (somewhat similar to "stored XSS")

> + }
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.bin.chromium-browser>

Hiding this #include between two child profiles is, hmm, interesting ;-)
Can you move it to a more visible place, please? (like the end of the main
profile, above the child profiles)

> +profile chromium_browser_sandbox {
[...]
> + # *Sigh*
> + capability sys_ptrace,

Nice comment, but not too useful for the average user...


Regards,

Christian Boltz
-- 
Graphical??? What do you mean? Have you eaten too much meat from cattle that
were too "happy"? *scnr* Why the heck would anyone need that? A logo could
also be done in ASCII :) (Logo? Which logo? What for, anyway?)
[David Haller in suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
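Review bot: the download rule `owner @{HOME}/Downloads/* rw,` only matches files directly inside ~/Downloads, because a single `*` in an AppArmor path does not cross `/`; a save into any subfolder the user creates there (say ~/Downloads/2014/) is denied with no hint in the profile that this is intended. If nested folders are meant to work, write `owner @{HOME}/Downloads/** rw,` (and `owner @{HOME}/Public/** r,` for the upload side); if not, say so in the comment above the rules. Also, `capability sys_ptrace,` in the chromium_browser_sandbox child profile carries only `# *Sigh*`; state which part of the sandbox setup needs ptrace so a later reviewer can judge whether the capability can be dropped.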
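Added illustration, not code from the patch or from the AppArmor project: a simplified Python matcher for the handful of path rules quoted in the reply above. It expands @{HOME} (assumed here to be /home/alice), treats `*` as matching within one path component and `**` as crossing components, unions the permissions of every matching rule, and ignores the `owner` condition (every path is assumed to belong to the user). The rule lines are copied from the quoted profile; the `**` variant of the Downloads rule is a hypothetical relaxation, not something the patch contains. The subset of rule syntax it understands is deliberately small and it is not AppArmor's parser; it only shows why a save into a subfolder of ~/Downloads or into ~/coolstuff is refused by the quoted rules, and what the `**` form would change.

```python
import re

# Value assumed for the @{HOME} tunable in this example.
HOME = "/home/alice"

# Rules copied from the quoted profile.  The "owner" prefix is parsed but
# ownership is not modelled: every path is assumed to belong to the user.
PROFILE_RULES = """
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
"""

# Hypothetical relaxed variant (not in the patch): ** crosses directories.
RELAXED_RULES = PROFILE_RULES.replace("Downloads/* rw", "Downloads/** rw")


def glob_to_regex(pattern, variables):
    """Translate an AppArmor path glob into an anchored regular expression.

    Only the subset needed here is handled: @{VAR} expansion, '*' (any
    characters except '/'), '**' (any characters including '/') and '?'
    (one character except '/').  Brace alternation and character classes
    are not supported.
    """
    for name, value in variables.items():
        pattern = pattern.replace("@{%s}" % name, value)
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text, variables=None):
    """Parse 'owner <glob> <perms>,' lines into (regex, permission set) pairs."""
    variables = variables or {"HOME": HOME}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.rstrip(",").split()
        if tokens[0] == "owner":
            tokens = tokens[1:]          # ownership check not modelled
        path_glob, perms = tokens
        rules.append((glob_to_regex(path_glob, variables), set(perms)))
    return rules


def granted(rules, path):
    """Union of the permissions of every rule whose glob matches the path."""
    perms = set()
    for regex, rule_perms in rules:
        if regex.match(path):
            perms |= rule_perms
    return perms


def allowed(rules, path, mode):
    """True if every permission letter in mode is granted for the path."""
    return set(mode) <= granted(rules, path)


if __name__ == "__main__":
    strict = parse_rules(PROFILE_RULES)
    relaxed = parse_rules(RELAXED_RULES)
    for path, mode in [
        (HOME + "/Downloads/report.pdf", "w"),        # plain download
        (HOME + "/Downloads/2014/report.pdf", "w"),   # download into a subfolder
        (HOME + "/coolstuff/report.pdf", "w"),        # the "~/coolstuff" bug report
        (HOME + "/Public/photo.jpg", "r"),            # upload from ~/Public
        (HOME + "/Public/photo.jpg", "w"),            # download into ~/Public
    ]:
        print("%-40s %s  strict=%-5s relaxed=%s" % (
            path, mode, allowed(strict, path, mode), allowed(relaxed, path, mode)))
```

Running the block prints one line per probe; the only row on which the two rule sets differ is the subfolder download, which the quoted rules refuse and the `**` variant permits.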