From 72abe1f66f9a9115717999de2bdff1017f897693 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer
Date: Sat, 17 Oct 2015 15:02:48 +0200
Subject: init with apparmor profiles for Virtualbox, Chromium and Iceweasel
---
apparmor-profiles/usr.bin.VBox | 69 +++++++
apparmor-profiles/usr.bin.chromium | 273 ++++++++++++++++++++++++++
apparmor-profiles/usr.lib.iceweasel.iceweasel | 152 ++++++++++++++
3 files changed, 494 insertions(+)
create mode 100644 apparmor-profiles/usr.bin.VBox
create mode 100644 apparmor-profiles/usr.bin.chromium
create mode 100644 apparmor-profiles/usr.lib.iceweasel.iceweasel
(limited to 'apparmor-profiles')
diff --git a/apparmor-profiles/usr.bin.VBox b/apparmor-profiles/usr.bin.VBox
new file mode 100644
index 0000000..68ac718
--- /dev/null
+++ b/apparmor-profiles/usr.bin.VBox
@@ -0,0 +1,69 @@
+#https://raw.githubusercontent.com/Whonix/apparmor-profile-virtualbox/master/etc/apparmor.d/usr.lib.virtualbox.VirtualBox
+# Last Modified: Sat May 24 04:32:08 2014
+#include
+
+/usr/lib/virtualbox/VirtualBox {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability sys_ptrace,
+
+ deny /etc/nsswitch.conf r,
+ deny /etc/passwd r,
+ #deny /etc/resolv.conf r,
+ deny /etc/fstab r,
+ deny /etc/drirc r,
+ deny /etc/udev/udev.conf r,
+ #deny @{PROC}/** r,
+ @{PROC}/ r,
+ @{PROC}/** r,
+ deny /var/lib/dbus/machine-id r,
+ #deny /sys/** r,
+ /sys/** r,
+
+ /dev/dri/card0 rw,
+ /dev/vboxdrv rw,
+ /dev/vboxdrvu rw,
+ /dev/sr0 r,
+ /dev/tty r,
+ /dev/cpu r,
+ /run/udev/data/** r,
+
+ @{HOME}/.VirtualBox/* rw,
+ "@{HOME}/VirtualBox VMs/" r,
+ "@{HOME}/VirtualBox VMs/**" rw,
+ @{HOME}/.config/VirtualBox/ r,
+ @{HOME}/.config/VirtualBox/** rwkl,
+
+ /mnt/virtual/wolfi/Progs/virtualbox/ rw,
+ /mnt/virtual/wolfi/Progs/virtualbox/** rw,
+ /mnt/virtual/wolfi/Downloads/ rw,
+ /mnt/virtual/wolfi/Downloads/** rw,
+ @{HOME}/ r,
+ ## The .iso, .ova. or .ovf files should be there
+ @{HOME}/Downloads/ r,
+ @{HOME}/Downloads/** r,
+ @{HOME}/MA/code/ rw,
+ @{HOME}/MA/code/** rw,
+
+ ## Shared folders. Replace with your own host share.
+ @{HOME}/share/ r,
+ @{HOME}/share/** rw,
+
+ ## Should be in abstractions/audio? ##
+ /usr/bin/pulseaudio rix,
+ /usr/lib/pulse-2.0/** mrix,
+ ######################################
+
+ /usr/lib/virtualbox/** mrix,
+ /bin/dash rix,
+
+ /usr/share/virtualbox/nls/* r,
+ /usr/share/icons/hicolor/index.theme rwk, # ??
+}
+
diff --git a/apparmor-profiles/usr.bin.chromium b/apparmor-profiles/usr.bin.chromium
new file mode 100644
index 0000000..0f7d4d2
--- /dev/null
+++ b/apparmor-profiles/usr.bin.chromium
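Review bot: The attachment path and the filename disagree: the profile confines `/usr/lib/virtualbox/VirtualBox` (and the first comment says it was taken from Whonix's `usr.lib.virtualbox.VirtualBox`), while the file is named `usr.bin.VBox`, which by the usual dotted-path convention suggests `/usr/bin/VBox`; naming the file after the attached binary avoids confusion when the profile is looked up by name. The commented-out `#deny @{PROC}/** r` and `#deny /sys/** r` were replaced by blanket `@{PROC}/** r` and `/sys/** r`, which lets the VM process read every other process's /proc entries and all of /sys; if the relaxation was needed for specific paths, naming them in a comment and narrowing the rules to them keeps the profile auditable. The `/mnt/virtual/wolfi/...` and `@{HOME}/MA/code/**` rules are machine-specific and grant rw on whole trees; they belong in a site-local include (the chromium and iceweasel profiles in this same commit point at `local/README` for that) rather than in the shared profile. `/usr/share/icons/hicolor/index.theme rwk, # ??` grants write and lock on a system-wide file the process has no reason to modify, and `r` is probably sufficient — confirm against the audit log. The `@{HOME}/...` rules also lack the `owner` qualifier that the chromium profile applies consistently to home-directory paths.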
@@ -0,0 +1,273 @@
+# Author: Jamie Strandboge
+#include
+
+# We need 'flags=(attach_disconnected)' in newer chromium versions
+/usr/lib/chromium/chromium flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
+ # you want access to productivity applications, adjust the following file
+ # accordingly.
+ ##include
+
+ # Networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ @{PROC}/sys/net/ipv4/tcp_fastopen r,
+
+ # Should maybe be in abstractions
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/mtab r,
+ /etc/xdg/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/task/ r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/cmdline r,
+ owner @{PROC}/[0-9]*/io r,
+ @{PROC}/[0-9]*/smaps r,
+ owner @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/statm r,
+ owner @{PROC}/[0-9]*/status r,
+ deny @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ # Newer chromium needs these now
+ /etc/udev/udev.conf r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+ /sys/bus/pci/devices/ r,
+ /sys/devices/pci[0-9]*/**/class r,
+ /sys/devices/pci[0-9]*/**/device r,
+ /sys/devices/pci[0-9]*/**/irq r,
+ /sys/devices/pci[0-9]*/**/resource r,
+ /sys/devices/pci[0-9]*/**/vendor r,
+ /sys/devices/pci[0-9]*/**/removable r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/pci[0-9]*/**/block/**/size r,
+ /sys/devices/virtual/block/**/removable r,
+ /sys/devices/virtual/block/**/uevent r,
+ /sys/devices/virtual/block/**/size r,
+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
+ # 
Needed for the crash reporter
+ owner @{PROC}/[0-9]*/auxv r,
+
+ # chromium mmaps all kinds of things for speed.
+ /etc/passwd m,
+ /usr/share/fonts/truetype/**/*.tt[cf] m,
+ /usr/share/fonts/**/*.pfb m,
+ /usr/share/mime/mime.cache m,
+ /usr/share/icons/**/*.cache m,
+ owner /{dev,run}/shm/pulse-shm* m,
+ owner @{HOME}/.local/share/mime/mime.cache m,
+ owner /tmp/** m,
+
+ @{PROC}/sys/kernel/shmmax r,
+ owner /{dev,run}/shm/{,.}org.chromium.* mrw,
+
+ /usr/lib/chromium/*.pak mr,
+ /usr/lib/chromium/locales/* mr,
+
+ # Noisy
+ deny /usr/lib/chromium/** w,
+
+ # Allow ptracing ourselves
+ ptrace (trace) peer=@{profile_name},
+
+ # Make browsing directories work
+ #/ r,
+ #/**/ r,
+
+ # Allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}** r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ # geht nicht
+ # deny /home/** r,
+ #deny @{HOME}/** r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # For migration
+ #owner @{HOME}/.mozilla/firefox/profiles.ini r,
+ #owner @{HOME}/.mozilla/firefox/*/prefs.js r,
+
+ # Helpers
+ /usr/bin/xdg-open ixr,
+ /usr/bin/gnome-open ixr,
+ /usr/bin/gvfs-open ixr,
+ /usr/bin/kdialog ixr,
+ # TODO: xfce
+
+ # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
+ # which is provided by abstractions/ubuntu-browsers.d/user-files).
+ /etc/firefox/profile/bookmarks.html r,
+ #owner @{HOME}/.mozilla/** k,
+
+ # Chromium configuration
+ owner @{HOME}/.pki/nssdb/* rwk,
+ owner @{HOME}/.cache/chromium/ rw,
+ owner @{HOME}/.cache/chromium/** rw,
+ owner @{HOME}/.cache/chromium/Cache/* mr,
+ owner @{HOME}/.config/chromium/ rw,
+ owner @{HOME}/.config/chromium/** rwk,
+ owner @{HOME}/.config/chromium/**/Cache/* mr,
+ owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
+ owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
+
+ # Allow transitions to ourself and our sandbox
+ /usr/lib/chromium/chromium ix,
+ /usr/lib/chromium/chromium-sandbox cx -> chromium_sandbox,
+ /usr/lib/chromium/chrome-sandbox cx -> chromium_browser_sandbox,
+
+ # Allow communicating with sandbox
+ unix (receive, send) peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox),
+
+ /bin/ps Uxr,
+ /usr/lib/chromium/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/xdg-settings Cxr -> xdgsettings,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+
+ # GSettings
+ owner /{,var/}run/user/*/dconf/ rw,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+
+ profile xdgsettings flags=(attach_disconnected) {
+ #include
+ #include
+
+ /bin/dash ixr,
+
+ /usr/bin/dbus-send ixr,
+ /usr/bin/xprop ixr,
+
+ /etc/ld.so.cache r,
+ /usr/bin/xdg-settings r,
+ /usr/lib/chromium/xdg-settings r,
+ /usr/share/applications/*.desktop r,
+
+ /bin/uname ixr,
+
+ # Checking default browser
+ /bin/grep ixr,
+ /bin/readlink ixr,
+ /bin/sed ixr,
+ /bin/which ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/cut ixr,
+
+ # Setting the default browser
+ /bin/mkdir ixr,
+ /bin/mv ixr,
+ /bin/touch ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/gconftool-2 ix,
+ /usr/bin/[gm]awk ixr,
+ /usr/bin/xdg-mime ixr,
+ owner @{HOME}/.local/share/applications/ w,
+ owner @{HOME}/.local/share/applications/mimeapps.list* rw,
+ }
+
+ profile lsb_release flags=(attach_disconnected) {
+ #include
+ #include
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ 
/usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /etc/dpkg/origins/debian r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python2.7 r,
+ /usr/bin/python3.[0-4] r,
+ }
+
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+profile chromium_browser_sandbox flags=(attach_disconnected) {
+ # Be fanatical since it is setuid root and don't use an abstraction
+ /lib/libgcc_s.so* mr,
+ /lib/@{multiarch}/libgcc_s.so* mr,
+ /lib{,32,64}/libm-*.so* mr,
+ /lib/@{multiarch}/libm-*.so* mr,
+ /lib{,32,64}/libpthread-*.so* mr,
+ /lib/@{multiarch}/libpthread-*.so* mr,
+ /lib{,32,64}/libc-*.so* mr,
+ /lib/@{multiarch}/libc-*.so* mr,
+ /lib{,32,64}/libld-*.so* mr,
+ /lib/@{multiarch}/libld-*.so* mr,
+ /lib{,32,64}/ld-*.so* mr,
+ /lib/@{multiarch}/ld-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
+ /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
+ /usr/lib/libstdc++.so* mr,
+ /usr/lib/@{multiarch}/libstdc++.so* mr,
+ /etc/ld.so.cache r,
+
+ # Required for dropping into PID namespace. Keep in mind that until the
+ # process drops this capability it can escape confinement, but once it
+ # drops CAP_SYS_ADMIN we are ok.
+ capability sys_admin,
+
+ # All of these are for sanely dropping from root and chrooting
+ capability chown,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_chroot,
+
+ capability sys_ptrace,
+ ptrace (read, readby),
+
+ unix (receive, send) peer=(label=/usr/lib/chromium/chromium),
+ unix (create),
+ unix peer=(label=@{profile_name}),
+ unix (getattr, getopt, setopt, shutdown) addr=none,
+
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ deny @{PROC}/[0-9]*/oom_adj w,
+ deny @{PROC}/[0-9]*/oom_score_adj w,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /usr/bin/chromium r,
+ /usr/lib/chromium/chromium Px,
+ /usr/lib/chromium/chromium-sandbox r,
+ /usr/lib/chromium/chrome-sandbox r,
+
+ /dev/null rw,
+
+ owner /tmp/** rw,
+ }
+}
diff --git a/apparmor-profiles/usr.lib.iceweasel.iceweasel b/apparmor-profiles/usr.lib.iceweasel.iceweasel
new file mode 100644
index 0000000..f9f8ffd
--- /dev/null
+++ b/apparmor-profiles/usr.lib.iceweasel.iceweasel
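Review bot: `/usr/lib/chromium/chromium-sandbox cx -> chromium_sandbox,` transitions to a child profile named `chromium_sandbox`, but the only sandbox child defined in this file is `profile chromium_browser_sandbox`, and both the neighbouring `chrome-sandbox` line and the `unix ... peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox)` rule use that name; I'd expect the parser to reject the profile for the undefined child, or at best the exec of chromium-sandbox to be denied at runtime. The fix is `/usr/lib/chromium/chromium-sandbox cx -> chromium_browser_sandbox,`. Separately, `/bin/ps Uxr,` runs ps fully unconfined (with a scrubbed environment); if it is only needed by the helper scripts, a `Cx` child limited to reading `@{PROC}` would keep it inside the policy, though this rule may be inherited from the upstream Ubuntu profile and is optional here. The comment `# geht nicht` above the commented-out `deny /home/** r` is German ("doesn't work") in an otherwise English profile; `# tried denying /home/** r, did not work; kept for reference` would help later maintainers.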
@@ -0,0 +1,152 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+# We want to confine the binaries that match:
+# /usr/lib/iceweasel-4.0b8/iceweasel
+# /usr/lib/iceweasel-4.0b8/iceweasel
+# but not:
+# /usr/lib/iceweasel-4.0b8/iceweasel.sh
+/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # should maybe be in abstractions
+ #/usr/share/xubuntu/applications/defaults.list r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # iceweasel specific
+ /etc/iceweasel*/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+ /etc/gre.d/* r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+
+ #selbst eingefuegt
+ owner /run/user/1000/dconf/user rw,
+ /usr/local/share/applications r,
+ /usr/local/share/applications/* r,
+ #for printing
+ /sys/devices/** r,
+ /run/udev/data/** r,
+ /etc/udev/udev.conf r,
+
+ # noisy
+ deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts iceweasel and iceweasel.sh is used
+ /usr/lib/iceweasel{,-[0-9]*}/** ixr,
+ deny /usr/lib/iceweasel/iceweasel.sh x,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ 
/sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+
+ # Needed for container to work in xul builds
+ /usr/lib/xulrunner-*/plugin-container ixr,
+
+ # Make browsing directories work
+ #auch mal deaktivieren
+ #/ r,
+ #/**/ r,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}/** r,
+ #hinzugefügt
+ /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
+ #um das Öffnen externer Programme zu ermöglichen
+ /usr/bin/exo-open ix,
+ /usr/bin/evince rix,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ # owner @{HOME}/ r,
+ owner @{HOME}/Öffentlich/ r,
+ owner @{HOME}/Öffentlich/** r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/** rw,
+ owner @{HOME}/.thumbnails/*/*.png r,
+ owner @{HOME}/.cache/thumbnails/*/*.png r,
+ #added, crashes otherwise
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user r,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin r,
+
+ # per-user iceweasel configuration
+ owner @{HOME}/.{iceweasel,mozilla}/ rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rw,
+ owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
+ owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
+ owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
+ #hinzugefügt
+ owner @{HOME}/.cache/mozilla/firefox/ rw,
+ owner @{HOME}/.cache/mozilla/firefox/** rwk,
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ deny /usr/share/mozilla/extensions/**/ w,
+ deny /usr/share/mozilla/ w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ # Local path is disabled, we only enable them for profiles we promote
+ # out of extras.
+ ## include
+}
-- cgit v1.1
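Review bot: `owner /run/user/1000/dconf/user rw,` hard-codes UID 1000, so the rule grants nothing for any other account and dconf writes will be denied there; the chromium profile in this same commit uses `owner /{,var/}run/user/*/dconf/user rw,`, and the same form should be used here. `/usr/local/share/applications r,` has no trailing slash, so it matches a regular file at that path rather than the directory; listing the directory needs `/usr/local/share/applications/ r,`, as the neighbouring `owner @{HOME}/Downloads/ r,` rule shows. The `#for printing` block grants `/sys/devices/** r` and `/run/udev/data/** r`, which the chromium profile in this commit explicitly denies with a comment that they did not turn out to be needed; if printer discovery really requires them, a narrower glob plus a comment naming the device class would keep the profile auditable. Several comments are in German (`#selbst eingefuegt`, `#hinzugefügt`, `#um das Öffnen externer Programme zu ermöglichen`, `#auch mal deaktivieren`) in an otherwise English file; English equivalents would be `# added locally`, `# added`, `# allow opening external programs` and `# also try disabling`.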