Author: Jamie Strandboge <[email protected]>
Description: chromium-browser profile
Forwarded: yes

---
 profiles/apparmor.d/usr.bin.chromium-browser |  221 +++++++++++++++++++++++++++
 1 file changed, 221 insertions(+)

Index: b/profiles/apparmor.d/usr.bin.chromium-browser
===================================================================
--- /dev/null
+++ b/profiles/apparmor.d/usr.bin.chromium-browser
@@ -0,0 +1,221 @@
+# Author: Jamie Strandboge <[email protected]>
+#include <tunables/global>
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
+  #include <abstractions/audio>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-session>
+  #include <abstractions/gnome>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+  # you want access to productivity applications, adjust the following file
+  # accordingly.
+  #include <abstractions/ubuntu-browsers.d/chromium-browser>
+
+  # Networking
+  network inet stream,
+  network inet6 stream,
+  @{PROC}/[0-9]*/net/if_inet6 r,
+  @{PROC}/[0-9]*/net/ipv6_route r,
+
+  # Should maybe be in abstractions
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/mtab r,
+  /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/filesystems r,
+  @{PROC}/ r,
+  @{PROC}/[0-9]*/task/[0-9]*/stat r,
+  owner @{PROC}/[0-9]*/cmdline r,
+  owner @{PROC}/[0-9]*/io r,
+  @{PROC}/[0-9]*/smaps r,
+  owner @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/statm r,
+  owner @{PROC}/[0-9]*/status r,
+
+  # Newer chromium needs these now
+  /etc/udev/udev.conf r,
+  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+  /sys/devices/pci[0-9]*/**/class r,
+  /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/resource r,
+  /sys/devices/pci[0-9]*/**/vendor r,
+  /sys/devices/pci[0-9]*/**/removable r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /sys/devices/pci[0-9]*/**/block/**/size r,
+  /sys/devices/virtual/block/**/removable r,
+  /sys/devices/virtual/block/**/uevent r,
+  /sys/devices/virtual/block/**/size r,
+  # This is requested, but doesn't seem to actually be needed so deny for now
+  deny /run/udev/data/** r,
+
+  # Needed for the crash reporter
+  owner @{PROC}/[0-9]*/auxv r,
+
+  # chromium mmaps all kinds of things for speed.
+  /etc/passwd m,
+  /usr/share/fonts/truetype/**/*.tt[cf] m,
+  /usr/share/fonts/**/*.pfb m,
+  /usr/share/mime/mime.cache m,
+  /usr/share/icons/**/*.cache m,
+  owner /{dev,run}/shm/pulse-shm* m,
+  owner @{HOME}/.local/share/mime/mime.cache m,
+  owner /tmp/** m,
+
+  @{PROC}/sys/kernel/shmmax r,
+  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+
+  /usr/lib/chromium-browser/*.pak mr,
+  /usr/lib/chromium-browser/locales/* mr,
+
+  # Noisy
+  deny /usr/lib/chromium-browser/** w,
+
+  # Make browsing directories work
+  / r,
+  /**/ r,
+
+  # Allow access to documentation and other files the user may want to look
+  # at in /usr
+  /usr/{include,share,src}** r,
+
+  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+  owner @{HOME}/ r,
+  owner @{HOME}/Public/ r,
+  owner @{HOME}/Public/* r,
+  owner @{HOME}/Downloads/ r,
+  owner @{HOME}/Downloads/* rw,
+
+  # Helpers
+  /usr/bin/xdg-open ixr,
+  /usr/bin/gnome-open ixr,
+  /usr/bin/gvfs-open ixr,
+  # TODO: kde, xfce
+
+  # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+  # which is provided by abstractions/ubuntu-browsers.d/user-files).
+  @{PROC}/[0-9]*/oom_{,score_}adj w,
+  /etc/firefox/profile/bookmarks.html r,
+  owner @{HOME}/.mozilla/** k,
+
+  # Chromium configuration
+  owner @{HOME}/.pki/nssdb/* rwk,
+  owner @{HOME}/.cache/chromium/ rw,
+  owner @{HOME}/.cache/chromium/** rw,
+  owner @{HOME}/.cache/chromium/Cache/* mr,
+  owner @{HOME}/.config/chromium/ rw,
+  owner @{HOME}/.config/chromium/** rwk,
+  owner @{HOME}/.config/chromium/**/Cache/* mr,
+  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+  # Allow transitions to ourself and our sandbox
+  /usr/lib/chromium-browser/chromium-browser ix,
+  /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
+  /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
+
+  /bin/ps Uxr,
+  /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
+  /usr/bin/xdg-settings Cxr -> xdgsettings,
+
+  # GSettings
+  owner /{,var/}run/user/*/dconf/     rw,
+  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{HOME}/.config/dconf/user r,
+
+  profile xdgsettings {
+    #include <abstractions/bash>
+    #include <abstractions/gnome>
+
+    /bin/dash ixr,
+
+    /etc/ld.so.cache r,
+    /usr/bin/xdg-settings r,
+    /usr/lib/chromium-browser/xdg-settings r,
+    /usr/share/applications/*.desktop r,
+
+    # Checking default browser
+    /bin/grep ixr,
+    /bin/readlink ixr,
+    /bin/sed ixr,
+    /bin/which ixr,
+    /usr/bin/basename ixr,
+    /usr/bin/cut ixr,
+
+    # Setting the default browser
+    /bin/mkdir ixr,
+    /bin/mv ixr,
+    /bin/touch ixr,
+    /usr/bin/dirname ixr,
+    /usr/bin/gconftool-2 ix,
+    /usr/bin/[gm]awk ixr,
+    /usr/bin/xdg-mime ixr,
+    owner @{HOME}/.local/share/applications/ w,
+    owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.chromium-browser>
+
+profile chromium_browser_sandbox {
+    # Be fanatical since it is setuid root and don't use an abstraction
+    /lib/libgcc_s.so* mr,
+    /lib{,32,64}/libm-*.so* mr,
+    /lib/@{multiarch}/libm-*.so* mr,
+    /lib{,32,64}/libpthread-*.so* mr,
+    /lib/@{multiarch}/libpthread-*.so* mr,
+    /lib{,32,64}/libc-*.so* mr,
+    /lib/@{multiarch}/libc-*.so* mr,
+    /lib{,32,64}/libld-*.so* mr,
+    /lib/@{multiarch}/libld-*.so* mr,
+    /lib{,32,64}/ld-*.so* mr,
+    /lib/@{multiarch}/ld-*.so* mr,
+    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+    /usr/lib/libstdc++.so* mr,
+    /etc/ld.so.cache r,
+
+    # Required for dropping into PID namespace. Keep in mind that until the
+    # process drops this capability it can escape confinement, but once it
+    # drops CAP_SYS_ADMIN we are ok.
+    capability sys_admin,
+
+    # All of these are for sanely dropping from root and chrooting
+    capability chown,
+    capability fsetid,
+    capability setgid,
+    capability setuid,
+    capability dac_override,
+    capability sys_chroot,
+
+    # *Sigh*
+    capability sys_ptrace,
+
+    @{PROC}/ r,
+    @{PROC}/[0-9]*/ r,
+    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/[0-9]*/oom_adj w,
+    @{PROC}/[0-9]*/oom_score_adj w,
+    @{PROC}/[0-9]*/status r,
+    @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+    /usr/bin/chromium-browser r,
+    /usr/lib/chromium-browser/chromium-browser Px,
+    /usr/lib/chromium-browser/chromium-browser-sandbox r,
+    /usr/lib/chromium-browser/chrome-sandbox r,
+
+    /dev/null rw,
+
+    owner /tmp/** rw,
+  }
+}
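Review bot: `/bin/ps Uxr,` runs ps with no confinement at all, so anything a compromised browser process can get ps to do happens outside this profile; `Ux` only scrubs the environment. A dedicated child profile would keep the transition inside policy, for example `/bin/ps Cxr -> ps,` with a small `profile ps { ... }` that grants only the `@{PROC}` reads ps needs. Separately, `owner /tmp/** m,` permits executable mappings of files the same process can write (write access to /tmp comes from `abstractions/user-tmp`), and `owner /{dev,run}/shm/{,.}org.chromium.* mrw,` does the same for shared memory; it is worth confirming which of these mappings really need PROT_EXEC rather than granting `m` to quiet denials. The comment "Importing firefox settings" also sits directly above the unrelated, non-`owner` rule `@{PROC}/[0-9]*/oom_{,score_}adj w,`, which would be clearer under its own comment.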

