On Fri, 2017 Sep 29 00:18+0200, Guido Günther wrote: > > Attaching to this the report is fine. I can handle it from there.
Okay, greatly appreciated. My current profile is attached. Please Cc: me on the new bug report. As it happens, this file is identical to the current version of the profile in the apparmor-profiles Git repository, with the exception of the Debian alias lines. It seems that the AppArmor folks accepted my changes in the merge request, not by approving the merge, but by applying the changes to a new version-specific copy in the repo. They added a few more things of their own, which I have in turn merged into my/this copy. I never heard anything from them about this, however; I learned about this only now that I diffed my profile with their latest. Their process could certainly stand to be more transparent.
# Author: Jamie Strandboge <ja...@canonical.com> #include <tunables/global> # Debian compatibility aliases # https://bugs.debian.org/742829 # alias /etc/chromium-browser/ -> /etc/chromium/, alias /usr/bin/chromium-browser -> /usr/bin/chromium, alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox, alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium, alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/, # We need 'flags=(attach_disconnected)' in newer chromium versions /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) { #include <abstractions/audio> #include <abstractions/cups-client> #include <abstractions/dbus-session> #include <abstractions/dbus-strict> #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/nameservice> #include <abstractions/user-tmp> # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if # you want access to productivity applications, adjust the following file # accordingly. #include <abstractions/ubuntu-browsers.d/chromium-browser> # Networking network inet stream, network inet6 stream, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, # Should maybe be in abstractions /etc/mime.types r, /etc/mailcap r, /etc/mtab r, /etc/xdg/xubuntu/applications/defaults.list r, owner @{HOME}/.local/share/applications/defaults.list r, owner @{HOME}/.local/share/applications/mimeinfo.cache r, @{PROC}/[0-9]*/fd/ r, @{PROC}/filesystems r, @{PROC}/ r, @{PROC}/[0-9]*/task/[0-9]*/stat r, owner @{PROC}/[0-9]*/cmdline r, owner @{PROC}/[0-9]*/io r, owner @{PROC}/[0-9]*/setgroups w, owner @{PROC}/[0-9]*/{uid,gid}_map w, @{PROC}/[0-9]*/smaps r, owner @{PROC}/[0-9]*/stat r, @{PROC}/[0-9]*/statm r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/[0-9]*/status r, deny @{PROC}/[0-9]*/oom_{,score_}adj w, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/ipv4/tcp_fastopen r, # Newer chromium needs these now /etc/udev/udev.conf r, /sys/devices/**/uevent r, /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r, /sys/devices/system/node/node*/meminfo r, /sys/devices/pci[0-9]*/**/class r, /sys/devices/pci[0-9]*/**/device r, /sys/devices/pci[0-9]*/**/irq r, /sys/devices/pci[0-9]*/**/resource r, /sys/devices/pci[0-9]*/**/vendor r, /sys/devices/pci[0-9]*/**/removable r, /sys/devices/pci[0-9]*/**/block/**/size r, /sys/devices/virtual/block/**/removable r, /sys/devices/virtual/block/**/size r, /sys/devices/virtual/tty/tty*/active r, # This is requested, but doesn't seem to actually be needed so deny for now deny /run/udev/data/** r, # Needed for the crash reporter owner @{PROC}/[0-9]*/auxv r, # chromium mmaps all kinds of things for speed. /etc/passwd m, /usr/share/fonts/truetype/**/*.tt[cf] m, /usr/share/fonts/**/*.pfb m, /usr/share/mime/mime.cache m, /usr/share/icons/**/*.cache m, owner /{dev,run}/shm/pulse-shm* m, owner @{HOME}/.local/share/mime/mime.cache m, owner /tmp/** m, @{PROC}/sys/kernel/shmmax r, owner /{dev,run}/shm/{,.}org.chromium.* mrw, owner /{,var/}run/shm/shmfd-* mrw, /usr/lib/chromium-browser/*.pak mr, /usr/lib/chromium-browser/locales/* mr, # Noisy deny /usr/lib/chromium-browser/** w, capability sys_admin, capability sys_chroot, capability sys_ptrace, # Allow ptracing ourselves ptrace (trace) peer=@{profile_name}, # Make browsing directories work / r, /**/ r, # Allow access to documentation and other files the user may want to look # at in /usr /usr/{include,share,src}** r, # Default profile allows downloads to ~/Downloads and uploads from ~/Public owner @{HOME}/ r, owner @{HOME}/Public/ r, owner @{HOME}/Public/* r, owner @{HOME}/Downloads/ r, owner @{HOME}/Downloads/* rw, # For migration owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.mozilla/firefox/*/prefs.js r, # Helpers /usr/bin/xdg-open ixr, /usr/bin/gnome-open ixr, /usr/bin/gvfs-open ixr, /usr/bin/kdialog ixr, # TODO: xfce # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** # which is provided by abstractions/ubuntu-browsers.d/user-files). /etc/firefox/profile/bookmarks.html r, owner @{HOME}/.mozilla/** k, # Chromium Policies /etc/chromium-browser/policies/** r, # Chromium configuration owner @{HOME}/.pki/nssdb/* rwk, owner @{HOME}/.cache/chromium/ rw, owner @{HOME}/.cache/chromium/** rw, owner @{HOME}/.cache/chromium/Cache/* mr, owner @{HOME}/.config/chromium/ rw, owner @{HOME}/.config/chromium/** rwk, owner @{HOME}/.config/chromium/**/Cache/* mr, owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, # Allow transitions to ourself and our sandbox /usr/lib/chromium-browser/chromium-browser ix, /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox, /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox, # Allow communicating with sandbox unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox), /{usr/,}bin/ps Uxr, /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings, /usr/bin/xdg-settings Cxr -> xdgsettings, /usr/bin/lsb_release Cxr -> lsb_release, # GSettings owner /{,var/}run/user/*/dconf/ rw, owner /{,var/}run/user/*/dconf/user rw, owner @{HOME}/.config/dconf/user r, profile xdgsettings { #include <abstractions/bash> #include <abstractions/gnome> /{usr/,}bin/dash ixr, /etc/ld.so.cache r, /etc/xdg/** r, /usr/bin/xdg-settings r, /usr/lib/chromium-browser/xdg-settings r, /usr/share/applications/*.desktop r, # Checking default browser /{usr/,}bin/grep ixr, /{usr/,}bin/readlink ixr, /{usr/,}bin/sed ixr, /{usr/,}bin/which ixr, /usr/bin/basename ixr, /usr/bin/cut ixr, # Setting the default browser /{usr/,}bin/mkdir ixr, /{usr/,}bin/mv ixr, /{usr/,}bin/touch ixr, /usr/bin/dirname ixr, /usr/bin/gconftool-2 ix, /usr/bin/[gm]awk ixr, /usr/bin/xdg-mime ixr, owner @{HOME}/.local/share/applications/ w, owner @{HOME}/.local/share/applications/mimeapps.list* rw, } profile lsb_release { #include <abstractions/base> #include <abstractions/python> /usr/bin/lsb_release r, /{usr/,}bin/dash ixr, /usr/bin/dpkg-query ixr, /usr/include/python2.[4567]/pyconfig.h r, /etc/lsb-release r, /etc/debian_version r, /etc/dpkg/origins/** r, /usr/share/distro-info/** r, /var/lib/dpkg/** r, /usr/local/lib/python3.[0-9]/dist-packages/ r, /usr/bin/ r, /usr/bin/python3.[0-9] mr, } # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.chromium-browser> profile chromium_browser_sandbox { # Be fanatical since it is setuid root and don't use an abstraction /{usr/,}lib/libgcc_s.so* mr, /{usr/,}lib/@{multiarch}/libgcc_s.so* mr, /{usr/,}lib{,32,64}/libm-*.so* mr, /{usr/,}lib/@{multiarch}/libm-*.so* mr, /{usr/,}lib{,32,64}/libpthread-*.so* mr, /{usr/,}lib/@{multiarch}/libpthread-*.so* mr, /{usr/,}lib{,32,64}/libc-*.so* mr, /{usr/,}lib/@{multiarch}/libc-*.so* mr, /{usr/,}lib{,32,64}/libld-*.so* mr, /{usr/,}lib/@{multiarch}/libld-*.so* mr, /{usr/,}lib{,32,64}/ld-*.so* mr, /{usr/,}lib/@{multiarch}/ld-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, /usr/lib/libstdc++.so* mr, /usr/lib/@{multiarch}/libstdc++.so* mr, /etc/ld.so.cache r, # Required for dropping into PID namespace. Keep in mind that until the # process drops this capability it can escape confinement, but once it # drops CAP_SYS_ADMIN we are ok. capability sys_admin, # All of these are for sanely dropping from root and chrooting capability chown, capability fsetid, capability setgid, capability setuid, capability dac_override, capability sys_chroot, capability sys_ptrace, ptrace (read, readby), signal (receive) peer=unconfined, signal peer=@{profile_name}, signal (receive, send) set=("exists"), signal (receive) peer=/usr/lib/chromium-browser/chromium-browser, unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser), unix (create), unix peer=(label=@{profile_name}), unix (getattr, getopt, setopt, shutdown) addr=none, @{PROC}/ r, @{PROC}/[0-9]*/ r, @{PROC}/[0-9]*/fd/ r, deny @{PROC}/[0-9]*/oom_adj w, deny @{PROC}/[0-9]*/oom_score_adj w, @{PROC}/[0-9]*/status r, @{PROC}/[0-9]*/task/[0-9]*/stat r, /usr/bin/chromium-browser r, /usr/lib/chromium-browser/chromium-browser Px, /usr/lib/chromium-browser/chromium-browser-sandbox r, /usr/lib/chromium-browser/chrome-sandbox mr, /dev/null rw, owner /tmp/** rw, } }
