authorWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-10-17 15:02:48 +0200
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2015-10-17 15:16:00 +0200
commit72abe1f66f9a9115717999de2bdff1017f897693 (patch)
treef7bad81fe914beb9d1ccc92eb8174a707c96ae03 /apparmor-profiles
init with apparmor profiles for Virtualbox, Chromium and Iceweasel
Diffstat (limited to 'apparmor-profiles')
-rw-r--r--apparmor-profiles/usr.bin.VBox69
-rw-r--r--apparmor-profiles/usr.bin.chromium273
-rw-r--r--apparmor-profiles/usr.lib.iceweasel.iceweasel152
3 files changed, 494 insertions, 0 deletions
diff --git a/apparmor-profiles/usr.bin.VBox b/apparmor-profiles/usr.bin.VBox
new file mode 100644
index 0000000..68ac718
--- /dev/null
+++ b/apparmor-profiles/usr.bin.VBox
@@ -0,0 +1,69 @@
+#https://raw.githubusercontent.com/Whonix/apparmor-profile-virtualbox/master/etc/apparmor.d/usr.lib.virtualbox.VirtualBox
+# Last Modified: Sat May 24 04:32:08 2014
+#include <tunables/global>
+
+/usr/lib/virtualbox/VirtualBox {
+ #include <abstractions/base>
+ #include <abstractions/gnome>
+ #include <abstractions/kde>
+ #include <abstractions/fonts>
+ #include <abstractions/audio>
+ #include <abstractions/user-download>
+
+ capability net_raw,
+ capability sys_ptrace,
+
+ deny /etc/nsswitch.conf r,
+ deny /etc/passwd r,
+ #deny /etc/resolv.conf r,
+ deny /etc/fstab r,
+ deny /etc/drirc r,
+ deny /etc/udev/udev.conf r,
+ #deny @{PROC}/** r,
+ @{PROC}/ r,
+ @{PROC}/** r,
+ deny /var/lib/dbus/machine-id r,
+ #deny /sys/** r,
+ /sys/** r,
+
+ /dev/dri/card0 rw,
+ /dev/vboxdrv rw,
+ /dev/vboxdrvu rw,
+ /dev/sr0 r,
+ /dev/tty r,
+ /dev/cpu r,
+ /run/udev/data/** r,
+
+ @{HOME}/.VirtualBox/* rw,
+ "@{HOME}/VirtualBox VMs/" r,
+ "@{HOME}/VirtualBox VMs/**" rw,
+ @{HOME}/.config/VirtualBox/ r,
+ @{HOME}/.config/VirtualBox/** rwkl,
+
+ /mnt/virtual/wolfi/Progs/virtualbox/ rw,
+ /mnt/virtual/wolfi/Progs/virtualbox/** rw,
+ /mnt/virtual/wolfi/Downloads/ rw,
+ /mnt/virtual/wolfi/Downloads/** rw,
+ @{HOME}/ r,
+ ## The .iso, .ova. or .ovf files should be there
+ @{HOME}/Downloads/ r,
+ @{HOME}/Downloads/** r,
+ @{HOME}/MA/code/ rw,
+ @{HOME}/MA/code/** rw,
+
+ ## Shared folders. Replace with your own host share.
+ @{HOME}/share/ r,
+ @{HOME}/share/** rw,
+
+ ## Should be in abstractions/audio? ##
+ /usr/bin/pulseaudio rix,
+ /usr/lib/pulse-2.0/** mrix,
+ ######################################
+
+ /usr/lib/virtualbox/** mrix,
+ /bin/dash rix,
+
+ /usr/share/virtualbox/nls/* r,
+ /usr/share/icons/hicolor/index.theme rwk, # ??
+}
+
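Review bot: The `@{PROC}/** r,` and `/sys/** r,` grants placed directly under the commented-out `#deny @{PROC}/** r,` and `#deny /sys/** r,` give the VM process read access to every process's /proc entries rather than only its own, and the adjacent `capability sys_ptrace,` is what lets a process pass the kernel's access check on the sensitive per-process entries, so the two together are far broader than the commented denies intended. Prefer the form the chromium profile in this commit uses — `owner @{PROC}/[0-9]*/** r,` for per-process entries plus explicit rules for the few global /proc and /sys files VirtualBox actually needs, added as the audit log reports them. The `/mnt/virtual/wolfi/...` rules are machine-specific and belong in a site-local include (the iceweasel profile's `local/` comment shows the convention) rather than in the shipped profile. `/usr/share/icons/hicolor/index.theme rwk, # ??` grants write and lock on a system-wide file with no explanation; unless the log shows a denied write, `r` should suffice, and if it does not the `# ??` should be replaced by a comment stating why.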
diff --git a/apparmor-profiles/usr.bin.chromium b/apparmor-profiles/usr.bin.chromium
new file mode 100644
index 0000000..0f7d4d2
--- /dev/null
+++ b/apparmor-profiles/usr.bin.chromium
@@ -0,0 +1,273 @@
+# Author: Jamie Strandboge <jamie@canonical.com>
+#include <tunables/global>
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium/chromium flags=(attach_disconnected) {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+ # you want access to productivity applications, adjust the following file
+ # accordingly.
+ ##include <abstractions/ubuntu-browsers.d/chromium-browser>
+
+ # Networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ @{PROC}/sys/net/ipv4/tcp_fastopen r,
+
+ # Should maybe be in abstractions
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/mtab r,
+ /etc/xdg/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/task/ r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/cmdline r,
+ owner @{PROC}/[0-9]*/io r,
+ @{PROC}/[0-9]*/smaps r,
+ owner @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/statm r,
+ owner @{PROC}/[0-9]*/status r,
+ deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Newer chromium needs these now
+ /etc/udev/udev.conf r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/bus/pci/devices/ r,
+ /sys/devices/pci[0-9]*/**/class r,
+ /sys/devices/pci[0-9]*/**/device r,
+ /sys/devices/pci[0-9]*/**/irq r,
+ /sys/devices/pci[0-9]*/**/resource r,
+ /sys/devices/pci[0-9]*/**/vendor r,
+ /sys/devices/pci[0-9]*/**/removable r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/pci[0-9]*/**/block/**/size r,
+ /sys/devices/virtual/block/**/removable r,
+ /sys/devices/virtual/block/**/uevent r,
+ /sys/devices/virtual/block/**/size r,
+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/auxv r,
+
+ # chromium mmaps all kinds of things for speed.
+ /etc/passwd m,
+ /usr/share/fonts/truetype/**/*.tt[cf] m,
+ /usr/share/fonts/**/*.pfb m,
+ /usr/share/mime/mime.cache m,
+ /usr/share/icons/**/*.cache m,
+ owner /{dev,run}/shm/pulse-shm* m,
+ owner @{HOME}/.local/share/mime/mime.cache m,
+ owner /tmp/** m,
+
+ @{PROC}/sys/kernel/shmmax r,
+ owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+
+ /usr/lib/chromium/*.pak mr,
+ /usr/lib/chromium/locales/* mr,
+
+ # Noisy
+ deny /usr/lib/chromium/** w,
+
+ # Allow ptracing ourselves
+ ptrace (trace) peer=@{profile_name},
+
+ # Make browsing directories work
+ #/ r,
+ #/**/ r,
+
+ # Allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}** r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ # geht nicht
+ # deny /home/** r,
+ #deny @{HOME}/** r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # For migration
+ #owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ #owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+ # Helpers
+ /usr/bin/xdg-open ixr,
+ /usr/bin/gnome-open ixr,
+ /usr/bin/gvfs-open ixr,
+ /usr/bin/kdialog ixr,
+ # TODO: xfce
+
+ # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+ # which is provided by abstractions/ubuntu-browsers.d/user-files).
+ /etc/firefox/profile/bookmarks.html r,
+ #owner @{HOME}/.mozilla/** k,
+
+ # Chromium configuration
+ owner @{HOME}/.pki/nssdb/* rwk,
+ owner @{HOME}/.cache/chromium/ rw,
+ owner @{HOME}/.cache/chromium/** rw,
+ owner @{HOME}/.cache/chromium/Cache/* mr,
+ owner @{HOME}/.config/chromium/ rw,
+ owner @{HOME}/.config/chromium/** rwk,
+ owner @{HOME}/.config/chromium/**/Cache/* mr,
+ owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+ owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+ # Allow transitions to ourself and our sandbox
+ /usr/lib/chromium/chromium ix,
+ /usr/lib/chromium/chromium-sandbox cx -> chromium_sandbox,
+ /usr/lib/chromium/chrome-sandbox cx -> chromium_browser_sandbox,
+
+ # Allow communicating with sandbox
+ unix (receive, send) peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox),
+
+ /bin/ps Uxr,
+ /usr/lib/chromium/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+
+ # GSettings
+ owner /{,var/}run/user/*/dconf/ rw,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ profile xdgsettings flags=(attach_disconnected) {
+ #include <abstractions/bash>
+ #include <abstractions/gnome>
+
+ /bin/dash ixr,
+
+ /usr/bin/dbus-send ixr,
+ /usr/bin/xprop ixr,
+
+ /etc/ld.so.cache r,
+ /usr/bin/xdg-settings r,
+ /usr/lib/chromium/xdg-settings r,
+ /usr/share/applications/*.desktop r,
+
+ /bin/uname ixr,
+
+ # Checking default browser
+ /bin/grep ixr,
+ /bin/readlink ixr,
+ /bin/sed ixr,
+ /bin/which ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/cut ixr,
+
+ # Setting the default browser
+ /bin/mkdir ixr,
+ /bin/mv ixr,
+ /bin/touch ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/gconftool-2 ix,
+ /usr/bin/[gm]awk ixr,
+ /usr/bin/xdg-mime ixr,
+ owner @{HOME}/.local/share/applications/ w,
+ owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+ }
+
+ profile lsb_release flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/python>
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /etc/dpkg/origins/debian r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python2.7 r,
+ /usr/bin/python3.[0-4] r,
+ }
+
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.chromium-browser>
+
+profile chromium_browser_sandbox flags=(attach_disconnected) {
+ # Be fanatical since it is setuid root and don't use an abstraction
+ /lib/libgcc_s.so* mr,
+ /lib/@{multiarch}/libgcc_s.so* mr,
+ /lib{,32,64}/libm-*.so* mr,
+ /lib/@{multiarch}/libm-*.so* mr,
+ /lib{,32,64}/libpthread-*.so* mr,
+ /lib/@{multiarch}/libpthread-*.so* mr,
+ /lib{,32,64}/libc-*.so* mr,
+ /lib/@{multiarch}/libc-*.so* mr,
+ /lib{,32,64}/libld-*.so* mr,
+ /lib/@{multiarch}/libld-*.so* mr,
+ /lib{,32,64}/ld-*.so* mr,
+ /lib/@{multiarch}/ld-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+ /usr/lib/libstdc++.so* mr,
+ /usr/lib/@{multiarch}/libstdc++.so* mr,
+ /etc/ld.so.cache r,
+
+ # Required for dropping into PID namespace. Keep in mind that until the
+ # process drops this capability it can escape confinement, but once it
+ # drops CAP_SYS_ADMIN we are ok.
+ capability sys_admin,
+
+ # All of these are for sanely dropping from root and chrooting
+ capability chown,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_chroot,
+
+ capability sys_ptrace,
+ ptrace (read, readby),
+
+ unix (receive, send) peer=(label=/usr/lib/chromium/chromium),
+ unix (create),
+ unix peer=(label=@{profile_name}),
+ unix (getattr, getopt, setopt, shutdown) addr=none,
+
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ deny @{PROC}/[0-9]*/oom_adj w,
+ deny @{PROC}/[0-9]*/oom_score_adj w,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /usr/bin/chromium r,
+ /usr/lib/chromium/chromium Px,
+ /usr/lib/chromium/chromium-sandbox r,
+ /usr/lib/chromium/chrome-sandbox r,
+
+ /dev/null rw,
+
+ owner /tmp/** rw,
+ }
+}
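Review bot: `/usr/lib/chromium/chromium-sandbox cx -> chromium_sandbox,` names a child profile that is not defined anywhere in this file; the only children defined are `xdgsettings`, `lsb_release` and `chromium_browser_sandbox`. Depending on the parser version this either rejects the whole profile at load time or leaves that helper unable to exec at runtime, so the line should be dropped or retargeted to the defined child (`/usr/lib/chromium/chromium-sandbox cx -> chromium_browser_sandbox,`), which is also the name the `unix ... peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox)` rule below already assumes. Likewise `#include <local/usr.bin.chromium-browser>` is left active, unlike the local include in this commit's iceweasel profile, and apparmor_parser aborts if `/etc/apparmor.d/local/usr.bin.chromium-browser` does not exist; either ship an empty local file or comment the line out. Finally, `/usr/{include,share,src}** r,` lacks the `/` that the iceweasel profile's equivalent rule has, so it also matches sibling names such as `/usr/share-foo`; `/usr/{include,share,src}/** r,` is the intended rule.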
diff --git a/apparmor-profiles/usr.lib.iceweasel.iceweasel b/apparmor-profiles/usr.lib.iceweasel.iceweasel
new file mode 100644
index 0000000..f9f8ffd
--- /dev/null
+++ b/apparmor-profiles/usr.lib.iceweasel.iceweasel
@@ -0,0 +1,152 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+# We want to confine the binaries that match:
+# /usr/lib/iceweasel-4.0b8/iceweasel
+# /usr/lib/iceweasel-4.0b8/iceweasel
+# but not:
+# /usr/lib/iceweasel-4.0b8/iceweasel.sh
+/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice>
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # should maybe be in abstractions
+ #/usr/share/xubuntu/applications/defaults.list r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # iceweasel specific
+ /etc/iceweasel*/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+ /etc/gre.d/* r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+
+ #selbst eingefuegt
+ owner /run/user/1000/dconf/user rw,
+ /usr/local/share/applications r,
+ /usr/local/share/applications/* r,
+ #for printing
+ /sys/devices/** r,
+ /run/udev/data/** r,
+ /etc/udev/udev.conf r,
+
+ # noisy
+ deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts iceweasel and iceweasel.sh is used
+ /usr/lib/iceweasel{,-[0-9]*}/** ixr,
+ deny /usr/lib/iceweasel/iceweasel.sh x,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+
+ # Needed for container to work in xul builds
+ /usr/lib/xulrunner-*/plugin-container ixr,
+
+ # Make browsing directories work
+ #auch mal deaktivieren
+ #/ r,
+ #/**/ r,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}/** r,
+ #hinzugefügt
+ /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
+ #um das Öffnen externer Programme zu ermöglichen
+ /usr/bin/exo-open ix,
+ /usr/bin/evince rix,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ # owner @{HOME}/ r,
+ owner @{HOME}/Öffentlich/ r,
+ owner @{HOME}/Öffentlich/** r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/** rw,
+ owner @{HOME}/.thumbnails/*/*.png r,
+ owner @{HOME}/.cache/thumbnails/*/*.png r,
+ #added, crashes otherwise
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user r,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin r,
+
+ # per-user iceweasel configuration
+ owner @{HOME}/.{iceweasel,mozilla}/ rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rw,
+ owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
+ owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
+ owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
+ #hinzugefügt
+ owner @{HOME}/.cache/mozilla/firefox/ rw,
+ owner @{HOME}/.cache/mozilla/firefox/** rwk,
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ deny /usr/share/mozilla/extensions/**/ w,
+ deny /usr/share/mozilla/ w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ # Local path is disabled, we only enable them for profiles we promote
+ # out of extras.
+ ## include <local/usr.bin.iceweasel>
+}
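Review bot: `owner /run/user/1000/dconf/user rw,` hard-codes UID 1000, so the profile silently breaks dconf access for any other user; the chromium profile in this commit uses `owner /{,var/}run/user/*/dconf/user rw,` and the same form belongs here, since the `owner` qualifier already restricts it to the invoking user. `/usr/bin/evince rix,` and `/usr/bin/exo-open ix,` run those helpers inside the browser's own profile, so a document viewer parsing downloaded files inherits this profile's write access to `@{HOME}/.{iceweasel,mozilla}/**` and `@{HOME}/Downloads/**`; if a dedicated evince profile is installed, `Px` keeps the viewer separately confined, and otherwise a `Cx` child holding only what a viewer needs is the safer choice. The comment `# Default profile allows downloads to ~/Downloads and uploads from ~/Public` no longer matches the rules under it, which grant `@{HOME}/Öffentlich/` instead; either update the comment or cover both names (`owner @{HOME}/{Public,Öffentlich}/ r,` plus the matching `**` rule). The German comments marking local additions (`#selbst eingefuegt`, `#hinzugefügt`, `#um das Öffnen externer Programme zu ermöglichen`) would be clearer in English next to the upstream comments, e.g. `# added locally` and `# needed to open downloads in external programs`.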