
Thread: I Still Can't Get The Chromium Apparmor Profile to work!


  1. #1

    I Still Can't Get The Chromium Apparmor Profile to work!

    I've always had an issue with this; no matter what I try, every time I enforce the usr.bin.chromium-browser profile, Chromium won't start. I can see it in the system monitor, and it shows up as enforced, but the window itself doesn't load. I've tried what this guy said here, but the bug still does not appear to be fixed in AppArmor 2.7. Here is the profile:
    Code:
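    # Author: Jamie Strandboge <jamie@canonical.com>
    #include <tunables/global>

    # We need 'flags=(attach_disconnected)' in newer chromium versions.
    # The header as posted carried only 'complain', which contradicts the
    # note above, so 'attach_disconnected' is now set alongside it.  Without
    # that flag, file accesses through paths that are disconnected from the
    # namespace root are refused once the profile is enforced (in complain
    # mode they are only logged), which is consistent with a browser that
    # runs under aa-complain and dies under aa-enforce.  'complain' is kept
    # so the posted mode is unchanged; aa-enforce strips it.
    /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected,complain) {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>

      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>

      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,

      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,

      # 'owner' limits a rule to files owned by the confined process's user;
      # the unqualified /proc entries below are readable for any pid.
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      owner @{PROC}/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/status r,

      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,

      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,

      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,

      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,

      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,

      # Noisy.  An explicit 'deny' takes precedence over any allow rule,
      # including ones pulled in by abstractions, and is quiet in the log
      # (post 2 in this thread relies on that when profiling with aa-logprof).
      deny /usr/lib/chromium-browser/** w,

      # Make browsing directories work
      / r,
      /**/ r,

      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,

      # Default profile allows downloads to ~/Downloads and uploads from ~/Public.
      # A directory needs its own entry (trailing '/') in addition to the glob
      # for its contents.
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,

      # Helpers: 'ix' runs them inside this same profile.
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce

      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_{,score_}adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,

      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,

      # Allow transitions to ourself and our sandbox.  'cx' moves the setuid
      # sandbox helper into the named child profile defined at the end of
      # this profile, so its extra capabilities never apply to the browser.
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,

      # TODO: child profile
      # 'Ux' runs these helpers unconfined (with a scrubbed environment);
      # whatever they spawn is outside this policy.  A child profile via
      # 'cx', as done for the sandbox above, would close that gap.
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Ux,
      /usr/bin/xdg-settings Ux,

      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>

    # Child profile for the setuid-root sandbox helper.  It is also in
    # complain mode here, so none of its rules are enforced until that flag
    # is removed.
    profile chromium_browser_sandbox flags=(complain) {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /etc/ld.so.cache r,

        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,

        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,

        # *Sigh*
        capability sys_ptrace,

        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
        @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,

        # 'Px' hands the browser back to the profile attached to its path
        # (the enclosing profile) with a scrubbed environment, so the
        # capabilities granted here do not follow it.
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser Px,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,

        owner /tmp/** rw,
      }
    }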
    Any help?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  2. #2

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    If you're not receiving anything through aa-logprof delete any 'deny' rules.

  3. #3

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    If you're not receiving anything through aa-logprof delete any 'deny' rules.
    Do you know of any Chromium (or Chrome) profiles that will actually work? Ideally, ones that will allow me to download to specific folders...
    Read my technology blog at: http://penguincampaigner.wordpress.com

  4. #4

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Sure. I use a Chrome profile, but I haven't actually spent much time making sure it's not full of holes (I could likely keep it more locked down with `owner` tags). I made these pretty quickly and could likely tighten them more by removing variables.

    edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.

    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>

    # Profile for Chrome's setuid-root sandbox helper.  The Chromium profile
    # earlier in this thread confines the equivalent binary in a dedicated
    # child profile and, as its comment puts it, is "fanatical" about not
    # using abstractions there; this one pulls in two.
    /opt/google/chrome/chrome-sandbox {
    #include <abstractions/base>
    #include <abstractions/ubuntu-konsole>

    # Same capability set as the chromium_browser_sandbox child profile above
    # (PID-namespace setup, privilege drop, chroot, ptrace).
    capability chown,
    capability dac_override,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,



    /etc/ld.so.cache r,
    # No 'owner' qualifier: with the helper running as root, '/home/*'
    # grants write access to every user's Chrome profile directory, not only
    # the invoking user's.  'owner' would narrow it to the caller's files.
    /home/*/.config/google-chrome/Default/** rwk,
    /home/*/.config/google-chrome/Dictionaries/* r,
    # Quoted because the path contains spaces.
    "/home/*/.config/google-chrome/Profile 1/Pepper Data/**" w,
    # NOTE(review): literal '/home/documents/' is not under any user's home;
    # looks like a typo for '/home/*/Documents/' -- confirm.
    /home/documents/ r,
    /lib/@{multiarch}/ld-*.so* mr,
    /lib/@{multiarch}/libc-*.so* mr,
    /lib/@{multiarch}/libld-*.so* mr,
    /lib/@{multiarch}/libm-*.so* mr,
    /lib/@{multiarch}/libpthread-*.so* mr,
    /lib/libgcc_s.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /lib{,32,64}/ld-*.so* mr,
    /lib{,32,64}/libc-*.so* mr,
    /lib{,32,64}/libld-*.so* mr,
    /lib{,32,64}/libm-*.so* mr,
    /lib{,32,64}/libpthread-*.so* mr,
    # Everything under /opt/google is mappable and readable from the
    # privileged helper; the more specific rules below are subsumed by it.
    /opt/google/** mr,
    /opt/google/chrome/ r,
    # 'rix' runs the browser binary *inside this profile*, so the capability
    # grants above stay available to it.  The Chromium profile above uses
    # 'Px' at the same point to return the browser to its own, unprivileged
    # profile; doing that here would need a profile attached to
    # /opt/google/chrome/chrome, which this set does not define.
    /opt/google/chrome/chrome rix,
    /opt/google/chrome/chrome-sandbox r,
    /opt/google/chrome/google-chrome r,
    # 'px' transitions to the nacl_helper_bootstrap profile defined below.
    /opt/google/chrome/nacl_helper_bootstrap px,
    # The /proc/* rules and the @{PROC}/[0-9]* rules below overlap
    # (@{PROC} comes from tunables/global and is normally /proc); the
    # unqualified forms cover every pid, not just the helper's own.
    /proc/ r,
    /proc/*/ r,
    /proc/*/fd/ r,
    /proc/*/oom_score_adj w,
    /proc/*/status r,
    /proc/sys/kernel/shmmax r,
    # No 'owner': shared-memory segments of any user are read/write here,
    # where the Chromium profile above qualifies its shm rules with 'owner'.
    /run/shm/* rw,
    /sys/devices/system/cpu/** r,
    /usr/lib/libstdc++.so* mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/oom_adj w,
    @{PROC}/[0-9]*/oom_score_adj w,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,

    }
    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>

    # Main Google Chrome profile.  It is attached to the google-chrome wrapper
    # rather than to the chrome binary; chrome and the helper tools are run
    # with 'rix' below and therefore stay confined by this profile.
    /opt/google/chrome/google-chrome {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/cups-client>
    #include <abstractions/dbus-session>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/nvidia>
    #include <abstractions/ubuntu-konsole>
    #include <abstractions/user-tmp>

    # An explicit 'deny' overrides anything an included abstraction allows
    # and, unlike an implicit denial, is quiet in the log (post 2 in this
    # thread relies on that when it says to drop deny rules while profiling).
    deny capability dac_override,
    deny capability dac_read_search,

    # sys_ptrace is granted to the browser itself here; the Chromium profile
    # above confines it to the setuid sandbox child profile only.
    capability ipc_lock,
    capability sys_ptrace,

    network inet stream,
    network inet6 stream,

    # Site-specific: the author's own mount point and document folder.
    deny /media/truecrypt1/ r,
    /home/*/Documents/Misc/** r,
    # Shell and coreutils, presumably for the google-chrome wrapper script
    # (hence abstractions/bash above); 'rix' keeps them under this profile.
    /bin/bash rix,
    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/ps rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /dev/ r,
    /dev/video0 r,
    /etc/ati/amdpcsdb.default r,
    /etc/ati/atiogl.xml r,
    /etc/lsb-release r,
    /etc/passwd m,
    /etc/python2.7/sitecustomize.py r,
    owner /home/*/.adobe/** rwk,
    owner /home/*/.cache/dconf/user rwk,
    owner /home/*/.cache/google-chrome/** rwk,
    owner /home/*/.config/autostart/google-chrome.desktop rwk,
    owner /home/*/.config/dconf/user r,
    owner /home/*/.config/google-chrome/ rwk,
    owner /home/*/.config/google-chrome/** rwk,
    # The unqualified '/home/*' rules below match every user's home, not
    # just the invoking user's.  The Chromium profile above scopes both the
    # Firefox import and the NSS database with 'owner'.
    /home/*/.fontconfig/** rk,
    owner /home/*/.local/share/applications/* rwk,
    /home/*/.macromedia/** rk,
    /home/*/.mozilla/firefox/** r,
    /home/*/.pki/nssdb/** rwk,
    /home/*/.thumbnails/normal/* r,
    # NOTE(review): /opt/google is normally root-owned, so these 'owner'
    # rules only match if the install belongs to the browsing user -- confirm.
    owner /opt/google/** rk,
    owner /opt/google/chrome/* mrk,
    /opt/google/chrome/PepperFlash/* mrk,
    /opt/google/chrome/chrome rix,
    # Hands the setuid helper to the chrome-sandbox profile above.
    /opt/google/chrome/chrome-sandbox px,
    /opt/google/chrome/google-chrome rix,
    /opt/google/chrome/xdg-settings rix,
    # Unqualified /proc rules cover every pid, not only the browser's own.
    /proc/ r,
    /proc/*/fd/ r,
    /proc/*/io r,
    /proc/*/oom_score_adj w,
    /proc/*/statm r,
    /proc/*/task/ r,
    /proc/ati/major r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
    /proc/uptime r,
    /proc/version r,
    # NOTE(review): only reachable if the browser runs as root -- confirm
    # whether these are wanted at all.
    /root/.local/share/Trash/files/* rwk,
    /root/.local/share/Trash/files/** rwk,
    # No 'owner': any user's shared-memory segments are mappable and writable.
    /run/shm/* mrw,
    /selinux/ r,
    /sys/bus/pci/devices/ r,
    # Whole of /sys/devices; the Chromium profile above lists only the pci
    # attributes it needs.
    /sys/devices/** r,
    # '/tmp/** rw' is unqualified, so the 'owner' line only adds m/l/k on top
    # of read/write access to every file under /tmp regardless of owner.
    owner /tmp/** mlk,
    /tmp/** rw,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    # File manager and archiver run confined under this profile ('rix');
    # whatever they open is governed by the browser's rules.
    /usr/bin/file-roller rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/lsb_release rix,
    /usr/bin/mawk rix,
    /usr/bin/nautilus rix,
    # 'px' needs a profile attached to /usr/bin/transmission-gtk; if none is
    # loaded the exec is refused.
    /usr/bin/transmission-gtk px,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-open rix,
    /usr/bin/xdg-settings rix,
    /usr/include/python2.7/pyconfig.h r,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/share/fonts/**/*.pfb m,
    /usr/share/fonts/truetype/**/*.tt[cf] m,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/icons/**/*.cache m,
    /usr/share/mime/mime.cache m,
    /usr/share/pyshared/* r,
    owner /{dev,run}/shm/pulse-shm* m,
    owner @{HOME}/ r,
    owner @{HOME}/.local/share/mime/mime.cache m,
    # Download/upload folders, same shape as the Chromium profile above.
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{PROC}/[0-9]*/auxv r,
    @{PROC}/[0-9]*/net/if_inet6 r,
    @{PROC}/[0-9]*/net/ipv6_route r,

    }
    # Last Modified: Sat Mar 31 04:24:18 2012
    #include <tunables/global>

    # Native Client bootstrap helper, entered from the chrome-sandbox profile
    # above via 'px'.
    /opt/google/chrome/nacl_helper_bootstrap {
    #include <abstractions/base>


    # Nothing in this profile grants a capability, so these denies are
    # belt-and-braces: they override any grant from abstractions/base and
    # keep the refusals out of the log.
    deny capability dac_override,
    deny capability dac_read_search,
    deny capability chown,
    deny capability fsetid,
    deny capability setgid,
    deny capability setuid,
    deny capability sys_admin,
    deny capability sys_chroot,
    deny capability sys_ptrace,


    # NOTE(review): nacl_helper is mapped ('m'), not executed; whether the
    # bootstrap also needs an exec rule for it is not visible here -- confirm.
    /opt/google/chrome/nacl_helper mr,
    /opt/google/chrome/nacl_irt_x86_64.nexe r,
    # Neither rule carries 'owner': any user's shared-memory segments are
    # writable, and top-level files in /tmp (single '*', no subdirectories)
    # are readable.
    /run/shm/* mrw,
    /sys/devices/system/cpu/cpu0/** r,
    /tmp/* r,

    }
    Feel free to edit as you like.
    Last edited by Hungry Man; July 2nd, 2012 at 08:19 PM.

  5. #5

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    Sure. I use a Chrome profile but I haven't actually spent much time making sure it's not full of holes ( could likely keep it more locked down through OWNER tags.) I made these pretty quickly and could likely tighten them more by removing variables.

    edit: Actually going through quickly I can see a few issues with this profile in terms of being way too loose. I'll rewrite it later.







    Feel free to edit as you like.
    I assume this profile limits downloads to the "Downloads" folder? If so, would adding something like ~/Music under @{HOME} work?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  6. #6

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

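    # As originally posted, the second rule was '@{HOME}/Downloads/Music rwk,'.
    # A path without a trailing '/' is a file entry, and it has no glob, so
    # that line only matched a single file literally named 'Music' inside
    # Downloads -- nothing could be saved into a Music sub-folder.  A
    # directory needs its own entry plus a glob for its contents, the same
    # pair used for '.cache/chromium/' and '.cache/chromium/**' in the
    # Chromium profile above.  Prefix each rule with 'owner' to restrict
    # writes to files the browsing user owns.
    @{HOME}/Downloads/ rwk,
    @{HOME}/Downloads/Music/ rwk,
    @{HOME}/Downloads/Music/** rwk,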

    That's all you need.

    You can use an owner tag to limit it to being only able to write to files it owns in those folders.
