Package: chromium
Version: 61.0.3163.100-2
Severity: wishlist
Tags: patch

Hi,
It'd be great if Debian would ship an apparmor profile for chromium. The attached profile was mostly prepared by Daniel Richard and is based on the one in Ubuntu, so I assume it has seen quite some exposure to real-world usage. It works nicely here. I'm sure there will be tweaks needed over time, so feel free to cc me and Richard on apparmor-related issues. If this shouldn't work out we can always disable it again.
Cheers,
 -- Guido

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  chromium-common      61.0.3163.100-2
ii  libasound2           1.1.3-5
ii  libatk1.0-0          2.26.0-2
ii  libavcodec57         7:3.3.4-1
ii  libavformat57        7:3.3.4-1
ii  libavutil55          7:3.3.4-1
ii  libc6                2.24-17
ii  libcairo2            1.14.10-1
ii  libcups2             2.2.4-7
ii  libdbus-1-3          1.11.16+really1.10.22-1
ii  libevent-2.1-6       2.1.8-stable-4
ii  libexpat1            2.2.3-1
ii  libflac8             1.3.2-1
ii  libfontconfig1       2.12.3-0.2
ii  libfreetype6         2.8-0.2
ii  libgcc1              1:7.2.0-5
ii  libgdk-pixbuf2.0-0   2.36.5-2
ii  libglib2.0-0         2.54.0-1
ii  libgtk2.0-0          2.24.31-2
ii  libharfbuzz0b        1.4.2-1
ii  libicu57             57.1-6
ii  libjpeg62-turbo      1:1.5.2-2
ii  liblcms2-2           2.8-4
ii  libminizip1          1.1-8+b1
ii  libnspr4             2:4.16-1
ii  libnss3              2:3.32-2
ii  libopus0             1.2~alpha2-1
ii  libpango-1.0-0       1.40.12-1
ii  libpangocairo-1.0-0  1.40.12-1
ii  libpng16-16          1.6.32-1
ii  libpulse0            11.0-2
ii  libre2-3             20170101+dfsg-1
ii  libsnappy1v5         1.1.7-1
ii  libstdc++6           7.2.0-5
ii  libvpx4              1.6.1-3
ii  libwebp6             0.6.0-3
ii  libwebpdemux2        0.6.0-3
ii  libwebpmux3          0.6.0-3
ii  libx11-6             2:1.6.4-3
ii  libx11-xcb1          2:1.6.4-3
ii  libxcb1              1.12-1
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-3
ii  libxdamage1          1:1.1.4-3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxml2              2.9.4+dfsg1-4
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  libxslt1.1           1.1.29-2.1
ii  libxss1              1:1.2.2-1+b2
ii  libxtst6             1:1.2.3-1
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages chromium recommends:
ii  fonts-liberation  1:1.07.4-2

Versions of packages chromium suggests:
ii  chromium-driver    61.0.3163.100-2
pn  chromium-l10n      <none>
pn  chromium-shell     <none>
pn  chromium-widevine  <none>

-- Configuration Files:
/etc/apparmor.d/usr.bin.chromium changed [not included]

-- no debconf information
>From 3d35e9547fae383afd004608c9da646377caab66 Mon Sep 17 00:00:00 2001 Message-Id: <3d35e9547fae383afd004608c9da646377caab66.1506853631.git....@sigxcpu.org> From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> Date: Sat, 30 Sep 2017 11:26:15 +0200 Subject: [PATCH] Add apparmor profile The profile is based on the Ubuntu one and the one provided by Daniel Richard G. --- debian/apparmor/usr.bin.chromium | 304 +++++++++++++++++++++++++++++++++++++++ debian/chromium.install | 2 + debian/control | 1 + debian/rules | 1 + 4 files changed, 308 insertions(+) create mode 100644 debian/apparmor/usr.bin.chromium diff --git a/debian/apparmor/usr.bin.chromium b/debian/apparmor/usr.bin.chromium new file mode 100644 index 0000000..472664d --- /dev/null +++ b/debian/apparmor/usr.bin.chromium 
@@ -0,0 +1,304 @@ +# Author: Jamie Strandboge <ja...@canonical.com> +#include <tunables/global> + +# Debian compatibility aliases +# https://bugs.debian.org/742829 +# +alias /etc/chromium-browser/ -> /etc/chromium/, +alias /usr/bin/chromium-browser -> /usr/bin/chromium, +alias /usr/lib/chromium-browser/chromium-browser-sandbox -> /usr/lib/chromium/chrome-sandbox, +alias /usr/lib/chromium-browser/chromium-browser -> /usr/lib/chromium/chromium, +alias /usr/lib/chromium-browser/ -> /usr/lib/chromium/, + +# We need 'flags=(attach_disconnected)' in newer chromium versions +/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) { + #include <abstractions/audio> + #include <abstractions/cups-client> + #include <abstractions/dbus-session> + #include <abstractions/dbus-strict> + #include <abstractions/gnome> + #include <abstractions/ibus> + #include <abstractions/nameservice> + #include <abstractions/user-tmp> + + # Browser specific abstratctions + #include <abstractions/ubuntu-browsers.d/plugins-common> + #include <abstractions/ubuntu-browsers.d/mailto> + #include <abstractions/ubuntu-browsers.d/multimedia> + #include <abstractions/ubuntu-browsers.d/productivity> + #include <abstractions/ubuntu-browsers.d/java> + #include <abstractions/ubuntu-browsers.d/kde> + #include <abstractions/ubuntu-browsers.d/text-editors> + #include <abstractions/ubuntu-browsers.d/ubuntu-integration> + #include <abstractions/ubuntu-browsers.d/user-files> + + # Networking + network inet stream, + network inet6 stream, + @{PROC}/[0-9]*/net/if_inet6 r, + @{PROC}/[0-9]*/net/ipv6_route r, + + # Should maybe be in abstractions + /etc/mime.types r, + /etc/mailcap r, + /etc/mtab r, + /etc/xdg/xubuntu/applications/defaults.list r, + owner @{HOME}/.local/share/applications/defaults.list r, + owner @{HOME}/.local/share/applications/mimeinfo.cache r, + + @{PROC}/[0-9]*/fd/ r, + @{PROC}/filesystems r, + @{PROC}/ r, + @{PROC}/vmstat r, + @{PROC}/[0-9]*/task/[0-9]*/stat r, + owner 
@{PROC}/[0-9]*/cmdline r, + owner @{PROC}/[0-9]*/io r, + owner @{PROC}/[0-9]*/setgroups w, + owner @{PROC}/[0-9]*/{uid,gid}_map w, + @{PROC}/[0-9]*/smaps r, + owner @{PROC}/[0-9]*/stat r, + @{PROC}/[0-9]*/statm r, + owner @{PROC}/[0-9]*/status r, + owner @{PROC}/[0-9]*/task/[0-9]*/status r, + deny @{PROC}/[0-9]*/oom_{,score_}adj w, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/net/ipv4/tcp_fastopen r, + @{PROC}/@{pid}/task/@{tid}/status rw, + + # Newer chromium needs these now + /etc/udev/udev.conf r, + /sys/devices/**/uevent r, + /sys/devices/system/cpu/cpu*/{cpufreq,policy*}/cpuinfo_max_freq r, + /sys/devices/system/node/node*/meminfo r, + /sys/devices/pci[0-9]*/**/class r, + /sys/devices/pci[0-9]*/**/config r, + /sys/devices/pci[0-9]*/**/device r, + /sys/devices/pci[0-9]*/**/irq r, + /sys/devices/pci[0-9]*/**/resource r, + /sys/devices/pci[0-9]*/**/revision r, + /sys/devices/pci[0-9]*/**/vendor r, + /sys/devices/pci[0-9]*/**/subsystem_vendor r, + /sys/devices/pci[0-9]*/**/subsystem_device r, + /sys/devices/pci[0-9]*/**/removable r, + /sys/devices/pci[0-9]*/**/block/**/size r, + /sys/devices/virtual/block/**/removable r, + /sys/devices/virtual/block/**/size r, + /sys/devices/virtual/tty/tty*/active r, + # This is requested, but doesn't seem to actually be needed so deny for now + deny /run/udev/data/** r, + + # Needed for the crash reporter + owner @{PROC}/[0-9]*/auxv r, + + # chromium mmaps all kinds of things for speed. 
+ /etc/passwd m, + /usr/share/fonts/truetype/**/*.tt[cf] m, + /usr/share/fonts/**/*.pfb m, + /usr/share/mime/mime.cache m, + /usr/share/icons/**/*.cache m, + owner /{dev,run}/shm/pulse-shm* m, + owner @{HOME}/.local/share/mime/mime.cache m, + owner /tmp/** m, + + @{PROC}/sys/kernel/shmmax r, + owner /{dev,run}/shm/{,.}org.chromium.* mrw, + owner /{,var/}run/shm/shmfd-* mrw, + + /usr/lib/chromium-browser/*.pak mr, + /usr/lib/chromium-browser/locales/* mr, + + # Noisy + deny /usr/lib/chromium-browser/** w, + + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + + # Allow ptracing ourselves + ptrace (trace) peer=@{profile_name}, + + # Make browsing directories work + / r, + /**/ r, + + # Allow access to documentation and other files the user may want to look + # at in /usr + /usr/{include,share,src}** r, + + # Default profile allows downloads to ~/Downloads and uploads from ~/Public + owner @{HOME}/ r, + owner @{HOME}/Public/ r, + owner @{HOME}/Public/* r, + owner @{HOME}/Downloads/ r, + owner @{HOME}/Downloads/* rw, + + # For migration + owner @{HOME}/.mozilla/firefox/profiles.ini r, + owner @{HOME}/.mozilla/firefox/*/prefs.js r, + + # Helpers + /usr/bin/xdg-open ixr, + /usr/bin/gnome-open ixr, + /usr/bin/gvfs-open ixr, + /usr/bin/kdialog ixr, + # TODO: xfce + + # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/** + # which is provided by abstractions/ubuntu-browsers.d/user-files). 
+ /etc/firefox/profile/bookmarks.html r, + owner @{HOME}/.mozilla/** k, + + # Chromium Policies + /etc/chromium-browser/policies/** r, + + # Chromium configuration + owner @{HOME}/.pki/nssdb/* rwk, + owner @{HOME}/.cache/chromium/ rw, + owner @{HOME}/.cache/chromium/** rw, + owner @{HOME}/.cache/chromium/Cache/* mr, + owner @{HOME}/.config/chromium/ rw, + owner @{HOME}/.config/chromium/** rwk, + owner @{HOME}/.config/chromium/**/Cache/* mr, + owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr, + owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr, + + # Allow transitions to ourself and our sandbox + /usr/lib/chromium-browser/chromium-browser ix, + /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox, + /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox, + + # Allow communicating with sandbox + unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox), + + /{usr/,}bin/ps Uxr, + /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings, + /usr/bin/xdg-settings Cxr -> xdgsettings, + /usr/bin/lsb_release Cxr -> lsb_release, + + # GSettings + owner /{,var/}run/user/*/dconf/ rw, + owner /{,var/}run/user/*/dconf/user rw, + owner @{HOME}/.config/dconf/user r, + + profile xdgsettings { + #include <abstractions/bash> + #include <abstractions/gnome> + + /{usr/,}bin/dash ixr, + + /etc/ld.so.cache r, + /etc/xdg/** r, + /usr/bin/xdg-settings r, + /usr/lib/chromium-browser/xdg-settings r, + /usr/share/applications/*.desktop r, + /usr/share/applications/gnome-mimeapps.list r, + + # Checking default browser + /{usr/,}bin/grep ixr, + /{usr/,}bin/readlink ixr, + /{usr/,}bin/sed ixr, + /{usr/,}bin/which ixr, + /{usr/,}bin/tr ixr, + /{usr/,}bin/head ixr, + /usr/bin/basename ixr, + /usr/bin/cut ixr, + + # Setting the default browser + /{usr/,}bin/mkdir ixr, + /{usr/,}bin/mv ixr, + /{usr/,}bin/touch ixr, + /usr/bin/dirname ixr, + /usr/bin/gconftool-2 ix, + /usr/bin/[gm]awk ixr, + 
/usr/bin/xdg-mime ixr, + owner @{HOME}/.local/share/applications/ w, + owner @{HOME}/.local/share/applications/mimeapps.list* rw, + } + + profile lsb_release { + #include <abstractions/base> + #include <abstractions/python> + /usr/bin/lsb_release r, + /{usr/,}bin/dash ixr, + /usr/bin/dpkg-query ixr, + /usr/include/python2.[4567]/pyconfig.h r, + /etc/lsb-release r, + /etc/debian_version r, + /etc/dpkg/origins/** r, + /usr/share/distro-info/** r, + /var/lib/dpkg/** r, + + /usr/local/lib/python3.[0-9]/dist-packages/ r, + /usr/bin/ r, + /usr/bin/python3.[0-9] mr, + } + + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.bin.chromium-browser> + +profile chromium_browser_sandbox { + # Be fanatical since it is setuid root and don't use an abstraction + /{usr/,}lib/libgcc_s.so* mr, + /{usr/,}lib/@{multiarch}/libgcc_s.so* mr, + /{usr/,}lib{,32,64}/libm-*.so* mr, + /{usr/,}lib/@{multiarch}/libm-*.so* mr, + /{usr/,}lib{,32,64}/libpthread-*.so* mr, + /{usr/,}lib/@{multiarch}/libpthread-*.so* mr, + /{usr/,}lib{,32,64}/libc-*.so* mr, + /{usr/,}lib/@{multiarch}/libc-*.so* mr, + /{usr/,}lib{,32,64}/libld-*.so* mr, + /{usr/,}lib/@{multiarch}/libld-*.so* mr, + /{usr/,}lib{,32,64}/ld-*.so* mr, + /{usr/,}lib/@{multiarch}/ld-*.so* mr, + /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr, + /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr, + /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr, + /usr/lib/libstdc++.so* mr, + /usr/lib/@{multiarch}/libstdc++.so* mr, + /etc/ld.so.cache r, + + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. 
+ capability sys_admin, + + # All of these are for sanely dropping from root and chrooting + capability chown, + capability fsetid, + capability setgid, + capability setuid, + capability dac_override, + capability sys_chroot, + + capability sys_ptrace, + ptrace (read, readby), + + signal (receive) peer=unconfined, + signal peer=@{profile_name}, + signal (receive, send) set=("exists"), + signal (receive) peer=/usr/lib/chromium-browser/chromium-browser, + + unix (receive, send) peer=(label=/usr/lib/chromium-browser/chromium-browser), + unix (create), + unix peer=(label=@{profile_name}), + unix (getattr, getopt, setopt, shutdown) addr=none, + + @{PROC}/ r, + @{PROC}/[0-9]*/ r, + @{PROC}/[0-9]*/fd/ r, + deny @{PROC}/[0-9]*/oom_adj w, + deny @{PROC}/[0-9]*/oom_score_adj w, + @{PROC}/[0-9]*/status r, + @{PROC}/[0-9]*/task/[0-9]*/stat r, + + /usr/bin/chromium-browser r, + /usr/lib/chromium-browser/chromium-browser Px, + /usr/lib/chromium-browser/chromium-browser-sandbox r, + /usr/lib/chromium-browser/chrome-sandbox mr, + + /dev/null rw, + + owner /tmp/** rw, + } +} diff --git a/debian/chromium.install b/debian/chromium.install index 6b20df4..039b43c 100644 --- a/debian/chromium.install +++ b/debian/chromium.install @@ -19,3 +19,5 @@ debian/chromium.desktop usr/share/applications debian/apikeys etc/chromium.d debian/extensions etc/chromium.d debian/default-flags etc/chromium.d + +debian/apparmor/usr.bin.chromium etc/apparmor.d diff --git a/debian/control b/debian/control index 695d483..6e75760 100644 --- a/debian/control +++ b/debian/control @@ -9,6 +9,7 @@ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git Homepage: http://www.chromium.org/Home Build-Depends: debhelper (>= 10), + dh-apparmor, python3, pkg-config, ninja-build, diff --git a/debian/rules b/debian/rules index 8da3679..fe0f6e2 100755 --- a/debian/rules +++ b/debian/rules 
@@ -130,6 +130,7 @@ override_dh_auto_install-arch: mkdir -p $$dst; \ cp $$file $$dst/chromium.$$ext; \ done + dh_apparmor --profile-name=usr.bin.chromium -p chromium override_dh_fixperms: dh_fixperms --exclude chrome-sandbox -- 2.14.1
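Review bot: the `dh_apparmor --profile-name=usr.bin.chromium -p chromium` call in debian/rules does not match the `#include <local/usr.bin.chromium-browser>` at the end of the new profile: dh_apparmor's maintainer-script snippet creates and expects /etc/apparmor.d/local/usr.bin.chromium, while the profile asks apparmor_parser for a local/usr.bin.chromium-browser that nothing in this patch installs, and a missing `#include` file is a parse error, so the whole profile would fail to load. Change the include to `#include <local/usr.bin.chromium>` so the installed profile name, the dh_apparmor profile name and the site-local override file all agree.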
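Review bot: in the main /usr/lib/chromium-browser/chromium-browser profile, `capability sys_admin,`, `capability sys_chroot,` and `capability sys_ptrace,` are granted to the browser process itself without any comment on why, whereas the chromium_browser_sandbox profile's own comment states that a process holding CAP_SYS_ADMIN can escape confinement until it drops it. Add a comment next to each capability saying which code path needs it (for instance whether they serve the namespace setup that the `owner @{PROC}/[0-9]*/setgroups w` and `{uid,gid}_map w` rules suggest), so a later reviewer can judge whether they can be removed once the setuid sandbox handles that work. Minor: the comment "Browser specific abstratctions" has a typo ("abstractions").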