Page 4 of 12 FirstFirst ... 23456 ... LastLast
Results 31 to 40 of 112

Thread: Share your AppArmor Profiles

  1. #31
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    Back onto the topic of sharing profiles: here's a profile I've made for Firefox. It allows downloading only to ~/Downloads/, and it allows uploading from ~/Music/, ~/Pictures/, or ~/Videos/. It also allows downloading to /tmp/, and PDF files may be opened from Firefox with Evince (the default PDF viewer in GNOME). The OpenJDK plugin is allowed as the Java plugin.

    Code:
    #include <tunables/global>
    /usr/lib/firefox-3.0.5/firefox.sh {
        #include <abstractions/base>
        #include <abstractions/gnome>
        #include <abstractions/nameservice>
        #include <abstractions/user-tmp>
    
    ##### BEGIN READ-ONLY PERMISSIONS #####
        owner @{HOME}/ r,
        owner @{HOME}/.esd_auth r,
        owner @{HOME}/.icons/ r,
        owner @{HOME}/.local/** r,
        owner @{HOME}/.mozilla/firefox/**.so rm,
        owner @{HOME}/.thumbnails/** r,
        owner @{HOME}/Music/ r,
        owner @{HOME}/Music/** r,
        owner @{HOME}/Pictures/ r,
        owner @{HOME}/Pictures/** r,
        owner @{HOME}/Videos/ r,
        owner @{HOME}/Videos/** r,
    
        @{PROC}/ r,
        owner @{PROC}/*/fd/ r,
        owner @{PROC}/*/cmdline r,
        owner @{PROC}/*/maps r,
        owner @{PROC}/*/mounts r,
        owner @{PROC}/*/net/** r,
        owner @{PROC}/*/stat r,
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/uptime r,
        @{PROC}/version r,
    
        /dev/tty r,
    
        /etc/ r,
        /etc/firefox-*/pref/ r,
        /etc/firefox-*/pref/* r,
        /etc/gre.d/ r,
        /etc/gre.d/* r,
        /etc/java-6-openjdk/** r,
        /etc/kde4/** r,
        /etc/lsb-release r,
        /etc/pulse/* r,
        /etc/ssl/certs/** r,
        /etc/xulrunner-*/* r,
    
        /etc/gnome/defaults.list r,
        /etc/kde4rc r,
        /etc/mailcap r,
        /etc/mime.types r,
        /etc/mtab r,
        /etc/sound/events/gtk-events-2.soundlist r,
    
        /sys/devices/system/cpu/** r,
    
        /usr/lib/browser-plugins/** rm,
        /usr/lib/firefox-*/**.so rm,
        /usr/lib/jvm/** rm,
        /usr/lib/kde4/**.so rm,
    
        /usr/local/share/applications/ r,
        /usr/local/share/applications/* r,
        /usr/local/share/mime/** r,
    
        /usr/share/alsa/** r,
        /usr/share/applications/ r,
        /usr/share/applications/** r,
        /usr/share/evince/** r,
        /usr/share/gvfs/remote-volume-monitors/ r,
        /usr/share/gvfs/remote-volume-monitors/* r,
        /usr/share/icons/**.theme rk,
        /usr/share/java/** r,
        /usr/share/kubuntu-default-settings/** r,
        /usr/share/libthai/** r,
        /usr/share/locale-langpack/** r,
        /usr/share/mime/** r,
        /usr/share/myspell/dicts/ r,
        /usr/share/myspell/dicts/** r,
        /usr/share/ubufox/** r,
    ##### END READ-ONLY PERMISSIONS #####
    
    ##### BEGIN WRITE-ONLY PERMISSIONS #####
        /var/run/cups/cups.sock w,
        /var/run/dbus/system_bus_socket w,
    ##### END WRITE-ONLY PERMISSIONS #####
    
    ##### BEGIN READ-WRITE PERMISSIONS #####
        owner @{HOME}/.config/** rwk,
        owner @{HOME}/.gnome2/accelsevince rw,
        owner @{HOME}/.gnome2/evince/** rw,
        owner @{HOME}/.icedteaplugin/** rw,
        owner @{HOME}/.java/** rwk,
        owner @{HOME}/.kde/** rwk,
        owner @{HOME}/.macromedia/** rw,
        owner @{HOME}/.mozilla/** rwk,
        owner @{HOME}/.recently-used.xbel* rwk,
        owner @{HOME}/Downloads/ rw,
        owner @{HOME}/Downloads/** rw,
    
        /dev/shm/ rw,
        /dev/shm/* rw,
        /dev/snd/* rw,
    ##### END READ-WRITE PERMISSIONS #####
    
    ##### BEGIN EXECUTE PERMISSIONS #####
        /bin/dash rmix,
        /bin/grep rix,
        /bin/ps rix,
        /bin/readlink rmix,
        /bin/sed rix,
    
        /usr/bin/basename rix,
        /usr/bin/dirname rix,
        /usr/bin/evince rix,
        /usr/bin/launchpad-integration rix,
    
        /usr/lib/firefox-*/firefox ix,
        /usr/lib/firefox-*/firefox.sh ix,
        /usr/lib/gamin/gam_server ix,
        /usr/lib/jvm/java-6-openjdk/jre/bin/** rix,
    ##### END EXECUTE PERMISSIONS #####
    }
    Joel Goguen
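    A quick check worth running on a profile like the one above before enforcing it: list every rule that grants write (or append) access, and every exec rule together with the transition it uses. This is an added example in POSIX sh/awk, not part of the original post and not the AppArmor tools' own code. The profile excerpt it audits is constructed from a handful of the posted rules; the `Px` and `Ux` lines are not in the posted profile and are only there to show the other transition modes. The classification of mode letters (w/a grant writing; ix inherits the caller's profile, px/Px switches to the target's own profile, cx/Cx to a child profile, ux/Ux runs unconfined) is standard AppArmor semantics.

```shell
#!/bin/sh
# Added example (not from the original post): audit which rules of an
# AppArmor profile grant writes, and how each exec rule transitions.

# aa_audit [FILE...]: read profile text (files or stdin), print
#   WRITE <path> <mode>               for rules granting w or a
#   EXEC  <transition> <path> <mode>  for rules granting x
# deny rules are skipped: they take permissions away, never grant them.
aa_audit() {
    awk '
    {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        sub(/[[:space:]]+$/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next          # blank, comment, #include
        if (line == "}" || substr(line, length(line)) == "{") next # profile header / closing brace
        sub(/[[:space:]]*->.*$/, "", line)    # drop "-> target" of exec and link rules
        sub(/,[[:space:]]*$/, "", line)       # trailing comma
        n = split(line, f, " ")
        if (n < 2) next
        if (f[1] == "deny" || (f[1] == "audit" && f[2] == "deny")) next
        if (f[1] ~ /^(capability|network|change_profile|link|dbus|signal|ptrace|unix|mount|umount|pivot_root|rlimit|set)$/) next
        path = f[n - 1]; mode = f[n]          # "owner"/"audit" prefixes fall away here
        if (mode !~ /^[rwamklxiupcPUC]+$/) next
        if (mode ~ /[wa]/) printf "WRITE %s %s\n", path, mode
        if (mode ~ /x/) {
            t = "inherit"                     # ix: target runs under the calling profile
            if (mode ~ /[pP]/) t = "own-profile"
            else if (mode ~ /[cC]/) t = "child-profile"
            else if (mode ~ /[uU]/) t = "UNCONFINED"
            printf "EXEC %s %s %s\n", t, path, mode
        }
    }' "$@"
}

# sample_profile: constructed excerpt for demonstration. The gpg and
# xdg-open rules are NOT in the posted profile; they illustrate px/ux.
sample_profile() {
    cat <<'EOF'
#include <tunables/global>
/usr/lib/firefox-3.0.5/firefox.sh {
    #include <abstractions/base>
    owner @{HOME}/Music/** r,
    owner @{HOME}/Downloads/** rw,
    owner @{HOME}/.mozilla/** rwk,
    deny owner @{HOME}/.ssh/** rw,
    /var/run/cups/cups.sock w,
    /usr/bin/evince rix,
    /usr/lib/firefox-*/firefox ix,
    /usr/bin/gpg Px,
    /usr/bin/xdg-open Ux,
}
EOF
}

if [ "$#" -gt 0 ]; then
    aa_audit "$@"          # e.g. aa_audit /etc/apparmor.d/usr.lib.firefox-3.0.5.firefox.sh
else
    sample_profile | aa_audit
fi
```

    The output makes the practical point about the posted profile visible: `/usr/bin/evince rix` means Evince runs under the Firefox profile, so everything granted above (including write access to ~/Downloads/ and ~/.mozilla/) is available to Evince while it renders a downloaded PDF; a `px` transition would put it under its own profile instead, and a `ux` rule would leave confinement entirely.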

  2. #32

    Re: Share your AppArmor Profiles

    I used it only once and found it was easier for me to just create the profile from scratch each time, or modify an existing profile.
    ...
    You have a good point there.
    How do you choose the right name for the profile file, i.e. the right executable file?

  3. #33
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    First, you find the file that is actually executed when you call the command. That may require following some links. For example, here's how you would find what to use for Firefox in a Terminal:

    • Note that the command used in the menus is firefox
    • Use the which command to find where this is: which firefox
    • The output is /usr/bin/firefox. See if that's a link: ls -l /usr/bin/firefox
    • The output shows that /usr/bin/firefox points to firefox-3.0 in the same directory. See if that's a link: ls -l /usr/bin/firefox-3.0
    • The output shows that /usr/bin/firefox-3.0 points to ../lib/firefox-3.0.5/firefox.sh. That means the full path is /usr/lib/firefox-3.0.5/firefox.sh. See if that's a link: ls -l /usr/lib/firefox-3.0.5/firefox.sh
    • The output does not point to any other file, so this is the file to use.


    Now that you know that /usr/lib/firefox-3.0.5/firefox.sh is the actual file executed to run Firefox, you can construct the name of the AppArmor profile file. To do this, follow these steps:

    • Take the full path name: /usr/lib/firefox-3.0.5/firefox.sh
    • Drop the first slash. This gives: usr/lib/firefox-3.0.5/firefox.sh
    • Convert all remaining slashes to periods. This gives: usr.lib.firefox-3.0.5.firefox.sh
    • This is the file name for the AppArmor profile


    When generating the profile, the executable name is the full path you found earlier.
    Joel Goguen
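    The two procedures above (follow the links to the real executable, then turn its path into the profile file name) as a script. This is an added example, not code from the post or from the AppArmor project. It follows links one hop at a time exactly as the `ls -l` steps do, resolving a relative link target against the directory that holds the link; `readlink -f` from GNU coreutils does the same in one call. `command -v` is the POSIX equivalent of `which`. One caveat the post leaves implicit: the file name under /etc/apparmor.d/ is only a convention, and apparmor_parser loads whatever file it is given; what actually attaches the profile to the program is the full path in the profile header.

```shell
#!/bin/sh
# Added example (not from the original post): find the file a command
# really executes and derive the conventional AppArmor profile file name.

# normalize_path ABSPATH: lexically collapse "." and ".." segments.
# No filesystem access and no symlink resolution; that is follow_links' job.
normalize_path() {
    rest=$1 out=""
    while [ -n "$rest" ]; do
        seg=${rest%%/*}
        if [ "$seg" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        case $seg in
            ""|.) ;;                  # empty segment (leading "/" or "//") and "."
            ..)   out=${out%/*} ;;    # go up one level
            *)    out=$out/$seg ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# follow_links PATH: follow symlinks one hop at a time, like the repeated
# `ls -l` in the post. A relative target such as ../lib/firefox-3.0.5/firefox.sh
# is relative to the directory holding the link, which is how
# /usr/bin/firefox-3.0 becomes /usr/lib/firefox-3.0.5/firefox.sh.
follow_links() {
    p=$1 hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then
            echo "follow_links: symlink loop at $p" >&2
            return 1
        fi
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$(normalize_path "$t") ;;
            *)  p=$(normalize_path "$(dirname "$p")/$t") ;;
        esac
    done
    printf '%s\n' "$p"
}

# profile_name ABSPATH: drop the leading slash, turn the rest into dots.
#   /usr/lib/firefox-3.0.5/firefox.sh -> usr.lib.firefox-3.0.5.firefox.sh
profile_name() {
    printf '%s\n' "${1#/}" | tr / .
}

# resolve_command NAME: from the command as typed (firefox) to the path
# that belongs in the profile header and the conventional file name.
resolve_command() {
    bin=$(command -v "$1") || { echo "$1: not found in PATH" >&2; return 1; }
    case $bin in
        /*) ;;
        *)  echo "$1: is a builtin or alias, not a file on PATH" >&2; return 1 ;;
    esac
    real=$(follow_links "$bin") || return 1
    echo "profile header:  $real {"
    echo "profile file:    /etc/apparmor.d/$(profile_name "$real")"
}

if [ "$#" -gt 0 ]; then
    resolve_command "$1"      # e.g. ./aa-name.sh firefox
fi
```

    Because the Ubuntu wrapper `firefox.sh` runs the real `firefox` binary, the profile must also carry an `ix` rule for `/usr/lib/firefox-*/firefox`, as the posted profile does; otherwise the binary would be denied at exec time rather than confined.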

  4. #34

    Re: Share your AppArmor Profiles

    Hello.
    Why has Firefox asked for these?
    /home/*/.purple/
    and
    /home/*/.sudo_as_admin_successful

  5. #35

    Re: Share your AppArmor Profiles

    How do I make a separate profile for the Flash player?

  6. #36
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    Quote Originally Posted by q.dinar View Post
    Hello.
    Why has Firefox asked for these?
    /home/*/.purple/
    and
    /home/*/.sudo_as_admin_successful
    Is it just asking for read permissions? I don't know why it's asking for them. In a full profile, I would deny that; Firefox has no need to access either of those. I don't believe the profile I posted for Firefox does deny that, but it's still being tweaked. I posted it as-is hoping a) that someone else would look at it, see something I missed, and post about it, and b) that it would be helpful to someone.

    Quote Originally Posted by q.dinar View Post
    How do I make a separate profile for the Flash player?
    Do you mean the Flash player plugin for Firefox? You can't. You can only make profiles for executables, and the Flash plugin is loaded by Firefox, not executed as its own program. Whatever Firefox has access to, Flash has access to. That's the danger and benefit of plugins. The same goes for any other addon: if I write an addon and you install it, my addon has access to everything you give Firefox access to. If you mean a Flash player executable, then you would just make a new profile for that executable, but it wouldn't affect Flash in Firefox.
    Joel Goguen

  7. #37

    Re: Share your AppArmor Profiles

    "I don't believe the profile I posted for Firefox does deny that"
    That was asked with a profile made by me. (I know, you did not say the contrary.)
    "Do you mean the Flash player plugin for Firefox?"
    Yes.
    "You can't. You can only make profiles for executables, and the Flash plugin is loaded by Firefox, not executed as its own program."
    Hm. But it is a separate [binary] executable file, as I think. Can't the AppArmor developers make AppArmor able to use separate profiles for them?
    "I would deny that" I also have not allowed them.

  8. #38
    Join Date: Feb 2005 | Location: ${HOME} | Beans: Hidden!

    Re: Share your AppArmor Profiles

    Quote Originally Posted by q.dinar View Post
    That was asked with a profile made by me. (I know, you did not say the contrary.)
    I'm just saying that my profile doesn't deny it, in case someone sees that I said it should be denied and then sees that my profile doesn't deny it. I'm acknowledging a known "bug" in my profile.

    Quote Originally Posted by q.dinar View Post
    Hm. But it is a separate [binary] executable file, as I think. Can't the AppArmor developers make AppArmor able to use separate profiles for them?
    If you're using the flash player plugin from Adobe, it's not a separate executable. It's a shared object file that gets loaded by Firefox. I sincerely hope that I'm wrong though, I think it would be nice if AppArmor would restrict plugins. Just because I trust Firefox to have write access to ~/Downloads/ doesn't mean I want Flash doing the same thing.
    Joel Goguen

  9. #39
    Join Date: Oct 2008 | Location: Washington, D.C., USA | Beans: 118

    Re: Share your AppArmor Profiles

    Quote Originally Posted by q.dinar View Post
    Hello.
    Why has Firefox asked for these?
    /home/*/.purple/
    and
    /home/*/.sudo_as_admin_successful
    Probably asked for the .purple stuff for aim:// and irc:// and other URLs that are registered to Pidgin. sudo_as_admin_successful might be for AptURL?

  10. #40

    Re: Share your AppArmor Profiles

    Hello.
    xchat asks for /home/*/.recently-used.xbel. What is that, and why does xchat want it? I looked into it; I think it records which file was opened with which program.
    Also I see wine asks for something, though [I thought] it is off; I looked in System Monitor and saw "winbind"s by root.
    wine asks for:
    ... operation="capable" name="dac_override" ... profile="/usr/bin/wine"
    ... operation="capable" name="dac_read_search" ... profile="/usr/bin/wine"
    ... operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" ... profile="/usr/bin/wine"

    25th Jan. 14:44 GMT: an AppArmor Support Thread thread (topic) appeared for this type of question.
    Last edited by q.dinar; January 25th, 2009 at 03:45 PM.
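    The questions in this page ("why has Firefox asked for .purple/", "wine asks for dac_override") all start from log lines like the ones quoted above, so here is a small script that turns such AppArmor denial records into candidate rules, roughly what aa-logprof proposes interactively. It is an added example, not code from the thread or from the AppArmor tools. The sample log lines are constructed: the wine lines are modelled on the ones quoted above with the elided "..." parts filled by made-up pids, and the Firefox line uses the newer `apparmor="DENIED"` record format with a plain `denied_mask="r"` next to the older `"w::"` spelling, to show both are handled. A suggestion is only evidence that the program tried the access, not that it should be allowed: the `.purple/` and `.sudo_as_admin_successful` reads are the kind of thing to leave denied, and the `fsuid=0` wine line shows it was writing /root/.wine/ as root, which is worth noticing before any rule is added.

```shell
#!/bin/sh
# Added example (not from the thread): translate AppArmor denial log
# lines into candidate profile rules, one per distinct denial.

# aa_field KEY LINE: value of KEY="value" in an audit line, empty if absent.
# A space is prepended so a key at the very start of the line matches too.
aa_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rule LINE: print "<profile>: <rule>," or return 1 if the line
# does not carry the fields needed. Old "w::" masks become "w".
suggest_rule() {
    line=$1
    op=$(aa_field operation "$line")
    prof=$(aa_field profile "$line")
    [ -n "$prof" ] || return 1                       # not an AppArmor record
    case $op in
        capable)                                     # capability denial
            printf '%s: capability %s,\n' "$prof" "$(aa_field name "$line")" ;;
        *)                                           # file access denial
            mask=$(aa_field denied_mask "$line")
            [ -n "$mask" ] || mask=$(aa_field requested_mask "$line")
            mask=${mask%%:*}                         # "w::" -> "w"
            name=$(aa_field name "$line")
            [ -n "$name" ] && [ -n "$mask" ] || return 1
            printf '%s: %s %s,\n' "$prof" "$name" "$mask" ;;
    esac
}

# summarize_denials: log lines on stdin -> each distinct suggestion once.
# C locale so the ordering does not depend on the user's collation rules.
summarize_denials() {
    while IFS= read -r line; do
        suggest_rule "$line" || :                    # skip lines we cannot parse
    done | LC_ALL=C sort -u
}

# sample_log: CONSTRUCTED lines modelled on the post (pids made up).
sample_log() {
    cat <<'EOF'
operation="capable" name="dac_override" pid=4321 profile="/usr/bin/wine"
operation="capable" name="dac_read_search" pid=4321 profile="/usr/bin/wine"
operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" pid=4321 profile="/usr/bin/wine"
operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=0 name="/root/.wine/" pid=4322 profile="/usr/bin/wine"
apparmor="DENIED" operation="open" profile="/usr/lib/firefox-3.0.5/firefox.sh" name="/home/user/.purple/" pid=2222 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 25 14:44:01 host some unrelated kernel message
EOF
}

if [ "$#" -gt 0 ]; then
    summarize_denials < "$1"      # e.g. summarize_denials < /var/log/kern.log
else
    sample_log | summarize_denials
fi
```

    Each output line names the profile the rule belongs to, so the result can be split by profile when several confined programs log at once; repeated denials (the two /root/.wine/ lines) collapse into one suggestion.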
