[apparmor] [profile] for usr.lib.chromium.chromium
Christian Boltz
apparmor at cboltz.de
Tue Jan 8 21:56:22 UTC 2013
Hello,
(sorry, accidentally sent off-list before)
On Tuesday, 8 January 2013, you wrote:
> Here I attached profile for usr.lib.chromium.chromium
>
> Plus mozilla plugin support, gtalk plugin support
> (adjust your installation path if not /opt/google/talkplugin/)
I never used chromium, but I'll comment nevertheless on some things that
look "interesting" to me ;-)
> capability dac_override,
> capability setgid,
> capability setuid,
> capability sys_admin,
> capability sys_chroot,
> capability sys_ptrace,
Those are *lots* of capabilities for a browser.
Probably those lines explain it (moved here from the bottom of the
profile):
> /usr/lib/chromium/chromium mrix,
> /usr/lib/chromium/chromium-sandbox rix,
> /usr/lib/chromium/nacl_helper_bootstrap rix,
Assuming only one of them (chromium-sandbox?) needs the capabilities,
having a separate profile or child profile for it would be a good idea.
(You can probably easily find out which binary needs the capabilities -
just check which one has the suid or sgid bit set.)
> /home/*/.Xauthority r,
> /home/*/.cache/fontconfig/* mr,
> /home/*/.fonts/ r,
> /home/*/.gtkrc-2.0 r,
Shouldn't that be covered by abstractions? (If not, it should probably
go there.)
> /dev/shm/.org.chromium.Chromium.* rmkw,
Any reason for not using "owner" here?
> # WTF?
> /usr/share/fonts/** rm,
> /usr/share/icons/** rm,
> /usr/share/mime/** rm,
> /usr/local/share/mime/mime.cache rm,
I'm slightly wondering why "m" is needed.
> /run/udev/data/* r,
>
> /proc/*/ r,
> /proc/*/fd/ r,
On the longer term, all /proc/*/ should probably be /proc/@{pid}/
(you'll need the newest abstractions from bzr trunk for it)
> /sys/devices/pci0000:00/** r,
> /sys/devices/system/cpu/** r,
Not sure which information chromium needs exactly - and if there's
something sensitive in those /sys/devices/ directories.
> /usr/lib{,32,64}/** mr,
Looks very wide...
> /etc/udev/udev.conf r,
I guess/hope chromium doesn't read this file directly - something for an
abstraction?
What I'm missing in your profile is something like
owner /home/*/downloads/ r,
owner /home/*/downloads/** rw,
This could mean two things:
a) you didn't download any file while creating the profile
b) chromium has a clever(?) way to handle downloads in a separate,
unconfined process
Regards,
Christian Boltz
--
> The wiki is as much yours as it is ours, and if you think that
> someone deserves recognition by naming them, you don't need
> anybody's permission.
Then I must put my thanks to Bill Gates somewhere. He made me use
Linux. :-) [> Peter Flodin and houghi in opensuse-wiki]
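As an added illustration of the structure suggested in the reply above (this is not the profile from the original post, nor anything shipped by the chromium project), here is a trimmed profile that moves the capabilities into a child profile for chromium-sandbox, uses "owner" for per-user files, replaces /proc/*/ with @{PROC}/@{pid}/ and adds the download rules. It assumes that chromium-sandbox is the only one of the three binaries that needs the capabilities and that it re-executes the browser afterwards, that tunables/global provides @{HOME}, @{PROC} and @{pid} (the latter only in recent trunk, as noted above), and that the named abstractions exist in the installed AppArmor version. Everything else from the original profile is left out.

```apparmor
# Added example, not the profile from the original post or chromium's own
# packaging. Assumptions: chromium-sandbox is the only binary that needs the
# capabilities and re-execs the browser; @{HOME}, @{PROC} and @{pid} come
# from tunables/global; the included abstractions exist on the system.
#include <tunables/global>

/usr/lib/chromium/chromium {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/gnome>
  #include <abstractions/user-download>

  # The browser itself gets no capabilities at all. It re-execs its own
  # binary for subprocesses, hence ix.
  /usr/lib/chromium/chromium mrix,
  /usr/lib/chromium/nacl_helper_bootstrap rix,

  # The setuid sandbox helper runs under its own child profile (Cx), so the
  # capabilities are confined to that one binary instead of the whole browser.
  /usr/lib/chromium/chromium-sandbox Cx,

  # Per-user state: "owner" limits access to files owned by the calling user.
  owner /dev/shm/.org.chromium.Chromium.* rmkw,
  owner @{HOME}/.cache/chromium/** rwk,
  owner @{HOME}/.config/chromium/** rwk,

  # Downloads (the rules the reply noted were missing).
  owner @{HOME}/downloads/ r,
  owner @{HOME}/downloads/** rw,

  # Only the process's own /proc entries rather than /proc/*/.
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/stat r,

  # Read-only shared data; "m" (mmap as executable) is not needed here.
  /usr/share/fonts/** r,
  /usr/share/icons/** r,
  /usr/share/mime/** r,

  # Child profile: the only place the capabilities are granted.
  profile /usr/lib/chromium/chromium-sandbox {
    #include <abstractions/base>

    capability dac_override,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    /usr/lib/chromium/chromium-sandbox mr,

    # Assumption: the helper execs the browser again. Px sends that exec
    # back to the parent profile, so the capabilities do not follow it.
    /usr/lib/chromium/chromium Px,
  }
}
```

With this layout, "capability" denials logged for the browser process itself point at a real gap in the split (something other than chromium-sandbox needing a capability), rather than being hidden by a blanket grant in the parent profile.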