diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index ebc78c19..1f771685 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -7,15 +7,18 @@ abi ,
 include
 
-@{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable}
-@{CHROME_HOMEDIR} = @{user_config_dirs}/google-chrome{,-beta,-unstable}
-@{CHROME_CACHEDIR} = @{user_cache_dirs}/google-chrome{,-beta,-unstable}
+@{chromiun_domain} = "com.google.Chrome"
+@{chromiun_install_dirs} = /opt/google/chrome{,-beta,-unstable}
+@{chromiun_config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable}
+@{chromiun_cache_dirs} = @{user_cache_dirs}/google-chrome{,-beta,-unstable}
 
-@{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
+@{exec_path} = @{chromiun_install_dirs}/chrome{,-beta,-unstable}
 
 profile google-chrome-chrome @{exec_path} {
   include
   include
   include
+  include
+  include
   include
   include
   include
@@ -26,7 +29,17 @@ profile google-chrome-chrome @{exec_path} {
   include
   include
   include
+  include
+  include
 
+  capability sys_ptrace,
+
+  ptrace (read) peer=browserpass,
+  ptrace (read) peer=chrome-gnome-shell,
+  ptrace (read) peer=gnome-browser-connector-host,
+  ptrace (read) peer=keepassxc-proxy,
+  ptrace (read) peer=lsb_release,
+  ptrace (read) peer=xdg-settings,
   ptrace (trace) peer=@{profile_name},
   signal (send) set=(term, kill) peer=keepassxc-proxy,
 
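Review bot: The new variable names are spelled `chromiun` (`@{chromiun_domain}`, `@{chromiun_install_dirs}`, `@{chromiun_config_dirs}`, `@{chromiun_cache_dirs}`), which reads as a typo for `chromium` and will make these harder to grep for and to keep aligned with whatever naming the Chromium profile uses. Since every use inside this file is being rewritten in this commit anyway, fixing the spelling once now (e.g. `@{chromium_install_dirs} = /opt/google/chrome{,-beta,-unstable}`) is cheaper than a follow-up rename across all the later hunks, which repeat the same name. The `profile` block opened here continues outside the hunk.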
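Review bot: `capability sys_ptrace,` is added with no comment saying what needs it, and it is a much broader grant than the `ptrace (read) peer=...` rules under it: those rules only name which peers may be inspected, whereas the capability lets the browser process bypass the usual same-uid/descendant checks when reading other processes' `/proc` entries (subject to Yama). If the only requirement is reading `/proc/<pid>/` of the helpers this profile itself executes with `rPx` (browserpass, lsb_release, xdg-settings), the `ptrace (read)` rules alone may suffice; I would confirm against the audit log before keeping the capability. Whichever way that comes out, add a why-comment above it, e.g. `# Needed to inspect the helper processes listed in the ptrace (read) rules below`. This is the second hunk on this line and the profile block continues outside it.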
@@ -39,14 +52,17 @@ profile google-chrome-chrome @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{CHROME_INSTALLDIR}/{,**} r,
-  @{CHROME_INSTALLDIR}/chrome-sandbox rPx,
-  @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable} rPx,
-  @{CHROME_INSTALLDIR}/nacl_helper rix,
-  @{CHROME_INSTALLDIR}/xdg-mime rix,
-  @{CHROME_INSTALLDIR}/xdg-settings rix,
-  @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
-  @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
+  @{chromiun_install_dirs}/{,**} r,
+  @{chromiun_install_dirs}/*.so* mr,
+  @{chromiun_install_dirs}/chrome_crashpad_handler rPx,
+  @{chromiun_install_dirs}/chrome-sandbox rPx,
+  @{chromiun_install_dirs}/google-chrome{,-beta,-unstable} rPx,
+  @{chromiun_install_dirs}/libwidevinecdm.so mr,
+  @{chromiun_install_dirs}/libwidevinecdmadapter.so mr,
+  @{chromiun_install_dirs}/nacl_helper rix,
+  @{chromiun_install_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr,
+  @{chromiun_install_dirs}/xdg-mime rix,
+  @{chromiun_install_dirs}/xdg-settings rix,
 
   # For "google-chrome --help"
   /{usr/,}bin/man rPUx,
@@ -56,6 +72,7 @@ profile google-chrome-chrome @{exec_path} {
 
   /{usr/,}bin/browserpass rPx,
   /{usr/,}bin/lsb_release rPx -> lsb_release,
+  /{usr/,}bin/xdg-desktop-menu rPx,
   /{usr/,}bin/xdg-mime rPx,
   /{usr/,}bin/xdg-open rPx -> child-open,
   /{usr/,}bin/xdg-settings rPx,
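Review bot: `@{chromiun_install_dirs}/chrome_crashpad_handler rPx,` expands to the `-beta` and `-unstable` install directories as well, but the `google-chrome-chrome-crashpad-handler` profile added later in this commit attaches only to `/opt/google/chrome/chrome_crashpad_handler`; for a beta or unstable install the `Px` transition finds no profile and the exec is denied. Either give that profile's `@{exec_path}` the same `{,-beta,-unstable}` alternation or state in a comment here that only the stable channel is covered. Separately, `@{chromiun_install_dirs}/*.so* mr,` already matches `libwidevinecdm.so` and `libwidevinecdmadapter.so` directly under the install dir, so those two explicit `mr` lines are now redundant (the `WidevineCdm/_platform_specific/linux_*/` rule is not, since `*` does not cross `/`). The profile block continues outside this hunk.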
@@ -63,24 +80,25 @@ profile google-chrome-chrome @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/fstab r, + /etc/libva.conf r, /var/lib/dbus/machine-id r, /etc/machine-id r, # Google Chrome home files owner @{HOME}/ r, - owner @{CHROME_HOMEDIR}/ rw, - owner @{CHROME_HOMEDIR}/** rwk, + owner @{chromiun_config_dirs}/ rw, + owner @{chromiun_config_dirs}/** rwk, - owner @{user_share_dirs}/.com.google.Chrome.* rw, + owner @{user_share_dirs}/.@{chromiun_domain}.* rw, owner @{user_cache_dirs}/ rw, - owner @{CHROME_CACHEDIR}/{,**/} rw, - owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw, - owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? rw, - owner @{CHROME_CACHEDIR}/*/**/todelete_* rw, - owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw, - owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw, + owner @{chromiun_cache_dirs}/{,**/} rw, + owner @{chromiun_cache_dirs}/*/**/{*-,}index rw, + owner @{chromiun_cache_dirs}/*/**/[a-f0-9]*_? rw, + owner @{chromiun_cache_dirs}/*/**/todelete_* rw, + owner @{chromiun_cache_dirs}/PnaclTranslationCache/index rw, + owner @{chromiun_cache_dirs}/PnaclTranslationCache/data_[0-9]*[0-9] rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -99,6 +117,14 @@ profile google-chrome-chrome @{exec_path} { # owner @{user_config_dirs}/chromium/*/ r, # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + owner /dev/shm/.@{chromiun_domain}* rw, + owner /tmp/.@{chromiun_domain}.* rw, + owner /tmp/.@{chromiun_domain}*/{,**} rw, + owner /tmp/scoped_dir*/{,**} rw, + owner /tmp/tmp.* rw, + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, 
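Review bot: In the second hunk on this line, `owner /tmp/tmp.* rw,`, `owner /tmp/tmp.*/ rw,` and `owner /tmp/tmp.*/** rwk,` are not tied to the browser at all: `tmp.*` is the default name shape `mktemp` produces, so these rules let the browser read and write any same-uid temporary file or directory created that way by other programs. If a specific helper creates these paths, a comment naming it (e.g. `# Temporary files created by <helper — TODO confirm>`) would let a later reader narrow the rule; otherwise check whether the `@{chromiun_domain}`-prefixed rules just above (`/dev/shm/.@{chromiun_domain}*`, `/tmp/.@{chromiun_domain}*/{,**}`) already cover what Chrome itself creates. The same question applies, to a lesser degree, to `owner /tmp/scoped_dir*/{,**} rw,`. The profile block continues outside this hunk.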
@@ -133,13 +159,20 @@ profile google-chrome-chrome @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+  @{sys}/devices/system/cpu/kernel_max r,
+  @{sys}/devices/system/cpu/present r,
   @{sys}/devices/virtual/**/report_descriptor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/tty/tty[0-9]/active r,
 
+  /dev/ r,
+  /dev/hidraw[0-9]* rw,
+  /dev/tty rw,
+  /dev/video[0-9]* rw,
+
   # Silencer
-  deny @{CHROME_INSTALLDIR}/** w,
+  deny @{chromiun_install_dirs}/** w,
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler b/apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler
new file mode 100644
index 00000000..58f88dcd
--- /dev/null
+++ b/apparmor.d/groups/browsers/google-chrome-chrome-crashpad-handler
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+abi ,
+
+include
+
+@{exec_path} = /opt/google/chrome/chrome_crashpad_handler
+profile google-chrome-crashpad-handler @{exec_path} flags=(complain) {
+  include
+
+  capability sys_ptrace,
+
+  ptrace peer=chromium-chromium,
+  signal (send) peer=chromium-chromium,
+
+  @{exec_path} mrix,
+
+  owner "@{HOME}/.config/google-chrome/Crash Reports/**" rwk,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pids}/mem r,
+  owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/task/ r,
+  @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r,
+
+  include if exists
+}
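Review bot: The new device rules are added without saying which browser feature needs them, and two of them are wide: `/dev/hidraw[0-9]* rw,` grants raw read/write on every HID node the user can open (keyboards and security keys included, not just the device a page asked for), and `/dev/video[0-9]* rw,` grants every camera. AppArmor cannot narrow these per device, so the practical mitigation is documentation plus confirming they are actually exercised; a comment such as `# WebHID and camera access — TODO confirm which features trigger these` lets a deployer drop them locally when the feature is unwanted. `/dev/tty rw,` also deserves a one-line justification, since it is not obvious why a GUI browser needs to write to the controlling terminal. The profile block continues outside this hunk.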
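Review bot: In the new file, `ptrace peer=chromium-chromium,` and `signal (send) peer=chromium-chromium,` name the Chromium profile, but this handler is executed from `google-chrome-chrome` (the `chrome_crashpad_handler rPx` rule added to that profile in this commit), so the peer should be `google-chrome-chrome`; in enforce mode the handler could not attach to or signal the process it exists to monitor, and `flags=(complain)` will hide that as audit entries until the flag is removed. `owner "@{HOME}/.config/google-chrome/Crash Reports/**" rwk,` also hard-codes the stable-channel path under `@{HOME}/.config` while the sibling profile uses `@{user_config_dirs}/google-chrome{,-beta,-unstable}`; `owner "@{user_config_dirs}/google-chrome{,-beta,-unstable}/Crash Reports/**" rwk,` would keep the two consistent. Lastly, the file is named `google-chrome-chrome-crashpad-handler` but the profile inside is `google-chrome-crashpad-handler`, whereas the two other files in this diff use the profile name as the file name, so one of the two should change.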
diff --git a/apparmor.d/groups/browsers/google-chrome-google-chrome b/apparmor.d/groups/browsers/google-chrome-google-chrome index 203673ec..3c3f646f 100644 --- a/apparmor.d/groups/browsers/google-chrome-google-chrome +++ b/apparmor.d/groups/browsers/google-chrome-google-chrome @@ -18,11 +18,12 @@ profile google-chrome-google-chrome @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}bin/cat rix, /{usr/,}bin/dirname rix, /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/which{,.debianutils} rix, @{CHROME_INSTALLDIR}/chrome rPx, @@ -31,5 +32,8 @@ profile google-chrome-google-chrome @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists }
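Review bot: This file keeps the old `@{CHROME_INSTALLDIR}` variable (context line `@{CHROME_INSTALLDIR}/chrome rPx,`) while the sibling `google-chrome-chrome` profile in this commit switches to the `@{chromiun_*}` family; each file presumably defines its own variables at the top, outside this hunk, so nothing breaks, but if the rename is meant to be the convention it should be applied here too so both profiles are greppable under one name. The added `/{usr/,}bin/cat rix,` and `/{usr/,}bin/touch rix,` entries and the re-sorting look fine. The profile block continues outside this hunk.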