Hello list,
I have some updates for the AppArmor Chromium browser profile, tested
with Chromium 57.0.2987.98-1.
A patch against the apparmor-profiles Git repository is attached.
Note that I added a catch-all "r" rule for /sys/devices/**/uevent, as
there were quite a few non-numeric variations of this path. I can list
these explicitly if desired, but I'm not sure how sensitive these files
are to begin with.
--Daniel
P.S.: Please Cc: me on any replies, as I am not subscribed to this list.
--
Daniel Richard G. || [email protected]
My ASCII-art .sig got a bad case of Times New Roman.
diff --git a/ubuntu/17.04/usr.bin.chromium-browser
b/ubuntu/17.04/usr.bin.chromium-browser
index 86f6aae..93c6bf1 100644
--- a/ubuntu/17.04/usr.bin.chromium-browser
+++ b/ubuntu/17.04/usr.bin.chromium-browser
@@ -40,23 +40,26 @@
owner @{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/status r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/status r,
deny @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/yama/ptrace_scope r,
+ @{PROC}/sys/net/ipv4/tcp_fastopen r,
# Newer chromium needs these now
/etc/udev/udev.conf r,
+ /sys/devices/**/uevent r,
/sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/devices/system/node/node*/meminfo r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
- /sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/sys/devices/virtual/block/**/removable r,
- /sys/devices/virtual/block/**/uevent r,
/sys/devices/virtual/block/**/size r,
+ /sys/devices/virtual/tty/tty*/active r,
# This is requested, but doesn't seem to actually be needed so deny for now
deny /run/udev/data/** r,
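Review bot: The new `/sys/devices/**/uevent r,` rule near the top of this hunk replaces the two subtree-specific uevent rules the hunk removes (pci and virtual/block) with a read grant over the entire device tree, so the confined browser can enumerate the uevent attribute dump (MODALIAS, DRIVER, DEVTYPE and similar key=value lines) of every device. As far as I know those files are world-readable in sysfs, so the widening changes how much hardware the browser can inventory from inside confinement rather than exposing anything an unconfined user could not read; the residual concern is device fingerprinting, which the existing pci `vendor`/`device`/`irq` rules already accept. If the broad rule stays, a comment saying it deliberately supersedes the per-subtree rules would stop a future maintainer from re-adding them, e.g. `# uevent is read across the whole device tree; supersedes the pci/virtual-block uevent rules`. Otherwise the specific subtrees from the audit log could be listed, as the cover note offers.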
@@ -156,6 +159,7 @@
/{usr/,}bin/dash ixr,
/etc/ld.so.cache r,
+ /etc/xdg/** r,
/usr/bin/xdg-settings r,
/usr/lib/chromium-browser/xdg-settings r,
/usr/share/applications/*.desktop r,
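Review bot: `/etc/xdg/** r,` is the widest grant in this hunk and carries no comment saying what under /etc/xdg the browser reads; the neighbouring xdg-settings rules suggest desktop-integration lookups, and `/etc/xdg` is the default value of `XDG_CONFIG_DIRS`, so a whole-tree read is plausible but should be stated. Suggest `# XDG_CONFIG_DIRS default; desktop integration via xdg-settings` above the rule, or narrowing it to the subdirectories that actually appear in the audit log if only a few do. The exposure is small either way, since /etc/xdg normally holds world-readable system configuration.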
@@ -189,11 +193,13 @@
/usr/include/python2.[4567]/pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
+ /etc/dpkg/origins/** r,
+ /usr/share/distro-info/** r,
/var/lib/dpkg/** r,
- /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/local/lib/python3.[0-9]/dist-packages/ r,
/usr/bin/ r,
- /usr/bin/python3.[0-4] r,
+ /usr/bin/python3.[0-9] mr,
}
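Review bot: `/usr/bin/python3.[0-9] mr,` and `/usr/local/lib/python3.[0-9]/dist-packages/ r,` widen the old `[0-4]` range but still match only a single-digit minor version, so both rules will silently stop matching at python3.10; `python3.[0-9]*` covers that (and, if present, ABI-suffixed names such as python3.5m, which is harmless for `mr`). The added `m` on the interpreter looks intended for a Python script executed under this profile (the `distro-info` and `dpkg/origins` reads in the same hunk suggest lsb_release), but no exec rule for such a script is visible in the hunk, so a comment naming what runs the interpreter would make the grant reviewable, e.g. `# interpreter for the lsb_release script` once confirmed. The closing `}` ends a profile whose header is outside the hunk.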
@@ -258,7 +264,7 @@ profile chromium_browser_sandbox {
/usr/bin/chromium-browser r,
/usr/lib/chromium-browser/chromium-browser Px,
/usr/lib/chromium-browser/chromium-browser-sandbox r,
- /usr/lib/chromium-browser/chrome-sandbox r,
+ /usr/lib/chromium-browser/chrome-sandbox mr,
/dev/null rw,
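Review bot: `/usr/lib/chromium-browser/chrome-sandbox mr,` grants the sandbox profile map-executable permission on a binary that, in the Debian/Ubuntu packaging as far as I know, is installed setuid root; covering a profile's own executable with `mr` is the standard pattern after a profile transition, but next to the `r`-only rule it replaces it deserves a one-line justification so nobody tightens it back. Suggest `# the sandbox helper's own binary; m is needed to map it after the transition into this profile`. The `profile chromium_browser_sandbox {` block begins outside the hunk, so the rule in the main profile that transitions into it is not visible here.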