And the chromium profile, with the warnings that
1. It really isn't ready to be generally deployed; it will certainly need 
some modification for Debian
2. It uses an undocumented permission modifier "other" which will never be 
officially supported
3. Its usefulness is questionable due to the broad perms it currently requires


# Last Modified: Sun Apr  2 02:54:46 2017
#include <tunables/global>

# Author: Jamie Strandboge <ja...@canonical.com>
# We need 'flags=(attach_disconnected)' in newer chromium versions


# AppArmor profile for the chromium-browser binary. The variables @{HOME},
# @{PROC}, @{pid} and @{multiarch} used below are expected to come from the
# <tunables/global> include above; @{profile_name} is the parser's built-in
# name of the profile currently being defined.
#
# NOTE(review): the header line and several dbus rules below appear to have
# been wrapped onto two lines by the mail client. AppArmor rules are written on
# a single line, so re-join them before attempting to load this profile.
#
# attach_disconnected: objects whose path has been disconnected from the
# namespace root are matched as if relative to / (see the author note above).
profile chromium /usr/lib/chromium-browser/chromium-browser 
flags=(attach_disconnected) {
  # The abstractions pulled in here are not shown on this page; the effective
  # permission set is the union of these includes and the explicit rules below.
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers.d/chromium-browser>
  #include <abstractions/user-tmp>
  #include <local/usr.bin.chromium-browser>

  # deny rules take precedence over any allow coming from the includes above.
  # The browser process is kept out of ptrace-capability scope; the 'sandbox'
  # child profile at the bottom is the one granted sys_ptrace.
  deny capability sys_ptrace,

  # sys_admin is the catch-all capability; granting it (with sys_chroot) to the
  # main browser process is the "broad perms" caveat from the cover note.
  capability sys_admin,
  capability sys_chroot,

  # Stream (TCP-style) sockets only, IPv4 and IPv6; no datagram or raw sockets
  # are granted by this profile itself.
  network inet stream,
  network inet6 stream,

  # System-bus D-Bus calls: UPower (power/battery) and BlueZ agent teardown.
  # The first rule uses an unquoted bus=system while the rest use bus="system";
  # presumably both parse, but the mix is worth normalising.
  dbus send bus=system path="/org/freedesktop/UPower" 
interface="org.freedesktop.UPower" member="EnumerateDevices",
  # The next two rules are byte-identical; one of them can be dropped.
  dbus send bus="system" path="/org/freedesktop/UPower/devices/battery_BAT0" 
interface="org.freedesktop.DBus.Properties" member="GetAll",
  dbus send bus="system" path="/org/freedesktop/UPower/devices/battery_BAT0" 
interface="org.freedesktop.DBus.Properties" member="GetAll",
  dbus send bus="system" path="/" 
interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects",
  # No bus/path/interface/member restriction: any message addressed to the bus
  # daemon itself (org.freedesktop.DBus, running unconfined) is allowed.
  dbus send peer=(name=org.freedesktop.DBus label=unconfined),
  dbus send bus="system" path="/org/bluez" interface="org.bluez.AgentManager1" 
member="UnregisterAgent",

  # 'chromium//sandbox' is the 'sandbox' child profile defined at the bottom.
  signal send peer=chromium//sandbox,

  # ptrace is limited to processes confined by this same profile.
  ptrace trace peer=@{profile_name},

  # Unix-socket traffic with the sandbox child profile only.
  unix (receive, send) peer=(label=chromium//sandbox),

  # 'other' is the undocumented modifier called out in the cover note
  # (presumably the complement of 'owner', given the matching 'owner' rules
  # for the same paths below); do not expect it to parse on a stock parser.
  deny other /proc/@{pid}/stat r,
  deny other /proc/@{pid}/task/@{pid}/status r,
  deny other /dev/shm/shmfd-* rw,
  deny /run/udev/data/** r,
  deny /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
  # Keep the install tree read-only for the browser even if an include grants w.
  deny /usr/lib/chromium-browser/** w,
  # Block writes to the user-namespace mapping files (setgroups, uid_map,
  # gid_map) and to the OOM-score files of any process.
  deny @{PROC}/*/setgroups w,
  deny @{PROC}/*/{u,g}id_map rw,
  deny @{PROC}/[0-9]*/oom_{,score_}adj w,

  # Directory listings of the whole filesystem are readable.
  / r,
  /**/ r,
  # ix = run under this same profile. Ux = run unconfined (environment
  # scrubbed), so anything /bin/ps does is outside this profile's control.
  /bin/dash ix,
  /bin/ps rUx,
  owner /dev/shm/shmfd-* rw,
  # Video/camera device nodes, not restricted to owner.
  /dev/video* r,
  /etc/chromium-browser/policies/** r,
  /etc/firefox/profile/bookmarks.html r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  # m = PROT_EXEC mmap only; the plain read of /etc/passwd presumably comes
  # from abstractions/nameservice.
  /etc/passwd m,
  /etc/udev/udev.conf r,
  /etc/xdg/xubuntu/applications/defaults.list r,
  /proc/@{pid}/task/@{pid}/status r,
  /run/dbus/system_bus_socket rw,
  /run/shm/shmfd-* rw,
  # Hardware enumeration under /sys: USB ids, v4l names, PCI and block device
  # attributes, CPU topology/frequency. All read-only.
  /sys/devices/**/id{Vendor,Product} r,
  /sys/devices/**/video4linux/*/name r,
  /sys/devices/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
  /sys/devices/system/cpu/cpu*/topology/core_id r,
  /sys/devices/system/cpu/present r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/size r,
  /sys/devices/virtual/tty/tty0/active r,
  # Executable mmap of any user-owned file under /tmp; together with the read
  # access presumably supplied by abstractions/user-tmp this permits loading
  # code from /tmp.
  owner /tmp/** m,
  # Desktop helpers run under this same profile (ix); lsb_release and
  # xdg-settings transition to the child profiles below (Cx = named child
  # profile, environment scrubbed).
  /usr/bin/gnome-open rix,
  /usr/bin/gvfs-open rix,
  /usr/bin/kdialog rix,
  /usr/bin/lsb_release rCx -> lsb_release,
  /usr/bin/which ix,
  /usr/bin/xdg-open rix,
  /usr/bin/xdg-settings rCx -> xdgsettings,
  /usr/lib/chromium-browser/*.pak mr,
  # Both sandbox helpers move into the 'sandbox' child profile, which holds
  # the elevated capability set.
  /usr/lib/chromium-browser/chrome-sandbox cx -> sandbox,
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> sandbox,
  /usr/lib/chromium-browser/locales/* mr,
  /usr/lib/chromium-browser/xdg-settings rCx -> xdgsettings,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/icons/**/*.cache m,
  /usr/share/mime/mime.cache m,
  # NOTE(review): there is no '/' before '**', so this also matches siblings
  # such as /usr/share-foo; /usr/{include,share,src}/** may be what was meant.
  /usr/{include,share,src}** r,
  owner /{,var/}run/shm/shmfd-* mrw,
  owner /{,var/}run/user/*/dconf/ rw,
  owner /{,var/}run/user/*/dconf/user rw,
  owner /{dev,run}/shm/pulse-shm* m,
  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
  # Per-user state: cache and config trees (k = file locking), Firefox profile
  # import (read + lock only), the NSS certificate/key database, Downloads and
  # Public. All restricted to files owned by the invoking user.
  owner @{HOME}/ r,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
  owner @{HOME}/.cache/chromium/Cache/* mr,
  owner @{HOME}/.config/chromium/ rw,
  owner @{HOME}/.config/chromium/** rwk,
  owner @{HOME}/.config/chromium/**/Cache/* mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner @{HOME}/.mozilla/** k,
  owner @{HOME}/.mozilla/firefox/*/prefs.js r,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  # /proc access. Rules without 'owner' (fd/, smaps, statm, task/*/stat, the
  # net/ entries) apply to every pid the kernel's own DAC lets the process
  # see; the 'owner' rules are limited to the user's own processes.
  @{PROC}/ r,
  owner @{PROC}/*/stat r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/io r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/smaps r,
  owner @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/filesystems r,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/net/ipv4/tcp_fastopen r,


  # Child profile for /usr/bin/lsb_release (reached via rCx above). The
  # interpreter paths are pinned to specific Python versions (3.5 executable,
  # 3.[0-4] and 2.[4567] read-only); these are likely among the adjustments the
  # cover note says Debian will need.
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /bin/dash rix,
    /etc/apt/apt.conf.d/ r,
    /etc/debian_version r,
    /etc/default/apport r,
    /etc/lsb-release r,
    /usr/bin/ r,
    /usr/bin/dpkg-query rix,
    /usr/bin/lsb_release r,
    /usr/bin/python3.5 mr,
    /usr/bin/python3.[0-4] r,
    /usr/include/python2.[4567]/pyconfig.h r,
    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/share/distro-info/debian.csv r,
    /var/lib/dpkg/** r,

  }

  # Child profile for the chrome-sandbox / chromium-browser-sandbox helpers
  # (reached via cx -> sandbox above). This is where the elevated capability
  # set lives, including sys_ptrace, which the parent profile denies, and
  # setuid/setgid/chown/dac_override. It is the part of the policy to review
  # most carefully.
  profile sandbox {
    capability chown,
    capability dac_override,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    # set=exists is the existence probe (signal 0) in both directions; real
    # signals may be exchanged with same-profile processes, and received from
    # the parent 'chromium' profile and from unconfined processes.
    signal (receive send) set=exists,
    signal peer=@{profile_name},
    signal receive peer=chromium,
    signal receive peer=unconfined,

    # Unrestricted peer: may read any process it can reach, and be read by any.
    ptrace (read readby),

    unix (receive, send) peer=(label=chromium),
    unix (create),
    unix peer=(label=@{profile_name}),
    # addr=none: operations on sockets that have not been bound to an address.
    unix (getattr, getopt, setopt, shutdown) addr=none,

    deny @{PROC}/[0-9]*/oom_adj w,
    deny @{PROC}/[0-9]*/oom_score_adj w,

    /dev/null rw,
    /etc/ld.so.cache r,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib/@{multiarch}/libgcc_s.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib/libgcc_s.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    owner /run/shm/.org.chromium.Chromium.* rw,
    # Read/write of any user-owned file under /tmp while holding the
    # capabilities above.
    owner /tmp/** rw,
    /usr/bin/chromium-browser r,
    /usr/lib/@{multiarch}/libstdc++.so* mr,
    /usr/lib/chromium-browser/chrome-sandbox mr,
    # Px = transition to the profile attached to this path, i.e. back into the
    # 'chromium' profile, with the environment scrubbed.
    /usr/lib/chromium-browser/chromium-browser Px,
    /usr/lib/chromium-browser/chromium-browser-sandbox r,
    /usr/lib/libstdc++.so* mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

  }

  # Child profile for xdg-settings (reached via rCx above): a shell script
  # that shells out to the coreutils/sed/grep helpers listed here.
  profile xdgsettings {
    #include <abstractions/bash>
    #include <abstractions/gnome>

    # Connect to an unconfined peer's abstract-namespace socket named
    # @/tmp/dbus-* (the session bus daemon).
    unix (send, connect) peer=(label=unconfined addr=@/tmp/dbus-*),

    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /etc/ld.so.cache r,
    /usr/bin/[gm]awk rix,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    # ix without r, unlike the siblings; gconftool-2 inherits this profile.
    /usr/bin/gconftool-2 ix,
    /usr/bin/tr rix,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-settings r,
    /usr/lib/chromium-browser/xdg-settings r,
    /usr/share/applications/*.desktop r,
    # The only write access in this child profile: the user's default
    # application associations (mimeapps.list and, presumably, the temp files
    # mv/touch create next to it, hence w on the directory).
    owner @{HOME}/.local/share/applications/ w,
    owner @{HOME}/.local/share/applications/mimeapps.list* rw,

  }
}