From 58e458f4ab998b1ceca70b4e63b75dcad6637543 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 15 May 2024 23:13:23 +0100
Subject: [PATCH] feat(profile): add the app/firefox abstraction.

---
 apparmor.d/abstractions/app/firefox | 160 +++++++++++++++++++++++++
 apparmor.d/groups/browsers/firefox | 175 +---------------------------
 apparmor.d/groups/whonix/torbrowser | 136 +++------------------
 3 files changed, 180 insertions(+), 291 deletions(-)
 create mode 100644 apparmor.d/abstractions/app/firefox

diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
new file mode 100644
index 00000000..109be2ea
--- /dev/null
+++ b/apparmor.d/abstractions/app/firefox
@@ -0,0 +1,160 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Full set of rules for all firefox based browsers. It works as a *function* +# and requires some variables to be provided as *arguments* and set in the +# header of the calling profile. Example: +# +# @{name} = firefox{,.sh,-esr,-bin} +# @{lib_dirs} = @{lib}/@{name} /opt/@{name} +# @{config_dirs} = @{HOME}/.mozilla/ +# @{cache_dirs} = @{user_cache_dirs}/mozilla/ +# + + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + # userns, + + capability sys_admin, # If kernel.unprivileged_userns_clone = 1 + capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 + capability sys_ptrace, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal (send) set=(term, kill) peer=@{profile_name}-*, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/expr rix, + + @{lib_dirs}/{,**} r, + @{lib_dirs}/*.so mr, + @{lib_dirs}/crashreporter rPx, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/minidump-analyzer rPx, + @{lib_dirs}/pingsender rPx, + @{lib_dirs}/plugin-container rPx, + @{lib_dirs}/vaapitest rPx, + + # Desktop integration + @{bin}/lsb_release rPx -> lsb_release, + + /usr/share/@{name}/{,**} r, + /usr/share/doc/{,**} r, + /usr/share/mozilla/extensions/{,**} r, + /usr/share/webext/{,**} r, + /usr/share/xul-ext/kwallet5/* r, + + /etc/@{name}/{,**} r, + /etc/cups/client.conf r, + /etc/fstab r, + /etc/mailcap r, + /etc/mime.types r, + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + /etc/sysconfig/proxy r, + /etc/xdg/* r, + /etc/xul-ext/kwallet5.js r, + + /var/lib/nscd/services r, + + owner @{HOME}/ r, + owner @{HOME}/.cups/lpoptions r, + + owner @{config_dirs}/ rw, + owner @{config_dirs}/** rwk, + + owner @{cache_dirs}/ rw, + 
owner @{cache_dirs}/** rwk, + + /tmp/ r, + /var/tmp/ r, + owner @{tmp}/@{name}/ rw, + owner @{tmp}/@{name}/* rwk, + owner @{tmp}/firefox/ rw, + owner @{tmp}/firefox/* rwk, + owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/Temp-@{uuid}/* rwk, + owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon-@{int} r, + + @{run}/mount/utab r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/bus/ r, + @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, + @{sys}/class/ r, + @{sys}/class/**/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/renderD128/ r, + @{sys}/devices/@{pci}/drm/renderD129/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/power/events/energy-* r, + @{sys}/devices/power/type r, + @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, + + @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/route r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj w, + owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/tty rw, + /dev/video@{int} rw, + owner /dev/shm/org.chromium.* rw, + owner 
/dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner /dev/tty@{int} rw, # File Inherit + + # Silencer + deny dbus send bus=system path=/org/freedesktop/hostname1, + deny /tmp/MozillaUpdateLock-* w, + deny owner @{HOME}/ r, + deny owner @{HOME}/.* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, + + include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 224b4cc7..7e364cf3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
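Review bot: `deny owner @{HOME}/ r,` in the Silencer block contradicts `owner @{HOME}/ r,` earlier in the same abstraction; AppArmor deny rules take precedence over allow rules, so the allow is dead and listing the home directory (for example from a file chooser) is now refused silently, whereas the old firefox profile only denied `@{HOME}/.*`. One of the two lines should go, and if the deny is the intended one the allow should be dropped with a comment such as `# @{HOME}/ listing is denied below on purpose; do not re-add it`. Separately, `owner @{config_dirs}/** rwk,` now covers `native-messaging-hosts/*.json`, which the firefox profile previously granted only `r`; since those manifests name the executables the browser launches, a narrower rule or a header note that callers must tighten this themselves would keep the old granularity. The header comment could also state that every caller inherits `capability sys_admin`, `sys_chroot`, `sys_ptrace` and the inet dgram rules unconditionally and has to `deny` what it does not want, which is the pattern torbrowser now follows.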
@@ -15,79 +15,15 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - # userns, - - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=@{profile_name}, + include signal (send) set=(term, kill) peer=keepassxc-proxy, - signal (send) set=(term, kill) peer=firefox-*, #aa:dbus own bus=session name=org.mozilla.firefox - - deny dbus send bus=system path=/org/freedesktop/hostname1, - - dbus bind bus=session name=org.mpris.MediaPlayer2.firefox.*, - dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="{org.freedesktop.DBus,:*}"), - dbus receive bus=session path=/org/mpris/MediaPlayer2 - interface=org.mpris.MediaPlayer2.Playlists - member=GetPlaylists - peer=(name=:*), - - dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit - interface=org.freedesktop.PowerManagement.Inhibit - member=Inhibit - peer=(name=org.freedesktop.PowerManagement), + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/expr rix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so mr, - @{lib_dirs}/crashreporter rPx, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/minidump-analyzer rPx, - @{lib_dirs}/pingsender rPx, - @{lib_dirs}/plugin-container rPx, - @{lib_dirs}/vaapitest rPx, - @{lib}/mozilla/kmozillahelper rPUx, - 
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, @{lib}/mozilla/plugins/libvlcplugin.so mr, @@ -95,10 +31,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # Desktop integration @{bin}/gnome-software rPx, @{bin}/kreadconfig5 rix, - @{bin}/lsb_release rPx -> lsb_release, @{bin}/plasma-browser-integration-host rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, + @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, # Common extensions @@ -107,33 +43,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # As a temporary solution - see issue #128 @{bin}/keepassxc-proxy rix, - /usr/share/@{name}/{,**} r, - /usr/share/doc/{,**} r, - /usr/share/mozilla/extensions/{,**} r, - /usr/share/webext/{,**} r, - /usr/share/xul-ext/kwallet5/* r, - - /etc/@{name}/{,**} r, - /etc/cups/client.conf r, - /etc/fstab r, - /etc/mailcap r, - /etc/mime.types r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, - /etc/sysconfig/proxy r, - /etc/xdg/* r, - /etc/xul-ext/kwallet5.js r, - - /var/lib/nscd/services r, - - owner @{HOME}/ r, - owner @{HOME}/.cups/lpoptions r, - owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, 
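Review bot: `ptrace peer=@{profile_name},` is removed here but the abstraction carries only `capability sys_ptrace,` and no `ptrace` rule, so ptrace between firefox processes of the same profile (and the /proc reads AppArmor mediates as ptrace read) is no longer allowed unless one of the remaining `include` lines, whose targets are not visible in this rendering, provides it. The same applies to the removed `dbus send ... interface=org.freedesktop.PowerManagement.Inhibit` rule, which neither `#aa:dbus own` directive covers. If both drops are intentional, a sentence in the commit message would make that clear; otherwise `ptrace peer=@{profile_name},` fits naturally in the abstraction since it resolves per caller. The profile body continues outside the hunk.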
@@ -141,96 +53,21 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - owner @{config_dirs}/ rw, - owner @{config_dirs}/{extensions,systemextensionsdev}/ rw, - owner @{config_dirs}/extensions/\{*\}/ r, - owner @{config_dirs}/firefox/ rw, - owner @{config_dirs}/firefox/*/ rw, - owner @{config_dirs}/firefox/*/** rwk, - owner @{config_dirs}/firefox/installs.ini rw, - owner @{config_dirs}/firefox/profiles.ini rw, - owner @{config_dirs}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, - - owner @{cache_dirs}/ rw, - owner @{cache_dirs}/** rwk, - - /tmp/ r, - /var/tmp/ r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{name}/ rw, - owner @{tmp}/@{name}/* rwk, owner @{tmp}/@{rand6}.tmp r, owner @{tmp}/@{rand8}.txt w, owner @{tmp}/* w, # file downloads (to anywhere) - owner @{tmp}/firefox_*/ rw, - owner @{tmp}/firefox_*/* rwk, - owner @{tmp}/mozilla_*/ rw, - owner @{tmp}/mozilla_*/* rw, - owner @{tmp}/mozilla-temp-@{int} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? 
rwk, - owner @{tmp}/Temp-@{uuid}/ rw, - owner @{tmp}/Temp-@{uuid}/** rwk, - owner @{tmp}/tmp-???.xpi rw, - owner @{tmp}/tmpaddon r, - owner @{tmp}/tmpaddon-@{int} r, - - @{run}/mount/utab r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/bus/ r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/devices/@{pci}/drm/renderD128/ r, - @{sys}/devices/@{pci}/drm/renderD129/ r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/background.slice/*/cpu.max r, - - @{PROC}/@{pid}/net/arp r, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/route r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/tty rw, - /dev/video@{int} rw, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - owner /dev/tty@{int} rw, # File Inherit # Silencer deny @{lib_dirs}/** w, - deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, - deny /tmp/MozillaUpdateLock-* w, - deny owner @{HOME}/.* r, - deny owner 
@{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser index 341c1e1f..6c06cdc7 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/whonix/torbrowser @@ -15,72 +15,14 @@ include @{exec_path} = @{lib_dirs}/firefox{,.real} profile torbrowser @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - # userns, - - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network netlink raw, - - signal (send) set=(term, kill) peer=torbrowser-*, - - deny dbus send bus=system path=/org/freedesktop/hostname1, + include @{exec_path} mrix, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dirname rix, - @{bin}/expr rix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so mr, @{lib_dirs}/abicheck rix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/plugin-container rPx, @{lib_dirs}/updater rPx, - @{lib_dirs}/vaapitest rPx, - # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, - - /usr/share/@{name}/{,**} r, - /usr/share/doc/{,**} r, /usr/share/homepage/{,**} r, - /usr/share/xul-ext/kwallet5/* r, - - /etc/@{name}.d/{,**} r, - /etc/mailcap r, - /etc/mime.types r, - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, - /etc/sysconfig/proxy r, - /etc/xdg/* r, - /etc/xul-ext/kwallet5.js r, - - /var/lib/nscd/services r, owner @{lib_dirs}/.cache/{,**} rw, owner @{lib_dirs}/.local/{,**} rw, 
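Review bot: the removed `owner @{tmp}/firefox_*/ rw,` and `owner @{tmp}/firefox_*/* rwk,` have no replacement on the new side: the abstraction provides `@{tmp}/firefox/` and `@{tmp}/@{name}/`, neither of which matches a `firefox_<user>` directory, and the added `owner @{tmp}/mozilla*` rules only cover the lowercase mozilla prefix. Unless another include covers it, this is a regression for setups that still create that directory, and the two lines should stay in this profile or move into the abstraction. `owner @{tmp}/mozilla* rw,` also grants write on any bare file with that prefix where the old `mozilla-temp-@{int} rw` named one pattern; a short comment stating which files it is meant for would help the next reader judge whether the widening is wanted.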
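Review bot: `/etc/@{name}.d/{,**} r,` is dropped from torbrowser but the abstraction only reads `/etc/@{name}/{,**}`, so with `@{name}` resolving to torbrowser the `/etc/torbrowser.d/` tree is no longer readable; if that directory exists on the target system this is a regression and the line should stay in the profile. `owner @{tmp}/ rw,` and `owner @{tmp}/* w,` are likewise removed with no equivalent in the abstraction, which is a tightening worth a mention in the commit message so it is not mistaken for an oversight. The profile body continues outside the hunk.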
@@ -88,70 +30,22 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner @{lib_dirs}/fonts/** r, owner @{lib_dirs}/TorBrowser/UpdateInfo/{,**} rw, - owner @{config_dirs}/ rw, - owner @{config_dirs}/** rwk, - - owner @{cache_dirs}/ rw, - owner @{cache_dirs}/** rwk, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/ rw, - owner @{tmp}/* w, - owner @{tmp}/Temp-@{uuid}/ rw, - owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/firefox/ rw, - owner @{tmp}/firefox/* rwk, - owner @{tmp}/@{name}/ rw, - owner @{tmp}/@{name}/* rwk, + owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, - owner "@{tmp}/Tor Project*" rwk, - - @{run}/mount/utab r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/bus/ r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/devices/@{pci}/drm/renderD128/ r, - @{sys}/devices/@{pci}/drm/renderD129/ r, - @{sys}/devices/**/uevent r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-1.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj w, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pids}/cmdline r, - owner 
@{PROC}/@{pids}/environ r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/tty rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - owner /dev/tty@{int} rw, # File Inherit # Due to the nature of the browser, we silence much more than for Firefox. + deny network inet dgram, # TOR does not work over UDP + deny network inet6 dgram, + deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user deny @{bin}/lsb_release x, + deny @{lib_dirs}/crashreporter x, + deny @{lib_dirs}/glxtest x, + deny @{lib_dirs}/minidump-analyzer x, + deny @{lib_dirs}/pingsender x, + deny /usr/share/dconf/** r, + deny /etc/dconf/** r, + deny /etc/fstab r, deny /etc/group r, deny /etc/host.conf r, deny /etc/hosts r, @@ -162,12 +56,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny /etc/passwd r, deny /etc/resolv.conf r, deny /var/lib/dbus/machine-id r, - deny /tmp/MozillaUpdateLock-* w, - deny owner @{HOME}/.* r, + deny owner @{user_config_dirs}/dconf/user r, deny owner @{user_config_dirs}/gtk-*/{,**} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny owner @{run}/user/@{uid}/dconf/ rw, deny owner @{run}/user/@{uid}/dconf/user rw, - deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{sys}/class/input/ r, deny @{sys}/devices/system/cpu/*/cache/index@{int}/size r, deny @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
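Review bot: the added `deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user` line has no terminating comma as shown here, so the parser will run it into the following `deny @{bin}/lsb_release x,` and reject the profile; it should read `deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user,`. The `deny network inet dgram,` pair is the right way to take back what the abstraction now grants, and the same reasoning applies to the four new `deny @{lib_dirs}/... x` lines, which exist because the abstraction grants those helpers `rPx`; a one-line comment such as `# Granted by abstractions/app/firefox, not wanted here` above them would save the next reader a lookup.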