[apparmor] Thunderbird profile - Links in GNOME

John Johansen john.johansen at canonical.com
Sun Apr 2 10:31:02 UTC 2017


And the chromium profile, with the warnings that
1. It really isn't ready to be generally deployed; it will certainly need some modification for Debian
2. It uses an undocumented permission modifier "other" which will never be officially supported
3. Its usefulness is questionable due to the broad perms it currently requires


-------------- next part --------------
# Last Modified: Sun Apr  2 02:54:46 2017
#include <tunables/global>

# Author: Jamie Strandboge <jamie at canonical.com>
# We need 'flags=(attach_disconnected)' in newer chromium versions


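profile chromium /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
  # Draft profile for the Chromium browser process. Per the covering mail it is
  # not ready for general deployment, relies on the undocumented "other"
  # modifier (see the deny rules below), and the capabilities it grants are
  # broad enough that the confinement it provides is limited.
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers.d/chromium-browser>
  #include <abstractions/user-tmp>
  #include <local/usr.bin.chromium-browser>

  # The browser process must never ptrace; only the sandbox child profile
  # below gets sys_ptrace.
  deny capability sys_ptrace,

  # NOTE(review): CAP_SYS_ADMIN in the *browser* profile is close to
  # unconfined in practice (mounts, namespaces, ...). It is presumably needed
  # for the in-process namespace sandbox setup -- this is the "broad perms"
  # caveat from the covering mail; confirm it cannot live only in the
  # sandbox child profile.
  capability sys_admin,
  capability sys_chroot,

  # Explicit TCP socket access; the included abstractions (e.g. nameservice)
  # may add further network rules.
  network inet stream,
  network inet6 stream,

  # Power/battery status queries to UPower on the system bus.
  dbus send bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.UPower" member="EnumerateDevices",
  dbus send bus="system" path="/org/freedesktop/UPower/devices/battery_BAT0" interface="org.freedesktop.DBus.Properties" member="GetAll",
  dbus send bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects",
  # NOTE(review): no bus= qualifier here, so this matches the DBus daemon on
  # any bus; add bus="session"/"system" if only one is intended.
  dbus send peer=(name=org.freedesktop.DBus label=unconfined),
  dbus send bus="system" path="/org/bluez" interface="org.bluez.AgentManager1" member="UnregisterAgent",

  # IPC with the setuid sandbox helper (child profile "sandbox" below).
  signal send peer=chromium//sandbox,

  # Chromium may only trace processes running under this same profile.
  ptrace trace peer=@{profile_name},

  unix (receive, send) peer=(label=chromium//sandbox),

  # "other" is an undocumented, unsupported modifier (see covering mail):
  # presumably it denies access to files not owned by the process, the
  # complement of the "owner" rules further down. Do not rely on it.
  deny other /proc/@{pid}/stat r,
  deny other /proc/@{pid}/task/@{pid}/status r,
  deny other /dev/shm/shmfd-* rw,
  # Explicit denies for things Chromium probes but does not need; they keep
  # the audit log quiet rather than adding confinement. Note that denying the
  # uid/gid_map and setgroups writes presumably blocks the user-namespace
  # sandbox path, leaving the setuid helper -- TODO confirm that is intended.
  deny /run/udev/data/** r,
  deny /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
  deny /usr/lib/chromium-browser/** w,
  deny @{PROC}/*/setgroups w,
  deny @{PROC}/*/{u,g}id_map rw,
  deny @{PROC}/[0-9]*/oom_{,score_}adj w,

  # NOTE(review): every directory on the system is listable from the browser
  # process. Harmless for contents (no file read is granted here) but it does
  # expose filesystem layout; narrow if a tighter profile is wanted.
  / r,
  /**/ r,
  /bin/dash ix,
  # NOTE(review): "Ux" runs ps unconfined (environment scrubbed). Prefer a
  # confined transition (Px once a ps profile exists, or Cx -> ps) so a
  # compromised browser cannot launch an unconfined process.
  /bin/ps rUx,
  owner /dev/shm/shmfd-* rw,
  /dev/video* r,
  /etc/chromium-browser/policies/** r,
  /etc/firefox/profile/bookmarks.html r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  # mmap only; read access to /etc/passwd comes from the nameservice
  # abstraction. The "m" was presumably log-generated (nss mmaps the file).
  /etc/passwd m,
  /etc/udev/udev.conf r,
  /etc/xdg/xubuntu/applications/defaults.list r,
  /proc/@{pid}/task/@{pid}/status r,
  /run/dbus/system_bus_socket rw,
  /run/shm/shmfd-* rw,
  # Device enumeration (USB ids, webcams, block devices, CPU topology).
  /sys/devices/**/id{Vendor,Product} r,
  /sys/devices/**/video4linux/*/name r,
  /sys/devices/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
  /sys/devices/system/cpu/cpu*/topology/core_id r,
  /sys/devices/system/cpu/present r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/size r,
  /sys/devices/virtual/tty/tty0/active r,
  # NOTE(review): together with the write access from abstractions/user-tmp
  # this lets the browser mmap-exec any file it owns under /tmp, i.e. a
  # code-loading path. Presumably for Chromium's tmp-backed shared memory
  # (/tmp/.org.chromium.*, cf. the sandbox profile); TODO confirm it can be
  # narrowed to that pattern as is done for /{dev,run}/shm below.
  owner /tmp/** m,
  # URL/file handlers and desktop integration helpers.
  /usr/bin/gnome-open rix,
  /usr/bin/gvfs-open rix,
  /usr/bin/kdialog rix,
  /usr/bin/lsb_release rCx -> lsb_release,
  /usr/bin/which ix,
  /usr/bin/xdg-open rix,
  /usr/bin/xdg-settings rCx -> xdgsettings,
  /usr/lib/chromium-browser/*.pak mr,
  # The setuid sandbox helper runs in the "sandbox" child profile.
  /usr/lib/chromium-browser/chrome-sandbox cx -> sandbox,
  /usr/lib/chromium-browser/chromium-browser ix,
  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> sandbox,
  /usr/lib/chromium-browser/locales/* mr,
  /usr/lib/chromium-browser/xdg-settings rCx -> xdgsettings,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/icons/**/*.cache m,
  /usr/share/mime/mime.cache m,
  # NOTE(review): no "/" before "**", so this also matches e.g. /usr/sharefoo.
  # Directories are already covered by "/**/ r," above, so
  # "/usr/{include,share,src}/** r," would be the tighter spelling.
  /usr/{include,share,src}** r,
  owner /{,var/}run/shm/shmfd-* mrw,
  owner /{,var/}run/user/*/dconf/ rw,
  owner /{,var/}run/user/*/dconf/user rw,
  owner /{dev,run}/shm/pulse-shm* m,
  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
  # Per-user state: cache, config, dictionaries, NSS certificate DB, and
  # read-only access to Firefox profile data for bookmark import.
  owner @{HOME}/ r,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
  owner @{HOME}/.cache/chromium/Cache/* mr,
  owner @{HOME}/.config/chromium/ rw,
  owner @{HOME}/.config/chromium/** rwk,
  owner @{HOME}/.config/chromium/**/Cache/* mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner @{HOME}/.mozilla/** k,
  owner @{HOME}/.mozilla/firefox/*/prefs.js r,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  # NOTE(review): the /proc rules mix "owner" and non-owner access; smaps,
  # statm and task/*/stat of arbitrary pids are readable without "owner".
  # The kernel's ptrace access check still applies, but if these are only
  # needed for Chromium's own child processes "owner" would be consistent.
  @{PROC}/ r,
  owner @{PROC}/*/stat r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/io r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/smaps r,
  owner @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/filesystems r,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/net/ipv4/tcp_fastopen r,


  # lsb_release is a Python script; it runs confined here rather than
  # inheriting the browser's permissions.
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /bin/dash rix,
    /etc/apt/apt.conf.d/ r,
    /etc/debian_version r,
    /etc/default/apport r,
    /etc/lsb-release r,
    /usr/bin/ r,
    /usr/bin/dpkg-query rix,
    /usr/bin/lsb_release r,
    # NOTE(review): interpreter paths are pinned to specific Python versions
    # (and only 3.5 gets "m"); this will break on the next interpreter bump.
    /usr/bin/python3.5 mr,
    /usr/bin/python3.[0-4] r,
    /usr/include/python2.[4567]/pyconfig.h r,
    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/share/distro-info/debian.csv r,
    /var/lib/dpkg/** r,

  }

  # The setuid chrome-sandbox helper. It needs root-level capabilities to set
  # up the chroot/namespace sandbox and then execs the browser back into the
  # main "chromium" profile (Px below).
  profile sandbox {
    capability chown,
    capability dac_override,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    signal (receive send) set=exists,
    signal peer=@{profile_name},
    signal receive peer=chromium,
    signal receive peer=unconfined,

    # NOTE(review): no peer= restriction, so the helper may ptrace-read (and
    # be read by) any process, and it also holds CAP_SYS_PTRACE. If it only
    # inspects the browser it launches, peer=chromium / @{profile_name}
    # would be the narrower rule -- TODO confirm.
    ptrace (read readby),

    unix (receive, send) peer=(label=chromium),
    unix (create),
    unix peer=(label=@{profile_name}),
    unix (getattr, getopt, setopt, shutdown) addr=none,

    deny @{PROC}/[0-9]*/oom_adj w,
    deny @{PROC}/[0-9]*/oom_score_adj w,

    /dev/null rw,
    /etc/ld.so.cache r,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib/@{multiarch}/libgcc_s.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib/libgcc_s.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    owner /run/shm/.org.chromium.Chromium.* rw,
    owner /tmp/** rw,
    /usr/bin/chromium-browser r,
    /usr/lib/@{multiarch}/libstdc++.so* mr,
    /usr/lib/chromium-browser/chrome-sandbox mr,
    # Return to the main browser profile with a scrubbed environment.
    /usr/lib/chromium-browser/chromium-browser Px,
    /usr/lib/chromium-browser/chromium-browser-sandbox r,
    /usr/lib/libstdc++.so* mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

  }

  # xdg-settings is a shell script (default-browser checks/registration);
  # confined here so its coreutils helpers do not run with browser perms.
  profile xdgsettings {
    #include <abstractions/bash>
    #include <abstractions/gnome>

    unix (send, connect) peer=(label=unconfined addr=@/tmp/dbus-*),

    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /etc/ld.so.cache r,
    /usr/bin/[gm]awk rix,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/gconftool-2 ix,
    /usr/bin/tr rix,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-settings r,
    /usr/lib/chromium-browser/xdg-settings r,
    /usr/share/applications/*.desktop r,
    owner @{HOME}/.local/share/applications/ w,
    owner @{HOME}/.local/share/applications/mimeapps.list* rw,

  }
}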

