[pkg-apparmor] Bug#742829: closed by intrigeri <intrigeri at debian.org> (Bug#742829: fixed in apparmor 2.10.95-8)
Guido Günther
agx at sigxcpu.org
Sat Sep 30 17:19:03 UTC 2017
Hi Daniel,
On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote:
> On Fri, 2017 Sep 29 00:18+0200, Guido Günther wrote:
> >
> > Attaching to this the report is fine. I can handle it from there.
>
> Okay, greatly appreciated. My current profile is attached. Please Cc: me
> on the new bug report.
>
> As it happens, this file is identical to the current version of the
> profile in the apparmor-profiles Git repository, with the exception of
> the Debian alias lines.
>
> It seems that the AppArmor folks accepted my changes in the merge
> request, not by approving the merge, but by applying the changes to a
> new version-specific copy in the repo. They added a few more things of
> their own, which I have in turn merged into my/this copy.
>
> I never heard anything from them about this, however; I learned about
> this only now that I diffed my profile with their latest. Their process
> could certainly stand to be more transparent.
> # Author: Jamie Strandboge <jamie at canonical.com>
> #include <tunables/global>
>
> # Debian compatibility aliases
> # https://bugs.debian.org/742829
> #
> # The rules below are written against Ubuntu's /usr/lib/chromium-browser
> # layout. An alias makes every rule path under its left-hand side apply to
> # the right-hand side as well, so the same rules also cover Debian's
> # /usr/lib/chromium paths without forking the profile. Keep this list in
> # step with any path the Debian package renames, or the renamed path is
> # simply unconfined by the rules that mention the Ubuntu name.
> alias /etc/chromium-browser/ -> /etc/chromium/,
> alias /usr/bin/chromium-browser -> /usr/bin/chromium,
> alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox,
> alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium,
> alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/,
>
> # We need 'flags=(attach_disconnected)' in newer chromium versions
> # (attach_disconnected makes the kernel attach a path to files that are
> # disconnected from the profile's namespace root instead of denying them;
> # presumably required by chromium's mount/pid-namespace sandbox -- confirm).
> /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
> # Shared abstractions. Note that dbus-session grants broad session-bus
> # traffic and nameservice covers DNS/NSS lookups; review the installed
> # abstraction files when auditing what this profile actually allows.
> #include <abstractions/audio>
> #include <abstractions/cups-client>
> #include <abstractions/dbus-session>
> #include <abstractions/dbus-strict>
> #include <abstractions/gnome>
> #include <abstractions/ibus>
> #include <abstractions/nameservice>
> #include <abstractions/user-tmp>
>
> # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
> # you want access to productivity applications, adjust the following file
> # accordingly.
> # NOTE(review): a plain #include of a file that is not installed is a parse
> # error, which means the whole profile fails to load rather than loading
> # without it -- see the discussion of Debian's abstractions below.
> #include <abstractions/ubuntu-browsers.d/chromium-browser>
This file is currently not included in Debian's apparmor package, and with a plain `#include` a missing file is a parse error: the whole profile would fail to load, leaving Chromium unconfined rather than running under a partial policy. @intrigeri, can this be added? I assume we don't want other packages to mess around in abstractions? If not I can pull the rules from that file into the profile itself.
I'm attaching a patch against chromium here for reference.
Cheers,
-- Guido
>
> # Networking
> # Only TCP (stream) sockets are granted here; UDP for DNS is expected to
> # come from abstractions/nameservice above -- confirm against the installed
> # abstraction if resolution fails.
> network inet stream,
> network inet6 stream,
> @{PROC}/[0-9]*/net/if_inet6 r,
> @{PROC}/[0-9]*/net/ipv6_route r,
>
> # Should maybe be in abstractions
> /etc/mime.types r,
> /etc/mailcap r,
> /etc/mtab r,
> /etc/xdg/xubuntu/applications/defaults.list r,
> owner @{HOME}/.local/share/applications/defaults.list r,
> owner @{HOME}/.local/share/applications/mimeinfo.cache r,
>
> # /proc access. Rules without 'owner' also match other users' processes;
> # for those the kernel's own /proc access checks still apply on top of
> # AppArmor.
> @{PROC}/[0-9]*/fd/ r,
> @{PROC}/filesystems r,
> @{PROC}/ r,
> @{PROC}/[0-9]*/task/[0-9]*/stat r,
> owner @{PROC}/[0-9]*/cmdline r,
> owner @{PROC}/[0-9]*/io r,
> # Writing setgroups/uid_map/gid_map is how an unprivileged user namespace
> # sets up its id mappings -- presumably chromium's namespace sandbox;
> # 'owner' keeps this to our own processes.
> owner @{PROC}/[0-9]*/setgroups w,
> owner @{PROC}/[0-9]*/{uid,gid}_map w,
> @{PROC}/[0-9]*/smaps r,
> owner @{PROC}/[0-9]*/stat r,
> @{PROC}/[0-9]*/statm r,
> owner @{PROC}/[0-9]*/status r,
> owner @{PROC}/[0-9]*/task/[0-9]*/status r,
> # Explicit deny (rather than an implicit one) so the attempts are not
> # logged as violations.
> deny @{PROC}/[0-9]*/oom_{,score_}adj w,
> @{PROC}/sys/kernel/yama/ptrace_scope r,
> @{PROC}/sys/net/ipv4/tcp_fastopen r,
>
> # Newer chromium needs these now
> # (device enumeration: read-only sysfs attributes plus udev.conf).
> /etc/udev/udev.conf r,
> /sys/devices/**/uevent r,
> /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
> /sys/devices/system/node/node*/meminfo r,
> /sys/devices/pci[0-9]*/**/class r,
> /sys/devices/pci[0-9]*/**/device r,
> /sys/devices/pci[0-9]*/**/irq r,
> /sys/devices/pci[0-9]*/**/resource r,
> /sys/devices/pci[0-9]*/**/vendor r,
> /sys/devices/pci[0-9]*/**/removable r,
> /sys/devices/pci[0-9]*/**/block/**/size r,
> /sys/devices/virtual/block/**/removable r,
> /sys/devices/virtual/block/**/size r,
> /sys/devices/virtual/tty/tty*/active r,
> # This is requested, but doesn't seem to actually be needed so deny for now
> deny /run/udev/data/** r,
>
> # Needed for the crash reporter
> owner @{PROC}/[0-9]*/auxv r,
>
> # chromium mmaps all kinds of things for speed.
> # 'm' permits PROT_EXEC mappings, which is strictly more than plain 'r'.
> /etc/passwd m,
> /usr/share/fonts/truetype/**/*.tt[cf] m,
> /usr/share/fonts/**/*.pfb m,
> /usr/share/mime/mime.cache m,
> /usr/share/icons/**/*.cache m,
> owner /{dev,run}/shm/pulse-shm* m,
> owner @{HOME}/.local/share/mime/mime.cache m,
> # NOTE(review): abstractions/user-tmp (included above) already grants the
> # owner rwkl on /tmp/**; adding 'm' means any file this process writes
> # under /tmp can then be mapped executable, which gives up W^X for
> # anything that compromises the browser process. Narrow this to the
> # specific files chromium actually maps if they can be identified.
> owner /tmp/** m,
>
> @{PROC}/sys/kernel/shmmax r,
> owner /{dev,run}/shm/{,.}org.chromium.* mrw,
> owner /{,var/}run/shm/shmfd-* mrw,
>
> /usr/lib/chromium-browser/*.pak mr,
> /usr/lib/chromium-browser/locales/* mr,
>
> # Noisy
> # Explicit deny of writes into the install tree keeps the attempts out of
> # the audit log; writes there are never legitimate for the browser.
> deny /usr/lib/chromium-browser/** w,
>
> # NOTE(review): these capabilities are granted to the main browser profile,
> # not only to the chromium_browser_sandbox child below. sys_admin is the
> # broadest capability AppArmor can grant (mount, namespace setup, ...), and
> # AppArmor mediates capabilities even when they are exercised inside an
> # unprivileged user namespace -- presumably why chromium's namespace
> # sandbox needs it here. This is the single largest hole in the profile;
> # confirm whether it can be moved into a child profile.
> capability sys_admin,
> capability sys_chroot,
> capability sys_ptrace,
>
> # Allow ptracing ourselves
> # (only peers carrying this same profile label, not arbitrary processes).
> ptrace (trace) peer=@{profile_name},
>
> # Make browsing directories work
> # Directory listing only: a file's contents still need their own rule, so
> # this exposes names across the filesystem, not data.
> / r,
> /**/ r,
>
> # Allow access to documentation and other files the user may want to look
> # at in /usr
> # Note the glob: '/usr/share**' matches the directory itself and everything
> # beneath it, contents included.
> /usr/{include,share,src}** r,
>
> # Default profile allows downloads to ~/Downloads and uploads from ~/Public
> # Single '*' globs: only files directly inside these directories, not in
> # subdirectories. Wider upload/download paths belong in the site-local
> # include, not here.
> owner @{HOME}/ r,
> owner @{HOME}/Public/ r,
> owner @{HOME}/Public/* r,
> owner @{HOME}/Downloads/ r,
> owner @{HOME}/Downloads/* rw,
>
> # For migration
> owner @{HOME}/.mozilla/firefox/profiles.ini r,
> owner @{HOME}/.mozilla/firefox/*/prefs.js r,
>
> # Helpers
> # 'ix' runs the helper under this same profile, so whatever the helper in
> # turn executes or opens must also be allowed by the rules in this file.
> /usr/bin/xdg-open ixr,
> /usr/bin/gnome-open ixr,
> /usr/bin/gvfs-open ixr,
> /usr/bin/kdialog ixr,
> # TODO: xfce
>
> # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
> # which is provided by abstractions/ubuntu-browsers.d/user-files).
> /etc/firefox/profile/bookmarks.html r,
> owner @{HOME}/.mozilla/** k,
>
> # Chromium Policies
> /etc/chromium-browser/policies/** r,
>
> # Chromium configuration
> # ~/.pki/nssdb is the NSS certificate/key store. Write access is presumably
> # needed for client certs and user-added CAs, so code running in this
> # profile can alter the user's (not the system's) trust settings.
> owner @{HOME}/.pki/nssdb/* rwk,
> owner @{HOME}/.cache/chromium/ rw,
> owner @{HOME}/.cache/chromium/** rw,
> owner @{HOME}/.cache/chromium/Cache/* mr,
> owner @{HOME}/.config/chromium/ rw,
> owner @{HOME}/.config/chromium/** rwk,
> owner @{HOME}/.config/chromium/**/Cache/* mr,
> owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
> owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
>
> # Allow transitions to ourself and our sandbox
> # 'cx' moves the setuid sandbox helper into the tighter child profile
> # defined at the bottom of this file.
> /usr/lib/chromium-browser/chromium-browser ix,
> /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
> /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
>
> # Allow communicating with sandbox
> unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
>
> # NOTE(review): 'Ux' runs ps *unconfined* (with a scrubbed environment).
> # ps is normally a read-only /proc viewer, but this is the one exec in the
> # profile that leaves confinement entirely; a 'Cx' child profile like the
> # two below would be tighter.
> /{usr/,}bin/ps Uxr,
> # 'Cx' = run in the named child profile with a scrubbed environment.
> /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
> /usr/bin/xdg-settings Cxr -> xdgsettings,
> /usr/bin/lsb_release Cxr -> lsb_release,
>
> # GSettings
> owner /{,var/}run/user/*/dconf/ rw,
> owner /{,var/}run/user/*/dconf/user rw,
> owner @{HOME}/.config/dconf/user r,
>
> # Child profile for the xdg-settings helper (entered via 'Cx' above). It is
> # a shell script, hence the bash abstraction and the coreutils it execs;
> # everything it runs inherits this child profile ('ix'), not the browser's.
> profile xdgsettings {
> #include <abstractions/bash>
> #include <abstractions/gnome>
>
> /{usr/,}bin/dash ixr,
>
> /etc/ld.so.cache r,
> /etc/xdg/** r,
> /usr/bin/xdg-settings r,
> /usr/lib/chromium-browser/xdg-settings r,
> /usr/share/applications/*.desktop r,
>
> # Checking default browser
> /{usr/,}bin/grep ixr,
> /{usr/,}bin/readlink ixr,
> /{usr/,}bin/sed ixr,
> /{usr/,}bin/which ixr,
> /usr/bin/basename ixr,
> /usr/bin/cut ixr,
>
> # Setting the default browser
> /{usr/,}bin/mkdir ixr,
> /{usr/,}bin/mv ixr,
> /{usr/,}bin/touch ixr,
> /usr/bin/dirname ixr,
> # gconftool-2 has 'ix' but no 'r': it may be executed but not read.
> /usr/bin/gconftool-2 ix,
> /usr/bin/[gm]awk ixr,
> /usr/bin/xdg-mime ixr,
> # The only writable state: the user's own mimeapps.list, plus 'w' on the
> # directory so mv/touch can create it.
> owner @{HOME}/.local/share/applications/ w,
> owner @{HOME}/.local/share/applications/mimeapps.list* rw,
> }
>
> # Child profile for /usr/bin/lsb_release (entered via 'Cx' above). Judging
> # by the rules it is a python program that shells out to dpkg-query; it is
> # read-only apart from the execs.
> profile lsb_release {
> #include <abstractions/base>
> #include <abstractions/python>
> /usr/bin/lsb_release r,
> /{usr/,}bin/dash ixr,
> /usr/bin/dpkg-query ixr,
> # NOTE(review): a python2 header path next to the python3 interpreter rule
> # below -- presumably a leftover from an older lsb_release; harmless but
> # worth pruning once confirmed unused.
> /usr/include/python2.[4567]/pyconfig.h r,
> /etc/lsb-release r,
> /etc/debian_version r,
> /etc/dpkg/origins/** r,
> /usr/share/distro-info/** r,
> /var/lib/dpkg/** r,
>
> /usr/local/lib/python3.[0-9]/dist-packages/ r,
> /usr/bin/ r,
> /usr/bin/python3.[0-9] mr,
> }
>
>
> # Site-specific additions and overrides. See local/README for details.
> # NOTE(review): a plain #include of a file that does not exist is a parse
> # error, so on a system without this local file the whole profile fails to
> # load and chromium runs unconfined. Debian's apparmor packaging normally
> # creates the local file; check that the installed name matches this one.
> #include <local/usr.bin.chromium-browser>
>
> # Child profile for the setuid-root sandbox helper (entered via 'cx' above).
> # Libraries are listed explicitly instead of via abstractions/base so that
> # a root-privileged process gets the minimum file access possible.
> profile chromium_browser_sandbox {
> # Be fanatical since it is setuid root and don't use an abstraction
> /{usr/,}lib/libgcc_s.so* mr,
> /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
> /{usr/,}lib{,32,64}/libm-*.so* mr,
> /{usr/,}lib/@{multiarch}/libm-*.so* mr,
> /{usr/,}lib{,32,64}/libpthread-*.so* mr,
> /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
> /{usr/,}lib{,32,64}/libc-*.so* mr,
> /{usr/,}lib/@{multiarch}/libc-*.so* mr,
> /{usr/,}lib{,32,64}/libld-*.so* mr,
> /{usr/,}lib/@{multiarch}/libld-*.so* mr,
> /{usr/,}lib{,32,64}/ld-*.so* mr,
> /{usr/,}lib/@{multiarch}/ld-*.so* mr,
> /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
> /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
> /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
> /usr/lib/libstdc++.so* mr,
> /usr/lib/@{multiarch}/libstdc++.so* mr,
> /etc/ld.so.cache r,
>
> # Required for dropping into PID namespace. Keep in mind that until the
> # process drops this capability it can escape confinement, but once it
> # drops CAP_SYS_ADMIN we are ok.
> capability sys_admin,
>
> # All of these are for sanely dropping from root and chrooting
> capability chown,
> capability fsetid,
> capability setgid,
> capability setuid,
> capability dac_override,
> capability sys_chroot,
>
> capability sys_ptrace,
> # NOTE(review): no 'peer=' restriction, so as far as AppArmor is concerned
> # any process may read this one and it may read any process (the kernel's
> # usual ptrace checks still apply). Narrow to peer=@{profile_name} and the
> # browser label if the helper needs nothing more -- confirm.
> ptrace (read, readby),
>
> # Signals: unconfined processes (e.g. the user's shell) may signal us, as
> # may our own label and the browser profile; 'exists' (the signal-0
> # liveness probe) is allowed in both directions.
> signal (receive) peer=unconfined,
> signal peer=@{profile_name},
> signal (receive, send) set=("exists"),
> signal (receive) peer=/usr/lib/chromium-browser/chromium-browser,
>
> # Unix-socket IPC with the main browser profile and with ourselves; the
> # addr=none rule covers unnamed sockets (socketpair-style).
> unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser),
> unix (create),
> unix peer=(label=@{profile_name}),
> unix (getattr, getopt, setopt, shutdown) addr=none,
>
> # /proc: read-only, and OOM-score writes are denied quietly as in the
> # parent profile.
> @{PROC}/ r,
> @{PROC}/[0-9]*/ r,
> @{PROC}/[0-9]*/fd/ r,
> deny @{PROC}/[0-9]*/oom_adj w,
> deny @{PROC}/[0-9]*/oom_score_adj w,
> @{PROC}/[0-9]*/status r,
> @{PROC}/[0-9]*/task/[0-9]*/stat r,
>
> /usr/bin/chromium-browser r,
> # 'Px' re-execs the browser binary under its own (main) profile with a
> # scrubbed environment -- presumably how the helper hands control back
> # once privileges are dropped.
> /usr/lib/chromium-browser/chromium-browser Px,
> /usr/lib/chromium-browser/chromium-browser-sandbox r,
> /usr/lib/chromium-browser/chrome-sandbox mr,
>
> /dev/null rw,
>
> # NOTE(review): rw on everything the user owns under /tmp, from a helper
> # that starts as root. No 'm' here, so nothing written can be mapped
> # executable from this profile; still worth narrowing if the actual paths
> # can be identified.
> owner /tmp/** rw,
> }
> }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-apparmor-profile.patch
Type: text/x-diff
Size: 11298 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20170930/d9f966cf/attachment-0001.patch>