Hi, On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote: > On Fri, 2017 Sep 29 00:18+0200, Guido Günther wrote: > > > > Attaching this to the report is fine. I can handle it from there. > > Okay, greatly appreciated. My current profile is attached. Please Cc: me > on the new bug report. > > As it happens, this file is identical to the current version of the > profile in the apparmor-profiles Git repository, with the exception of > the Debian alias lines. > > It seems that the AppArmor folks accepted my changes in the merge > request, not by approving the merge, but by applying the changes to a > new version-specific copy in the repo. They added a few more things of > their own, which I have in turn merged into my/this copy. > > I never heard anything from them about this, however; I learned about > this only now that I diffed my profile with their latest. Their process > could certainly stand to be more transparent.
This is #877391 against chromium. I've added some rules to allow access to some more files that popped up as denials and pulled in the browser abstraction verbatim. Thanks! -- Guido > # Author: Jamie Strandboge <ja...@canonical.com> > #include <tunables/global> > > # Debian compatibility aliases > # https://bugs.debian.org/742829 > # > alias /etc/chromium-browser/ -> /etc/chromium/, > alias /usr/bin/chromium-browser -> /usr/bin/chromium, > alias /usr/lib/chromium-browser/chromium-browser-sandbox -> > /usr/lib/chromium/chrome-sandbox, > alias /usr/lib/chromium-browser/chromium-browser -> > /usr/lib/chromium/chromium, > alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/, > > # We need 'flags=(attach_disconnected)' in newer chromium versions > /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) { > #include <abstractions/audio> > #include <abstractions/cups-client> > #include <abstractions/dbus-session> > #include <abstractions/dbus-strict> > #include <abstractions/gnome> > #include <abstractions/ibus> > #include <abstractions/nameservice> > #include <abstractions/user-tmp> > > # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if > # you want access to productivity applications, adjust the following file > # accordingly. 
> #include <abstractions/ubuntu-browsers.d/chromium-browser> > > # Networking > network inet stream, > network inet6 stream, > @{PROC}/[0-9]*/net/if_inet6 r, > @{PROC}/[0-9]*/net/ipv6_route r, > > # Should maybe be in abstractions > /etc/mime.types r, > /etc/mailcap r, > /etc/mtab r, > /etc/xdg/xubuntu/applications/defaults.list r, > owner @{HOME}/.local/share/applications/defaults.list r, > owner @{HOME}/.local/share/applications/mimeinfo.cache r, > > @{PROC}/[0-9]*/fd/ r, > @{PROC}/filesystems r, > @{PROC}/ r, > @{PROC}/[0-9]*/task/[0-9]*/stat r, > owner @{PROC}/[0-9]*/cmdline r, > owner @{PROC}/[0-9]*/io r, > owner @{PROC}/[0-9]*/setgroups w, > owner @{PROC}/[0-9]*/{uid,gid}_map w, > @{PROC}/[0-9]*/smaps r, > owner @{PROC}/[0-9]*/stat r, > @{PROC}/[0-9]*/statm r, > owner @{PROC}/[0-9]*/status r, > owner @{PROC}/[0-9]*/task/[0-9]*/status r, > deny @{PROC}/[0-9]*/oom_{,score_}adj w, > @{PROC}/sys/kernel/yama/ptrace_scope r, > @{PROC}/sys/net/ipv4/tcp_fastopen r, > > # Newer chromium needs these now > /etc/udev/udev.conf r, > /sys/devices/**/uevent r, > /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r, > /sys/devices/system/node/node*/meminfo r, > /sys/devices/pci[0-9]*/**/class r, > /sys/devices/pci[0-9]*/**/device r, > /sys/devices/pci[0-9]*/**/irq r, > /sys/devices/pci[0-9]*/**/resource r, > /sys/devices/pci[0-9]*/**/vendor r, > /sys/devices/pci[0-9]*/**/removable r, > /sys/devices/pci[0-9]*/**/block/**/size r, > /sys/devices/virtual/block/**/removable r, > /sys/devices/virtual/block/**/size r, > /sys/devices/virtual/tty/tty*/active r, > # This is requested, but doesn't seem to actually be needed so deny for now > deny /run/udev/data/** r, > > # Needed for the crash reporter > owner @{PROC}/[0-9]*/auxv r, > > # chromium mmaps all kinds of things for speed. 
> /etc/passwd m, > /usr/share/fonts/truetype/**/*.tt[cf] m, > /usr/share/fonts/**/*.pfb m, > /usr/share/mime/mime.cache m, > /usr/share/icons/**/*.cache m, > owner /{dev,run}/shm/pulse-shm* m, > owner @{HOME}/.local/share/mime/mime.cache m, > owner /tmp/** m, > > @{PROC}/sys/kernel/shmmax r, > owner /{dev,run}/shm/{,.}org.chromium.* mrw, > owner /{,var/}run/shm/shmfd-* mrw, > > /usr/lib/chromium-browser/*.pak mr, > /usr/lib/chromium-browser/locales/* mr, > > # Noisy > deny /usr/lib/chromium-browser/** w, > > capability sys_admin, > capability sys_chroot, > capability sys_ptrace, > > # Allow ptracing ourselves > ptrace (trace) peer=@{profile_name}, > > # Make browsing directories work > / r, > /**/ r, > > # Allow access to documentation and other files the user may want to look > # at in /usr > /usr/{include,share,src}** r, > > # Default profile allows downloads to ~/Downloads and uploads from ~/Public > owner @{HOME}/ r, > owner @{HOME}/Public/ r, > owner @{HOME}/Public/* r, > owner @{HOME}/Downloads/ r, > owner @{HOME}/Downloads/* rw, > > # For migration > owner @{HOME}/.mozilla/firefox/profiles.ini r, > owner @{HOME}/.mozilla/firefox/*/prefs.js r, > > # Helpers > /usr/bin/xdg-open ixr, > /usr/bin/gnome-open ixr, > /usr/bin/gvfs-open ixr, > /usr/bin/kdialog ixr, > # TODO: xfce > > # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** > # which is provided by abstractions/ubuntu-browsers.d/user-files). 
> /etc/firefox/profile/bookmarks.html r, > owner @{HOME}/.mozilla/** k, > > # Chromium Policies > /etc/chromium-browser/policies/** r, > > # Chromium configuration > owner @{HOME}/.pki/nssdb/* rwk, > owner @{HOME}/.cache/chromium/ rw, > owner @{HOME}/.cache/chromium/** rw, > owner @{HOME}/.cache/chromium/Cache/* mr, > owner @{HOME}/.config/chromium/ rw, > owner @{HOME}/.config/chromium/** rwk, > owner @{HOME}/.config/chromium/**/Cache/* mr, > owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, > owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, > > # Allow transitions to ourself and our sandbox > /usr/lib/chromium-browser/chromium-browser ix, > /usr/lib/chromium-browser/chromium-browser-sandbox cx -> > chromium_browser_sandbox, > /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox, > > # Allow communicating with sandbox > unix (receive, send) > peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox), > > /{usr/,}bin/ps Uxr, > /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings, > /usr/bin/xdg-settings Cxr -> xdgsettings, > /usr/bin/lsb_release Cxr -> lsb_release, > > # GSettings > owner /{,var/}run/user/*/dconf/ rw, > owner /{,var/}run/user/*/dconf/user rw, > owner @{HOME}/.config/dconf/user r, > > profile xdgsettings { > #include <abstractions/bash> > #include <abstractions/gnome> > > /{usr/,}bin/dash ixr, > > /etc/ld.so.cache r, > /etc/xdg/** r, > /usr/bin/xdg-settings r, > /usr/lib/chromium-browser/xdg-settings r, > /usr/share/applications/*.desktop r, > > # Checking default browser > /{usr/,}bin/grep ixr, > /{usr/,}bin/readlink ixr, > /{usr/,}bin/sed ixr, > /{usr/,}bin/which ixr, > /usr/bin/basename ixr, > /usr/bin/cut ixr, > > # Setting the default browser > /{usr/,}bin/mkdir ixr, > /{usr/,}bin/mv ixr, > /{usr/,}bin/touch ixr, > /usr/bin/dirname ixr, > /usr/bin/gconftool-2 ix, > /usr/bin/[gm]awk ixr, > /usr/bin/xdg-mime ixr, > owner @{HOME}/.local/share/applications/ w, > owner 
@{HOME}/.local/share/applications/mimeapps.list* rw, > } > > profile lsb_release { > #include <abstractions/base> > #include <abstractions/python> > /usr/bin/lsb_release r, > /{usr/,}bin/dash ixr, > /usr/bin/dpkg-query ixr, > /usr/include/python2.[4567]/pyconfig.h r, > /etc/lsb-release r, > /etc/debian_version r, > /etc/dpkg/origins/** r, > /usr/share/distro-info/** r, > /var/lib/dpkg/** r, > > /usr/local/lib/python3.[0-9]/dist-packages/ r, > /usr/bin/ r, > /usr/bin/python3.[0-9] mr, > } > > > # Site-specific additions and overrides. See local/README for details. > #include <local/usr.bin.chromium-browser> > > profile chromium_browser_sandbox { > # Be fanatical since it is setuid root and don't use an abstraction > /{usr/,}lib/libgcc_s.so* mr, > /{usr/,}lib/@{multiarch}/libgcc_s.so* mr, > /{usr/,}lib{,32,64}/libm-*.so* mr, > /{usr/,}lib/@{multiarch}/libm-*.so* mr, > /{usr/,}lib{,32,64}/libpthread-*.so* mr, > /{usr/,}lib/@{multiarch}/libpthread-*.so* mr, > /{usr/,}lib{,32,64}/libc-*.so* mr, > /{usr/,}lib/@{multiarch}/libc-*.so* mr, > /{usr/,}lib{,32,64}/libld-*.so* mr, > /{usr/,}lib/@{multiarch}/libld-*.so* mr, > /{usr/,}lib{,32,64}/ld-*.so* mr, > /{usr/,}lib/@{multiarch}/ld-*.so* mr, > /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, > /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, > /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, > /usr/lib/libstdc++.so* mr, > /usr/lib/@{multiarch}/libstdc++.so* mr, > /etc/ld.so.cache r, > > # Required for dropping into PID namespace. Keep in mind that until the > # process drops this capability it can escape confinement, but once it > # drops CAP_SYS_ADMIN we are ok. 
> capability sys_admin, > > # All of these are for sanely dropping from root and chrooting > capability chown, > capability fsetid, > capability setgid, > capability setuid, > capability dac_override, > capability sys_chroot, > > capability sys_ptrace, > ptrace (read, readby), > > signal (receive) peer=unconfined, > signal peer=@{profile_name}, > signal (receive, send) set=("exists"), > signal (receive) peer=/usr/lib/chromium-browser/chromium-browser, > > unix (receive, send) > peer=(label=/usr/lib/chromium-browser/chromium-browser), > unix (create), > unix peer=(label=@{profile_name}), > unix (getattr, getopt, setopt, shutdown) addr=none, > > @{PROC}/ r, > @{PROC}/[0-9]*/ r, > @{PROC}/[0-9]*/fd/ r, > deny @{PROC}/[0-9]*/oom_adj w, > deny @{PROC}/[0-9]*/oom_score_adj w, > @{PROC}/[0-9]*/status r, > @{PROC}/[0-9]*/task/[0-9]*/stat r, > > /usr/bin/chromium-browser r, > /usr/lib/chromium-browser/chromium-browser Px, > /usr/lib/chromium-browser/chromium-browser-sandbox r, > /usr/lib/chromium-browser/chrome-sandbox mr, > > /dev/null rw, > > owner /tmp/** rw, > } > }