[apparmor] Fwd: Re: [Patch 0/4] change accept node handling during expr tree set
Jamie Strandboge
jamie at canonical.com
Tue Jun 23 17:13:03 UTC 2015
I accidentally responded to John privately but meant to respond to the list, so
forwarding here.
-------- Forwarded Message --------
Subject: Re: [apparmor] [Patch 0/4] change accept node handling during expr tree set
Date: Mon, 22 Jun 2015 14:39:44 -0500
From: Jamie Strandboge <jamie at canonical.com>
To: John Johansen <john.johansen at canonical.com>
On 06/22/2015 12:59 PM, John Johansen wrote:
> This series of patches changes the way accept nodes are generated
> and the expression tree is set-up around them. It is a start to the
> backend refactoring and cleanup, and provides a nice little performance
> boost in most cases because
> 1. It reduces the number of accept nodes generated and considered during
> simplification/factoring, and node set building (shorter node sets
> to construct and compare)
> 2. It reduces the number of Alt nodes (used to combine the accept nodes)
> to consider during simplification, and node set building (again shorter
> node sets to construct and compare)
> 3. It reduces the number of nodes that must be considered in any given
> simplification pass, by separating out node sets that can't be
> simplified on the right hand simplification/factoring pass.
>
> The performance change is dependent on the profile being parsed, and
> there is no guarantee that it will be faster for all profiles. With that
> being said, I haven't seen any performance regressions+ and some fairly
> nice performance improvements so it's worth considering before the rest
> of the backend factoring is done.
>
> E.g., using a few example profile tests from a local machine, comparing
> the 2.9 parser in Ubuntu 14.10 against current 2.10 with these
> patches*
>
> profile    with tree simplification    -O no-expr-simplify
> -------    ------------------------    -------------------
> evince     22% faster                  10% faster
> firefox    40% faster                  11% faster
> chromium   32% faster                  11% faster
> cupsd      35% faster                   3% faster
> dnsmasq    12% faster                  17% faster
> dhclient   36% faster                   5% faster
> klogd       0%                          8% faster
>
> *Note: 2.10 is actually handicapped by a couple of fixes to change_profile
> encoding that cause its DFA to have a few extra nodes.
> +There was some regression in a few cases on individual runs, but when
> averaged over a few runs the timing variations resulted in small net
> wins in those cases.
I'm curious how this affects Ubuntu Touch and Core policy. Attached are three
profiles; can you try with these (and also add these three to wherever you are
storing the test profiles)? Also, what architecture was this on? Did you test on
ARM?
Thanks!
--
Jamie Strandboge http://www.ubuntu.com/
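A timing harness in the spirit of the comparison quoted above, added here as an example; it is not part of this thread or of the AppArmor project. It compiles each profile several times with an old and a new apparmor_parser, with and without the -O no-expr-simplify option John mentions, and reports the averaged "percent faster" per profile so that single-run noise (the "+" footnote above) is smoothed out. The variable names OLD_PARSER, NEW_PARSER, BENCH_PROFILES, INCLUDE_DIR and RUNS are this script's own; -Q (skip kernel load), -K (skip cache) and -I (include search path) are standard apparmor_parser options, and GNU date with %N is assumed for sub-second timing. Run it on the target architecture (e.g. an ARM device) to answer the question asked above.

```shell
#!/bin/sh
# Added example: apparmor_parser compile-time comparison harness.
# Assumes: OLD_PARSER and NEW_PARSER point at two apparmor_parser builds,
# BENCH_PROFILES is a space-separated list of profile files, INCLUDE_DIR
# holds the tunables/abstractions tree (default /etc/apparmor.d), and
# GNU date supports %N. RUNS compiles per cell (default 5).
set -e

RUNS=${RUNS:-5}

# Mean of the whitespace-separated numbers on stdin, printed with 3 decimals.
mean_seconds() {
    awk '{ for (i = 1; i <= NF; i++) { s += $i; n++ } }
         END { if (n) printf "%.3f\n", s / n; else print "nan" }'
}

# How much faster $2 (new seconds) is than $1 (old seconds), in rounded percent.
pct_faster() {
    awk -v o="$1" -v n="$2" \
        'BEGIN { if (o > 0) printf "%.0f\n", (o - n) / o * 100; else print "nan" }'
}

# Time one compile of a profile. -Q skips the kernel load and -K skips the
# cache, so only parsing and DFA construction are measured. Extra arguments
# (e.g. -O no-expr-simplify) are passed through to the parser.
time_parse() {
    parser=$1; profile=$2; shift 2
    start=$(date +%s.%N)
    "$parser" -Q -K -I "$INCLUDE_DIR" "$@" "$profile" >/dev/null
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" 'BEGIN { print e - s }'
}

# Average of RUNS compiles of profile $2 with parser $1 and extra arguments.
avg_parse() {
    parser=$1; profile=$2; shift 2
    i=0; times=""
    while [ "$i" -lt "$RUNS" ]; do
        times="$times $(time_parse "$parser" "$profile" "$@")"
        i=$((i + 1))
    done
    printf '%s\n' "$times" | mean_seconds
}

# One row per profile: default optimisation | -O no-expr-simplify.
run_bench() {
    printf '%-20s %8s %8s %7s | %8s %8s %7s\n' \
        profile old new faster old new faster
    for p in $BENCH_PROFILES; do
        o=$(avg_parse "$OLD_PARSER" "$p")
        n=$(avg_parse "$NEW_PARSER" "$p")
        on=$(avg_parse "$OLD_PARSER" "$p" -O no-expr-simplify)
        nn=$(avg_parse "$NEW_PARSER" "$p" -O no-expr-simplify)
        printf '%-20s %8s %8s %6s%% | %8s %8s %6s%%\n' \
            "$(basename "$p")" "$o" "$n" "$(pct_faster "$o" "$n")" \
            "$on" "$nn" "$(pct_faster "$on" "$nn")"
    done
}

# Only benchmark when profiles were given, so the helpers can be sourced alone.
if [ -n "${BENCH_PROFILES:-}" ]; then
    : "${OLD_PARSER:?set OLD_PARSER}" "${NEW_PARSER:?set NEW_PARSER}"
    : "${INCLUDE_DIR:=/etc/apparmor.d}"
    run_bench
fi
```

Because `set -e` is in effect, a profile that fails to compile with either parser aborts the run rather than silently producing a bogus row, which is what you want when comparing a patched parser against a released one.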
-------------- next part --------------
# Description: default AppArmor template
# Usage: common
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_APPNAME}="core"
@{APP_ID_DBUS}="default_5fcore_5f1_2e0_2e18"
@{APP_PKGNAME_DBUS}="default"
@{APP_PKGNAME}="default"
@{APP_VERSION}="1.0.18"
@{CLICK_DIR}="{/apps,/oem}"
profile "default_core_1.0.18" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/openssl>
# for python apps/services
#include <abstractions/python>
/usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,
# for perl apps/services
#include <abstractions/perl>
/usr/bin/perl{,5*} ixr,
# Explicitly deny ptrace for now since it can be abused to break out of the
# seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
audit deny ptrace (trace),
# Explicitly deny capability mknod so apps can't create devices
audit deny capability mknod,
# Explicitly deny mount, remount and umount so apps can't modify things in
# their namespace
audit deny mount,
audit deny remount,
audit deny umount,
# for bash 'binaries' (do *not* use abstractions/bash)
# user-specific bash files
/bin/bash ixr,
/bin/dash ixr,
/etc/bash.bashrc r,
/usr/share/terminfo/** r,
/etc/inputrc r,
deny @{HOME}/.inputrc r,
# Common utilities for shell scripts
/{,usr/}bin/{,g,m}awk ixr,
/{,usr/}bin/basename ixr,
/{,usr/}bin/bunzip2 ixr,
/{,usr/}bin/bzcat ixr,
/{,usr/}bin/bzdiff ixr,
/{,usr/}bin/bzgrep ixr,
/{,usr/}bin/bzip2 ixr,
/{,usr/}bin/cat ixr,
/{,usr/}bin/chmod ixr,
/{,usr/}bin/cmp ixr,
/{,usr/}bin/cp ixr,
/{,usr/}bin/cpio ixr,
/{,usr/}bin/cut ixr,
/{,usr/}bin/date ixr,
/{,usr/}bin/dd ixr,
/{,usr/}bin/diff{,3} ixr,
/{,usr/}bin/dir ixr,
/{,usr/}bin/dirname ixr,
/{,usr/}bin/echo ixr,
/{,usr/}bin/{,e,f,r}grep ixr,
/{,usr/}bin/env ixr,
/{,usr/}bin/expr ixr,
/{,usr/}bin/false ixr,
/{,usr/}bin/find ixr,
/{,usr/}bin/fmt ixr,
/{,usr/}bin/getopt ixr,
/{,usr/}bin/head ixr,
/{,usr/}bin/hostname ixr,
/{,usr/}bin/id ixr,
/{,usr/}bin/igawk ixr,
/{,usr/}bin/kill ixr,
/{,usr/}bin/ldd ixr,
/{,usr/}bin/ln ixr,
/{,usr/}bin/line ixr,
/{,usr/}bin/link ixr,
/{,usr/}bin/logger ixr,
/{,usr/}bin/ls ixr,
/{,usr/}bin/md5sum ixr,
/{,usr/}bin/mkdir ixr,
/{,usr/}bin/mktemp ixr,
/{,usr/}bin/mv ixr,
/{,usr/}bin/pgrep ixr,
/{,usr/}bin/printenv ixr,
/{,usr/}bin/printf ixr,
/{,usr/}bin/ps ixr,
/{,usr/}bin/pwd ixr,
/{,usr/}bin/readlink ixr,
/{,usr/}bin/realpath ixr,
/{,usr/}bin/rev ixr,
/{,usr/}bin/rm ixr,
/{,usr/}bin/rmdir ixr,
/{,usr/}bin/sed ixr,
/{,usr/}bin/seq ixr,
/{,usr/}bin/sleep ixr,
/{,usr/}bin/sort ixr,
/{,usr/}bin/stat ixr,
/{,usr/}bin/tac ixr,
/{,usr/}bin/tail ixr,
/{,usr/}bin/tar ixr,
/{,usr/}bin/tee ixr,
/{,usr/}bin/test ixr,
/{,usr/}bin/tempfile ixr,
/{,usr/}bin/touch ixr,
/{,usr/}bin/tr ixr,
/{,usr/}bin/true ixr,
/{,usr/}bin/uname ixr,
/{,usr/}bin/uniq ixr,
/{,usr/}bin/unlink ixr,
/{,usr/}bin/unxz ixr,
/{,usr/}bin/unzip ixr,
/{,usr/}bin/vdir ixr,
/{,usr/}bin/wc ixr,
/{,usr/}bin/which ixr,
/{,usr/}bin/xz ixr,
/{,usr/}bin/yes ixr,
/{,usr/}bin/zcat ixr,
/{,usr/}bin/z{,e,f}grep ixr,
/{,usr/}bin/zip ixr,
/{,usr/}bin/zipgrep ixr,
# uptime
/{,usr/}bin/uptime ixr,
@{PROC}/uptime r,
@{PROC}/loadavg r,
# this is an information leak
deny /{,var/}run/utmp r,
# Miscellaneous accesses
/etc/mime.types r,
@{PROC}/ r,
/etc/{,writable/}hostname r,
@{PROC}/sys/kernel/hostname r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/fs/file-max r,
@{PROC}/sys/kernel/pid_max r,
# this leaks interface names and stats, but not in a way that is traceable
# to the user/device
@{PROC}/net/dev r,
# Read-only for the install directory
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Read-only home area for other versions
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/ r,
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/ r,
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
# Writable home area for this version.
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
# Read-only system area for other versions
/var/lib/apps/@{APP_PKGNAME}/ r,
/var/lib/apps/@{APP_PKGNAME}/** mrkix,
# TODO: the write on these is needed in case they don't exist, but means an
# app could adjust inode data and affect rollbacks.
owner @{HOMEDIRS}/*/apps/@{APP_PKGNAME}/ w,
/var/lib/apps/@{APP_PKGNAME}/ w,
# Writable system area only for this version
/var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
/var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
# The ubuntu-core-launcher creates an app-specific private restricted /tmp
# and will fail to launch the app if something goes wrong. As such, we can
# simply allow full access to /tmp.
/tmp/ r,
/tmp/** mrwlkix,
# Also do the same for shm
/{dev,run}/shm/snaps/@{APP_PKGNAME}/ r,
/{dev,run}/shm/snaps/@{APP_PKGNAME}/** rk,
/{dev,run}/shm/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ r,
/{dev,run}/shm/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,
# for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
/{,s}bin/udevadm ixr,
/etc/udev/udev.conf r,
/{,var/}run/udev/tags/snappy-assign/ r,
@{PROC}/cmdline r,
@{PROC}/[0-9]*/stat r,
/sys/devices/**/uevent r,
# LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
# requires:
# /run/udev/data/* r,
# but that reveals too much about the system and cannot be granted to apps
# by default at this time.
# For convenience, allow apps to see what is in /dev even though cgroups
# will block most access
/dev/ r,
/dev/**/ r,
# No abstractions specified
# No policy groups specified
# No read paths specified
# No write paths specified
}
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_APPNAME}="bar"
@{APP_ID_DBUS}="qmlapp_5fbar_5f0_2e5_2e4"
@{APP_PKGNAME_DBUS}="qmlapp"
@{APP_PKGNAME}="qmlapp"
@{APP_VERSION}="0.5.4"
@{CLICK_DIR}="{/custom/click,/opt/click.ubuntu.com,/usr/share/click/preinstalled}"
profile "qmlapp_bar_0.5.4" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>
# Mir-specific stuff
#include <abstractions/mir>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
#
# IPC rules common for all apps
#
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communications with any system services is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
#include <abstractions/dbus-strict>
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
peer=(label=unconfined),
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate}
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery"
peer=(label=unconfined),
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness"
peer=(label=unconfined),
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server,label=unconfined),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/maliit-server/dbus-*"),
# clipboard (LP: #1371170)
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),
# usensors
dbus (send)
bus=session
path=/com/canonical/usensord/haptic
interface=com.canonical.usensord.haptic
peer=(label=unconfined),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL"
peer=(label=unconfined),
# This is needed when the app is already running and needs to be passed in
# a URL to open. This is most often used with content-hub providers and
# url-dispatcher, but is actually supported by Qt generally (though because
# we don't allow the send, a malicious app can't send this to another app).
dbus (receive)
bus=session
path=/@{APP_ID_DBUS}
interface="org.freedesktop.Application"
member="Open"
peer=(label=unconfined),
# This is needed for apps to interact with the Launcher (eg, for the counter)
dbus (receive, send)
bus=session
path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
peer=(label=unconfined),
# TODO: finetune this
dbus (send)
bus=session
peer=(name=org.a11y.Bus,label=unconfined),
dbus (receive)
bus=session
interface=org.a11y.atspi**
peer=(label=unconfined),
dbus (receive, send)
bus=accessibility
peer=(label=unconfined),
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
audit deny dbus bus=session
interface="com.canonical.snapdecisions",
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
# LP: #1433590
deny dbus bus=system
path="/org/freedesktop/Accounts",
# LP: #1378823
deny dbus (bind)
name="org.freedesktop.Application",
#
# end DBus rules common for all apps
#
# Don't allow apps to access scope endpoints
audit deny /run/user/[0-9]*/zmq/ rw,
audit deny /run/user/[0-9]*/zmq/** rwk,
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera
deny /dev/tty rw,
# LP: #1378115
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,
# LP: #1381620
deny @{HOME}/.cache/QML/Apps/ r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
# /custom access
/custom/xdg/data/themes/ r,
/custom/xdg/data/themes/** r,
/custom/usr/share/fonts/ r,
/custom/usr/share/fonts/** r,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps-- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running processes. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# LP: #1352432
deny /dev/xLog w,
deny @{PROC}/xlog/ r,
deny @{PROC}/xlog/* rw,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/devices/system/cpu/ r,
/sys/kernel/debug/tracing/trace_marker w,
# LP: #1286162
/etc/udev/udev.conf r,
/sys/devices/pci[0-9]*/**/uevent r,
# Not required, but noisy
deny /run/udev/data/** r,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks running processes. AppArmor kernel var could solve this
owner @{PROC}/[0-9]*/attr/current r,
# Allow communications with thumbnailer for thumbnailing local files
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Thumbnailer"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/Thumbnailer"
interface="com.canonical.Thumbnailer"
member="GetThumbnail"
peer=(label=unconfined),
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# apps may always use the accelerometer and orientation sensor
#
/etc/xdg/QtProject/Sensors.conf r,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
#
# ubuntu-html5-app-launcher
#
/usr/share/ubuntu-html5-app-launcher/ r,
/usr/share/ubuntu-html5-app-launcher/** r,
/usr/share/ubuntu-html5-ui-toolkit/ r,
/usr/share/ubuntu-html5-ui-toolkit/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
/usr/bin/ubuntu-html5-app-launcher rmix,
# qmlscene webview
# TODO: these should go away once /usr/bin/ubuntu-html5-app-launcher uses
# Oxide
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fall back to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060, LP: #1377648 (don't remove until qtwebkit is off the
# image)
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1370218
owner /{run,dev}/shm/shmfd-* rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect
peer=(label=unconfined),
# Allow DownloadManager to send us signals, etc
dbus (receive)
bus=session
interface=com.canonical.applications.Download{,er}Manager
peer=(label=unconfined),
# Restrict apps to just their own downloads
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/** rwk,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.Download
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.GroupDownload
peer=(label=unconfined),
# Be explicit about the allowed members we can send to
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownload
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownloadGroup
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloads
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloadsWithMetadata
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=defaultThrottle
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=isGSMDownloadAllowed
peer=(label=unconfined),
# Explicitly deny DownloadManager APIs apps shouldn't have access to in order
# to make sure they aren't accidentally added in the future (see LP: #1277578
# for details)
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=allowGSMDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=createMmsDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=exit,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=setDefaultThrottle,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
deny dbus (receive, send)
bus=system
peer=(name=org.freedesktop.NetworkManager),
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# Description: Can use UserMetrics to update the InfoGraphic
# Usage: common
dbus (send)
bus=system
path=/com/canonical/UserMetrics**
peer=(name=com.canonical.UserMetrics,label=unconfined),
# No read paths specified
# No write paths specified
}
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_APPNAME}="bar"
@{APP_ID_DBUS}="webapp_5fbar_5f0_2e11_2e2"
@{APP_PKGNAME_DBUS}="webapp"
@{APP_PKGNAME}="webapp"
@{APP_VERSION}="0.11.2"
@{CLICK_DIR}="{/custom/click,/opt/click.ubuntu.com,/usr/share/click/preinstalled}"
profile "webapp_bar_0.11.2" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>
# Mir-specific stuff
#include <abstractions/mir>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
#
# IPC rules common for all webapps
#
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communications with any system services is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
#include <abstractions/dbus-strict>
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
peer=(label=unconfined),
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate}
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery"
peer=(label=unconfined),
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness"
peer=(label=unconfined),
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server,label=unconfined),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/maliit-server/dbus-*"),
# clipboard (LP: #1371170)
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),
# usensors
dbus (send)
bus=session
path=/com/canonical/usensord/haptic
interface=com.canonical.usensord.haptic
peer=(label=unconfined),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL"
peer=(label=unconfined),
# This is needed when the app is already running and needs to be passed in
# a URL to open. This is most often used with content-hub providers and
# url-dispatcher, but is actually supported by Qt generally (though because
# we don't allow the send, a malicious app can't send this to another app).
dbus (receive)
bus=session
path=/@{APP_ID_DBUS}
interface="org.freedesktop.Application"
member="Open"
peer=(label=unconfined),
# This is needed for apps to interact with the Launcher (eg, for the counter)
dbus (receive, send)
bus=session
path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
peer=(label=unconfined),
# TODO: finetune this
dbus (send)
bus=session
peer=(name=org.a11y.Bus,label=unconfined),
dbus (receive)
bus=session
interface=org.a11y.atspi**
peer=(label=unconfined),
dbus (receive, send)
bus=accessibility
peer=(label=unconfined),
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
audit deny dbus bus=session
interface="com.canonical.snapdecisions",
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
# LP: #1433590
deny dbus bus=system
path="/org/freedesktop/Accounts",
# LP: #1342129
deny dbus (bind)
name="org.freedesktop.Application",
#
# end DBus rules common for all webapps
#
# Don't allow apps to access scope endpoints
audit deny /run/user/[0-9]*/zmq/ rw,
audit deny /run/user/[0-9]*/zmq/** rwk,
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera
deny /dev/tty rw,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
# /custom access
/custom/xdg/data/themes/ r,
/custom/xdg/data/themes/** r,
/custom/usr/share/fonts/ r,
/custom/usr/share/fonts/** r,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps-- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running processes. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# LP: #1352432
deny /dev/xLog w,
deny @{PROC}/xlog/ r,
deny @{PROC}/xlog/* rw,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/devices/system/cpu/ r,
/sys/kernel/debug/tracing/trace_marker w,
# LP: #1286162
/etc/udev/udev.conf r,
/sys/devices/pci[0-9]*/**/uevent r,
# Not required, but noisy
deny /run/udev/data/** r,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks running process. AppArmor kernel var could solve this
owner @{PROC}/[0-9]*/attr/current r,
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# apps may always use the accelerometer and orientation sensor
#
/etc/xdg/QtProject/Sensors.conf r,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# webbrowser-app
#
/usr/share/webbrowser-app/ r,
/usr/share/webbrowser-app/** r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,
# TODO: investigate child profile
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# Special API for the webapp-container to prepopulate the webapp's cookie jar
# with online accounts' cookie for the account of the site of the webapp
dbus (receive, send)
bus=session
interface=com.nokia.singlesignonui
member=cookiesForIdentity
peer=(label=unconfined),
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# system user scripts
/usr/share/unity-webapps/userscripts/ r,
/usr/share/unity-webapps/userscripts/** r,
# Don't allow plugins in webapps for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# webapp-container for some reason asks for read on these directories, but
# nothing else. This isn't needed, so deny the read
deny /sys/bus/ r,
deny /sys/class/ r,
# Launching under upstart requires this
/usr/bin/webapp-container rmix,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060, LP: #1377648 (don't remove until qtwebkit is off the
# image)
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1370218
owner /{run,dev}/shm/shmfd-* rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can play audio (allows playing remote content via media-hub)
# Usage: common
/dev/ashmem rw,
# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fails otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,
# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,
# Allow communications with media-hub
dbus (receive, send)
bus=session
path=/core/ubuntu/media/Service{,/**}
peer=(label="{unconfined,/usr/bin/media-hub-server}"),
# Allow communications with thumbnailer for retrieving album art
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Thumbnailer"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/Thumbnailer"
member={GetAlbumArt,GetArtistArt}
peer=(label=unconfined),
# Allow communications with mediascanner2
dbus (send)
bus=session
path=/com/canonical/MediaScanner2
interface=com.canonical.MediaScanner2
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),
dbus (receive)
bus=session
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),
# sound files on the device
/usr/share/sounds/ r,
/usr/share/sounds/** r,
/custom/usr/share/sounds/ r,
/custom/usr/share/sounds/** r,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/audio.d"
# Description: Can access Location
# Usage: common
# TODO: when implementation for LP: #1223371 and LP: #1223211 is finalized,
# pick one of these
# session bus (not currently used; maybe with trust-store)
dbus (send)
bus=session
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service"
peer=(name="com.ubuntu.location.Service",label=unconfined),
dbus (receive)
bus=session
path="/com/ubuntu/location/Service"
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface="com.ubuntu.location.Service.Session"
peer=(label=unconfined),
# system bus
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (send)
bus=system
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service"
peer=(name="com.ubuntu.location.Service",label=unconfined),
dbus (receive)
bus=system
path="/com/ubuntu/location/Service"
peer=(label=unconfined),
dbus (receive, send)
bus=system
interface="com.ubuntu.location.Service.Session"
peer=(label=unconfined),
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect
peer=(label=unconfined),
# Allow DownloadManager to send us signals, etc
dbus (receive)
bus=session
interface=com.canonical.applications.Download{,er}Manager
peer=(label=unconfined),
# Restrict apps to just their own downloads
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/** rwk,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.Download
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.GroupDownload
peer=(label=unconfined),
# Be explicit about the allowed members we can send to
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownload
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownloadGroup
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloads
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloadsWithMetadata
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=defaultThrottle
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=isGSMDownloadAllowed
peer=(label=unconfined),
# Explicitly deny DownloadManager APIs apps shouldn't have access to in order
# to make sure they aren't accidentally added in the future (see LP: #1277578
# for details)
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=allowGSMDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=createMmsDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=exit,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=setDefaultThrottle,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
deny dbus (receive, send)
bus=system
peer=(name=org.freedesktop.NetworkManager),
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# Description: Can play video (allows playing remote content via media-hub)
# Usage: common
# android-based access. Remove once we move away from binder (LP: #1197134)
/dev/binder rw,
/dev/ashmem rw,
# gstreamer - should these be application specific?
owner @{HOME}/.gstreamer*/registry.*.bin* r,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
# Allow communications with media-hub
dbus (receive, send)
bus=session
path=/core/ubuntu/media/Service{,/**}
peer=(label="{unconfined,/usr/bin/media-hub-server}"),
# Allow communications with mediascanner2
dbus (send)
bus=session
path=/com/canonical/MediaScanner2
interface=com.canonical.MediaScanner2
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),
dbus (receive)
bus=session
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),
# converged desktop
#include <abstractions/video>
/dev/video* r,
/sys/devices/**/video4linux/video** r,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/video.d"
# Description: Can use the UbuntuWebview
# Usage: common
# UbuntuWebview
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,
ptrace (read, trace) peer=@{profile_name},
signal peer=@{profile_name}//oxide_helper,
# Allow communicating with sandbox
unix (receive, send) peer=(label=@{profile_name}//oxide_helper),
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we'll use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/* r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
# LP: #1275917 (not a problem, but unnecessary)
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# LP: #1260044
deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
deny /usr/bin/locales/ w,
# LP: #1260101
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,
# LP: #1357371 (webapp-container needs corresponding 'bind' call on
# org.freedesktop.Application, which we block elsewhere. webapp-container
# shouldn't be doing this under confinement, but we allow this rule in
# content_exchange, so just allow it to avoid confusion)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(label=unconfined),
# LP: #1260048 - only allow 'r' for now, since 'w' allows for db poisoning
owner @{HOME}/.pki/nssdb/ r,
owner @{HOME}/.pki/nssdb/** rk,
deny @{HOME}/.pki/nssdb/ w,
deny @{HOME}/.pki/nssdb/** w,
# LP: #
/sys/bus/pci/devices/ r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/etc/udev/udev.conf r,
# LP: #1260098
/tmp/ r,
/var/tmp/ r,
# LP: #1260103
owner /run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we can use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
profile oxide_helper (attach_disconnected) {
#
# Shared by chrome-sandbox and oxide-helper
#
#include <abstractions/base>
# So long as we don't give /dev/binder, this should be 'ok'
/{,android/}vendor/lib/*.so mr,
/{,android/}system/lib/*.so mr,
/{,android/}system/vendor/lib/*.so mr,
/{,android/}system/build.prop r,
/dev/socket/property_service rw, # attach_disconnected path
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq r,
#
# chrome-sandbox specific
#
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
capability sys_admin,
# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability dac_override,
capability dac_read_search,
capability sys_chroot,
capability sys_ptrace,
ptrace (read, readby),
signal peer=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION},
unix peer=(label=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}),
unix (create),
unix peer=(label=@{profile_name}),
unix (getattr, getopt, setopt, shutdown),
# LP: #1260115
deny @{PROC}/[0-9]*/oom_adj w,
deny @{PROC}/[0-9]*/oom_score_adj w,
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix,
#
# oxide-renderer specific
#
#include <abstractions/fonts>
@{PROC}/sys/kernel/shmmax r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny /etc/passwd r,
deny /tmp/ r,
deny /var/tmp/ r,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox rmix,
# The renderer may need access to app-specific files, such as WebCore
# databases
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,
# LP: #1260103
/run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260048
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
# LP: #1260044
deny /usr/lib/@{multiarch}/oxide-qt/locales/ w,
}
# No read paths specified
# No write paths specified
}
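A profile this long is hard to review by eye, and the comments above call out exactly the things a reviewer cares about: which rules grant write access, which of those are cancelled by an explicit deny (the `.pki/nssdb` pair, kept read-only because 'w' allows db poisoning), which exec rules transition into the `oxide_helper` child profile, and which capabilities that child holds. The script below is an added example, my own code rather than anything from this mailing-list post or from the project the template belongs to. It parses the file, capability and nested `profile ... {` rules of a profile in this style, attributes each rule to its enclosing profile, and reports allow rules that grant 'w' under a sensitive prefix without a same-profile deny on the identical pattern. The function names, the `(top)` label for the outer profile and the `SAMPLE_PROFILE` excerpt are constructed for the example; the grammar handled is a subset of AppArmor's (dbus, unix, signal and ptrace rules are skipped), and glob overlap between patterns is not evaluated.

```python
"""Parse AppArmor file rules and audit what a profile lets the app write.

Added example, not code from the mailing-list post or the profile's project.
Handles a subset of the rule grammar: file rules, capability rules and
nested 'profile ... {' blocks. Names here are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileRule:
    profile: str           # enclosing profile name, "(top)" for the outer one
    path: str              # path pattern as written, @{VAR} left unexpanded
    perms: frozenset       # permission letters, e.g. {'m','r','w','k','l'}
    deny: bool
    audit: bool
    owner: bool
    target: Optional[str]  # exec transition target after '->', if any


# [audit] [deny] [owner] <path> <perms> [-> target],
_FILE_RULE = re.compile(
    r"^(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
    r"(?P<path>(?:/|@\{)\S*)\s+"
    r"(?P<perms>[rwaklmixpucPUC]+)"
    r"(?:\s*->\s*(?P<target>\S+?))?\s*,$"
)
_PROFILE_HEADER = re.compile(r"^(?:profile\s+)?(?P<name>\S+).*\{$")
_CAPABILITY = re.compile(r"^capability\s+(?P<cap>\S+),$")


def parse_profile(text, top_name="(top)"):
    """Return (file_rules, capabilities) found in `text`.

    dbus/unix/signal/ptrace rules and their continuation lines are skipped.
    Nesting is tracked so child-profile rules are attributed to the child.
    """
    rules, caps = [], []
    stack = [top_name]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #include lines
        if not line:
            continue
        if line.endswith("{"):                 # child profile opens
            m = _PROFILE_HEADER.match(line)
            stack.append(m.group("name") if m else "(anonymous)")
            continue
        if line == "}":                        # child profile closes
            if len(stack) > 1:
                stack.pop()
            continue
        m = _CAPABILITY.match(line)
        if m:
            caps.append((stack[-1], m.group("cap")))
            continue
        m = _FILE_RULE.match(line)
        if not m:
            continue
        quals = set(m.group("quals").split())
        rules.append(FileRule(
            profile=stack[-1], path=m.group("path"),
            perms=frozenset(m.group("perms")),
            deny="deny" in quals, audit="audit" in quals,
            owner="owner" in quals, target=m.group("target")))
    return rules, caps


def writable(rules, profile=None):
    """Paths that an allow rule grants 'w' on, optionally within one profile."""
    return sorted({r.path for r in rules
                   if not r.deny and "w" in r.perms
                   and (profile is None or r.profile == profile)})


def exec_transitions(rules):
    """(path, target) for every rule that changes profile on exec."""
    return [(r.path, r.target) for r in rules if r.target]


def sensitive_writes(rules, prefixes):
    """Allow rules granting 'w' under a sensitive prefix with no cancelling deny.

    AppArmor gives deny precedence over allow, so an allow/deny pair on the
    same pattern in the same profile is treated as covered. Patterns are
    compared as literal strings; glob overlap is not evaluated.
    """
    denied = {(r.profile, r.path) for r in rules if r.deny and "w" in r.perms}
    return [(r.profile, r.path) for r in rules
            if not r.deny and "w" in r.perms
            and any(r.path.startswith(p) for p in prefixes)
            and (r.profile, r.path) not in denied]


# Constructed excerpt modelled on the template above; not the real file.
SAMPLE_PROFILE = """\
owner @{HOME}/.pki/nssdb/ r,
owner @{HOME}/.pki/nssdb/** rk,
deny @{HOME}/.pki/nssdb/ w,
deny @{HOME}/.pki/nssdb/** w,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy
audit deny /dev/input/** rw,
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/ibus/bus/ rw,
deny @{HOME}/.config/ibus/bus/ w,
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
dbus (send)
  bus=session
  path=/
  member=Introspect
  peer=(label=unconfined),
profile oxide_helper (attach_disconnected) {
  capability sys_admin,
  owner @{HOME}/.pki/nssdb/ rw,
  owner @{HOME}/.pki/nssdb/** rwk,
}
"""

if __name__ == "__main__":
    rules, caps = parse_profile(SAMPLE_PROFILE)
    print("capabilities:", caps)
    print("exec transitions:", exec_transitions(rules))
    for prof, path in sensitive_writes(rules, ("@{HOME}/.pki/nssdb",
                                               "@{HOME}/.config/ibus")):
        print(f"REVIEW: {prof} may write {path}")
```

Run against the sample, the top-level nssdb rules are read-only and the ibus write is cancelled by its deny, so the only findings are the two `rw`/`rwk` grants on `.pki/nssdb` inside `oxide_helper`, which is precisely the asymmetry between the app profile and its renderer helper that the `LP: #1260048` comments mark for follow-up. To run it over a real profile, replace `SAMPLE_PROFILE` with the file's text; nested child profiles are attributed correctly, but `#include`d abstractions are not expanded.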